Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 2.4 - Administration Guide

Introduction System requirements Installing the One Identity Safeguard for Privileged Passwords desktop client Setting up Safeguard for Privileged Passwords for the first time Getting acquainted with the console Privileged access requests Toolbox Accounts Account Groups Assets Asset Groups Directories Entitlements Partitions Settings
Access Request settings Appliance settings Asset Management settings Backup and Retention settings Certificate settings Cluster settings External Integration settings Messaging settings Profile settings Access settings Sessions settings
Users User Groups Disaster recovery Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions
How do I access the API How do I audit transaction activity How do I configure external federation authentication How do I manage accounts on unsupported platforms How do I modify the appliance configuration settings How do I prevent Safeguard for Privileged Passwords messages when making RDP connections How do I see which assets and/or accounts are governed by a profile How do I set the appliance system time How do I setup discovery jobs How do Safeguard for Privileged Passwords database servers use SSL What are the access request states What do I do when an appliance goes into quarantine What is required for One Identity Safeguard for Privileged Passwords Privileged Sessions What is required to integrate with Starling Identity Analytics & Risk Intelligence What needs to be set up to use Application to Application What role-based email notifications are generated by default When does the rules engine run for dynamic grouping and tagging Why did the password change during an open request Why join Safeguard for Privileged Passwords to One Identity Starling
Safeguard Desktop Player Appendix: Safeguard ports

Access Request settings

Use the Access Request settings to enable (or disable) access request and password management services and to define global reason codes that can be used when creating access request policies.

Navigate to Administrative Tools | Settings.

Table 132: Access Request settings
Setting Description
Enable or Disable Services (Access request and password management services)

Where you enable or disable the following Safeguard for Privileged Passwords services:

  • Session requests
  • Password requests
  • Check password management
  • Change password management
Reasons

Where you configure access request reason codes, which can then be used when creating access request policies.

Enable or Disable Services

One Identity Safeguard for Privileged Passwords allows you to enable or disable access request and password management services. These settings control session and password release requests, manual account password validation and reset tasks as well as the automatic profile check and change tasks in Directories and Partitions.

All services are enabled by default. The toggles appear blue with the switch to the right when a service is enabled and gray with the switch to the left when a service is disabled.

NOTE: Even though these global settings are enabled by default. By default, these services are disabled for service accounts and for accounts and assets found as part of a discovery job.

Service accounts can be modified to adhere to these schedules and discovered accounts can be activated when managed.

It is the responsibility of the Appliance Administrator to manage the access request and password management services.

Navigate to Administrative Tools | Settings | Access Request | Enable or Disable Services.

Table 133: Enable or Disable Services settings
Setting Description
Session Requests Enabled

Session requests are enabled by default indicating that authorized users can make session access requests.

Click (or tap) the Session Requests Enabled toggle to disable this service so sessions can not be requested.

NOTE: When the Privileged Sessions module is disabled, no new session access requests can be initiated. Depending on the access request policies that control the target asset/account, you will see a message informing you that Sessions is not available.

In addition, current session access requests cannot be launched. Again a message appears informing you Sessions is not available. For example, you may see the following message "This feature is temporarily disabled. See your appliance administrator for details".

Password Requests Enabled

Password requests are enabled by default indicating that authorized users can make password release requests

Click (or tap) the Password Requests Enabled toggle to disable this service so passwords can not be requested.

NOTE: Disabling the password request service will place any open requests on hold until this service is re-enabled.

Check Password Management Enabled

Check password management is enabled by default indicating that Safeguard for Privileged Passwords automatically performs the password check task if the profile is scheduled, and allows you to manually check an account's password.

Click (or tap) the Check Password Management Enabled toggle to disable the password validation service.

Note: Safeguard for Privileged Passwords enables automatic password management services by default. Typically, you would only disable them during an organization-wide maintenance window.

When disabling a password management service, Safeguard for Privileged Passwords allows all currently running tasks to complete; however, no new tasks will be allowed to start.

Change Password Management Enabled

Change password management is enabled by default indicating that Safeguard for Privileged Passwords automatically performs the password change task if the profile is scheduled, and allows you to manually reset an account's password.

Click (or tap) the Change Password Management Enabled toggle to disable the password reset service.

Note: Safeguard for Privileged Passwords enables automatic password management services by default. Typically, you would only disable them during an organization-wide maintenance window.

When disabling a password management service, Safeguard for Privileged Passwords allows all currently running tasks to complete; however, no new tasks will be allowed to start.

Reasons

In an access request policy, a Security Policy Administrator can require that a requester provide a reason for requesting access to a password or session. Then, when requesting access, the user can select a predefined reason from a list. For example, you might use these access request reasons:

  • Software Updates
  • System Maintenance
  • Hardware Issues
  • Problem Ticket

To configure access request reasons

  1. Navigate to Administrative Tools | Settings | Access Request | Reasons.
  2. Click (or tap) Add Reason to add a new reason.
  3. In the Reason dialog, enter the following:
    1. Name: Enter a name for the reason.

      Limit: 50 characters

      Required

    2. Description: Enter a description for the reason.

      Limit: 255 characters

      Required

  4. Click (or tap) Add Reason.
  5. To edit a reason, click (or tap) Edit Reason.

    The Reason dialog appears allowing you to modify the name or description.

  6. To delete a reason, click (or tap) Delete Reason.

    In the confirmation dialog, click (or tap) Yes.

Related Topics

Creating an access request policy

Appliance settings

Use the Appliance settings to view general information about the appliance, run diagnostic tools, and reset or update the One Identity Safeguard for Privileged Passwords appliance.

Navigate to Administrative Tools | Settings | Appliance.

One Identity Safeguard for Privileged Passwords provides the following information to help you resolve many common problems you may encounter as you deploy and use your appliance.

Table 134: Appliance settings
Setting Description

Appliance Information

Where you view general information about the appliance, as well as its performance utilization and the memory usage. This page also contains power controls to shut down or restart your appliance.

Diagnostics

Where you run diagnostic tests on your appliance.

Enable or Disable Services (Application to Application service)

Where you enable or disable the Application to Application functionality.

Factory Reset from the desktop client

Where you perform a factory reset to revert your appliance to its original state when it first came from the factory.

Licensing

Where you add or update a Safeguard for Privileged Passwords license.

Lights Out Management (BMC)

Where you enable and disable lights out management, which allows you to remotely manage the power state and serial console to Safeguard for Privileged Passwords using the baseboard management controller (BMC).

Networking

Where you view and configure the primary network interface, and if applicable, the sessions network interface.

Support Bundle

Where you create a support bundle containing system and configuration information to send to One Identity Support to analyze and diagnose issues with your appliance.

If you have the Privileged Sessions module licensed, this is where you enable (and disable) session debug logging to be included in a support bundle.

Time

Where you enable Network Time Protocol (NTP) and set the primary and secondary NTP servers.

NOTE: A replica in the cluster will always reference the primary appliance as its NTP server.

Updates

Where you upload and install an update file. For more information, see Updates.

In addition to the appliance options, One Identity Safeguard for Privileged Passwords provides these troubleshooting tools:

Table 135: Additional troubleshooting tools
Tool Description

Activity Center

View the details of specific events or user activity. For more information, see Activity Center.

LCD status messages

An LCD screen on the appliance to view the status of the appliance as it is starting up or shutting down. For more information, see LCD status messages.

Recovery kiosk

A terminal or laptop connected directly to the appliance to view basic appliance information, restart the appliance remotely, shut down the appliance, reset the bootstrap administrator’s password to its initial value, perform a factory rest, or to generate and send a support bundle to a Windows share. For more information, see Recovery kiosk.
Related Documents