One Identity Safeguard 2.5 - Administration Guide


General tab

Use the Directory Account Discovery General tab to specify the following details about the discovery job.

Table 98: Directory Account Discovery: General tab properties

| Property | Description |
| --- | --- |
| Name | Enter a name for the directory account discovery job. Limit: 50 characters. Required. |
| Description | Enter a description of the directory account discovery job. Limit: 255 characters. |
| Directory Profile | Browse to select the Directory Profile you want to govern the accounts the discovery job adds to Safeguard for Privileged Passwords. |

Rules tab

Use the Directory Account Discovery Rules tab to define the search criteria to be used to discover directory accounts.

When using the Property Constraint search option, if multiple values are entered for an individual property (for example, GID), Safeguard for Privileged Passwords uses the 'OR' operator and returns accounts that match any of the specified values.

However, when search values are entered for multiple properties (for example, RID and GID), Safeguard for Privileged Passwords first evaluates the search criteria for each individual property and then chains the results of each individual search using the 'AND' operator, returning only those accounts that meet all of the search properties specified.

To define a new directory account discovery rule

  1. Click Add from the details toolbar.
  2. Provide the following in the Rule dialog:
    Name

    Enter a name for the directory account discovery rule.

    Limit: 50 characters; cannot contain special characters such as an apostrophe.

    Required

    Find By

    Choose one of these search options and enter the search criteria to be used:

    1. Name

      Select this option to search by account name.

      • Filter Search Location: Browse to select a container to search within the directory.
      • Contains: Type a full or partial account name. You can only enter a single string (full or partial account name) at a time. For example, entering "t" will return all account names that begin with the letter "t": Timothy, Tom, Ted, and so on. But entering "Tim, Tom, Ted" will return no results.

    2. Group

      Select this option to search by group name.

      • Click Add to launch the Group dialog.
      • Contains: Enter a full or partial group name and click Search. You can only enter a single string (full or partial group name) at a time.

      • Filter Search Location: Browse to select a container to search within the directory.
      • Include objects from sub containers: Select this check box to include child objects.
      • Select the group to add: The results of the search display in this grid. Select one or more groups to add to the discovery job.
    3. Property Constraint

      Select this option to search for accounts based on an account's property.

      • Filter Search Location: Browse to select a container to search within the directory.
      • RID: Enter one or more Relative Identifier numbers. To enter multiple IDs or ID ranges, you must enter each element of the list separately. For example: enter 1000, enter 5000-7000, then enter 10000. Spaces and commas are not allowed. The RID property applies only to Microsoft Active Directory.

        Limit: 255 numeric characters

      • GID: Enter one or more Group Identifier numbers. To enter multiple IDs or ID ranges, you must enter each element of the list separately. For example: enter 8, enter 10-12, then enter 15. Spaces and commas are not allowed.

        Limit: 255 numeric characters

      • UID: Enter one or more User Identifier numbers. To enter multiple IDs or ID ranges, you must enter each element of the list separately. For example: enter 1, enter 5-7, then enter 10. Spaces and commas are not allowed.

        Limit: 255 numeric characters

      • Name: Enter a single regular expression pattern. For more information, see Regular Expression Language - Quick Reference.

        Limit: 255 alphanumeric characters

      • Group: Enter a single regular expression pattern. For more information, see Regular Expression Language - Quick Reference.

        Limit: 255 alphanumeric characters

    4. LDAP Filter

      Select this option to search for accounts using an LDAP query.

      • Filter Search Location: Browse to select a container to search within the directory.
      • LDAP Filter: Type an LDAP query into the field.
    5. Find All

      This option is selected by default and will find all accounts in the selected directory.

      • Filter Search Location: Browse to select a container to search within the directory.
    Preview

    Click Preview to verify the rule.

    The Preview button displays a list of directory accounts Safeguard for Privileged Passwords will find based on the criteria you set in this rule.

  3. Optionally select the Automatically Manage Found Accounts option to automatically add the discovered accounts to Safeguard for Privileged Passwords.
  4. Click Add Discovery to save the discovery rule.

Safeguard for Privileged Passwords runs the directory account discovery job according to the directory's Synchronization Interval, and displays the accounts it finds in the directory's Discovered Accounts tab.

Note: You can view or modify the Synchronization Interval on the directory's General tab.
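
The following added example (not One Identity code) models how a Property Constraint rule combines its criteria, so you can reason about which accounts a rule will return before selecting Automatically Manage Found Accounts. The account records, function names, and the rejection of reversed ranges are assumptions made for illustration; the element format and the OR/AND behavior follow the descriptions above.

```python
import re

# One element as the guide describes it: a single ID ("1000") or a range ("5000-7000").
_ELEMENT = re.compile(r"(\d+)(?:-(\d+))?")

def parse_element(text):
    """Return an inclusive (low, high) pair for one entered element."""
    m = _ELEMENT.fullmatch(text)
    if m is None:
        # Spaces and commas are not allowed; each element is entered separately.
        raise ValueError(f"invalid element {text!r}: enter one ID or one range at a time")
    low = int(m.group(1))
    high = int(m.group(2)) if m.group(2) else low
    if low > high:
        # Assumption of this model: a reversed range is rejected, not silently empty.
        raise ValueError(f"invalid range {text!r}: start is greater than end")
    return low, high

def build_rule(**constraints):
    """Map each property name (rid, gid, uid) to its list of parsed ranges."""
    return {prop: [parse_element(e) for e in elements]
            for prop, elements in constraints.items()}

def matches(account, rule):
    """AND across properties, OR across the values entered for one property."""
    for prop, ranges in rule.items():
        value = account.get(prop)
        if value is None or not any(lo <= value <= hi for lo, hi in ranges):
            return False
    return True

def preview(accounts, rule):
    """Names of the accounts the rule would return, in input order."""
    return [a["name"] for a in accounts if matches(a, rule)]

# Constructed sample accounts (not taken from any real directory).
ACCOUNTS = [
    {"name": "svc-backup", "rid": 1000, "gid": 8},
    {"name": "svc-web", "rid": 6200, "gid": 11},
    {"name": "jdoe", "rid": 6300, "gid": 20},
    {"name": "ops-admin", "rid": 10000, "gid": 15},
    {"name": "tmp-user", "rid": 4000, "gid": 8},
]

if __name__ == "__main__":
    rid_only = build_rule(rid=["1000", "5000-7000", "10000"])
    rid_and_gid = build_rule(rid=["1000", "5000-7000", "10000"], gid=["8", "10-12", "15"])
    print(preview(ACCOUNTS, rid_only))     # OR within RID
    print(preview(ACCOUNTS, rid_and_gid))  # RID result AND GID result
```

Adding the GID constraint narrows the RID-only result, because an account must satisfy every property that has values entered.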

Setting directory account passwords

When you set an account password, you are manually setting the account password in the Safeguard for Privileged Passwords database so Safeguard for Privileged Passwords can synchronize it with the password in the external identity provider, such as Microsoft Active Directory.

It is the responsibility of the Directory Administrator to set directory account passwords.

To set directory account passwords

  1. Navigate to Administrative Tools | Directories.
  2. In Directories, select a directory from the object list and open the Accounts tab.
  3. Select one or more accounts that require a password, indicated by the symbol in the Needs a Password column.
  4. Click Account Security from the details toolbar and select Set Password.
  5. The Set Password option provides two options:
    1. Generate Password: Select this option to have Safeguard for Privileged Passwords generate a new random password that complies with the password rule that is set in the account's profile.

      • Click Generate Password to display the Generate Password dialog.
      • Click Show Password to reveal the new password.
      • Click Copy to put it into your copy buffer.
      • Log into your device, using the old password, and change it to the password in your copy buffer.
      • Click OK to change the password in the Safeguard for Privileged Passwords database or click Cancel to close the dialog without changing the current password in Safeguard for Privileged Passwords.
    2. Manual Password: Select this option to manually set the account password in the Safeguard for Privileged Passwords database.

      • Click Manual Password to display the Set Password dialog.
      • In the Set Password dialog, enter the password and click OK.

        Clicking OK updates the Safeguard for Privileged Passwords database.

      • Set the account password on the physical device to synchronize it with the Safeguard for Privileged Passwords database.

Creating a directory profile

A directory profile is similar to a partition profile, only it governs the accounts assigned to a directory. For more information, see About profiles.

It is the responsibility of the Directory Administrator to add profiles to directories.

To add a profile to a directory

  1. Navigate to Administrative Tools | Directories.
  2. In Directories, select a directory from the object list and open the Profiles tab.
  3. Click Create Profile from the details toolbar.
  4. On the General tab, enter the following information:
    1. Name: Enter a unique name for the profile.

      Limit: 50 characters

      Required

    2. Description: Enter information about this profile. You can expand the Description to see information about the account password rule.

      Limit: 255 characters

    Note: The options on the following tabs are read-only. You change the options in Settings at the links provided below.

  5. On the Check Password tab, select a check password setting or click to create one. For more information, see Adding directory check password settings.

    Directory Check Password Settings are the rules Safeguard for Privileged Passwords uses to verify directory account passwords.

  6. On the Change Password tab, select a change password setting or click to create one. For more information, see Adding directory change password settings.

    Directory Change Password Settings are the rules Safeguard for Privileged Passwords uses to reset directory account passwords.

  7. On the Account Password Rules tab, select a directory account password rule or click to create one. For more information, see Adding a directory account password rule.

    This is a complexity rule that governs the construction of the new password created by Safeguard for Privileged Passwords during an automatic password change.

Related Topics

Adding accounts to a directory profile

Setting a default directory profile

Account Password Rules
