One Identity Safeguard for Privileged Passwords 2.4 - Administration Guide

Deleting an asset group

Note: When you delete an asset group, Safeguard for Privileged Passwords does not delete the associated assets.

To delete an asset group

  1. Navigate to Administrative Tools | Asset Groups.
  2. In Asset Groups, select an asset group from the object list.
  3. Click (or tap) Delete Selected.
  4. Confirm your request.

Directories

You can leverage your existing directory infrastructure (such as Microsoft Active Directory) in One Identity Safeguard for Privileged Passwords. Once you import directory users and directory groups, Safeguard for Privileged Passwords automatically synchronizes the objects in its database with the directory schema attributes. User and group membership changes in the directory are reflected in Safeguard for Privileged Passwords. Directory users authenticate to Safeguard for Privileged Passwords with their directory credentials.

Safeguard for Privileged Passwords supports the RBAC model of separation of duties. With directory integration there are three distinct roles in play: the Directory Administrator, the User Administrator, and the Security Policy Administrator.

  • The Directory Administrator integrates the directory with Safeguard for Privileged Passwords by specifying the credentials Safeguard for Privileged Passwords should use to read from the directory. They also add the directory accounts to make them available for use in access request policies.
  • The User Administrator adds directory users and directory groups to Safeguard for Privileged Passwords.
  • The Security Policy Administrator assigns directory users and groups to access request policies to get access to privileged passwords.

The Auditor and the Directory Administrator have permission to access Directories.

The Directories view displays the following information about the selected directory.

Table 83: Directories: Tabs

| Tab | Description |
| --- | --- |
| General tab | Displays general and attribute settings information. |
| Accounts tab | Displays the user accounts associated with the selected directory. |
| Profiles tab | Displays the profiles associated with the selected directory. |
| Discovered Accounts tab | Displays the accounts Safeguard for Privileged Passwords discovers when it runs a directory account discovery job. For more information, see Directory account discovery job workflow. |
| History tab | Displays the details of each operation that has affected the selected directory. |

Use these toolbar buttons to manage directories.

Table 84: Directories: Toolbar

| Option | Description |
| --- | --- |
| Add Directory | Add an external identity provider, such as Active Directory, to Safeguard for Privileged Passwords. For more information, see Adding a directory. |
| Delete Selected | Remove the selected directory. For more information, see Deleting a directory. |
| Refresh | Update the list of directories. |
| Sync Now | Click (or tap) Sync Now to: |

Use these context menu options to manage directories:

Table 85: Directories context menu options

| Option | Description |
| --- | --- |
| Check Connection | Select to verify that Safeguard for Privileged Passwords can log into the directory using the current service account credentials. For more information, see Checking a directory's connectivity. |
| Delete Selected | Remove the selected directory from Safeguard for Privileged Passwords. For more information, see Deleting a directory. |

General tab

The General tab lists information about the selected directory.

Large tiles at the top of the tab display the number of directory Accounts, Profiles, and Discovered Accounts associated with the selected directory.

Table 86: Directories General tab: General properties

| Property | Description |
| --- | --- |
| Forest Root Domain Name | The forest root domain name. |
| Domains | A list of domain names in the forest. |
| Service Account Domain Name | The service account's fully qualified directory domain name. |
| Service Account Name | An account Safeguard for Privileged Passwords uses for management tasks. |
| Sync additions every | The interval for synchronizing additions to the directory object (group membership and user account attributes) properties. |
| Sync deletions every | The interval for synchronizing deletions from the directory object properties. |
| Last Sync | The last date and time Safeguard for Privileged Passwords synchronized its database with the selected directory object properties. |
| Last Delete Sync | The last date and time Safeguard for Privileged Passwords synchronized deletions from the directory object properties. |
| Last Failure Sync | The last date and time Safeguard for Privileged Passwords failed to synchronize its database with the selected directory. |
| Last Success Sync | The last date and time Safeguard for Privileged Passwords successfully synchronized its database with the selected directory. |
| Last Failure Delete Sync | The last date and time Safeguard for Privileged Passwords failed to synchronize deletions from the directory object properties. |
| Last Success Delete Sync | The last date and time Safeguard for Privileged Passwords successfully synchronized deletions from the directory object properties. |
| Last Failure Account Discovery | The date and time of the last failed account discovery job. |
| Last Success Account Discovery | The date and time of the last successful account discovery job. |

Table 87: Directories General tab: Attribute properties

| Safeguard for Privileged Passwords Attribute | Directory Attribute |
| --- | --- |
| User Attributes | |
| Object Class | inetOrgPerson, the default user object class. |
| User Name | cn, the user's common name. |
| Password | userPassword, the user's password. |
| First Name | givenName, the user's given name. |
| Last Name | sn, the user's last name. |
| Work Phone | telephoneNumber, the user's work telephone number. |
| Mobile Phone | mobile, the user's primary mobile telephone number. |
| Email Address | mail, the user's email address. |
| Description | description, the description of the user. |
| Computer Attributes | |
| Object Class | ipHost, the default computer object class. |
| Name | cn, the computer's common name. |
| Network Address | ipHostNumber, the network DNS name or IP address of the LDAP server. |
| Operating System | operatingSystem, the default operating system. |
| Operating System Version | operatingSystemVersion, the default operating system version. |
| Description | description, the description of the computer. |
| Group Attributes | |
| Object Class | groupOfNames, the default group object class. |
| Name | cn, the group's common name. |
| Member | member, the group's member name. |
| Description | description, the description of the group. |

Note: For more information about how to synchronize the objects in Safeguard for Privileged Passwords to directory schema attributes, see Adding a directory.

Description: Information about the selected directory.

Related Topics

Modifying a directory

Accounts tab

The Accounts tab displays the user accounts associated with the selected directory.

Table 88: Directories: Accounts tab properties

| Property | Description |
| --- | --- |
| Name | Name of a user account you can use to log into the selected directory. |
| Domain Name | The forest root domain name for the selected directory. |
| Profile | The name of the profile that manages the selected directory account. |
| Service Account | A check in this column indicates that the selected account is a service account. |
| Password Request | A check in this column indicates that password release requests are enabled for this account. NOTE: Click (or tap) Access Requests from the details toolbar to enable or disable a user's ability to request access to the selected directory account. |
| Session Request | A check in this column indicates that session access requests are enabled for this account. NOTE: Click (or tap) Access Requests from the details toolbar to enable or disable a user's ability to request access to the selected directory account. |
| Needs a Password | Displays if a password is not set for the selected directory account. For more information, see Setting directory account passwords. |
| Distinguished Name | The distinguished name for the selected directory. |
| Description | Information about the selected account. NOTE: Safeguard for Privileged Passwords may truncate the description when it imports the directory account if the description contains more than 255 characters. |

When you add a directory, Safeguard for Privileged Passwords adds its service account to the list of accounts in the Accounts tab. By default, Safeguard for Privileged Passwords automatically manages the service account password according to the Check and Change settings in the profile that governs the directory. For more information, see Creating a directory profile. If you do not want Safeguard for Privileged Passwords to manage the service account password, add the account to a profile that is set to never change passwords.

Note: When you add the directory, Safeguard for Privileged Passwords automatically adds the service account to the directory's Accounts tab and disables it for access requests. If you want the password to be available for release, click (or tap) Access Requests and select Enable Password Request from the details toolbar. If you want to enable session access, select Enable Session Request.
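The following Python check is an added example, not part of One Identity's documentation or product code. It reviews the General tab sync properties and the Accounts tab columns described above, flagging a directory whose last failure is newer than its last success and a service account that has been enabled for access requests. The dict layout, the `max_age` threshold, the account names, and all sample values are assumptions constructed for illustration; the code does not call the Safeguard API.

```python
from datetime import datetime, timedelta

# (failure, success) property pairs from the General tab (Table 86).
SYNC_PAIRS = [
    ("Last Failure Sync", "Last Success Sync"),
    ("Last Failure Delete Sync", "Last Success Delete Sync"),
    ("Last Failure Account Discovery", "Last Success Account Discovery"),
]

def audit_directory(general, accounts, now, max_age):
    """Return review findings for one directory.
    general: dict of General tab property name -> datetime or None.
    accounts: list of dicts keyed by Accounts tab column name.
    max_age: assumed threshold for the oldest acceptable successful run."""
    findings = []
    for fail_key, ok_key in SYNC_PAIRS:
        failed, ok = general.get(fail_key), general.get(ok_key)
        if ok is None:
            findings.append(f"{ok_key}: no successful run recorded")
        elif failed is not None and failed > ok:
            findings.append(f"{fail_key}: newer than last success")
        elif now - ok > max_age:
            findings.append(f"{ok_key}: older than {max_age}")
    for acct in accounts:
        # Service accounts are disabled for access requests by default,
        # so an enabled one is a deliberate change worth reviewing.
        if acct.get("Service Account"):
            for col in ("Password Request", "Session Request"):
                if acct.get(col):
                    findings.append(f"{acct['Name']}: service account has {col} enabled")
        if acct.get("Needs a Password"):
            findings.append(f"{acct['Name']}: no password set")
    return findings

# Constructed sample data, not taken from a real appliance.
NOW = datetime(2019, 1, 10, 12, 0)
GENERAL = {
    "Last Success Sync": datetime(2019, 1, 10, 11, 45),
    "Last Failure Sync": datetime(2019, 1, 9, 8, 0),
    "Last Success Delete Sync": datetime(2019, 1, 8, 2, 0),
    "Last Failure Delete Sync": datetime(2019, 1, 10, 2, 0),
}  # account discovery keys absent: no job has run
ACCOUNTS = [
    {"Name": "svc-safeguard", "Service Account": True, "Password Request": True},
    {"Name": "helpdesk-admin", "Needs a Password": True},
]

if __name__ == "__main__":
    for finding in audit_directory(GENERAL, ACCOUNTS, NOW, timedelta(days=1)):
        print(finding)
```

A failed deletion sync is the finding to act on first, because removals made in the directory are not reflected in Safeguard for Privileged Passwords until a deletion sync succeeds.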

Use these buttons on the details toolbar to manage your directory accounts.

Table 89: Directories: Accounts tab toolbar

| Option | Description |
| --- | --- |
| Add Account | Add directory accounts to the selected directory. For more information, see Adding directory accounts to a directory. |
| Delete Selected | Remove the selected directory account. For more information, see Deleting a directory. |
| Refresh | Update the list of directory accounts. |
| Manage Discovery | Add or modify directory account discovery jobs. For more information, see Managing directory account discovery jobs. |
| Account Security | Menu options include: Check Password, Change Password, and Set Password. For more information, see Checking, changing, or setting an account password. |
| Password Archive | Display the password history for the selected directory account. For more information, see Viewing password archive. |
| Access Requests | Select an option to enable or disable a user's ability to request the selected directory account's password or session access. Menu options include: Enable Password Request, Disable Password Request, Enable Session Request, Disable Session Request. |
| Set Profile | Select a profile to manage the selected directory account. |
| Add to Account Groups | Add the selected account to one or more account groups. |
| Details | View the general details and tags associated with the selected account. |
| Search | To locate a specific directory account or set of accounts in this list, enter the character string to be used to search for a match. For more information, see Search box. |
