Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 2.4 - Administration Guide

Introduction System requirements Installing the One Identity Safeguard for Privileged Passwords desktop client Setting up Safeguard for Privileged Passwords for the first time Getting acquainted with the console Privileged access requests Toolbox Accounts Account Groups Assets Asset Groups Directories Entitlements Partitions Settings
Access Request settings Appliance settings Asset Management settings Backup and Retention settings Certificate settings Cluster settings External Integration settings Messaging settings Profile settings Access settings Sessions settings
Users User Groups Disaster recovery Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions
How do I access the API How do I audit transaction activity How do I configure external federation authentication How do I manage accounts on unsupported platforms How do I modify the appliance configuration settings How do I prevent Safeguard for Privileged Passwords messages when making RDP connections How do I see which assets and/or accounts are governed by a profile How do I set the appliance system time How do I setup discovery jobs How do Safeguard for Privileged Passwords database servers use SSL What are the access request states What do I do when an appliance goes into quarantine What is required for One Identity Safeguard for Privileged Passwords Privileged Sessions What is required to integrate with Starling Identity Analytics & Risk Intelligence What needs to be set up to use Application to Application What role-based email notifications are generated by default When does the rules engine run for dynamic grouping and tagging Why did the password change during an open request Why join Safeguard for Privileged Passwords to One Identity Starling
Safeguard Desktop Player Appendix: Safeguard ports

Adding a user to entitlements

When you add users to an entitlement, you are specifying which people can request access governed by the entitlement's policies.

Note: It is the responsibility of the Security Policy Administrator to add users to entitlements.

To add a user to one or more entitlements

  1. Navigate to Administrative Tools | Users.
  2. In Users, select a user from the object list and open the Entitlements tab.
  3. Click (or tap) Add Entitlement from the details toolbar.
  4. Select one or more entitlements from the list in the Entitlements selection dialog and click (or tap) OK.

    Note: You can also double-click (or double-tap) an entitlement name to add it.

If you do not see the entitlement you are looking for, depending on your Administrator permissions, you can create it in the Entitlements selection dialog. (You must have Security Policy Administrator permissions to create entitlements.)

To create a new entitlement from the Entitlements selection dialog

  1. Click (or tap) Create New.

    The Entitlement dialog displays. For more information about creating entitlements, see Adding an entitlement.

  2. Create additional entitlements, as required.
  3. Click (or tap) OK in the Entitlements selection dialog to add the selected user to the entitlements.

Linking a directory account to a user

NOTE: It is the responsibility of the Security Policy Administrator to link directory accounts to a user. Once linked, these linked accounts can be used to access assets and accounts within the scope of an access request policy.

To link a directory account to a user

  1. Navigate to Administrative Tools | Users.
  2. In Users, select a user from the object list and open the Linked Accounts tab.
  3. Click (or tap) Add Linked Account from the details toolbar.

    The Directory Account dialog displays, listing the directory accounts available in Safeguard for Privileged Passwords. This dialog includes the following details about each directory account listed:

    • Name: Displays the name of the directory account.
    • Domain Name: Displays the name of the domain where this account resides.
    • Password Request: Indicates whether password release requests are allowed.
    • Needs a Password: Indicates whether the account needs a password.
    • Description: Displays descriptive text about the directory account.
  4. Select one or more accounts from the list in the Directory Account selection dialog and click (or tap) OK.

Modifying a user

The Authorizer Administrator and the User Administrator can modify the general information for a user.

To modify a user's information

  1. Navigate to Administrative Tools | Users.
  2. In Users, select a user from the object list.
  3. Double-click (or double-tap) the user's name to open the User settings edit window.

    Note: You can also double-click (or double-tap) the Identity, Authentication, Location, or Permissions edit box on the General tab (or click (or tap) the  Edit icon) to go directly to that view.

    For example:

    • To modify a user's authentication provider, change the user's password, or enter an alternate mobile phone number, double-click (or double-tap) the Authentication box, or click (or tap) the  Edit icon.
    • To change a local user's contact information, double-click (or double-tap) the Identity box on the General tab or click (or tap) the  Edit icon.

      Note: You cannot modify a directory user's contact information that is managed in the directory, such as Active Directory. If you need to add a valid mobile phone number, use the alternate mobile phone number option on the Authentication tab instead.

    • To modify the administrator permissions, double-click (or double-tap) the Permissions box on the General tab or click (or tap) the  Edit icon.

      TIP: As a best practice, to prevent users from gaining access to information after you change their administrative permissions, ensure that the user closes all connections to the appliance (or reboot the appliance).

      NOTE:  Help Desk Administrators, Asset Administrators, and Security Policy Administrators can only view the user object history for their own account.

  4. The Security Policy Administrator can modify a user's group membership on the user's User Groups tab.

    Note: You can multi-select user groups to add or remove more than one user on a user's group membership.

  5. The Asset Administrator can delegate partition ownership to a user on the user's Partitions tab.
  6. The Security Policy Administrator can add the selected user to an entitlement on the user's Entitlements tab.
  7. The Security Policy Administrator can add (or remove) linked accounts to an entitlement on the user's Linked Accounts tab.
  8. The Authorizer Administrator and the User Administrator can view or  Export the details of each operation that has affected the selected use on the History tab.

    Note: Help Desk Administrators, Asset Administrators, and Security Policy Administrators can only view the user object history for their own account.

Deleting a user

Typically, it is the responsibility of the Authorizer Administrator to delete administrator users and the User Administrator to delete non-administrator users.

Important: When you delete a local user, Safeguard for Privileged Passwords deletes it permanently. If you delete a directory user that is part of a directory group, next time it synchronizes its database with the directory, Safeguard for Privileged Passwords will add it back in.

To delete a user

  1. Navigate to Administrative Tools | Users.
  2. In Users, select a user from the object list.
  3. Click (or tap) Delete Selected.
  4. Confirm your request.

TIP: As a best practice, disable the directory user instead of deleting the account. For more information, see Enabling or disabling a user.

Related Documents