One Identity Safeguard for Privileged Passwords 2.4 - Administration Guide

General tab

Use the General tab to specify general information about the asset.

Table 62: Asset: General properties
Property Description
Name

Enter a unique display name for the asset.

Limit: 100 characters

Required

Description

(Optional) Enter information about this managed system.

Limit: 255 characters

Partition

Browse to select a partition for this asset.

NOTE: You can set a specific partition as the default, see Setting a default partition.

Profile

Browse to select a profile to manage this asset's accounts.

NOTE: You must assign all assets to a profile. Safeguard for Privileged Passwords assigns all new assets to the default profile unless you specify another. You can set a specific profile as the default. For more information, see Setting a default partition profile.

Click (or tap) Reset to set the profile to the current default.

NOTE: The Reset button only becomes active when the asset has been explicitly assigned to the profile. If the asset is only implicitly assigned to the profile, Safeguard for Privileged Passwords does not activate the Reset button. If you do not explicitly assign an asset to a profile, it is always assigned to the current default profile.

Management tab

Use the Administrative Tools | Assets | Management tab to add the network address, operating system and version information for an asset:

Table 63: Asset: Management tab properties
Property Description
Product

Select an operating system for this asset. A custom platform can be selected. For more information, see Custom Platforms.

NOTE: Safeguard for Privileged Passwords allows you to select a generic operating system of "Other" or "Other Linux". This allows you to add an asset to Safeguard for Privileged Passwords without designating a specific platform.

  • Other - Safeguard for Privileged Passwords cannot manage an asset with an "Other" operating system. You can manually change passwords on accounts associated with an asset with an "Other" operating system, but Safeguard for Privileged Passwords cannot automatically check or change the passwords, test connection, etc. because it cannot connect to the asset.
  • Other Linux - Safeguard for Privileged Passwords can manage an asset with "Other Linux" on a best effort basis.

Any "Other" platform type can be changed to a different platform type. Conversely, any platform type can be changed to "Other"; however, any property values specific to the current platform type are lost. For example, you may want to change an "Other Linux" operating system to any type of Linux, such as AIX, HP-UX, or Solaris. Then, the specific platform type can be changed back to "Other", if needed. For more information, see Modifying an asset.

Version

Select the operating system version. When adding a Linux or Macintosh OS X system, Safeguard for Privileged Passwords allows you to choose an "Other" version.

NOTE: Safeguard for Privileged Passwords does not manage passwords for accounts on domain controllers. Manage accounts on domain controllers through the directory that hosts the domain controller. For more information, see Adding directory accounts to a directory.

Architecture

When applicable, select the operating system architecture.

Network Address

Enter a network DNS name or the IP address used to connect to the managed system over the network.

NOTE: For Amazon Web Services assets, enter the Amazon AWS Account ID or Alias.

Advanced

Click (or tap) to display settings specific to the custom platform.

Session Access Properties

Use the following settings to enable session access for this asset.

Enable Session Request

This check box is selected by default indicating that authorized users can request session access for this asset.

Clear this check box if you do not want to allow session requests for this asset.

RDP Session Port

Specify the access port on the target server to be used for RDP session requests.

Default: Port 3389

SSH Session Port

Specify the access port on the target server to be used for SSH session requests.

Default: Port 22

Connection tab

On the Connection tab, choose an authentication type and specify the service account credentials. The type of asset specified in the Product field on the Management tab determines the authentication types available for the asset. If the asset has a custom platform, the Custom Properties elements are displayed. For more information, see Custom Platforms.

Table 64: Asset authentication types
Authentication Type Description
SSH Key

To authenticate to the asset using an SSH authentication key.

Directory Account

To authenticate to the asset using an account from an external identity store such as Microsoft Active Directory.

NOTE: In order to use this authentication type, you must first add a directory to Safeguard for Privileged Passwords and add domain user accounts. For more information, see Directories.

Local System Account

For SQL Server assets, to authenticate to the asset using a local system account, which is a Windows user account on the server that is hosting the SQL database.

Password

To authenticate to the asset using a local service account and password.

Account Password

For Facebook and Twitter assets, to authenticate using the current account password. For more information, see Adding a cloud platform account.

Access Key

For Amazon Web Services assets, to authenticate to the asset using an access key. For more information, see Adding a cloud platform account.

None

To authenticate to the asset manually.

Client ID: For SAP assets, enter the client ID.

Custom platform properties

If the Product field on the Management tab identifies a custom platform, complete the dialog based on the custom properties of the custom platform script. Safeguard for Privileged Passwords checks that each value matches the declared type of the property: string, boolean, integer, or password (called secret in the API scripts). Safeguard for Privileged Passwords cannot check the validity or system impact of values entered for custom platforms. For more information, see Creating a custom platform script.
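The type check described above, as an added example that is not Safeguard's own code: values arrive from the dialog as text, are coerced to the declared type (string, boolean, integer, or secret), and secrets are masked before anything is logged. The schema format and property names are assumed for illustration; the validity of the values themselves is not, and cannot be, checked here, exactly as the page notes.

```python
"""Type check for custom-platform property values (illustrative, not Safeguard code)."""

# Constructed example schema: property name -> declared type.
# "secret" is what the API scripts call the UI's "password" type.
CUSTOM_PROPERTY_SCHEMA = {
    "ApiBaseUrl": "string",
    "VerifyTls": "boolean",
    "ApiPort": "integer",
    "ApiToken": "secret",
}

def coerce(value, declared_type):
    """Convert a dialog-supplied value to the declared type or raise ValueError."""
    if declared_type in ("string", "secret"):
        if not isinstance(value, str):
            raise ValueError(f"expected text, got {type(value).__name__}")
        return value
    if declared_type == "boolean":
        if isinstance(value, bool):
            return value
        lowered = str(value).strip().lower()
        if lowered in ("true", "false"):
            return lowered == "true"
        raise ValueError(f"{value!r} is not a boolean")
    if declared_type == "integer":
        if isinstance(value, bool):  # bool is an int subclass; reject it explicitly
            raise ValueError("boolean is not an integer")
        try:
            return int(str(value).strip(), 10)
        except ValueError:
            raise ValueError(f"{value!r} is not an integer") from None
    raise ValueError(f"unknown property type {declared_type!r}")

def validate_custom_properties(values, schema=CUSTOM_PROPERTY_SCHEMA):
    """Return (typed_values, errors); only type errors are detected, not bad values."""
    typed, errors = {}, {}
    for name, declared_type in schema.items():
        if name not in values:
            errors[name] = "missing"
            continue
        try:
            typed[name] = coerce(values[name], declared_type)
        except ValueError as exc:
            errors[name] = str(exc)
    for name in values:
        if name not in schema:
            errors[name] = "not defined by the custom platform script"
    return typed, errors

def masked_view(typed, schema=CUSTOM_PROPERTY_SCHEMA):
    """Copy that is safe to log: secret values are replaced with '***'."""
    return {k: ("***" if schema.get(k) == "secret" else v) for k, v in typed.items()}
```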

About service accounts

Safeguard for Privileged Passwords uses a service account to connect to an asset to securely manage accounts and passwords on that asset. Therefore, a service account needs sufficient permissions to edit the passwords of other accounts.

When you add an asset, Safeguard for Privileged Passwords adds its service account to the list of Accounts and designates it with a Service Account icon. By default, Safeguard for Privileged Passwords automatically manages the service account password according to the check and change schedules in the profile that governs its asset. For more information, see Creating a partition profile.

TIP: As a best practice, if you do not want Safeguard for Privileged Passwords to manage a service account password, add the account to a profile that is set to never change passwords.

NOTE: When adding a service account, Safeguard for Privileged Passwords automatically disables it from access requests. If you want the password to be available for release, click (or tap) Access Requests and select Enable Password Request. If you want to enable session access, select Enable Session Request.

If you delete a service account, Safeguard for Privileged Passwords changes the asset's authentication type to None, which disables automatic password management for all accounts associated with this asset. A user can continue to check out the passwords; however, if the policy that governs the account requires that the password change after release, the password can get stuck in a 'pending password reset' state. For more information, see Password is pending a reset.

Using a directory account as a service account for an asset

To use a directory account as a service account for an asset, you must first add the account to the directory. For more information, see Adding directory accounts to a directory.

Test connectivity

The most common causes of failure in Safeguard for Privileged Passwords are either connectivity issues between the appliance and the managed system, or problems with service accounts. If you experience issues, first verify that you can access the managed system from another system (independent of Safeguard for Privileged Passwords), using the service account. For more information about troubleshooting connectivity issues, see Test Connection failures and Connectivity failures.
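The independent check recommended above, as an added example that is not Safeguard's own code: from a host other than the appliance, confirm that the asset's session ports (the Management tab defaults of 22 for SSH and 3389 for RDP) accept a TCP connection, and that a non-interactive SSH login as the service account succeeds. The asset name and service account are constructed sample values; the SSH test assumes an OpenSSH client and key-based authentication.

```python
"""Pre-flight connectivity checks for a managed asset (illustrative, not Safeguard code)."""
import socket
import subprocess

# Session port defaults from the Management tab: SSH 22, RDP 3389.
DEFAULT_SESSION_PORTS = {"ssh": 22, "rdp": 3389}

def check_tcp_port(host, port, timeout=5.0):
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered, unreachable, timed out, or DNS failure
        return False

def check_session_ports(host, ports=None, timeout=5.0):
    """Map each session service name to whether its port is reachable."""
    ports = ports or DEFAULT_SESSION_PORTS
    return {name: check_tcp_port(host, port, timeout) for name, port in ports.items()}

def check_ssh_service_account(host, user, port=22, timeout=10):
    """Non-interactive, key-based login as the service account (the SSH Key auth type).
    BatchMode=yes makes ssh fail instead of prompting, so a non-zero exit means the
    key, user, or host-key setup is wrong rather than the run hanging on a prompt.
    Returns True only when the remote 'true' command ran."""
    cmd = ["ssh", "-o", "BatchMode=yes", "-o", f"ConnectTimeout={timeout}",
           "-p", str(port), f"{user}@{host}", "true"]
    try:
        done = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout + 5)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return False
    return done.returncode == 0

if __name__ == "__main__":
    asset, svc = "asset.example.invalid", "svc-safeguard"  # constructed sample values
    print("session ports:", check_session_ports(asset))
    print("ssh login as service account:", check_ssh_service_account(asset, svc))
```

A port that is reachable here but not from the appliance points at a firewall rule between the appliance and the asset rather than at the service account.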
