
One Identity Safeguard 2.5 - Administration Guide


Modifying a user group

Only the Security Policy Administrator can modify user groups.

To modify a user group

  1. Navigate to Administrative Tools | User Groups.
  2. In User Groups, select a user group.
  3. Select the view of the user group's information you want to modify (General, Users, or Entitlements).

    For example:

    • To change a local user group's name or description, double-click the General information box on the General tab or click the Edit icon.

      Note: You can double-click a user group name to open the General settings edit window.

    • To add (or remove) users to the selected local user group, switch to the Users tab.

      Note: You can multi-select members to add or remove more than one from a user group.

    • To add (or remove) the selected user group to an entitlement, switch to the Entitlements tab.

  4. To view or export the details of each operation that has affected the selected user group, switch to the History tab.

Deleting a user group

It is the responsibility of the Security Policy Administrator to delete groups of local users from Safeguard for Privileged Passwords. It is the responsibility of the Authorizer Administrator or the User Administrator to delete directory groups.

Note: When you delete a user group, Safeguard for Privileged Passwords does not delete the users associated with it.

To delete a user group

  1. Navigate to Administrative Tools | User Groups.
  2. In User Groups, select a user group from the object list.
  3. Click Delete Selected.
  4. Confirm your request.

Disaster recovery and clusters

Safeguard for Privileged Passwords Appliances can be clustered to ensure high availability. Clustering enables the recovery or continuation of vital technology infrastructure and systems following a natural or human-induced disaster. This reduces down time and data loss.

Another benefit of clustering is load distribution. Clustering in a managed network ensures the load is distributed so that cluster traffic is minimal and the appliances closest to the target asset perform the task. The Appliance Administrator defines managed networks (network segments) to effectively manage assets, accounts, and service access requests in a clustered environment and distribute the task load.

Primary and replica appliances

A Safeguard for Privileged Passwords cluster consists of three or five appliances. An appliance can only belong to a single cluster. One appliance in the cluster is designated as the "primary". Non-primary appliances are referred to as "replicas". All vital data stored on the primary appliance is also stored on the replicas. In the event of a disaster, where the primary appliance is no longer functioning, you can promote a replica to be the new primary appliance. Network configuration is done on each unique appliance, whether it is the primary or a replica.

The replicas provide a read-only view of the security policy configuration. You cannot add, delete, or modify the objects or security policy configuration on a replica appliance. You can perform password change and check operations and make password release and session access requests. Users can log into replicas to request access, generate reports or audit the data. Also, passwords and sessions can be requested from any appliance in a Safeguard cluster.

Supported cluster configurations

Current supported cluster configurations follow.

  • 3 Node Cluster (1 Primary, 2 Replicas): Consensus is achieved when two of the three appliances are online and able to communicate. Valid states are: Online or ReplicaWithQuorum. For more information, see Appliance states.
  • 5 Node Cluster (1 Primary, 4 Replicas): Consensus is achieved when three of the five appliances are online and able to communicate. Valid states are: Online or ReplicaWithQuorum. For more information, see Appliance states.

Consensus and quorum failure

Some maintenance tasks require that the cluster has consensus (quorum). Consensus means that the majority of the members (primary or replica appliances) are online and able to communicate. Valid states are: Online or ReplicaWithQuorum. For more information, see Appliance states.

Supported clusters have an odd number of appliances so that consensus always requires a strict majority (more than half) of the appliances to be online and able to communicate; with an odd count, a network split can never leave two partitions of equal size.

If a cluster loses consensus (also known as a quorum failure), the following automatically happens:

  • The primary appliance goes into Read-only mode.
  • Password check and change are disabled.

When connectivity is restored between a majority of members in a cluster, consensus is automatically regained. If the consensus members include the primary appliance, it automatically converts to read-write mode and enables password check and change.
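The consensus rules above as a small model, added here as an example; it is not part of the Safeguard product or its documentation. Given the network partitions at a moment in time, it computes which appliances hold quorum, whether the primary is read-write or read-only, whether password check and change is enabled, and what a manual failover changes. The names `Cluster`, `evaluate` and `promote`, and keeping the old primary as a replica after promotion, are assumptions for illustration; the page names no state for an appliance without quorum, so that case is reported as `None`.

```python
from dataclasses import dataclass, field

# Supported sizes: 1 primary + 2 replicas, or 1 primary + 4 replicas.
SUPPORTED_SIZES = (3, 5)


@dataclass
class Cluster:
    """Model of a Safeguard cluster (added example, not product code)."""
    primary: str
    replicas: list = field(default_factory=list)

    def __post_init__(self):
        members = self.members
        if len(members) not in SUPPORTED_SIZES:
            raise ValueError(f"cluster size {len(members)} unsupported; expected one of {SUPPORTED_SIZES}")
        if len(set(members)) != len(members):
            raise ValueError("an appliance can belong to a cluster only once")

    @property
    def members(self):
        return [self.primary, *self.replicas]

    @property
    def quorum(self):
        # Strict majority: 2 of 3, 3 of 5.  An odd size means a split can never tie.
        return len(self.members) // 2 + 1

    def evaluate(self, partitions):
        """partitions: groups (sets) of members that are online and can reach each
        other.  A member in no group is offline.  Returns the cluster-wide and
        per-appliance effect of the consensus rules."""
        seen = set()
        for group in partitions:
            if group & seen:
                raise ValueError("a member cannot be in two partitions")
            unknown = group - set(self.members)
            if unknown:
                raise ValueError(f"not cluster members: {sorted(unknown)}")
            seen |= group
        # At most one partition can hold a strict majority.
        consensus = next((g for g in partitions if len(g) >= self.quorum), None)
        primary_ok = consensus is not None and self.primary in consensus
        appliances = {}
        for m in self.members:
            in_consensus = consensus is not None and m in consensus
            if m == self.primary:
                # The primary drops to read-only on quorum failure and returns to
                # read-write only when it is among the consensus members.
                state = "Online" if in_consensus else None
                mode = "read-write" if in_consensus else "read-only"
            else:
                # Replicas are always read-only for objects and policy configuration.
                state = "ReplicaWithQuorum" if in_consensus else None
                mode = "read-only"
            appliances[m] = {"online": m in seen, "state": state, "mode": mode}
        return {
            "cluster": {
                "has_consensus": consensus is not None,
                # Disabled on quorum failure; re-enabled with the primary in quorum.
                "password_check_change": primary_ok,
            },
            "appliances": appliances,
        }

    def promote(self, replica):
        """Manual failover: a replica becomes the new primary.  Modelling
        simplification (assumed): the old primary is kept as a replica."""
        if replica not in self.replicas:
            raise ValueError(f"{replica} is not a replica of this cluster")
        self.replicas = [r for r in self.replicas if r != replica] + [self.primary]
        self.primary = replica
        return self


if __name__ == "__main__":
    # Constructed scenario: a 3-node cluster whose primary is cut off from both replicas.
    cluster = Cluster("sg-primary", ["sg-rep1", "sg-rep2"])
    before = cluster.evaluate([{"sg-primary"}, {"sg-rep1", "sg-rep2"}])
    after = cluster.promote("sg-rep1").evaluate([{"sg-primary"}, {"sg-rep1", "sg-rep2"}])
    print("before failover:", before["cluster"], before["appliances"]["sg-primary"])
    print("after failover: ", after["cluster"], after["appliances"]["sg-rep1"])
```

The isolated-primary case is the one that surprises operators: the two replicas keep quorum and still serve requests, but password check and change stays off until either the primary rejoins the majority or a replica is promoted.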

Health checks and diagnostics

The following tools are available to perform health checks and diagnose the cluster and appliances.

Shut down and restart an appliance

You can shut down and restart an appliance.

Run access request workflow on isolated appliance in Offline Workflow mode

You can enable Offline Workflow mode to force an appliance which no longer has quorum to process access requests using cached policy data in isolation from the remainder of the cluster. For more information, see Enable offline workflow.

Primary appliance failure: failover and backup restore

If a primary is not communicating, perform a manual failover. If that is not possible, you can use a backup to restore an appliance.

  • Unjoin and activate

    If the cluster appliances are able to communicate, you can unjoin the replica then activate the primary so replicas can be joined.

  • Cluster reset

    If the appliance is offline or the cluster members are unable to communicate, you must use Cluster Reset to rebuild the cluster. If there are appliances which must be removed from the cluster but there is no quorum to safely unjoin, a cluster reset force-removes nodes from the cluster. For more information, see Resetting a cluster that has lost consensus.

  • Factory reset

    Perform a factory reset to recover from major problems or to clear the data and configuration settings on an appliance. All data and audit history is lost and the appliance goes into maintenance mode. You can perform a factory reset from:

    After the factory reset, the appliance will need to be unjoined from the cluster. For more information, see Unjoining replicas from a cluster.

  • Enrolling replicas into a cluster

    Prior to the Appliance Administrator enrolling cluster members into a Safeguard for Privileged Passwords cluster, review the enrollment considerations which follow.

    Considerations to enroll cluster members

    • If there is an appliance in Offline Workflow mode, manually resume online operations before adding another replica. For more information, see Enable offline workflow.
    • Update all appliances to the same appliance build (patch) prior to building your cluster. During the cluster patch operation, access request workflow is available so authorized users can request password releases and session access.
    • To enroll an appliance into a cluster, the appliance must communicate over port 655 UDP/TCP and port 443 TCP and must have IPv4 or IPv6 network addresses (not mixed). For more information, see Appendix: Safeguard ports.
    • You can only enroll replica appliances to a cluster when logged into the primary appliance (using an account with Appliance Administrator permissions).
    • You can only add one appliance at a time. The maintenance operation must be complete before adding additional replicas.
    • Enrolling a replica can take as little as 5 minutes or as long as 24 hours depending on the amount of data to be replicated and your network.
    • During an "enroll replica" operation, the replica appliance goes into Maintenance mode. The existing members of the cluster can still process access requests as long as the member has quorum. On the primary appliance, you will see an "enrolling" notice in the status bar of the cluster view, indicating that a cluster-wide operation is in progress. This cluster lock prevents you from doing additional maintenance activities.

      Once the maintenance operation (enroll replica operation) is complete, the diagram in the cluster view (left pane) shows the link latency on the connector. The appliances in the cluster are unlocked and users can once again use the features available in Safeguard for Privileged Passwords.

      TIP: The Activity Center contains events for the start and the completion of the enrollment process.

    • The primary appliance's objects and security policy configuration are replicated to all replica appliances in the cluster. Any objects (such as users, assets, and so on) or security policy configuration defined on the replica will be removed during enroll. Existing configuration data from the primary will be replicated to the replica during the enroll. Future configuration changes on the primary are replicated to all replicas.
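A pre-flight check for the considerations above, added here as an example; it is not a One Identity tool and does not use the Safeguard API. It verifies from the administrator's workstation what can be verified there: one replica at a time, matching build strings, no mixed IPv4/IPv6 addresses, and TCP reachability of ports 443 and 655 on both appliances. The `preflight` function, its input layout and the constructed build strings are assumptions; UDP 655 is connectionless and is not probed, and member-to-member reachability still has to be confirmed on the appliances' own network path.

```python
import ipaddress
import socket

# Ports a cluster member must reach on its peers (see Appendix: Safeguard ports).
REQUIRED_TCP_PORTS = (443, 655)
REQUIRED_UDP_PORT = 655   # connectionless: a TCP connect cannot confirm it


def tcp_reachable(host, port, timeout=3.0):
    """Default probe: a plain TCP connect from this workstation."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def ip_version(address):
    """4 or 6 for an IP literal; raises ValueError for anything else."""
    return ipaddress.ip_address(address).version


def preflight(primary, replicas, probe=tcp_reachable):
    """Check the enrollment considerations that can be verified up front.

    primary / replicas: dicts with "address" (an IP literal) and "build"
    (the appliance build string; its format here is assumed).
    Returns a list of problems; an empty list means it is safe to proceed.
    """
    problems = []
    # Only one appliance can be enrolled at a time.
    if len(replicas) != 1:
        problems.append(f"enroll one replica at a time, not {len(replicas)}")
    try:
        primary_family = ip_version(primary["address"])
    except ValueError:
        problems.append(f"primary address {primary['address']!r} is not an IP literal; resolve it first")
        primary_family = None
    # The primary must accept 443 and 655 from the replica side as well.
    for port in REQUIRED_TCP_PORTS:
        if not probe(primary["address"], port):
            problems.append(f"{primary['address']}: TCP port {port} not reachable")
    for replica in replicas:
        name = replica["address"]
        # Same build (patch level) on every member before clustering.
        if replica["build"] != primary["build"]:
            problems.append(f"{name}: build {replica['build']} differs from primary build {primary['build']}")
        # IPv4 or IPv6, not mixed.
        try:
            family = ip_version(name)
            if primary_family is not None and family != primary_family:
                problems.append(f"{name}: IPv{family} address mixed with IPv{primary_family} primary")
        except ValueError:
            problems.append(f"{name}: not an IP literal; resolve it first")
        for port in REQUIRED_TCP_PORTS:
            if not probe(name, port):
                problems.append(f"{name}: TCP port {port} not reachable")
    return problems


if __name__ == "__main__":
    # Constructed inputs; the real check would use the live appliances' addresses.
    primary = {"address": "10.0.0.10", "build": "2.5.0.1234"}
    replica = {"address": "10.0.0.11", "build": "2.5.0.1234"}
    for problem in preflight(primary, [replica]) or ["no problems found (UDP 655 not verified)"]:
        print(problem)
```

Run it before step 4 of the enrollment procedure; a non-empty list is a reason to stop, since a failed enroll leaves the replica in Maintenance mode and the cluster locked until the operation completes or is backed out.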

    To enroll a replica

    1. It is recommended that you make a backup of your primary appliance before enrolling replicas to a cluster.
    2. Log into the primary appliance as an Appliance Administrator.
    3. In Administrative Tools, navigate to Settings | Cluster | Cluster Management.
    4. Click Add Replica to join a Safeguard for Privileged Passwords Appliance to a cluster.
    5. In the Add Replica dialog, enter a network DNS name or the IP address of the replica appliance into the Network Address field and click Connect.
    6. Safeguard for Privileged Passwords connects to the replica and displays the login screen for the replica appliance.

      1. Enter a valid account with Appliance Administrator permissions.
      2. In the Add Replica confirmation dialog, enter the words Add Replica and click OK to proceed with the operation.

      Safeguard for Privileged Passwords displays a synchronizing icon and a lock icon next to the appliance it is enrolling and puts the replica appliance in Maintenance mode while it is enrolling into the cluster.

      On all of the appliances in the cluster, you will see an "enrolling" banner at the top of the cluster view, indicating that a cluster-wide operation is in progress and all appliances in the cluster are locked down.

      Once the maintenance operation (enroll replica operation) is complete, the diagram in the cluster view (left pane) shows the link latency on the connector. The appliances in the cluster are unlocked and users can once again make access requests.

    7. Log into the replica appliance as the Appliance Administrator.

      Notice that the appliance has a state of Replica (meaning it is in Read-Only mode) and contains the objects and security policy configuration defined on the primary appliance.
