One Identity Safeguard for Privileged Passwords 2.4 - Administration Guide


Adding a password sync group

The Asset Administrator or a partition's delegated administrator defines the password sync group. An account can belong to only one password sync group. To assign sync groups and related accounts when adding the profile to a partition, see Creating a partition profile.

To create a password sync group

  1. Navigate to Administrative Tools | Settings | Profile | Password Sync Groups.
  2. Click (or tap) Add to open the Password Sync Group dialog.

  3. Click (or tap) Browse to select a Profile. The Profile name displays.

    NOTE: Multiple password sync groups can be added to a profile. The profile change schedule is applied to the sync group. The sync group controls the tasks to change the passwords for the accounts in the sync group. Change tasks occur in the order of password sync group priority. For more information, see Password sync group priority.

  4. Enter a Name of up to 100 characters.
  5. Enter a Description of up to 255 characters.
  6. Click (or tap) Add and select one or more Accounts to be synchronized.

    The Accounts list displays the following information about each account: Name, Parent, Service Account, Needs a Password (an icon indicates yes or no), and Description. Click (or tap) any column to sort the accounts.

  7. Click (or tap) OK. The following values display:
    • Status: An icon indicates whether the account password is not the same as the sync group password, is the same as the sync group password, or the account is ignored (in which case it possibly should not be in the sync group).
    • Priority: The default is priority 0 (the highest). To change the priority, double-click the Priority value, enter the new priority, and click (or tap) OK. For more information, see Password sync group priority.
    • System Name: Name of the system (asset) associated with the account.
    • Account Name: Name of the account.
    • Last Sync Time: The date and time of the last sync.
  8. Click OK.

Modifying a password sync group

You can make modifications to the priority of a password sync group, the accounts assigned to a password sync group, or sync the selected account password.

To modify the priority of a password sync group or perform other modifications

  1. Navigate to Administrative Tools | Settings | Profile | Password Sync Groups.
  2. In the Password Sync Group dialog, select the password sync group then click (or tap) Edit.
  3. Modify the Name or Description, if desired.
  4. Click (or tap) any column in the account list to sort the accounts.
  5. To modify an account priority, select the account then click (or tap) Edit.

  6. Enter the Priority then click (or tap) OK. For more information, see Password sync group priority.

  7. Perform any of the following account modifications:
    • Click (or tap) Add to add an account to the password sync group.
    • Click (or tap) Remove Selected to remove the selected account from the password sync group. This does not delete the account from Safeguard for Privileged Passwords.
    • Click (or tap) Refresh to update the account list.
    • Click (or tap) Sync Now to sync the selected account password to match the sync group password. The Status icon then shows one of the following:
      • In sync: the account password matches the password sync group password.
      • Not in sync: the account password does not match the password sync group password.

Access settings

Safeguard for Privileged Passwords allows you to configure these settings related to accessing One Identity Safeguard for Privileged Passwords. Navigate to Administrative Tools | Settings | Profile | Safeguard Access.

Table 219: Safeguard for Privileged Passwords Access settings
Setting Description
Login Control Where you configure the user login control settings.
Password Rules Where you configure user password complexity rules.

Login Control

It is the responsibility of the Appliance Administrator to configure the Safeguard for Privileged Passwords user login control settings, such as the number of failed sign-in attempts before locking out an account.

To configure the login controls

  1. Navigate to Administrative Tools | Settings | Safeguard for Privileged Passwords Access | Login Control.
  2. Provide the following information:
    Token Lifetime

    Set the number of minutes a user can stay logged into Safeguard for Privileged Passwords.

    Range: 10 minutes to 28800 minutes (20 days)

    Default: 1440 minutes (1 day)

    Lockout Duration

    Set the number of minutes a locked out account remains locked.

    Range: 1 to 9999 minutes; A setting of 9999 requires an administrator to manually unlock the account.

    Default: 15 minutes

    Lockout Threshold

    Set the number of consecutive failed sign-in attempts within the Lockout Window required to lock a user account.

    If a user submits an incorrect password the number of times specified by the Lockout Threshold setting within the Lockout Window, Safeguard for Privileged Passwords locks the account until the Lockout Duration period has elapsed.

    Range: 0 to 100 failed sign-in attempts; A value of 0 (zero) indicates the user's account will never be locked due to failed sign-ins.

    Default: 5 consecutive failures

    TIP: Set the Lockout Threshold to a high enough number that authorized users are not locked out of their user accounts simply because they mistype a password.

    Lockout Window

    Set the window (in minutes) within which Safeguard for Privileged Passwords counts consecutive failed sign-in attempts toward the Lockout Threshold.

    Range: 0 to 15 minutes; A value of 0 (zero) means that there is no time limit on counting failed sign-in attempts.

    Default: 10 minutes

    Disable After

    Set the number of days to wait before automatically disabling an inactive user account.

    If a user has not logged onto Safeguard for Privileged Passwords within this number of days, Safeguard for Privileged Passwords disables the user account.

    NOTE: The Authorizer Administrator must also reset the user's password when re-enabling a disabled account.

    Range: 14 to 365 days

    Default: 365 days

    Inform User of Disabled Account

    Select this option to inform users when Safeguard for Privileged Passwords has disabled their account when they attempt to log in. When cleared, Safeguard for Privileged Passwords tells the user that his or her access has been denied.

    NOTE: For security reasons, One Identity recommends leaving this option cleared, unless you are troubleshooting login and authentication problems.

    A disabled user cannot sign into Safeguard for Privileged Passwords until an administrator has re-enabled his or her account. For more information, see Enabling or disabling a user.

    Default: Not set

    Inform User of Locked Account

    Select this option to inform users when Safeguard for Privileged Passwords has locked their account when they attempt to log in. When cleared, Safeguard for Privileged Passwords tells the user that his or her access has been denied.

    NOTE: For security reasons, One Identity recommends leaving this option cleared, unless you are troubleshooting login and authentication problems.

    A user with a locked account cannot sign into Safeguard for Privileged Passwords until the Lockout Duration period has been met or an administrator has unlocked the account. For more information, see Unlocking a user's account.

    Default: Not set

    Minimum Password Age

    Set the number of days a user must wait before changing his or her password.

    Range: 0 to 14 days

    Default: 0

    Maximum Password Age

    Set the number of days users can use their current password before they must change it.

    Range: 0 to 180 days; A value of 0 (zero) indicates passwords never expire.

    Default: 42 days

    Password Age Reminder

    Set the number of days before the Maximum Password Age limit is reached at which Safeguard for Privileged Passwords begins to remind the user that their password is about to expire.

    Range: 0 to 30 days

    Default: 14 days

    Password History

    Enter the number of old passwords stored by Safeguard for Privileged Passwords for user accounts. Stored passwords cannot be reused, and are replaced on a first-in first-out basis.

    NOTE: Administrators are not restricted by the password history setting.

    Range: 0 to 24 old passwords; A value of 0 (zero) disables password history restrictions allowing users to always reuse old passwords.

    Default: 5 stored passwords
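The Login Control settings above interact in ways that are easy to misjudge (a Lockout Window of 0 makes failures accumulate forever, a Lockout Duration of 9999 means no automatic unlock, Password History is bypassed for administrators). The following is an added example, not Safeguard code and not a call to its API: it models the documented semantics and special values in plain Python so they can be exercised offline against constructed timestamps. The class and method names (LoginControl, UserAccount, LoginPolicy) and the use of integer seconds as the clock are this example's own choices; the field defaults and RANGES are the documented defaults and ranges.

```python
"""Offline model of the Login Control settings (added example, not Safeguard code)."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Optional

MANUAL_UNLOCK = 9999          # documented Lockout Duration sentinel
MINUTE, DAY = 60, 86400       # clock is integer seconds supplied by the caller

# Documented inclusive ranges for the settings modelled here.
RANGES = {"lockout_threshold": (0, 100), "lockout_window_min": (0, 15),
          "lockout_duration_min": (1, 9999), "min_password_age_days": (0, 14),
          "max_password_age_days": (0, 180), "password_age_reminder_days": (0, 30),
          "password_history": (0, 24)}


@dataclass
class LoginControl:
    lockout_threshold: int = 5           # 0 = never lock on failed sign-ins
    lockout_window_min: int = 10         # 0 = count failures without a time limit
    lockout_duration_min: int = 15       # 9999 = locked until an administrator unlocks
    min_password_age_days: int = 0
    max_password_age_days: int = 42      # 0 = passwords never expire
    password_age_reminder_days: int = 14
    password_history: int = 5            # 0 = old passwords may always be reused

    def __post_init__(self) -> None:
        for name, (lo, hi) in RANGES.items():
            value = getattr(self, name)
            if not lo <= value <= hi:
                raise ValueError(f"{name}={value} is outside the documented range {lo}-{hi}")


@dataclass
class UserAccount:
    is_admin: bool = False
    password_set_at: int = 0
    failures: Deque[int] = field(default_factory=deque)  # timestamps of failed sign-ins
    locked_until: Optional[int] = None                    # None = unlocked, -1 = manual unlock
    history: Deque[str] = field(default_factory=deque)   # old password hashes, FIFO


class LoginPolicy:
    def __init__(self, control: LoginControl) -> None:
        self.c = control

    def is_locked(self, acct: UserAccount, now: int) -> bool:
        if acct.locked_until is None:
            return False
        if acct.locked_until == -1 or now < acct.locked_until:
            return True
        self.unlock(acct)  # Lockout Duration has elapsed
        return False

    def record_failure(self, acct: UserAccount, now: int) -> bool:
        """Register a failed sign-in; True means this attempt locked the account."""
        c = self.c
        if c.lockout_threshold == 0:
            return False
        window = c.lockout_window_min * MINUTE
        if window:  # only failures inside the Lockout Window count
            while acct.failures and now - acct.failures[0] >= window:
                acct.failures.popleft()
        acct.failures.append(now)
        if len(acct.failures) < c.lockout_threshold:
            return False
        if c.lockout_duration_min == MANUAL_UNLOCK:
            acct.locked_until = -1
        else:
            acct.locked_until = now + c.lockout_duration_min * MINUTE
        return True

    def unlock(self, acct: UserAccount) -> None:
        acct.locked_until = None
        acct.failures.clear()

    def change_password(self, acct: UserAccount, new_hash: str, now: int) -> None:
        """new_hash is opaque here; a real store would hold a salted slow hash."""
        c = self.c
        if now - acct.password_set_at < c.min_password_age_days * DAY:
            raise ValueError("Minimum Password Age not yet reached")
        if c.password_history and not acct.is_admin and new_hash in acct.history:
            raise ValueError("reuse blocked by Password History")
        if c.password_history:
            acct.history.append(new_hash)
            while len(acct.history) > c.password_history:
                acct.history.popleft()  # first-in, first-out replacement
        acct.password_set_at = now

    def password_state(self, acct: UserAccount, now: int) -> str:
        """'ok', 'reminder' or 'expired' relative to Maximum Password Age."""
        c = self.c
        if c.max_password_age_days == 0:
            return "ok"
        age_days = (now - acct.password_set_at) / DAY
        if age_days >= c.max_password_age_days:
            return "expired"
        if age_days >= c.max_password_age_days - c.password_age_reminder_days:
            return "reminder"
        return "ok"
```

Running `LoginPolicy(LoginControl())` with the defaults and feeding five failures one minute apart locks the account for 15 minutes, while the same five failures spread over more than 10 minutes never do, because the oldest ones fall out of the window. Setting `lockout_window_min=0` removes that decay, and `lockout_duration_min=9999` leaves `locked_until` at the manual-unlock sentinel until `unlock()` is called, which is the state an administrator resolves under Unlocking a user's account.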
