One Identity Safeguard for Privileged Passwords 2.4 - Administration Guide

Identity tab

To add a directory user, specify the following information:

  1. In the Identity Provider field, select a directory.
  2. After Username, click (or tap) Browse.
  3. In the next User dialog:
    1. To search the Filter Search Location, click (or tap) Browse, then select a container within the directory. The Location Selected displays. Click (or tap) OK. The Filter Search Location is populated.
    2. The Include objects from sub containers check box is selected by default, indicating that child objects will be included in your search. Clear this check box to exclude child objects from your search.
    3. In the Starts With (Active Directory ANR Search) field, enter a full or partial account name and press Search.

      Safeguard for Privileged Passwords will search each domain of a forest. You can search on partial strings. For example, if you enter "ad" in the search box, it will find any user Name or Distinguished Name that contains "ad". The text search is not case sensitive and does not allow wild cards.

    4. The results of the search display in the Select the user to add grid. Select a user account to add to Safeguard for Privileged Passwords.
    5. Click (or tap) OK to use the selected account and close the dialog.
  4. Click (or tap) Next to go to the Authentication tab. For more information, see Authentication tab.

Authentication tab

When adding a directory user account, specify the following information on the Authentication tab.

  1. Authentication Provider options:
    • Keep the default Authentication Provider for the directory user, which is the directory user's associated directory/domain. The user will enter their directory credentials when logging into Safeguard for Privileged Passwords.
    • Select a different Authentication Provider for the directory user from the drop-down list and enter an appropriate value for the user's Login name, Email Address, or Name Claim required for the provider.
  2. If the Authentication Provider is Microsoft Active Directory, select the Require Certificate Authentication check box to require that the user logs into Safeguard for Privileged Passwords using their domain-issued user certificate or Smart Card.

  3. Select the Require Secondary Authentication check box to require that this user logs into Safeguard for Privileged Passwords with two-factor authentication. For more information, see Requiring user to log in using secondary authentication.
  4. Choose the secondary Authentication Provider for this user. Use valid combinations of identity and authentication providers. For more information, see Identity and Authentication.
  5. Once the secondary authentication provider is specified, choose or enter the information required for two-factor authentication based on the type:
    1. Login name: When a directory is selected for secondary authentication, Browse to select the account on the secondary authentication provider this user must use when logging into Safeguard for Privileged Passwords with two-factor authentication. If Radius is selected as the secondary authentication provider, enter the name of the account on the secondary authentication provider this user must use when logging into Safeguard for Privileged Passwords with two-factor authentication.
    2. When Starling Two-Factor Authentication is selected, this option is available to enter an alternate Mobile phone number. The Number on file is the mobile phone number specified on the user's Identity tab.

      NOTE: The Approval Anywhere and one-touch approval features require a valid mobile phone number for the user. If the user does not have their mobile number published in Active Directory, use this option to specify a valid mobile phone number for the user.

Adding a user to user groups

Note: It is the responsibility of the Security Policy Administrator to add users to user groups to assign to password policies.

To add a user to one or more user groups

  1. Navigate to Administrative Tools | Users.
  2. In Users, select a user from the object list and open the User Groups tab.
  3. Click (or tap) Add User Groups from the details toolbar.
  4. Select one or more groups from the list in the User Groups dialog and click (or tap) OK.

    Note: You can also double-click (or double-tap) a group name to add it.

If you do not see the user group you are looking for, depending on your Administrator permissions, you can create it in the User Groups selection dialog. (You must have Security Policy Administrator permissions to create user groups.)

To create a new user group from the selection dialog

  1. Click (or tap) Create New.

    For more information about creating user groups, see Adding a user group.

  2. Create additional user groups, as required.
  3. Click (or tap) OK in the User Groups selection dialog to add the selected user to the user groups.

Assigning a user to partitions

Assigning a user to a partition makes that user the "Delegated Owner" of that partition, giving that person authorization to manage the assets and accounts in that partition. A delegated partition owner has a subset of the permissions that an Asset Administrator has. For more information, see Administrator permissions.

Note: It is the responsibility of the Asset Administrator to select one or more users to manage the assets and accounts in a partition.

To assign a user to one or more partitions

  1. Navigate to Administrative Tools | Users.
  2. In Users, select a user from the object list and open the Partitions tab.
  3. Click (or tap) Assign Partition(s) from the details toolbar.
  4. Select one or more partitions from the list in the Partitions selection dialog and click (or tap) OK.

    Note: You can also double-click (or double-tap) a partition name to add it.

If you do not see the partition you are looking for, depending on your Administrator permissions, you can create it in the Partitions selection dialog. (You must have Asset Administrator permissions to create partitions.)

To create a new partition in the Partitions selection dialog

  1. Click (or tap) Create New.

    For more information about creating partitions, see Adding a partition.

  2. Create additional partitions, as required.
  3. Click (or tap) OK in the Partitions selection dialog to add the selected user to the partitions.