
One Identity Safeguard for Privileged Passwords 2.4 - Administration Guide


Creating an access request policy

It is the responsibility of the Security Policy Administrator to define access request policies in Safeguard for Privileged Passwords.

A policy defines the scope (that is, which assets, asset groups, accounts, or account groups), the access type (that is, password, SSH or remote desktop), and the rules for checking out passwords, such as the duration, how many approvals are required, and so forth.

Note: An access request policy is only used in the entitlement in which it is created. If you delete an entitlement, Safeguard for Privileged Passwords deletes all access request policies associated with that entitlement. You cannot copy an access request policy and add it to another entitlement; access request policies are entitlement-specific.

To add an access request policy to an entitlement

  1. Navigate to Administrative Tools | Entitlements.
  2. In Entitlements, select an entitlement from the object list and open the Access Request Policies tab.
  3. Click (or tap) Create Access Policy from the details toolbar.
  4. In the Access Request Policy dialog, provide information in each of the tabs:

    General tab

    Where you add general information about the access request policy as well as specify the type of access being requested.

    Scope tab

    Where you assign assets, asset groups, accounts, or account groups to an access request policy.

    Requester tab

    Where you configure the access request policy requester settings.

    Approver tab

    Where you configure the access request policy approver settings.

    Reviewer tab

    Where you configure the access request policy reviewer settings.

    Access Config tab

    Where you define the access settings for the selected type of request.

    Session Settings tab

    Where you configure the recording settings for session access requests.

    Time Restrictions tab

    Where you indicate policy time restrictions.

    Emergency tab

    Where you enable emergency access for the accounts governed by the access request policy.

Related Topics

Deleting an access request policy

Modifying an access request policy

Copying an access request policy

Viewing policy details

Reasons

General tab

On the General tab, enter the following information for the access request policy.

Table 111: Access Request Policy: General tab properties
Property Description
Name

Enter a unique name for the access request policy.

Limit: 50 characters

Required

Description

Enter descriptive text that explains the access request policy.

Limit: 255 characters

Priority

The priority of this policy compared to other policies in this entitlement.

If a user wants to access an account that is in the scope of two different request policies within an entitlement, the policy with the highest priority (that is, the lowest number) takes precedence. For more information, see About priority precedence.

Access Type

Specify the type of access being requested:

  • Password Release
  • RDP
  • SSH

NOTE: You can configure an access request policy for a password release; however, if the Privileged Passwords module license is not installed, you will not be able to submit a password release request.

Similarly, you can configure an access request policy for a session request, but if the license for the embedded sessions module for Safeguard for Privileged Passwords is not installed, you will not be able to initiate an RDP or SSH session request.

Have the Policy Expire on Date and Time

If applicable, select this check box to enforce an expiration date for the policy. Enter the expiration date and time.

Scope tab

Use the Scope tab to assign accounts, account groups, assets and asset groups to an access request policy.

  1. On the Scope tab:

    1. Click (or tap) Add from the details toolbar and select one of the following options:

      • Add Account Group
      • Add Account
      • Add Asset Group
      • Add Asset

      NOTE: Add Asset Group and Add Asset are only available for a session access request (that is, when access type RDP or SSH is selected on the General tab).

    2. In the selection dialog, choose one or more accounts, account groups, assets, or asset groups.

      NOTE: When adding accounts to a policy, both asset and directory accounts can be selected for a password release request policy; however, only asset accounts can be selected for an RDP or SSH sessions request policy.

    3. Click (or tap) OK to save your selection and close the dialog.

    If you do not see the account, account group, asset or asset group you are looking for, depending on your Administrator permissions, you can create it in the selection dialog. (You must have Asset Administrator permissions to create accounts and assets. You must have Security Policy Administrator permissions to create account groups and asset groups.)

  2. Repeat step one to add additional account groups, accounts, asset groups, or assets.

    NOTE: You can add multiple types of objects to a policy; however, you can only add one type of object (accounts, account groups, assets or asset groups) at a time.

All of the accounts, account groups, assets and asset groups selected appear on the Scope tab in the Access Request Policy dialog. To remove an object from the list, select the object and click (or tap) Delete.

Requester tab

Use the Requester tab to configure the requester settings for an access request policy.

Table 112: Access Request Policy: Requester tab properties
Property Description
Reasons

Click (or tap) Select Reason to add reasons to the selected access request policy. Then when requesting access to a password or a session, a user can select a predefined reason from a list.

NOTE: You must have reasons configured in Safeguard for Privileged Passwords to use this option. For more information, see Reasons. If you do not see the reason you are looking for, you can create a reason from the Reasons selection dialog by clicking the Create New toolbar button.

Require Reason

Select this check box to require that a requester provide a Reason when requesting access.

If you add reasons to a policy, and leave this option cleared, the users will have the option of choosing a reason; but they will not be required to select a reason.

NOTE: This option is only available if you have selected Reasons for the policy.

Require Comment

Select this check box to require that a requester provide a Comment when making an access request.

Require Ticket Number

Select this check box to require that a requester provide a ticket number when making an access request.

NOTE: You must have the ticketing system configured in Safeguard for Privileged Passwords to use this option. For more information, see Ticketing.

Duration of Access Approval

Enter or select the default duration (days, hours, and minutes) that the requester can access the accounts and assets governed by this policy.

NOTE: The access duration cannot exceed a total of 7 days (10080 minutes).

Allow Requester to Change Duration

Select this check box to allow the requester to modify the access duration.

Maximum Time Requester Can Have Access

If you select the Allow Requester to Change Duration option, you can set the maximum duration (days, hours, and minutes) that the requester can access the accounts and assets governed by this policy.

The default access duration is 7 days. The maximum access duration is 31 days.

NOTE: The user can change the access duration, but cannot access the accounts or assets governed by this policy for longer than the maximum access duration time.
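
As an added example (not part of this guide and not One Identity code), the limits stated above for the General, Scope and Requester tabs can be checked against a planned policy before it is entered in the console, together with the priority rule. The `Policy` field names, the scope kinds and the sample values are assumptions made for illustration; group membership is not expanded.

```python
from dataclasses import dataclass, field

SESSION_TYPES = {"RDP", "SSH"}
ACCESS_TYPES = SESSION_TYPES | {"Password Release"}
MAX_DEFAULT_MIN = 7 * 24 * 60      # 10080 minutes (Duration of Access Approval)
MAX_REQUESTER_MIN = 31 * 24 * 60   # 31 days (Maximum Time Requester Can Have Access)

@dataclass
class Policy:  # hypothetical field names, not Safeguard's API schema
    name: str
    priority: int
    access_type: str
    scope: list                    # (kind, identifier) pairs
    description: str = ""
    reasons: list = field(default_factory=list)
    require_reason: bool = False
    default_min: int = 120
    allow_change: bool = False
    max_min: int = MAX_DEFAULT_MIN

def lint(p):
    """Return labels for every limit from the guide that the policy violates."""
    session = p.access_type in SESSION_TYPES
    checks = [
        (not 1 <= len(p.name) <= 50, "name"),
        (len(p.description) > 255, "description"),
        (p.access_type not in ACCESS_TYPES, "access_type"),
        (p.require_reason and not p.reasons, "require_reason"),
        (not 0 < p.default_min <= MAX_DEFAULT_MIN, "default_duration"),
        (p.allow_change and p.max_min > MAX_REQUESTER_MIN, "max_duration"),
    ]
    for kind, ident in p.scope:
        # Assets/asset groups: RDP or SSH only. Directory accounts: password release only.
        bad = (kind in ("asset", "asset_group") and not session) or \
              (kind == "directory_account" and session)
        checks.append((bad, f"scope:{ident}"))
    return [label for failed, label in checks if failed]

def governing_policy(policies, ident):
    """Of the policies that scope ident, the lowest priority number wins."""
    hits = [p for p in policies if any(i == ident for _, i in p.scope)]
    return min(hits, key=lambda p: p.priority, default=None)

# Constructed sample policies for a single entitlement.
SSH_ROOT = Policy("Root SSH sessions", 2, "SSH",
                  [("asset", "web01"), ("account", "web01/root")])
PW_ROOT = Policy("Root password release", 1, "Password Release",
                 [("account", "web01/root"), ("asset", "web01")],
                 require_reason=True, default_min=20160)
```
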
