One Identity Safeguard 2.5 - Administration Guide

Adding users or user groups to an entitlement

When you add users to an entitlement, you are specifying which people can request passwords to the accounts governed by the selected entitlement's access request policies, or which people can request sessions for the accounts and assets governed by the selected entitlement's access request policies. A user can be a Sessions Appliance certificate user. For more information, see Sessions management.

It is the responsibility of the Security Policy Administrator to add users to entitlements. The Security Policy Administrator only has permission to add groups, not users. For more information, see Administrator permissions.

To add "requester" users to an entitlement

  1. Navigate to Administrative Tools | Entitlements.
  2. In Entitlements, select an entitlement from the object list and open the Users tab.
  3. Click Add User or User Group from the details toolbar.
  4. Select one or more users or user groups from the list in the Users/User Groups selection dialog, and click OK. You can also double-click a name to add it.

If you do not see the user or user group you are looking for, depending on your Administrator permissions, you can create them in the Users/User Groups selection dialog. (You must have Authorizer Administrator or User Administrator permissions to create users; or Security Policy Administrator permissions to create user groups.)

To create new users or user groups in the Users/User Groups selection dialog

  1. Click Create New, then select Create a New User or Create a New User Group.

    For more information about creating users or user groups, see Adding a user or Adding a user group.

  2. Create additional users or user groups, as required.
  3. Click OK in the Users/User Groups selection dialog to add the new users and user groups to the selected entitlement's membership.

Creating an access request policy

It is the responsibility of the Security Policy Administrator to define access request policies in Safeguard for Privileged Passwords.

A policy defines the scope (that is, which assets, asset groups, accounts, or account groups), the access type (that is, password, SSH or remote desktop), and the rules for checking out passwords, such as the duration, how many approvals are required, and so forth.

Note: An access request policy is only used in the entitlement in which it is created. If you delete an entitlement, Safeguard for Privileged Passwords deletes all access request policies associated with that entitlement. You cannot copy an access request policy and add it to another entitlement; access request policies are entitlement-specific.

To add an access request policy to an entitlement

  1. Navigate to Administrative Tools | Entitlements.
  2. In Entitlements, select an entitlement from the object list and open the Access Request Policies tab.
  3. Click Create Access Policy from the details toolbar.
  4. In the Access Request Policy dialog, provide information in each of the tabs:

    General tab

    Where you add general information about the access request policy as well as specify the type of access being requested.

    Scope tab

    Where you assign assets, asset groups, accounts, or account groups to an access request policy.

    Requester tab

    Where you configure the access request policy requester settings.

    Approver tab

    Where you configure the access request policy approver settings.

    Reviewer tab

    Where you configure the access request policy reviewer settings.

    Access Config tab

    Where you define the access settings for the selected type of request.

    Session Settings tab

    Where you configure the recording settings for session access requests.

    Time Restrictions tab

    Where you indicate policy time restrictions.

    Emergency tab

    Where you enable emergency access for the accounts governed by the access request policy.

Related Topics

Deleting an access request policy

Modifying an access request policy

Copying an access request policy

Viewing and editing policy details

Reasons

General tab

On the General tab, enter the following information for the access request policy.

Table 111: Access Request Policy: General tab properties
Property Description
Name

Enter a unique name for the access request policy.

Limit: 50 characters

Required

Description

Enter descriptive text that explains the access request policy.

Limit: 255 characters

Priority

The priority of this policy compared to other policies in this entitlement.

If a user requests access to an account that falls within the scope of two different request policies within an entitlement, the policy with the highest priority (that is, the lowest number) takes precedence. For more information, see About priority precedence.

Access Type

Specify the type of access being requested:

  • Password Release
  • RDP
  • SSH

NOTE: You can configure an access request policy for a password release; however, if the Privileged Passwords module license is not installed, you cannot submit a password release request.

Similarly, you can configure an access request policy for a session request; however, if the license for the embedded sessions module for Safeguard for Privileged Passwords is not installed, you cannot initiate an RDP or SSH session request.

Have the Policy Expire on Date and Time

If applicable, select this check box to enforce an expiration date for the policy. Enter the expiration date and time.

Scope tab

Use the Scope tab to assign accounts, account groups, assets and asset groups to an access request policy.

  1. On the Scope tab,

    1. Click Add from the details toolbar and select one of the following options:

      • Add Account Group
      • Add Account
      • Add Asset Group: Only available for a session access request (that is, when access type RDP or SSH is selected on the General tab).
      • Add Asset: Only available for a session access request (that is, when access type RDP or SSH is selected on the General tab).
    2. In the selection dialog, choose one or more accounts, account groups, assets, or asset groups.

      When adding accounts to a policy, both asset and directory accounts can be selected for a password release request policy; however, only asset accounts can be selected for an RDP or SSH sessions request policy.

    3. Click OK to save your selection and close the dialog.

    If you do not see the account, account group, asset or asset group you are looking for, depending on your Administrator permissions, you can create it in the selection dialog. (You must have Asset Administrator permissions to create accounts and assets. You must have Security Policy Administrator permissions to create account groups and asset groups.)

  2. Repeat step one to add additional account groups, accounts, asset groups, or assets. You can add multiple types of objects to a policy; however, you can only add one type of object (accounts, account groups, assets or asset groups) at a time.

All of the accounts, account groups, assets and asset groups selected appear on the Scope tab in the Access Request Policy dialog. To remove an object from the list, select the object and click Delete.
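The two rules on this page that decide which policy ultimately governs a request are the priority precedence described on the General tab (lowest number wins when an account is in the scope of two policies) and the Scope tab restrictions (assets and asset groups only for RDP or SSH policies; directory accounts only for password release policies). The following Python models both rules so they can be checked together. It is an added illustration, not Safeguard's own code or API: the class names (AccessRequestPolicy, ScopeEntry, Account), the account `kind` attribute and the tie-breaking behaviour are assumptions of the model, and the accounts and policies are constructed sample data.

```python
# Constructed model of two rules from this page: scope restrictions by access type
# (Scope tab) and priority precedence between overlapping policies (General tab).
# Illustration only, not Safeguard's own code or API; all names are assumptions.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional

SESSION_TYPES = {"RDP", "SSH"}
ACCESS_TYPES = {"Password Release"} | SESSION_TYPES


@dataclass(frozen=True)
class Account:
    name: str
    kind: str                              # "asset" or "directory" (model attribute)
    groups: FrozenSet[str] = frozenset()   # account groups this account belongs to


@dataclass(frozen=True)
class ScopeEntry:
    object_type: str   # "Account", "Account Group", "Asset" or "Asset Group"
    name: str


@dataclass
class AccessRequestPolicy:
    name: str
    priority: int      # lower number = higher priority, as the General tab states
    access_type: str
    scope: List[ScopeEntry] = field(default_factory=list)


def validate_scope(policy: AccessRequestPolicy, accounts: Dict[str, Account]) -> List[str]:
    """Return the scope entries the Scope tab would not allow for this access type."""
    if policy.access_type not in ACCESS_TYPES:
        return [f"{policy.name}: unknown access type {policy.access_type!r}"]
    errors = []
    for entry in policy.scope:
        # Assets and asset groups are only available for RDP or SSH (session) policies.
        if entry.object_type in ("Asset", "Asset Group") and policy.access_type not in SESSION_TYPES:
            errors.append(f"{policy.name}: {entry.object_type} {entry.name!r} "
                          "is only allowed in an RDP or SSH policy")
        # Directory accounts may only be selected for a password release policy.
        if entry.object_type == "Account":
            account = accounts.get(entry.name)
            if account is None:
                errors.append(f"{policy.name}: unknown account {entry.name!r}")
            elif account.kind == "directory" and policy.access_type in SESSION_TYPES:
                errors.append(f"{policy.name}: directory account {entry.name!r} "
                              "cannot be in an RDP or SSH policy")
    return errors


def account_in_scope(policy: AccessRequestPolicy, account: Account) -> bool:
    """True if the account is named directly or through one of its account groups."""
    return any(
        (e.object_type == "Account" and e.name == account.name)
        or (e.object_type == "Account Group" and e.name in account.groups)
        for e in policy.scope
    )


def resolve_policy(policies: List[AccessRequestPolicy], account: Account,
                   access_type: str) -> Optional[AccessRequestPolicy]:
    """Among policies of the requested access type whose scope contains the account,
    the lowest priority number wins. The page does not define tie-breaking; on equal
    numbers this model keeps the first policy in list order (an assumption)."""
    matching = [p for p in policies
                if p.access_type == access_type and account_in_scope(p, account)]
    if not matching:
        return None
    return min(matching, key=lambda p: p.priority)


# Constructed sample data for one entitlement.
ACCOUNTS = {
    "svc-backup": Account("svc-backup", "asset", frozenset({"Backup Accounts"})),
    "jdoe": Account("jdoe", "directory", frozenset({"Helpdesk"})),
}
TEAM_RELEASE = AccessRequestPolicy("Backup Team Release", 2, "Password Release",
                                   [ScopeEntry("Account Group", "Backup Accounts")])
BREAK_GLASS = AccessRequestPolicy("Break Glass Release", 1, "Password Release",
                                  [ScopeEntry("Account", "svc-backup")])
BACKUP_SSH = AccessRequestPolicy("Backup SSH", 1, "SSH",
                                 [ScopeEntry("Account Group", "Backup Accounts"),
                                  ScopeEntry("Asset Group", "Linux Servers")])
BAD_SSH = AccessRequestPolicy("Helpdesk SSH", 3, "SSH", [ScopeEntry("Account", "jdoe")])
BAD_RELEASE = AccessRequestPolicy("Web Release", 4, "Password Release",
                                  [ScopeEntry("Asset", "web01")])
POLICIES = [TEAM_RELEASE, BREAK_GLASS, BACKUP_SSH]

if __name__ == "__main__":
    for p in (TEAM_RELEASE, BREAK_GLASS, BACKUP_SSH, BAD_SSH, BAD_RELEASE):
        print(p.name, "->", validate_scope(p, ACCOUNTS) or "scope OK")
    winner = resolve_policy(POLICIES, ACCOUNTS["svc-backup"], "Password Release")
    print("svc-backup password release governed by:", winner.name)
```

Running the block shows that svc-backup, although covered by the group-scoped Backup Team Release policy (priority 2), is governed by Break Glass Release (priority 1) because the lower number takes precedence, and that the two deliberately invalid policies each fail scope validation for the reason the Scope tab gives.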
