One Identity Safeguard 2.5 - Administration Guide


Asset administrator permissions

An asset administrator manages all partitions, assets, and accounts:

  • Creates (or imports) local assets and accounts.
  • Creates partitions and partition profiles.
  • Delegates partition ownership to users.

    NOTE: A delegated partition owner has a subset of permissions that an Asset Administrator has. That is, the delegated partition owner is authorized to manage a specific partition and the assets and accounts assigned to that partition.

  • Assigns assets to partitions.
  • Manages account password rules.

NOTE: Asset Administrators can only view the user object history for their own account.

Table 255: Asset administrator: Permissions
Navigation Permissions

Dashboard | Account Automation

Full control for accounts related to all Safeguard for Privileged Passwords assets.

NOTE: Delegated partition owners have control for accounts related to the assets and directories managed through the delegated partition profile.

Activity Center

View and export asset activity events.

Administrative Tools | Toolbox

Access to the Accounts, Assets, Partitions and Users views.

Access to the Tasks pane.

Administrative Tools | Accounts

Add, modify, delete and import accounts.

Check, change, and set account passwords.

Access password archive.

Enable or disable the access request services for an account.

Administrative Tools | Assets

Add, modify, delete and import assets.

Configure and manage asset discovery jobs.

Download SSH Key.

Administrative Tools | Partitions

Add, modify and delete partitions and partition profiles.

Set partition as default.

Add assets to the scope of a partition profile.

Administrative Tools | Settings:

  • Asset Management | Account Discovery

Add, modify and delete account discovery settings.

  • Messaging

Login notification: View only.

Set message of the day.

  • Profile | Account Password Rules

Add, modify and delete account password complexity rules.

  • Profile | Change Password

Add, modify and delete change password settings.

  • Profile | Check Password

Add, modify and delete check password settings.

  • Profile | Password Sync Groups

Add, modify, and delete password sync groups.

  • Safeguard for Privileged Passwords Access | Password Rules
View only.

Administrative Tools | Users

Delegate partition ownership to users.

Auditor permissions

The Auditor administrator has read-only access to all features, which gives this role the ability to review all access request activity:

  • Monitors appliance information.
  • Reviews everything.
  • Exports object history.
  • Runs entitlement reports.

Table 256: Auditor administrator: Permissions
Navigation Permissions

Dashboard

View only.

Activity Center

View and export activity events.

Audit access request workflow.

Reports

View and export entitlement reports.

Administrative Tools | Toolbox

Access to all Administrative Tools views and the Tasks pane.

Administrative Tools | Accounts

View only.

Administrative Tools | Account Groups

View only.

Administrative Tools | Assets

View asset discovery jobs.

Administrative Tools | Asset Groups

View only.

Administrative Tools | Directories

View only.

Administrative Tools | Entitlements

View only.

Administrative Tools | Partitions

View only.

Administrative Tools | Settings:

  • Access Request
View only.
  • Appliance

View Appliance Information.

Run diagnostics on appliance.

View licensing information.

View Lights Out Management (BMC) settings.

View Networking settings.

View Time settings.

View update history.

  • Backup and Retention
View only.
  • Certificates
View only.
  • Cluster
View only.
  • Asset Management
View only.
  • External Integration
View only.
  • Messaging

Login notification: View only.

Set message of the day.

  • Profile

View only.

  • Safeguard for Privileged Passwords Access
View only.
  • Sessions
View only.

Administrative Tools | Users

View only.

Administrative Tools | User Groups

View only.

Authorizer administrator permissions

The "permissions" administrator:

  • Creates (or imports) Safeguard for Privileged Passwords users.
  • Adds directory groups, including the associated directory users, if a directory has been added to Safeguard for Privileged Passwords.
  • Grants administrator permissions to users.
  • Sets passwords, unlocks, and enables or disables both local and directory user accounts.
  • Creates and maintains the Password Rules.

NOTE: Also has User Administrator and Help Desk Administrator permissions.

Important: Authorizer Administrators can change the permissions for their own account, which may affect their ability to grant permissions to other users. When you make changes to your own permissions, they take effect the next time you log in.

Table 257: Authorizer administrator: Permissions
Navigation Permissions

Activity Center

View and export user activity events, including authentication events.

Administrative Tools | Toolbox

Access to the Users and User Groups views.

Access to the Tasks pane.

Administrative Tools | Settings:

  • External Integration | Identity and Authentication
View-only access to directories used for identity and authentication. External Federation and Radius providers can be configured for authentication use.
  • Messaging

Login notification: View only.

Set message of the day.

  • Safeguard for Privileged Passwords Access | Password Rules
Configure user password rules.

Administrative Tools | Users

Add, modify, delete, and import users.

Set administrator permissions.

Set passwords and unlock administrator accounts.

Delete administrator users.

Enable or disable administrator users.

Administrative Tools | User Groups

Add or delete directory groups, if a directory has been added to Safeguard for Privileged Passwords.

Directory administrator permissions

The Directory administrator configures and manages directory integration and synchronization, including adding directory accounts to make them available for password request policies. This administrator also manages the profiles that govern the password validation and reset settings for the accounts assigned to each directory, and which account password rule to use.

  • Adds directories and their associated accounts.
  • Creates directory profiles.
  • Defines directory account password rules.
  • Configures directory account password settings.

Table 258: Directory administrator: Permissions
Navigation Permissions

Dashboard | Account Automation

Full control for accounts related to the directories managed by Safeguard for Privileged Passwords.

NOTE: Delegated partition owners have control for accounts related to the assets and directories managed through the delegated partition profile.

Activity Center

View and export directory activity events.

Administrative Tools | Toolbox

Access to the Directories view.

Access to the Tasks pane.

Administrative Tools | Directories

Add, modify or delete directories.

Add directory accounts to directories.

Enable or disable access request services for directory accounts.

Set directory account passwords.

Access password archive.

Define and maintain directory account discovery jobs.

Add and maintain directory profiles.

Administrative Tools | Settings:

  • Messaging

Login notification: View only.

Set message of the day.

  • Profile | Directory Account Password Rules

Add, modify or delete directory account password rules.

  • Profile | Directory Change Password

Add, modify or delete directory change password settings.

  • Profile | Directory Check Password

Add, modify or delete directory check password settings.

  • Safeguard Access | Password Rules

View only.