Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 2.4 - Administration Guide

Introduction System requirements Installing the One Identity Safeguard for Privileged Passwords desktop client Setting up Safeguard for Privileged Passwords for the first time Getting acquainted with the console Privileged access requests Toolbox Accounts Account Groups Assets Asset Groups Directories Entitlements Partitions Settings
Access Request settings Appliance settings Asset Management settings Backup and Retention settings Certificate settings Cluster settings External Integration settings Messaging settings Profile settings Access settings Sessions settings
Users User Groups Disaster recovery Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions
How do I access the API How do I audit transaction activity How do I configure external federation authentication How do I manage accounts on unsupported platforms How do I modify the appliance configuration settings How do I prevent Safeguard for Privileged Passwords messages when making RDP connections How do I see which assets and/or accounts are governed by a profile How do I set the appliance system time How do I setup discovery jobs How do Safeguard for Privileged Passwords database servers use SSL What are the access request states What do I do when an appliance goes into quarantine What is required for One Identity Safeguard for Privileged Passwords Privileged Sessions What is required to integrate with Starling Identity Analytics & Risk Intelligence What needs to be set up to use Application to Application What role-based email notifications are generated by default When does the rules engine run for dynamic grouping and tagging Why did the password change during an open request Why join Safeguard for Privileged Passwords to One Identity Starling
Safeguard Desktop Player Appendix: Safeguard ports

Approver tab

Use the Approver tab to specify the approver settings for an access request policy.

Table 113: Access Request Policy: Approver tab properties
Property Description

Auto-Approved

Select this option to automatically approve all access requests for accounts and assets governed by this policy.

Notify when Account is Auto-Approved | To

(Optional) When no approvals are required, enter an email address or select To to choose a user to notify when access is auto-approved.

If you used the To button to add Safeguard for Privileged Passwords users, you can use the Clear icon to remove an individual address from this list or right-click and select Remove All to clear all addresses from the list.

NOTE: To send event notifications to a user, you must configure Safeguard for Privileged Passwords to send alerts. For more information, see Configuring alerts.

Approvals Required

Select this option to require approval for all access requests for accounts and assets governed by this policy. Enter the following information:

  • Qty: Enter or select the minimum number of approvals required from the selected users or user groups listed as Approvers.
  • Approvers: Browse to select one or more users or user groups who can approve access requests for accounts and assets governed by this policy.

    Use the Clear icon to remove an individual "approver" user or user group from this list or right-click and select Remove All to clear all users from the list.

    Click (or tap)  Add or  Delete to add or remove approver sets.

    NOTE: The order of the approver sets is not significant, but all requirements must be met; that is, a request must obtain the number of approvals from each approver set defined.

    TIP: As a best practice, add user groups as approvers rather than individuals. This makes it possible to add an individual approver to a pending access request. In addition, you can modify an approvers list without editing the policy.

    NOTE: The users you authorize as "approvers" receive alerts when an access request requires their approval if they have Safeguard for Privileged Passwords configured to send alerts.

Notify if approvers have pending requests after

To

(Optional) Select this check box to enable notifications.

  • Set the amount of time (days, hours, and minutes) to wait before notifying the escalation notification contact list about pending approvals.
  • Enter an email address or select To to choose an email address of a Safeguard for Privileged Passwords user.

    If you used the To button to add Safeguard for Privileged Passwords users, you can use the Clear icon to remove an individual address from this list or right-click and select Remove All to clear all addresses from the list.

NOTE: You can enter email addresses for non-Safeguard for Privileged Passwords users.

Important: Safeguard for Privileged Passwords does not dynamically maintain the email addresses for an escalation notification contact list. If you change a Safeguard for Privileged Passwords user's email address or delete a Safeguard for Privileged Passwords user after creating a policy, you must update the email addresses in an escalation notification contact list manually. For more information, see User not notified.

NOTE: To send event notifications to a user, you must configure Safeguard for Privileged Passwords to send alerts. For more information, see Configuring alerts.

Approval Anywhere has been enabled. View enabled users.

Indicates that the Approval Anywhere feature has been configured. Click (or tap) the users link to view a list of the users who are authorized to approve requests using this feature.

NOTE: You can add users as Approval Anywhere approvers by clicking the Add toolbar button in the Approval Anywhere Users dialog.

Reviewer tab

Use the Reviewer tab to define the reviewer settings for an access request policy.

Table 114: Access Request Policy: Reviewer tab properties
Property Description

Review Not Required

This check box is selected by default indicating that no review is required for completed access requests for accounts and assets governed by this policy.

NOTE: When this option is selected, no other options are available.

Review Required

Select this check box to require a review of completed access requests for accounts and assets governed by this policy.

  • Qty: Enter or select the minimum number of people required to review a completed access request.
  • Reviewers: Browse to select one or more users or groups of users who can review access requests for accounts and assets governed by this policy.

    Use the Clear icon to remove an individual "reviewer" user or user group from this list or right-click and select Remove All to clear all users from the list.

NOTE: A reviewer can only review an access request once it is completed.

TIP: As a best practice, add user groups as reviews rather than individuals. This makes it possible to add an individual reviewer to a pending access request. In addition, you can modify a reviewers list without editing the policy.

NOTE: The users you authorize as "reviewers" receive alerts when an access request requires their review if they have Safeguard for Privileged Passwords configured to send alerts.

Require Comment

Select this check box if the reviewer is required to enter a comment when reviewing an access request.

Notify if reviewers have pending reviews after

To

(Optional) Select this check box to enable notifications.

  • Set the amount of time (days, hours, and minutes) to wait before reminding the escalation notification contact list about pending reviews.
  • Enter an email address or select To to choose an email address of a Safeguard for Privileged Passwords user.

    If you used the To button to add Safeguard for Privileged Passwords users, you can use the Clear icon to remove an individual address from this list or right-click and select Remove All to clear all addresses from the list.

NOTE: You can enter email addresses for non-Safeguard for Privileged Passwords users.

Important: Safeguard for Privileged Passwords does not dynamically maintain the email addresses for an escalation notification contact list. If you change a Safeguard for Privileged Passwords user's email address or delete a Safeguard for Privileged Passwords user after creating a policy, you must update the email addresses in an escalation notification contact list manually. For more information, see User not notified.

NOTE: To send event notifications to a user, you must configure Safeguard for Privileged Passwords to send alerts. For more information, see Configuring alerts.

Access Config tab

Use the Access Config tab to configure the access settings for the type of access being requested, based on the access type specified on the General tab.

Table 115: Access Request Policy: Access Config tab properties

Property

Description

Access Type

This is a read-only field displaying the type of access selected on the General tab:

  • Password Release
  • SSH
  • RDP

Include password release with sessions requests

Select this check box to include a password release with session access requests.

NOTE: This setting is only available for SSH and RDP session requests.

Terminate expired sessions

Select this check box to terminate sessions that have expired.

NOTE: This setting is only available for SSH and RDP session requests.

Change password after check-in

Select this check box if the password is to be changed after the user checks it back in.

NOTE: For password release requests, this option is selected by default.

Allow simultaneous access

Select this check box to allow multiple users access to the accounts and assets governed by this policy.

Maximum users at one time

When the Allow simultaneous access option is selected, enter the maximum number of users that can request access at one time.

Asset-Based Session Access

Select one of the following options to define the type of account credentials to be used to access the asset or account when a session is requested:

  • None (default): The credentials are retrieved from the vault when the session is requested.
  • User Supplied: The "requester" user must provide the credentials when the session is requested.
  • Linked Account: The "requester" user's account is linked to an asset account that will be used when the session is requested.
  • Directory Account: Use the Browse button to select the directory account to be used when the session is requested.

NOTE: This setting is only available for SSH and RDP session requests.

Session Settings tab

Navigate to Administrative Tools | Entitlements | Session Settings.

If Safeguard for Privileged Passwords is joined to the Safeguard Sessions Appliance, you will select a Connection Policy.

If you are using the embedded sessions module for Safeguard for Privileged Passwords, use the Session Settings tab to configure the settings for session access requests (below). The settings on this tab only apply to RDP and SSH (session) access requests.

Property

Description

Record sessions

For SSH and RDP, this check box is selected by default indicating that all sessions for the accounts and assets governed by this policy are to be recorded.

Enable Command Detection (SSH)

For SSH session requests, select the Enable Command Detection check box to enable command detection, which means commands that are executed on the target host are detected and logged.

SSH Controls

If SSH is selected as the access type on the General tab, select one or more of the following options to create a session that uses the specified protocol:

  • Allow SFTP (Secure File Transfer)
  • Allow SCP (Secure Copy)
  • Allow X11 Forwarding (Forwards the graphical X-server session from the server to the client.)

NOTE: The data transferred during a session using one of these protocols is currently not available for play back in this initial release of Safeguard.

Enable Windows Title Detection (RDP)

For RDP session requests, select the Enable Windows Title Detection check box to enable windows title detection, which means the titles of all windows opened on the desktop during a privileged session are detected and logged.

You can configure Safeguard for Privileged Passwords to send these actions to a syslog server, in an email message, or via an SNMP trap. For more information, see External Integration settings.

RDP In-Session Controls

If RDP is selected as the access type on the General tab, select the following option if you want to allow the user to transfer data via the clipboard:

  • Allow Clipboard

Selecting this option allows the users to copy a file or text from the client machine and paste it to the remote server. The data copied during a session using this option is currently not available for play back in this initial release of Safeguard.

Related Documents