Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 2.4 - Administration Guide

Introduction System requirements Installing the One Identity Safeguard for Privileged Passwords desktop client Setting up Safeguard for Privileged Passwords for the first time Getting acquainted with the console Privileged access requests Toolbox Accounts Account Groups Assets Asset Groups Directories Entitlements Partitions Settings
Access Request settings Appliance settings Asset Management settings Backup and Retention settings Certificate settings Cluster settings External Integration settings Messaging settings Profile settings Access settings Sessions settings
Users User Groups Disaster recovery Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions
How do I access the API How do I audit transaction activity How do I configure external federation authentication How do I manage accounts on unsupported platforms How do I modify the appliance configuration settings How do I prevent Safeguard for Privileged Passwords messages when making RDP connections How do I see which assets and/or accounts are governed by a profile How do I set the appliance system time How do I setup discovery jobs How do Safeguard for Privileged Passwords database servers use SSL What are the access request states What do I do when an appliance goes into quarantine What is required for One Identity Safeguard for Privileged Passwords Privileged Sessions What is required to integrate with Starling Identity Analytics & Risk Intelligence What needs to be set up to use Application to Application What role-based email notifications are generated by default When does the rules engine run for dynamic grouping and tagging Why did the password change during an open request Why join Safeguard for Privileged Passwords to One Identity Starling
Safeguard Desktop Player Appendix: Safeguard ports

Permissions tab

On the Permissions tab, select the user's Administrator permissions, if applicable. When assigning permissions to a user, you set the following access controls:

  • Authorizer: Allow the user to grant permissions to other users.

    NOTE: This permission allows the user to change their own permissions.
  • User: Allow the user to create new users, unlock and reset passwords for non-administrative users.
  • Help Desk: Allow the user to unlock and set passwords for non-administrative users.
  • Appliance: Allow the user to edit and update the appliance and to configure external integration settings, such as email, SNMP, Syslog, Ticketing, and Approval Anywhere.
  • Operations: Allow the user to reboot and monitor the appliance.
  • Auditor: Allow the user read-only access.
  • Asset: Allow the user to add, edit and delete partitions, assets and accounts.
  • Directory: Allow the user to add, edit and delete directories.
  • Security Policy: Allow the user to add, edit and delete entitlements and polices that control access to accounts and assets.

For a more detailed list of permissions available, see Administrator permissions.

Requiring user to log in using secondary authentication

You can require a user to log in using two-factor authentication by enabling the Require Secondary Authentication option in the user record.

To require a user to log in using secondary authentication

  1. Setup a secondary authentication provider in Settings | External Integration | Identity and Authentication. For more information, see Adding identity and authentication providers.
  2. Configure the Safeguard for Privileged Passwords user to Require Secondary Authentication. For more information, see Authentication tab.
    1. On the Authentication tab of a user's properties, select the Require Secondary Authentication check box.
    2. Choose the Authentication Provider.
    3. Depending on the type of authentication provider selected, specify the additional information this user must use when logging into Safeguard for Privileged Passwords with two-factor authentication.

  3. Log in with secondary authentication.

    When you log into Safeguard for Privileged Passwords with a user account that requires secondary authentication, you log in as usual, using the password that is set for the Safeguard for Privileged Passwords user account. Safeguard for Privileged Passwords then displays one or more additional login screens. Depending on how the system administrator has configured the secondary authentication provider, you must enter additional credentials for your secondary authentication service provider account, such as a secure password and/or security token code.

    Note: The type and configuration of the secondary authentication provider (RSA SecureID, One Identity Starling Two-Factor Authentication, etc.) determines what you must provide for secondary authentication. Check with your system administrator for more information about how to log into Safeguard for Privileged Passwords with secondary authentication.

Configuring user to use Starling Two-Factor Authentication when logging into Safeguard for Privileged Passwords

It is the responsibility of the Authorizer Administrator or the User Administrator to configure a user account to use two-factor authentication when logging into Safeguard for Privileged Passwords.

TIP: If you want to use one-touch approvals, download and install the Starling 2FA app onto your mobile device.

To configure users to use Starling Two-Factor Authentication when logging into Safeguard for Privileged Passwords

  1. Log into Safeguard for Privileged Passwords as an Authorizer Administrator or User Administrator.
  2. Navigate to Administrative Tools | Users.
  3. Add or edit users, ensuring the following settings are configured:
    1. Authentication tab:
      • Require Secondary Authentication: Select this check box.
      • Authentication Provider: Select the Starling 2FA service provider.

        NOTE: If the Starling 2FA service provider is not listed, you must first join Safeguard for Privileged Passwords to Starling. For more information, see Starling.

      • Use alternate mobile phone number: Optionally, select this check box and enter an alternate mobile number to be used for two-factor authentication notifications.

        NOTE: If you want to use one-touch approvals, this feature requires a valid mobile phone number for the user. If the user does not have their mobile number published in Active Directory, use this option to specify a valid mobile phone number for the user.

    2. Contact Information tab:
      • Mobile Phone: Enter a valid mobile phone number in E.164 format.
      • Email Address: Enter a valid email address.

Now whenever any of these users attempt to log into Safeguard for Privileged Passwords, after entering their password, a message appears on the login screen informing them that an additional authentication step is required.

NOTE: If the Safeguard for Privileged Passwords user is required to use Starling Two-Factor Authentication and has the Starling 2FA mobile app installed, Safeguard for Privileged Passwords sends a push notification to their mobile device where they can complete the login by pressing a button in the app. If the user does not have the Starling 2FA app, they have the option to receive a one-time password via SMS or a phone call.

Adding a directory user account

It is the responsibility of either the Authorizer Administrator or User Administrator to add directory users to Safeguard for Privileged Passwords.

Note: You must add directories (Active Directory or LDAP) to Safeguard for Privileged Passwords before you can add directory user accounts.

IMPORTANT: The standard global catalog port, 3268 (LDAP), must be open on the firewall for every Windows global catalog server in the environment and SPP Appliance to communicate for directory management tasks (for example, adding a directory account, a directory user account, or a directory user group). LDAP uses port 389 for unencrypted connections. For more information, see the Microsoft publication How the Global Catalog Works.

To add a directory user account

  1. Navigate to Administrative Tools | Users.
  2. In Users, click (or tap)  Add User from the toolbar.
  3. In the User dialog, provide information in each of these tabs:

    Identity tab

    Where you choose the user from the specified directory service whose contact information will be used and synchronized in Safeguard for Privileged Passwords.

    Authentication tab

    Where you choose the authentication provider, user name, and password and set any additional information required for that provider type. You can also configure the user to Require Secondary Authentication.

    Location tab Where you set the user's time zone.
    Permissions tab Where you set the user's administrator permissions.
Related Documents