Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 2.5 - Administration Guide

Introduction System requirements Installing the One Identity Safeguard for Privileged Passwords desktop client Setting up Safeguard for Privileged Passwords for the first time Getting acquainted with the console Privileged access requests Toolbox Accounts Account Groups Assets Asset Groups Directories Entitlements Partitions Settings
Access Request settings Appliance settings Asset Management settings Backup and Retention settings Certificate settings Cluster settings External Integration settings Messaging settings Profile settings Access settings Sessions settings
Users User Groups Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions
How do I access the API How do I audit transaction activity How do I configure external federation authentication How do I manage accounts on unsupported platforms How do I modify the appliance configuration settings How do I prevent Safeguard for Privileged Passwords messages when making RDP connections How do I see which assets and/or accounts are governed by a profile How do I set the appliance system time How do I setup discovery jobs How do Safeguard for Privileged Passwords database servers use SSL What are the access request states What do I do when an appliance goes into quarantine What is required for One Identity Safeguard for Privileged Passwords, embedded sessions module What is required to integrate with Starling Identity Analytics & Risk Intelligence What needs to be set up to use Application to Application What role-based email notifications are generated by default When does the rules engine run for dynamic grouping and tagging Why did the password change during an open request Why join Safeguard for Privileged Passwords to One Identity Starling
Safeguard Desktop Player Appendix: Safeguard ports

Exporting data

You can export history, activity log, or access request data to a file.

To export data

  1. Click  Export to create a file in a location of your choice of all data in the results grid.
    • When you export historical information from a History tab or License history, Safeguard for Privileged Passwords creates a .csv file.
    • When you export activity log data from the Activity Center and Reports, Safeguard for Privileged Passwords creates a .json file.

    • When you export access request data from the Access Requests view, Safeguard for Privileged Passwords creates a .csv file.
  2. Open a .csv file in a spreadsheet program such as Microsoft Excel where you can perform data searches.
  3. JSON is a language-independent data format. Code for parsing and generating JSON data is readily available in many programming languages.

Managing accounts

Use the controls and tabbed pages on the Accounts page to perform the following tasks to manage Safeguard for Privileged Passwords accounts:

Adding an account

It is the responsibility of the Asset Administrator to add assets and accounts to Safeguard for Privileged Passwords.

Note: Safeguard for Privileged Passwords allows you to set up account discovery jobs that run automatically. For more information, see Account and service discovery job workflow.

To add an account

  1. Navigate to Administrative Tools | Accounts.
  2. Click  Add Account from the toolbar.
  3. In the Account dialog, supply the following information:

    • Asset Name: Browse to select an asset to associate with this account.

      NOTE: While an asset can have multiple accounts, you can only associate an account with one asset.

    • Name: Enter the login user name for this account.

      Limit: 100 characters

    • Description: (Optional) Enter information about this managed account.

      Limit: 255 characters

    • Profile: Browse to select a profile to govern this account.

      NOTE: By default an account inherits the profile of its associated asset, but you can assign it to a different profile for this partition. For more information, see Assigning assets or accounts to a partition profile.

    • Enable Password Request: This check box is selected by default indicating that password release requests are enabled for this account. Clear this option to prevent someone from requesting the password for this account.

      NOTE: By default a user can request the password for any account in the scope of the entitlements in which he or she is an authorized "user".

    • Enable Session Request: This check box is selected by default indicating that session access requests are enabled for this account. Clear this option to prevent someone from requesting session access using this account.

      NOTE: By default a user can make an access request for any account in the scope of the entitlements in which he or she is an authorized "user".

Note: When you add an account to Safeguard for Privileged Passwords you are not adding it to the asset, you are simply adding an existing account to the Safeguard for Privileged Passwords database. The new account displays on the Accounts list.

Related Topics

Checking, changing, or setting an account password

Assigning assets or accounts to a partition profile

Account and service discovery job workflow

Adding a cloud platform account

Adding a cloud platform account

One Identity Safeguard for Privileged Passwords can manage cloud platform accounts such as Facebook, Twitter, Amazon Web Services (AWS), etc.

Before you add cloud platform accounts to Safeguard for Privileged Passwords, you must first add an asset with which to associate the accounts.

To add a cloud platform to Safeguard for Privileged Passwords

  1. Log into Safeguard for Privileged Passwords and navigate to Administrative Tools.
  2. In Assets, click  Add Asset from the toolbar.
  3. In the General tab,
    1. Name: Enter an asset name that is meaningful to you, such as "Cloud Account Server" which you can use to manage all cloud platform accounts. (You might add separate assets for Facebook accounts and Twitter accounts.)
    2. Description: (Optional) Enter a description for the asset.
    3. Partition: Select the partition you want Safeguard for Privileged Passwords to use to manage the cloud platform account passwords.
    4. Profile: Select the profile you want Safeguard for Privileged Passwords to use to manage the cloud platform account passwords.
  4. In the Management tab,

    1. Product: Select the appropriate product, such as Amazon Web Services, Facebook, or Twitter.
    2. Version: For Amazon Web Services, select the version.
    3. Network Address: For Amazon Web Services, enter the AWS Account ID or Alias which can be found on the AWS IAM User's view.
  5. For Amazon Web Services, in the Connection tab, select:

    1. Access Key to authenticate to the asset using an access key. Enter the following information:

      • Service Account Name: Enter the configured IAM service account.
      • Access Key ID: Enter the Access Key ID created for the IAM service account.
      • Secret Key: Enter the Secret Key created for the IAM service account.

      -OR-

    2. None to not authenticate to the asset and manually manage the asset.
  6. For Facebook and Twitter, in the Connection tab, select Account Password to authenticate using the current account password.

Once you add the cloud platform asset, you can associate accounts with it.

To add an account to the cloud platform

  1. In Assets, select the cloud platform asset and switch to the Accounts tab.
  2. Click  Add Account from the details toolbar.
  3. In the User Name field, enter the cloud platform account username, email address, or phone number. For example, for a Twitter account, enter the "@User" account name.
  4. In the Password field, enter the account password for the user name you provided.
  5. Click Test Connection to verify that Safeguard for Privileged Passwords can communicate with this cloud platform using the credentials that you have provided.
  6. Optionally enter a Description.
  7. Browse to select a profile to govern this account
  8. Ensure the Enable Password Request option is checked and click Add Account.

Now you can manually check, change, or set the cloud platform account password; and, Safeguard for Privileged Passwords can automatically manage the password according to the Check and Change settings in the profile governing the account.

To resolve a Twitter requirement for additional verification

Twitter may prompt for additional verification on the next login if suspicious activity is detected (for example, the login originated from a new device or there were too many failed logins from a device). The additional verification may require entry of the email address associated with the Twitter account or entry of a temporary password sent via email. Safeguard for Privileged Passwords detects the Twitter prompt and displays the login requirement in a status message when the password change fails. The Activity Center Event may display Password Change Failed with the following Checking detail: Additional account verification requested:’RetypeEmail’.

To resolve the request for verification so that Twitter trusts the Safeguard for Privileged Passwords Appliance:

  1. Open a browser on the same network as the Safeguard for Privileged Passwords Appliance.
  2. Log into Twitter as the account.
  3. Enter the additional verification requested.

To checkout the cloud platform account

  1. Add a cloud platform Account Group and add the accounts to the group.
  2. Add an entitlement for the cloud platform accounts.
  3. Add users to the entitlements.
  4. Add a password release policy to the entitlement.
  5. Add the cloud platform Account Group to the scope of the policy.
Related Documents