One Identity Safeguard 2.5 - Administration Guide

Introduction System requirements Installing the One Identity Safeguard for Privileged Passwords desktop client Setting up Safeguard for Privileged Passwords for the first time Getting acquainted with the console Privileged access requests Toolbox Accounts Account Groups Assets Asset Groups Directories Entitlements Partitions Settings
Access Request settings Appliance settings Asset Management settings Backup and Retention settings Certificate settings Cluster settings External Integration settings Messaging settings Profile settings Access settings Sessions settings
Users User Groups Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions
How do I access the API How do I audit transaction activity How do I configure external federation authentication How do I manage accounts on unsupported platforms How do I modify the appliance configuration settings How do I prevent Safeguard for Privileged Passwords messages when making RDP connections How do I see which assets and/or accounts are governed by a profile How do I set the appliance system time How do I setup discovery jobs How do Safeguard for Privileged Passwords database servers use SSL What are the access request states What do I do when an appliance goes into quarantine What is required for One Identity Safeguard for Privileged Passwords, embedded sessions module What is required to integrate with Starling Identity Analytics & Risk Intelligence What needs to be set up to use Application to Application What role-based email notifications are generated by default When does the rules engine run for dynamic grouping and tagging Why did the password change during an open request Why join Safeguard for Privileged Passwords to One Identity Starling
Safeguard Desktop Player Appendix: Safeguard ports

Starting the desktop client

The following steps assume the Safeguard for Privileged Passwords 2000 Appliance has been configured and licensed. As a Safeguard for Privileged Passwords user, if you get an "appliance is unlicensed" notification, contact your Appliance Administrator.

To start the desktop client application

  1. From the Windows Start menu, choose Safeguard for Privileged Passwords.
  2. On the server selection screen, enter or select the server's network DNS name or IP address to connect to the appliance over the network and click Connect.

    Note: When entering an IPv6 address, enclose the IPv6 address in square brackets.

  3. On the user login screen, enter your credentials and click Log in.

    • User Name: Enter your user or display name. Do not include spaces in the User Name.

      NOTE: When using directory account credentials, enter your domain\name.
    • Password: Enter the password associated with the user entered above.
  4. If your Safeguard for Privileged Passwords user account requires you to log in with secondary authentication, enter the secure password (or token code) for your authentication service provider account and click Submit.

    Note: The type and configuration of the secondary authentication provider (RSA SecureID, One Identity Starling Two-Factor Authentication, etc.) determines what you must provide for secondary authentication. Check with your system administrator for more information about how to log into Safeguard for Privileged Passwords with secondary authentication.

Uninstalling the desktop client

To uninstall the desktop client

  1. In the Windows Control Panel, open Programs and Features.
  2. Right-click the Safeguard for Privileged Passwords application and choose Uninstall.

Setting up Safeguard for Privileged Passwords for the first time

Before One Identity Safeguard for Privileged Passwords can manage your privileged account passwords and privileged sessions, you must first add all the objects you need to write access request policies, such as users, accounts, and assets. By following these procedures you will set up a hierarchy of administrators that ensures your company follows role-based access control. For more information, see Administrator permissions.

NOTE: The setup steps in this section assume you have already performed the initial One Identity Safeguard for Privileged Passwords 2000 Appliance installation and configuration steps in the One Identity Safeguard for Privileged Passwords Appliance Setup Guide provided with your hardware equipment and have added a user with Authorizer Administrator permissions.

In addition:

  • If you have not already done so, it is highly recommended that you change the default password for your bootstrap administrator account.
  • Before Safeguard for Privileged Passwords can reset local account passwords on Windows systems, you must change the local security policy to disable "User Account Control: Run all administrators in Admin Approval Mode".
  • Sessions module: For some systems (SUSE and some Debian systems) that use SSH, you must enable password authentication in the package generated configuration file (sshd_config). For example, in the debian sshd_config file, set the following parameter: PasswordAuthentication yes.

Step 1: Authorizer Administrator creates administrators

  1. Log into the desktop client using the Authorizer Administrator account.
  2. Customize the Password Rules. (Settings | Safeguard for Privileged Passwords Access | Password Rules)
  3. Add users for the following administrator permissions (Adding a user):
    1. User Administrator
    2. Help Desk Administrator
    3. Appliance Administrator
    4. Operations Administrator
    5. Auditor
    6. Asset Administrator
    7. Directory Administrator
    8. Security Policy Administrator

    Note: A user can have more than one set of permissions. For a list of permissions granted to the different Safeguard for Privileged Passwords administrators, see Administrator permissions.

Related Documents