One Identity Safeguard 2.5 - Administration Guide

History tab

The Administrative Tools | Directories | History tab allows you to view or export the details of each operation that has affected the selected directory.

The History tab contains the following information:

  • Items: Total number of entries in the history log.
  • Search: For more information, see Search box.
  • Time Frame: By default the history details are displayed for the last 24 hours. Click one of the time intervals at the top of the grid to display history details for a different time frame. If the display does not refresh after selecting a different time interval, click Refresh.
Table 94: Directories: History tab properties

  • Date/Time: The date and time of the event.
  • User: The display name of the user that triggered the event.
  • Source IP: The network DNS name or IP address of the managed system that triggered the event.
  • Object Name: The name of the selected directory.
  • Event: The type of operation made to the selected directory:
      • Create
      • Delete
      • Update
      • Add Membership
      • Remove Membership

    NOTE: A membership operation indicates a "relationship" change with a related or parent object, such as when you add or delete an account dependency. For more information, see Adding account dependencies.

  • Related Object: The name of the related object.
  • Related Object Type: The type of the related object.
  • Parent: The name of the object of which the selected directory is a child.
  • Parent Object Type: The parent object type.

Select an event to display the following additional information, which is available for some event types (for example, create and update events).

Table 95: Additional History tab properties

  • Property: The property that was updated.
  • Old Value: The value of the property before it was updated.
  • New Value: The new value of the property.
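The History tab fields above can be reviewed automatically once exported. The following is an added example, not code from the Safeguard guide: it scans constructed history rows shaped like Tables 94 and 95 (property names are the General tab fields, all values are placeholders) and reports the changes a directory administrator would want to review, such as SSL verification being turned off or a service account being swapped.

```python
"""Scan exported Directories History rows for changes worth reviewing.
Added example, not from the Safeguard guide. SAMPLE mirrors the columns of
Tables 94 and 95 with constructed placeholder values."""

# Property/old/new combinations that weaken transport security of the directory.
WEAKENING_UPDATES = {
    ("Use SSL Encryption", "True", "False"),
    ("Verify SSL Certificate", "True", "False"),
}
# Properties whose change alters which credential or server the appliance trusts.
SENSITIVE_PROPERTIES = {
    "Service Account Domain Name", "Network Address", "Service Account Name",
    "Service Account Distinguished Name", "Service Account Password", "Port",
}

def flag_entry(entry: dict):
    """Return a review message for one history row, or None if it is routine."""
    event, who = entry["Event"], f'{entry["User"]} from {entry["Source IP"]}'
    target = entry["Object Name"]
    if event == "Update":
        change = (entry.get("Property"), entry.get("Old Value"), entry.get("New Value"))
        if change in WEAKENING_UPDATES:
            return f"{target}: {change[0]} turned off by {who}"
        if change[0] in SENSITIVE_PROPERTIES:
            return f"{target}: {change[0]} changed by {who}"
    elif event == "Delete":
        return f"{target}: directory deleted by {who}"
    elif event in ("Add Membership", "Remove Membership"):
        # Membership rows record a dependency/relationship change with a related object.
        return f"{target}: {event} of {entry.get('Related Object')} by {who}"
    return None  # Create and other updates (for example, Description) are routine

def audit(entries: list) -> list:
    """All review messages for a history export, in log order."""
    return [msg for msg in map(flag_entry, entries) if msg]

# Constructed sample rows (not real appliance output).
SAMPLE = [
    {"Date/Time": "2019-05-01 09:00", "User": "dirAdmin", "Source IP": "10.0.0.5",
     "Event": "Create", "Object Name": "example.com"},
    {"Date/Time": "2019-05-02 22:14", "User": "contractor1", "Source IP": "10.0.9.77",
     "Event": "Update", "Object Name": "ldap.example.com",
     "Property": "Verify SSL Certificate", "Old Value": "True", "New Value": "False"},
    {"Date/Time": "2019-05-02 22:15", "User": "contractor1", "Source IP": "10.0.9.77",
     "Event": "Update", "Object Name": "ldap.example.com",
     "Property": "Service Account Distinguished Name",
     "Old Value": "cn=dev-sa,ou=people,dc=example,dc=com",
     "New Value": "cn=tmp-sa,ou=people,dc=example,dc=com"},
    {"Date/Time": "2019-05-03 08:00", "User": "dirAdmin", "Source IP": "10.0.0.5",
     "Event": "Add Membership", "Object Name": "example.com",
     "Related Object": "svc-backup", "Related Object Type": "Account"},
]
```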

Managing Directories

Use the controls and tabbed pages on the Directories page to perform the following tasks to manage directories:

Adding a directory

It is the responsibility of the Directory Administrator to add directories to Safeguard for Privileged Passwords.

Use the Directories view to add new directories to Safeguard for Privileged Passwords.

To add a directory

  1. Navigate to Administrative Tools | Directories.
  2. Click Add Directory from the toolbar.
  3. In the Directory dialog, provide information in each of the tabs:
    General tab

    Where you select the type of directory and add its service account information.

    Attributes tab

    Where you synchronize the attributes in Safeguard for Privileged Passwords to the directory schema attributes.

When you create a new directory, Safeguard for Privileged Passwords creates a corresponding default profile with default schedules and rules.

Related Topics

Adding directory accounts to a directory

Adding accounts to a directory profile

Modifying a directory

General tab

Use the Administrative Tools | Directories | General tab to specify the type of directory to be searched and add the required service account information.

Table 96: Directory: General tab properties
Property Description
Product

Select a type of directory:

  • Microsoft Active Directory
  • OpenLDAP 2.4

Required

Service Account Domain Name

For Active Directory, enter the fully qualified Active Directory domain name, such as example.com.

Do not enter the domain controller hostname, such as server.example.com; the domain controller's IP address, such as 10.10.10.10; or the NETBIOS domain name, such as EXAMPLE.

The service account domain name is the name of the domain where the service account resides. Safeguard for Privileged Passwords uses DNS-SRV to resolve domain names to actual domain controllers.

Limit: 255 characters

Required

Network Address

For OpenLDAP, enter a network DNS name or the IP address of the LDAP server for Safeguard for Privileged Passwords to use to connect to the managed system over the network.

Limit: 255 characters

Required

Service Account Name

For Active Directory, enter an account for Safeguard for Privileged Passwords to use for management tasks. When you add the directory, Safeguard for Privileged Passwords automatically adds the service account to the directory's Accounts tab and disables it for access requests. If you want the password to be available for release, click Access Requests and select Enable Password Request from the details toolbar. To enable session access, select Enable Session Request.

Add an account that has permission to read all of the domains and accounts that you want to manage with Safeguard for Privileged Passwords.

Safeguard for Privileged Passwords is forest-aware. Using the service account you specify, Safeguard for Privileged Passwords automatically locates all of the domains in the forest and creates a directory object which represents the entire forest. The directory object will have the same name as the forest-root domain regardless of which account you specify.

Required

For more information, see About service accounts.

Service Account Distinguished Name

For OpenLDAP, enter the full distinguished name (DN) of the account for Safeguard for Privileged Passwords to use for management tasks. For example: cn=dev-sa,ou=people,dc=example,dc=com

Required

Limit: 255 characters

Service Account Password

Enter the password Safeguard for Privileged Passwords uses to authenticate to this directory.

Limit: 255 characters

Required

Description

Enter information about this external identity provider.

Limit: 255 characters

Connect

Click Connect to verify the credentials and load the schema attributes for this directory.

Advanced

Open to reveal the following synchronization settings:

Port

For OpenLDAP, enter the port used for communication with the LDAP directory.

For Active Directory, the standard global catalog port, 3268 (LDAP), must be open on the firewall between the SPP appliance and every Windows global catalog server in the environment so that directory management tasks (for example, adding a directory account, a directory user account, or a directory user group) can complete. LDAP uses port 389 for unencrypted connections. For more information, see the Microsoft publication How the Global Catalog Works.

Use SSL Encryption

For OpenLDAP, select to enable Safeguard for Privileged Passwords to encrypt communication with an LDAP directory.

Verify SSL Certificate

For OpenLDAP, select to verify the SSL certificate. This option is only available when the Use SSL Encryption option is selected.

Sync additions every

Enter or select how often you want Safeguard for Privileged Passwords to synchronize directory additions (in minutes). This updates Safeguard for Privileged Passwords with any additions or modifications that have been made to the directory objects, including group membership and user account attributes mapped to Safeguard for Privileged Passwords.

Default: 15 minutes

Range: Between 1 and 2147483647

Sync deletions every

Enter or select how often you want Safeguard for Privileged Passwords to synchronize directory deletions (in minutes). This updates Safeguard for Privileged Passwords with any deletions that have been made to the directory objects, including group membership and user account attributes mapped to Safeguard for Privileged Passwords.

Default: 15 minutes

Range: Between 1 and 2147483647
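Before entering the Active Directory values on the General tab, it helps to check them the way the table above describes. The following is an added example, not code from the Safeguard guide: it rejects the Service Account Domain Name forms the guide says not to enter (an IP address or a NETBIOS name), derives the standard DNS-SRV record names a client resolves to locate domain controllers (well-known AD registrations, not names the guide lists), and probes whether the global catalog port 3268 is reachable. A domain controller host name such as server.example.com cannot be told apart from a domain name syntactically, so it is not caught here.

```python
"""Preflight checks for the Active Directory fields of the Directory General tab.
Added example, not from the Safeguard guide; host names used are placeholders."""
import ipaddress
import socket

GLOBAL_CATALOG_PORT = 3268  # global catalog LDAP port named in the guide
LDAP_PORT = 389             # plain (unencrypted) LDAP port named in the guide


def domain_name_problems(value: str) -> list:
    """Problems with a Service Account Domain Name entry; empty list if it looks right."""
    name = value.strip().rstrip(".")
    problems = []
    if not name or len(name) > 255:
        problems.append("must be 1 to 255 characters")
    try:
        ipaddress.ip_address(name)  # guide: do not enter 10.10.10.10 style values
        return problems + ["is an IP address; enter the DNS domain name (example.com)"]
    except ValueError:
        pass
    labels = name.split(".")
    if len(labels) < 2:  # guide: do not enter the NETBIOS name such as EXAMPLE
        problems.append("single-label name looks like a NETBIOS domain; use example.com form")
    if any(not lbl or not lbl.replace("-", "").isalnum() for lbl in labels):
        problems.append("contains an empty or non-DNS label")
    return problems


def dc_srv_names(domain: str) -> list:
    """SRV names an AD client resolves to find domain controllers
    (standard AD DNS registrations; query them with your resolver)."""
    d = domain.strip().rstrip(".").lower()
    return [f"_ldap._tcp.dc._msdcs.{d}", f"_ldap._tcp.{d}"]


def port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port completes within timeout.
    Run it against each global catalog server with GLOBAL_CATALOG_PORT."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unresolvable, or sockets unavailable
        return False
```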
