
One Identity Safeguard for Privileged Passwords 2.5 - Administration Guide


Privileged access requests

One Identity Safeguard for Privileged Passwords provides a workflow engine that supports time restrictions, multiple approvers, reviewers, emergency access, and expiration of policy. It also includes the ability to input reason codes and integrate directly with ticketing systems.

In order for a request to progress through the workflow process, authorized users perform "assigned" tasks. These tasks are performed from the user's Home page in the desktop client or web client.

As a Safeguard for Privileged Passwords user, your Home page provides a quick view to the access request tasks that need your immediate attention. In addition, Safeguard for Privileged Passwords can be configured to alert you when you have pending tasks awaiting your attention. For more information, see Configuring alerts.

The access request tasks you see on your Home page depend on the rights and permissions you have been assigned by an entitlement's access request policies. For example:

  • Designated "requesters" see tasks related to submitting new access requests, as well as actions to be taken once a request has been approved (for example, viewing passwords, copying passwords, launching sessions and checking in completed requests).

    Requesters can also define favorite requests, which then appear on their Home page for subsequent use. For more information, see Creating, editing, or removing a favorite request.

  • Designated "approvers" see tasks related to approving (or denying) and revoking access requests.
  • Designated "reviewers" see tasks related to reviewing completed (checked in) access requests, including playing back a session if session recording is enabled.

Password release requests and session requests use the same workflow engine; however, the actions taken on a session request are slightly different than those taken on a password release request. Therefore, we will cover each of these access request workflows separately:

Creating, editing, or removing a favorite request

If designated as a requester, Safeguard for Privileged Passwords allows you to add an access request as a Favorite to your Home page. Favorites are unique for the user; they are available when you log into the desktop client or the web client.

You can create a favorite request from your Favorites pane on your Home page or from the New Access Request dialog when creating or editing an access request.

To create a favorite request from your Home page

  1. In the Favorites pane, click New Favorite.
  2. In the New Access Request dialog, specify the assets, accounts, and type of asset to be included in the access request.

    1. On the Asset Selection tab, select the assets to be included in the access request.
    2. On the Account & Access Type tab, select the accounts to be included in the access request and the type of access being requested for each selected account.

      • Account: The available account appears in the Account column. When an asset has multiple accounts available, click Select Account(s) to select an account from the displayed list.
      • Access Type: The type of access request appears in the Access Type column. When multiple access request types are available, this value appears as a hyperlink. Click this hyperlink to select the access type.
  3. Click the Add to Favorites button.
  4. In the Add to Favorites dialog, specify the following:

    1. Name: Enter a name for the request. (Required)

    2. Description: Enter descriptive text about the request.
    3. Color: Select the icon color to be used to display the request in your Favorites pane.

    Click Add.

    The dialogs will close and the new favorite will be added to the Favorites pane on your Home page.

To create a favorite request from the New Access Request dialog

  1. At the bottom of the New Access Request dialog, click the Add to Favorites button when you are creating a new request. The Add to Favorites button is enabled when you have selected the minimum required information (that is, at least one asset, account, and an access type) for the access request.

  2. In the Add to Favorites dialog, specify the following:

    1. Name: Enter a name for the request. (Required)

    2. Description: Enter descriptive text about the request.
    3. Color: Select the icon color to be used to display the request in your Favorites list.
  3. Click Add.

To change a favorite request's icon color

  1. At the top of the Favorites pane, click the button to display the Color Selected button.
  2. Select the check box to the left of the favorite request to be changed. Selecting a favorite request, instead of the check box, displays the New Access Request dialog to edit and submit the access request.

  3. Click Color Selected.
  4. In the Settings dialog, choose a color and select OK.

    The icon for the favorite now appears in the color you selected.

To remove a favorite request

  1. At the top of the Favorites pane, click the button to display the Remove Selected button.

  2. Select the check box to the left of the favorite request to be removed. Selecting a favorite request, instead of the check box, displays the New Access Request dialog to edit and submit the access request.

  3. Click the Remove Selected button.
  4. Select Yes to confirm.

Configuring alerts

All users are subscribed to the following email notifications; however, users will not receive email notifications unless they have been included in a policy as a requester (user), approver, or reviewer.

  • Access Request Approved
  • Access Request Denied
  • Access Request Expired
  • Access Request Pending Approval
  • Access Request Revoked
  • Password was Changed
  • Review Needed

There are two ways to configure One Identity Safeguard for Privileged Passwords to send event alerts to Safeguard for Privileged Passwords users:

Table 27: Notification types

| Notification | Description |
|---|---|
| Toast notifications | Configure alerts that appear on your console when the desktop client application is not the active foreground application. |
| Email notifications | Configure email notifications. |

Toast notifications

Toast notifications are alerts that appear on your console when the desktop client application is not the active foreground application; for example, when you are in another application or when you have minimized the One Identity Safeguard for Privileged Passwords desktop client.

To enable toast notifications

  1. Open Console Settings.
  2. Select the Enable Toast Notifications check box.

Note: When you select the Run in the System Tray check box, you cannot modify the toast notifications option because in that mode, you always get notifications.
