
One Identity Safeguard for Privileged Passwords 2.4 - Administration Guide


Checking a directory's connectivity

After you add a directory, you can use the Check Connection option to verify that Safeguard for Privileged Passwords can log into it.

Note: When you run Connect from the directory's General tab (such as when you add the directory initially), you must enter the service account credentials. Once you add the directory to Safeguard for Privileged Passwords it saves these credentials.

The Check Connection option does not require that you enter the service account credentials because it uses the saved credentials to verify that it can log into that asset.

To check a directory’s connectivity

  1. Navigate to Administrative Tools | Directories.
  2. From Directories, right-click a directory to open its context menu.
  3. Choose the Check Connection option.

    Safeguard for Privileged Passwords displays a Toolbox task pane that shows the results.

Related Topics

About Test Connection

About service accounts

Adding directory accounts to a directory

This topic explains how to add a directory account to a directory. Safeguard for Privileged Passwords also allows you to set up directory account discovery jobs that run automatically each time it synchronizes the directory. For more information, see Directory account discovery job workflow.

Note: You must add a directory to Safeguard for Privileged Passwords before you can add directory accounts.

Important: Ensure that you add only the accounts that you want Safeguard for Privileged Passwords to manage. If you add directory user accounts to a directory, Safeguard for Privileged Passwords will automatically change the user passwords according to the directory profile schedule you set, which could prevent a directory user from logging into Safeguard for Privileged Passwords. For information about how to set up directory users as Safeguard for Privileged Passwords users, see Adding a directory user account.

Important: The standard global catalog port, 3268 (LDAP), must be open on the firewall so that every Windows global catalog server in the environment and the SPP Appliance can communicate for directory management tasks (for example, adding a directory account, a directory user account, or a directory user group). LDAP uses port 389 for unencrypted connections. For more information, see the Microsoft publication How the Global Catalog Works.

To add directory accounts to a directory

  1. Navigate to Administrative Tools | Directories.
  2. In Directories, select a directory from the object list and open the Accounts tab.
  3. Click (or tap) Add Account from the details toolbar.
  4. In the Find Accounts dialog, Browse to select a container within the directory as the Filter Search Location.
  5. The Include objects from sub containers check box is selected by default indicating that child objects will be included in your search. Clear this check box to exclude child objects from your search.
  6. In the Contains field, enter a full or partial account name and click (or tap) Search.

    To search for a directory account, you must enter text into the search box. Safeguard for Privileged Passwords searches the entire forest root using the global catalog. You can search on partial strings. For example, if you enter "ad" in the Contains box, it will find any user Name or Distinguished Name that contains "ad".

    Note: The text search is not case sensitive and does not allow wild cards.

  7. The results of the search display in the Select the Account(s) to Add grid. Select one or more accounts to add to Safeguard for Privileged Passwords.
  8. Browse to select the Directory Profile you want to govern the accounts you added to Safeguard for Privileged Passwords.
  9. Click (or tap):
    1. OK to add the selected accounts to Safeguard for Privileged Passwords.

      -OR-

    2. Reoccur to configure a directory account discovery job using the search criteria. For more information, see Managing directory account discovery jobs.
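The following added example (not part of the One Identity guide or product code) models the search from steps 4 to 6 to list which matched accounts are also used to log in to Safeguard for Privileged Passwords, the case the Important note above warns about. The matching model is an assumption based on the description above; the account names, DNs and login-user list are constructed sample data.

```python
# Added example (not vendor code): a simplified model of the Find Accounts search.
# Account names, DNs and the login-user list below are constructed sample data.

def split_dn(dn):
    """Split a DN into lower-cased RDNs, keeping backslash-escaped commas intact."""
    rdns, cur, escaped = [], "", False
    for ch in dn:
        if escaped or ch != ",":
            cur += ch
            escaped = (ch == "\\") and not escaped
        else:
            rdns.append(cur.strip().lower())
            cur = ""
    return rdns + [cur.strip().lower()]

def in_scope(dn, container, include_sub):
    """True if dn sits under container; direct children only when include_sub is False."""
    acct, base = split_dn(dn), split_dn(container)
    if len(acct) <= len(base) or acct[-len(base):] != base:
        return False
    return include_sub or len(acct) == len(base) + 1

def would_match(account, contains, container, include_sub=True):
    """Case-insensitive substring test on Name or DN; no wildcard expansion."""
    if not contains:
        raise ValueError("the Contains field requires text")
    text = contains.lower()
    hit = text in account["name"].lower() or text in account["dn"].lower()
    return hit and in_scope(account["dn"], container, include_sub)

def at_risk(accounts, login_users, contains, container, include_sub=True):
    """Names of matched accounts that are also used to log in to Safeguard."""
    logins = {u.lower() for u in login_users}
    return sorted(a["name"] for a in accounts
                  if a["name"].lower() in logins
                  and would_match(a, contains, container, include_sub))

ACCOUNTS = [
    {"name": "svc-adsync", "dn": "CN=svc-adsync,OU=Service,OU=Corp,DC=example,DC=com"},
    {"name": "jsmith", "dn": "CN=jsmith,OU=Admins,OU=Corp,DC=example,DC=com"},
    {"name": "bwong", "dn": "CN=bwong,OU=Staff,OU=Corp,DC=example,DC=com"},
    {"name": "ADele", "dn": "CN=ADele,OU=Corp,DC=example,DC=com"},
]
LOGIN_USERS = {"jsmith", "adele"}  # directory users who log in to Safeguard
BASE = "OU=Corp,DC=example,DC=com"

if __name__ == "__main__":
    print(at_risk(ACCOUNTS, LOGIN_USERS, "ad", BASE))
    print(at_risk(ACCOUNTS, LOGIN_USERS, "ad", BASE, include_sub=False))
```

In the sample data, "ad" selects jsmith only because the Distinguished Name contains OU=Admins, which shows how a short Contains string can pull in every account under a matching container.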

Related Topics

Adding account dependencies

Adding a directory

Adding accounts to a directory profile

Managing directory account discovery jobs

Safeguard for Privileged Passwords allows you to set up directory account discovery jobs that run automatically each time it synchronizes the directory. For more information, see Directory account discovery job workflow.

To set up a directory account discovery job

  1. Navigate to Administrative Tools | Directories.
  2. From Directories, select a directory from the object list and open the Accounts tab.
  3. Click (or tap) Manage Discovery from the details toolbar.
  4. In the Manage Discovery dialog, click (or tap) Add to open the Directory Account Discovery dialog.

    Note: This dialog also opens when you select Reoccur in the Find Accounts dialog. For more information, see Adding directory accounts to a directory.

  5. Add information to these tabs:
    General tab

    Where you enter the directory account discovery job name and designate the directory profile to govern the accounts the discovery job adds to Safeguard for Privileged Passwords.

    Rules tab

    Where you configure the search criteria for the discovery job.

General tab

Use the Directory Account Discovery General tab to specify the following details about the discovery job.

Table 98: Directory Account Discovery: General tab properties

| Property | Description |
|---|---|
| Name | Enter a name for the directory account discovery job. Limit: 50 characters. Required. |
| Description | Enter a description of the directory account discovery job. Limit: 255 characters. |
| Directory Profile | Browse to select the Directory Profile you want to govern the accounts the discovery job adds to Safeguard for Privileged Passwords. |
