
One Identity Safeguard for Privileged Passwords 2.4 - Administration Guide


Adding an asset account discovery rule

When you select the Find accounts based on rules option in the Account Discovery Settings dialog, Safeguard for Privileged Passwords displays the discovery rules already configured for this partition and lets you add a new rule.

Note: Account discovery is not available for Macintosh OS X platforms.

Note: A search term must match the whole name, not a substring. A user name search for "ADM" returns only "ADM", not "AADMM" or "1ADM2". To find every name that contains "ADM", wrap the term in ".*" wildcards, like this: .*ADM.*

All search terms are case sensitive, even on Windows platforms, where account names themselves are not. To find all accounts that start with "adm" regardless of case, enter [Aa][Dd][Mm].* rather than adm.*.

To add an asset account discovery rule

  1. Navigate to Administrative Tools | Settings | Asset Management | Account Discovery.
  2. In the Account Discovery Settings dialog, select the Find accounts based on rules option. The discovery rules already configured for this partition display.

    Note: For information about how to find this option, see Adding an asset account discovery setting.

  3. Click (or tap) Add Discovery Rule to open the Account Discovery Rule dialog.
  4. Set the discovery rule search criteria:
    Name

    Enter a unique name for the account discovery rule.

    Limit: 50 characters

    Required

    RID

    Enter one or more Relative Identifier numbers. To enter multiple IDs or ID ranges, you must enter each element of the list separately. For example: enter 1000, enter 5000-7000, then enter 10000.

    NOTE: Spaces and commas are not allowed.

    Limit: 255 numeric characters

    GID

    Enter one or more Group Identifier numbers. To enter multiple IDs or ID ranges, you must enter each element of the list separately. For example: enter 8, enter 10-12, then enter 15.

    NOTE: Spaces and commas are not allowed.

    Limit: 255 numeric characters

    UID

    Enter one or more User Identifier numbers. To enter multiple IDs or ID ranges, you must enter each element of the list separately. For example: enter 1, enter 5-7, then enter 10.

    NOTE: Spaces and commas are not allowed.

    Limit: 255 numeric characters

    Name

    Enter a single regular expression pattern that the account name must match in full. Matching is exact and case sensitive, as described in the notes at the start of this topic.

    NOTE: For more information, see Regular Expression Language - Quick Reference.

    Limit: 255 alphanumeric characters

    Group

    Enter a single regular expression pattern that the account's group name must match in full. The same exact, case-sensitive matching applies.

    NOTE: For more information, see Regular Expression Language - Quick Reference.

    Limit: 255 alphanumeric characters

  5. To test the rule before saving it, click (or tap) Preview.

    The Assets dialog lists the assets assigned to this partition so that you can choose one to test the rule against.

  6. Select an asset on which to run the proposed discovery rule and click (or tap) OK.

    The Accounts dialog displays a preview list of all the accounts on that asset that meet the rule's criteria.

  7. Close the Accounts list to return to the Account Discovery Rule dialog. If the preview shows the accounts you expect, click (or tap) OK to save the rule; otherwise modify the rule criteria and run Preview again.

    Safeguard for Privileged Passwords adds the new rule to the Account Discovery Settings dialog.

  8. Optionally select the Automatically Manage Found Accounts check box to automatically add the discovered accounts to Safeguard for Privileged Passwords.
  9. Click (or tap) OK to save the discovery job.

When Safeguard for Privileged Passwords runs the discovery job, according to the schedule you have set, it displays the accounts it finds on the partition's Discovered Accounts tab.
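The matching rules described above (whole-name, case-sensitive regular expressions, and RID/GID/UID lists entered one element at a time) applied to a constructed account list, as an added example that is not part of this guide and not Safeguard for Privileged Passwords code. It assumes that Safeguard's pattern engine behaves like Python's re.fullmatch for the patterns shown (the guide refers to the .NET regular expression language) and that a rule combines its fields with AND; SAMPLE_ACCOUNTS, parse_id_list, name_matches and find_accounts are names chosen for this example.

```python
import re

# Constructed sample of what a discovery job might enumerate from a Linux
# asset (name, uid, gid). These rows are made up for the example.
SAMPLE_ACCOUNTS = [
    {"name": "ADM", "uid": 1000, "gid": 8},
    {"name": "adm", "uid": 1001, "gid": 10},
    {"name": "AADMM", "uid": 5500, "gid": 11},
    {"name": "1ADM2", "uid": 7001, "gid": 12},
    {"name": "backup", "uid": 10000, "gid": 15},
    {"name": "root", "uid": 0, "gid": 0},
]


def parse_id_list(elements):
    """Turn a RID/GID/UID list entered one element at a time ("1", "5-7", "10")
    into a set of integers. Each element must be N or N-M; spaces and commas
    are rejected, matching the note in the dialog."""
    ids = set()
    for element in elements:
        if not re.fullmatch(r"\d+(-\d+)?", element):
            raise ValueError(f"invalid ID element {element!r}: only N or N-M is allowed")
        low, _, high = element.partition("-")
        high = high or low
        if int(high) < int(low):
            raise ValueError(f"range {element!r} is reversed")
        ids.update(range(int(low), int(high) + 1))
    return ids


def name_matches(pattern, name):
    """Apply the pattern the way the guide describes: the whole name must match,
    case sensitively, so 'ADM' hits only 'ADM'. Assumption: Safeguard's engine
    agrees with re.fullmatch for these patterns."""
    return re.fullmatch(pattern, name) is not None


def find_accounts(accounts, name_pattern=None, uid=None, gid=None):
    """Return the names of accounts that satisfy every criterion given.
    Criteria left unset are ignored (assumed rule semantics)."""
    uid_set = parse_id_list(uid) if uid else None
    gid_set = parse_id_list(gid) if gid else None
    found = []
    for acct in accounts:
        if name_pattern is not None and not name_matches(name_pattern, acct["name"]):
            continue
        if uid_set is not None and acct["uid"] not in uid_set:
            continue
        if gid_set is not None and acct["gid"] not in gid_set:
            continue
        found.append(acct["name"])
    return found


if __name__ == "__main__":
    # Exact match: only "ADM" is returned, not "AADMM" or "1ADM2".
    print(find_accounts(SAMPLE_ACCOUNTS, name_pattern="ADM"))
    # Wildcards on both sides: every name containing "ADM" (case sensitive).
    print(find_accounts(SAMPLE_ACCOUNTS, name_pattern=".*ADM.*"))
    # Bracket classes: names starting with "adm" in any case.
    print(find_accounts(SAMPLE_ACCOUNTS, name_pattern="[Aa][Dd][Mm].*"))
    # UID list entered as three elements: 1000, 5000-7000, 10000.
    print(find_accounts(SAMPLE_ACCOUNTS, uid=["1000", "5000-7000", "10000"]))
```

The Preview step in the dialog remains the authoritative check, because it runs against the asset's real account list; this script is only a quick way to confirm that a pattern is anchored and cased the way you intend before you run Preview.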

Custom Platforms

The Asset Administrator adds a custom platform which includes uploading the custom platform script with the platform's commands and details. Auditors and Partition Administrators have read only rights. Custom platforms are global across all partitions. The custom platform can be selected when adding or updating an asset.

NOTE: Only SSH-based custom platforms are supported in Safeguard for Privileged Passwords 2.4. Other protocols will be added in the future.

Create and manage custom platforms in Administrative Tools | Settings | Asset Management | Custom Platforms.

The Custom Platform pane displays the following.

Table 152: Custom Platform: Properties
Property Description
Name

The name of the platform type which may be a product name.

Version

The version of the operating system to use as an identifier.

Architecture

The CPU architecture to use as an identifier.

Allow Sessions

If selected, session access requests are allowed.

Use the following toolbar buttons to manage the custom platform settings.

Table 153: Custom Platform: Toolbar
Option Description
Add

Add a custom platform. For more information, see Adding a custom platform.

Delete Selected

Remove the selected custom platform.

CAUTION: If the custom platform is associated with an asset, deleting the custom platform may halt password validation and reset. A warning displays indicating that the asset will be assigned to the Product platform type "Other". Enter "Force Delete" to confirm the deletion.

Refresh

Update the list of custom platforms.

View

View the custom platform script parameters including:

  • Transports, for example SSH.
  • Supported operations, for example Suspend and Restore Accounts, Password Management, and Session Management.
  • Details including Name, Task, Type, Default, and Description.
Download Selected Script

Download the selected custom platform JSON script.

Related Topics

Creating a custom platform script

Adding a custom platform

Creating a custom platform script

A custom platform script identifies the platform's commands and associated details. Scripts are written in JSON. Scripts include meta-data, parameters, function blocks, operations, and if/then constructs to authenticate to the platform and perform password validation and reset. The custom platform script is uploaded when adding the custom platform.

Sample scripts

Sample custom platform scripts and command details are available at the following links:

CAUTION: Example scripts are provided for information only. Updates, error checking, and testing are required before using them in production. Safeguard for Privileged Passwords checks to ensure the values match the type of the property which include: a string, boolean, integer, or password (which is called secret in the API scripts). Safeguard for Privileged Passwords cannot check the validity or system impact of values entered for custom platforms.

During development, check your JSON using a validator like the one at this link: https://jsonlint.com/

The ExampleLinuxScript.json is an example of a custom platform script that can be adapted to work against an asset running Linux.

The script has meta-data including “Id” and “Backend”. “Id” is a unique name to identify the script. “Backend” will always be set to “Scriptable”.
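A pre-upload check for a custom platform script, written as an added example for this guide rather than code shipped with Safeguard for Privileged Passwords. It reproduces the checks the text describes: the file must be a valid JSON object (otherwise the appliance reports "Definition was not a valid json object"), "Id" must be present and "Backend" must be "Scriptable", and each parameter's default value must match its declared type (string, boolean, integer, or secret). The "Parameters" array with Name, Type, Default and Description entries is an assumed layout based on the View description in the Custom Platforms table; the real file layout is not documented on this page, and the sample scripts below are constructed. Rejecting a default value on a secret parameter is a policy of this checker, not a rule stated by the guide.

```python
import json

# Property types the guide says Safeguard checks values against. A password
# is called "secret" in the API scripts.
TYPE_MAP = {
    "string": str,
    "boolean": bool,
    "integer": int,
    "secret": str,
}


def validate_platform_script(text):
    """Return a list of problems found in a custom platform script.
    An empty list means every check passed."""
    try:
        script = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"Definition was not a valid json object: {exc.msg} at line {exc.lineno}"]
    if not isinstance(script, dict):
        return ["Definition was not a valid json object"]

    problems = []
    if not isinstance(script.get("Id"), str) or not script["Id"]:
        problems.append('"Id" must be a non-empty string')
    if script.get("Backend") != "Scriptable":
        problems.append('"Backend" must be "Scriptable"')

    params = script.get("Parameters", [])  # assumed key and layout
    if not isinstance(params, list):
        return problems + ['"Parameters" must be an array']
    seen = set()
    for i, p in enumerate(params):
        if not isinstance(p, dict):
            problems.append(f"Parameters[{i}] is not an object")
            continue
        name = p.get("Name")
        ptype = p.get("Type")
        if not isinstance(name, str) or not name:
            problems.append(f"Parameters[{i}] has no Name")
            name = f"#{i}"
        if name in seen:
            problems.append(f"parameter {name!r} is defined twice")
        seen.add(name)
        if ptype not in TYPE_MAP:
            problems.append(f"parameter {name!r} has unknown Type {ptype!r}")
            continue
        if "Default" in p:
            default = p["Default"]
            expected = TYPE_MAP[ptype]
            # bool is a subclass of int in Python, so true/false must be
            # rejected explicitly for integer parameters.
            if not isinstance(default, expected) or (expected is int and isinstance(default, bool)):
                problems.append(f"parameter {name!r}: Default {default!r} is not a {ptype}")
            # Checker policy: never bake a secret into the uploaded script.
            if ptype == "secret" and default:
                problems.append(f"parameter {name!r}: a secret must not carry a default value")
    return problems


# Constructed sample scripts for this example.
GOOD_SCRIPT = json.dumps({
    "Id": "ExampleLinuxScript",
    "Backend": "Scriptable",
    "Parameters": [
        {"Name": "Port", "Type": "integer", "Default": 22, "Description": "SSH port"},
        {"Name": "UseSudo", "Type": "boolean", "Default": True, "Description": "Run via sudo"},
        {"Name": "Prompt", "Type": "string", "Default": "$ ", "Description": "Shell prompt"},
        {"Name": "Password", "Type": "secret", "Description": "Account password"},
    ],
})
BAD_SCRIPT = json.dumps({
    "Id": "BrokenScript",
    "Backend": "Shell",
    "Parameters": [
        {"Name": "Port", "Type": "integer", "Default": "22"},
        {"Name": "Password", "Type": "secret", "Default": "not-a-real-password"},
    ],
})
NOT_JSON = '{"Id": "x", "Backend": "Scriptable",}'  # trailing comma

if __name__ == "__main__":
    for label, text in (("good", GOOD_SCRIPT), ("bad", BAD_SCRIPT), ("not json", NOT_JSON)):
        print(label, validate_platform_script(text) or "ok")
```

As the CAUTION above says, this kind of check only confirms that values have the right type; it cannot tell you whether the commands in the script are safe to run against the asset, which still needs testing outside production.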

Adding a custom platform

The Asset Administrator is responsible for adding custom platforms so that Safeguard for Privileged Passwords can manage assets on them. The custom platform script must be available to upload. For more information, see Creating a custom platform script.

NOTE: Only SSH custom platforms are supported.

To add a custom platform

  1. Have the custom platform script file available to upload.
  2. Navigate to Administrative Tools | Settings | Asset Management | Custom Platforms.
  3. Click (or tap) Add.
  4. These fields display:
    1. Name: Enter the unique name of the platform type which may be a product name.
    2. Version: Enter the operating system version to use as an identifier.
    3. Architecture: Enter the CPU architecture to use as an identifier.
    4. Platform Script: Click (or tap) Browse. Navigate to and select the script file. Click (or tap) Open. The selected custom platform script file displays.

    5. Select the Allow Sessions check box to allow session access requests. This check box is typically selected for SSH. Clear the Allow Sessions check box to prohibit session access requests.
  5. Click (or tap) OK. If the custom platform script has errors, an error message like the following displays: Definition was not a valid json object.