One Identity Safeguard 2.5 - Administration Guide


Add Condition

In the Rule dialog of the Discovery dialog, use Add Condition to add one or more search conditions.

A discovery rule can have more than one condition and each condition can have one or more constraints. When you select Preview, Safeguard for Privileged Passwords considers all the search constraints in the current condition and returns the assets it finds based only on that condition.

When Safeguard for Privileged Passwords runs the discovery job, it finds all assets that meet all of the search conditions.

To add a condition to Find All

  1. In the Rule dialog, select Add Condition.
  2. In the Condition dialog,
    1. Find By: Choose Find All.
    2. Filter Search Location: Browse to select a container within the directory to search for assets. The Filter Search Location is only available for Directory discovery jobs.

  3. Click Preview to test the conditions you have configured.

    Preview displays a list of assets Safeguard for Privileged Passwords will find in the directory or network you specified in the Information tab based on these conditions.

  4. Click OK to save your selections.

To add a condition with constraints

  1. In the Rule dialog, select Add Condition.
  2. In the Condition dialog, in Find By: Choose Constraints. You will enter the search criteria to use.
  3. To change the Filter Search Location, click Browse and select the search location.
  4. Optionally, select Include objects from sub containers to search for assets in sub-containers.

  5. To apply constraints (search criteria):
    1. Select a property:

      • Name
      • Description
      • Network Address
      • Operating System
      • Operating System Version

      NOTE: For Network Scan, you can only apply constraints on the information the network finds, which is Name and Operating System.

    2. Select an operation:

      • Equals
      • Not Equals
      • Starts With
      • Ends With
      • Contains
    3. Type a value of up to 255 characters. The search is case sensitive and does not allow wild cards.
  6. Click Preview to test the conditions you have configured.

    Preview displays a list of assets Safeguard for Privileged Passwords will find in the directory or network you specified in the Information tab based on these conditions.

  7. You can add or delete search constraints:
    1. Click Add to add additional constraints to your search criteria.
    2. Click Delete to remove the corresponding constraint from your search criteria.
  8. Click OK to save your selections.
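
The constraint rules above can be dry-run against an exported asset list to show why a rule misses hosts (case sensitivity, literal matching, the Network Scan property limit). This is an added example, not One Identity code; the inventory is constructed, and treating `*` and `?` as the wild card characters and requiring every constraint within a condition to match are assumptions.

```python
from dataclasses import dataclass

# The five operations the guide lists; Python string comparison is case sensitive.
OPERATIONS = {
    "Equals": lambda have, want: have == want,
    "Not Equals": lambda have, want: have != want,
    "Starts With": lambda have, want: have.startswith(want),
    "Ends With": lambda have, want: have.endswith(want),
    "Contains": lambda have, want: want in have,
}
PROPERTIES = {"Name", "Description", "Network Address",
              "Operating System", "Operating System Version"}
NETWORK_SCAN_PROPERTIES = {"Name", "Operating System"}  # per the NOTE above
MAX_VALUE_LENGTH = 255

@dataclass(frozen=True)
class Constraint:
    prop: str
    operation: str
    value: str

def validate(constraint, job_type="Directory"):
    """Return the reasons a constraint would not behave as intended."""
    problems = []
    allowed = NETWORK_SCAN_PROPERTIES if job_type == "Network Scan" else PROPERTIES
    if constraint.prop not in allowed:
        problems.append(f"{constraint.prop} is not available for {job_type}")
    if constraint.operation not in OPERATIONS:
        problems.append(f"unknown operation {constraint.operation}")
    if len(constraint.value) > MAX_VALUE_LENGTH:
        problems.append("value is longer than 255 characters")
    if any(ch in constraint.value for ch in "*?"):  # assumed wild card characters
        problems.append("wild cards are not allowed")
    return problems

def condition_matches(asset, constraints):
    """Assumption: an asset must satisfy every constraint in a condition."""
    return all(OPERATIONS[c.operation](asset.get(c.prop, ""), c.value)
               for c in constraints)

def discover(assets, conditions):
    """Per the guide, a job finds the assets that meet all of its conditions."""
    return [a["Name"] for a in assets
            if all(condition_matches(a, cond) for cond in conditions)]

# Constructed sample inventory (hypothetical hosts, not from the guide).
SAMPLE_ASSETS = [
    {"Name": "web-prod-01", "Operating System": "Linux"},
    {"Name": "WEB-prod-02", "Operating System": "Linux"},
    {"Name": "db-prod-01", "Operating System": "Windows Server"},
]
```
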

To add a condition (Filter Search Base) for LDAP or Active Directory

Search base limits the search to the defined branch of the specified directory, including sub containers if that option is selected. This condition is only available for a Directory discovery job (LDAP or Active Directory directories).

  1. In the Rule dialog, select Add Condition.
  2. In the Condition dialog,
    1. Find By: Choose LDAP Filter and enter the search criteria to be used. 
    2. Filter Search Location: Browse to select a container within the directory to search for assets.

      TIP: Do not select the Directory Root for asset discovery jobs.

    3. Include objects from sub containers: Optionally select this check box to search for assets in sub-containers.
  3. Click Preview to test the conditions you have configured.
  4. Click OK to save your selections.

To add a condition (Group) for a Directory

This condition is only available for a Directory discovery job.

  1. In the Rule dialog, select Add Condition.
  2. In the Condition dialog,
    1. Find By: Choose Group.
    2. Click Add to launch the Group dialog.
    3. Contains: Enter a full or partial group name and click Search. You can only enter a single string (full or partial group name) at a time.

    4. Filter Search Location: Browse to select a container to search within the directory.
    5. Include objects from sub containers: Select this check box to include child objects.
    6. Select the group to add: The results of the search display in this grid. Select one or more groups to add to the discovery job.
  3. Click Preview to test the conditions you have configured.

    Preview displays a list of assets Safeguard for Privileged Passwords will find in the directory or network you specified in the Information tab based on these conditions.

  4. Click OK to save your selections.

Add Connection

You must configure how you want Safeguard for Privileged Passwords to connect to and communicate with the discovered assets.

Discovery details
  • Once Safeguard for Privileged Passwords creates an asset, it will not attempt to re-create it or modify the asset if the asset is rediscovered by a different job.
  • Any SSH host keys encountered in discovery will be automatically accepted.
  • You can configure multiple rules for an asset discovery job. When Safeguard for Privileged Passwords runs the discovery job, if it finds an asset with more than one rule, it applies the connection and profile settings of the first rule that discovers the asset.

To add connection information

  1. In the Rule dialog, click Edit next to Connection.
  2. In the Connection dialog, select an Authentication Type:

    • SSH Key: To authenticate to the asset using an SSH authentication key.

      Browse to select an SSH Key and provide the account name.

    • Directory Account: To authenticate to the assets using the account from an external identity store such as Microsoft Active Directory, select the service account. Click Select Account to choose the directory account.

    • Password: To authenticate to the assets using a local service account and password. Enter the account name and password.

    • None: To authenticate to the assets manually.
  3. To verify the connection setting, click Test Connection.

    Test Connection returns a list of assets Safeguard for Privileged Passwords will find in the directory you set in the Information tab.

  4. Choose an asset and click OK.
  5. If asked to Verify Host Authenticity, click Yes to accept the SSH Key for the host.
  6. You can click Test Connection again to verify the connection setting on another asset or OK to return to the Rule dialog to continue configuring the discovery rule. Assets that fail the test connection during the asset discovery are created with an authentication type of NONE.
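
Because discovery accepts SSH host keys automatically, a follow-up check is to compare the keys each discovered host presents with fingerprints recorded out of band. This is an added example, not One Identity code; it assumes the observed keys are available as `<host> <keytype> <base64>` lines (the format ssh-keyscan prints), and all hosts and keys are constructed.

```python
import base64
import hashlib
import struct

def sha256_fingerprint(key_b64):
    """OpenSSH-style fingerprint: SHA-256 of the key blob, base64, no padding."""
    blob = base64.b64decode(key_b64, validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit_host_keys(observed_lines, trusted):
    """Compare '<host> <keytype> <base64>' lines with trusted fingerprints.

    Returns {(host, keytype): 'match' | 'MISMATCH' | 'unverified'}.
    """
    results = {}
    for line in observed_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and ssh-keyscan comment lines
        host, key_type, key_b64 = line.split()[:3]
        expected = trusted.get((host, key_type))
        if expected is None:
            results[(host, key_type)] = "unverified"  # no reference on file
        elif expected == sha256_fingerprint(key_b64):
            results[(host, key_type)] = "match"
        else:
            results[(host, key_type)] = "MISMATCH"  # investigate before use
    return results

def constructed_key(seed):
    """Build a well-formed ssh-ed25519 public key blob from a seed (demo only)."""
    def field(data):
        return struct.pack(">I", len(data)) + data
    blob = field(b"ssh-ed25519") + field(hashlib.sha256(seed).digest())
    return base64.b64encode(blob).decode()

# Constructed sample data: hypothetical hosts and keys, not real systems.
KEY_WEB, KEY_DB, KEY_DB_SEEN, KEY_NEW = (
    constructed_key(s) for s in (b"web", b"db", b"db-changed", b"new"))
OBSERVED = [
    "# keys gathered after a discovery run",
    f"web-prod-01 ssh-ed25519 {KEY_WEB}",
    f"db-prod-01 ssh-ed25519 {KEY_DB_SEEN}",
    f"app-new-01 ssh-ed25519 {KEY_NEW}",
]
TRUSTED = {  # fingerprints recorded out of band, e.g. at build time
    ("web-prod-01", "ssh-ed25519"): sha256_fingerprint(KEY_WEB),
    ("db-prod-01", "ssh-ed25519"): sha256_fingerprint(KEY_DB),
}
```
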

Add Profile

During discovery, Safeguard for Privileged Passwords automatically adds the assets that it finds and begins to manage them according to the settings in the profile you set on the Rules tab.

Discovery details
  • Once Safeguard for Privileged Passwords creates an asset, it will not attempt to re-create it or modify the asset if the asset is rediscovered by a different job.
  • Any SSH host keys encountered in discovery will be automatically accepted.
  • You can configure multiple rules for an asset discovery job. When Safeguard for Privileged Passwords runs the discovery job, if it finds an asset with more than one rule, it applies the connection and profile settings of the first rule that discovers the asset.

To add the profile information

  1. Click Edit next to Profile.

  2. Browse to select a profile to govern the discovered assets.

    Note: You can only choose a profile that is associated with the partition selected in the General tab.

  3. Click OK to save your selection.

Schedule tab

From the Discovery dialog, Schedule tab, configure when you want to run the asset discovery job.

To schedule an asset discovery job

  1. On the Schedule tab,

    1. Interval: Choose Never, Minute (best practice: do not use), Hour, Day, Week, or Month.

      NOTE: If you selected Never, click Next to proceed to the Summary tab. For all other intervals, proceed with step 1b.

    2. Time of day: Set the start time.
    3. Repeat interval: Select the interval you would like to repeat the asset discovery job.

      • If Weekly, select which days of the week to run the asset discovery job.
      • If Monthly, set the task recurrence pattern: Day of month or week of month and day of week.
    4. Time Zone: Select the time zone.