Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 2.5 - Administration Guide

Introduction System requirements Installing the One Identity Safeguard for Privileged Passwords desktop client Setting up Safeguard for Privileged Passwords for the first time Getting acquainted with the console Privileged access requests Toolbox Accounts Account Groups Assets Asset Groups Directories Entitlements Partitions Settings
Access Request settings Appliance settings Asset Management settings Backup and Retention settings Certificate settings Cluster settings External Integration settings Messaging settings Profile settings Access settings Sessions settings
Users User Groups Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions
How do I access the API How do I audit transaction activity How do I configure external federation authentication How do I manage accounts on unsupported platforms How do I modify the appliance configuration settings How do I prevent Safeguard for Privileged Passwords messages when making RDP connections How do I see which assets and/or accounts are governed by a profile How do I set the appliance system time How do I setup discovery jobs How do Safeguard for Privileged Passwords database servers use SSL What are the access request states What do I do when an appliance goes into quarantine What is required for One Identity Safeguard for Privileged Passwords, embedded sessions module What is required to integrate with Starling Identity Analytics & Risk Intelligence What needs to be set up to use Application to Application What role-based email notifications are generated by default When does the rules engine run for dynamic grouping and tagging Why did the password change during an open request Why join Safeguard for Privileged Passwords to One Identity Starling
Safeguard Desktop Player Appendix: Safeguard ports

Session Settings tab

Navigate to Administrative Tools | Entitlements | Session Settings.

External sessions module

If Safeguard for Privileged Passwords is joined to one or more Safeguard Sessions Appliances, you will select a Connection Policy to identify the Safeguard Sessions Appliance to use, based on the connection type: SSH or RDP.

For more information on initiating and reversing the Safeguard for Privileged Passwords (SPP) to Safeguard for Privileged Sessions (SPS) join, see Sessions management.

Embedded sessions module

If you are using the embedded sessions module for Safeguard for Privileged Passwords, use the Session Settings tab to configure the settings for session access requests (below). The settings on this tab only apply to RDP and SSH (session) access requests.

Property

Description

Record sessions

For SSH and RDP, this check box is selected by default indicating that all sessions for the accounts and assets governed by this policy are to be recorded.

Enable Command Detection (SSH)

For SSH session requests, select the Enable Command Detection check box to enable command detection, which means commands that are executed on the target host are detected and logged.

SSH Controls

If SSH is selected as the access type on the General tab, select one or more of the following options to create a session that uses the specified protocol:

  • Allow SFTP (Secure File Transfer)
  • Allow SCP (Secure Copy)
  • Allow X11 Forwarding (Forwards the graphical X-server session from the server to the client.)

NOTE: The data transferred during a session using one of these protocols is currently not available for play back in this initial release of Safeguard.

Enable Windows Title Detection (RDP)

For RDP session requests, select the Enable Windows Title Detection check box to enable windows title detection, which means the titles of all windows opened on the desktop during a privileged session are detected and logged.

You can configure Safeguard for Privileged Passwords to send these actions to a syslog server, in an email message, or via an SNMP trap. For more information, see External Integration settings.

RDP In-Session Controls

If RDP is selected as the access type on the General tab, select the following option if you want to allow the user to transfer data via the clipboard:

  • Allow Clipboard

Selecting this option allows the users to copy a file or text from the client machine and paste it to the remote server. The data copied during a session using this option is currently not available for play back in this initial release of Safeguard.

Time Restrictions tab

Use the Time Restrictions tab to specify time restrictions for the access request policy.

Table 116: Access Request Policy: Time Restriction tab properties
Property Description
Use Time Restrictions

Select this option to specify time restrictions for access requests for accounts and assets governed by this policy.

Time restrictions control when the access request policy is effective relative to the user's time zone. For more information, see About time restrictions.

Daily calendar

Select and drag the days and hours you want to allow the policy to be effective.

Reset

Click Reset to remove any time restrictions set in the daily calendar.

Emergency tab

Use the Emergency tab to enable emergency access for the accounts and assets governed by the access request policy.

Table 117: Access Request Policy: Emergency tab properties
Property Description

Enable Emergency Access

Select this check box to allow users to request emergency access to accounts and assets governed by this policy. Clear this option to disallow emergency access.

Emergency Access overrides the Approver requirements. That is, when a user requests access using Emergency Access, the request is immediately approved, provided that the other constraints are met such as the Requester settings.

Multiple users are allowed to request emergency access simultaneously for the same account or asset.

Notify When Account is Released with Emergency access | To

(Optional) When emergency access is enabled, build an escalation notification contact list, by entering an email address or selecting To to choose an email address of a Safeguard for Privileged Passwords user.

If you used the To button to add Safeguard for Privileged Passwords users, you can use the Clear icon to remove an individual address from this list or right-click and select Remove All to clear all addresses from the list.

You can enter email addresses for non-Safeguard for Privileged Passwords users.

To send event notifications to a user, you must configure Safeguard for Privileged Passwords to send alerts. For more information, see Configuring alerts.

Important: Safeguard for Privileged Passwords does not dynamically maintain the email addresses for an escalation notification contact list. If you change a Safeguard for Privileged Passwords user's email address or delete a Safeguard for Privileged Passwords user after creating a policy, you must update the email addresses in an escalation notification contact list manually. For more information, see User not notified.

Ignore Time Restrictions

This check box is selected by default indicating that Safeguard for Privileged Passwords is to ignore time restrictions when a user requests emergency access. Clear this check box if you want to enforce the time restrictions set for this policy and only allow emergency access during the specified time period.

Deleting an access request policy

Important: When you delete a policy, Safeguard for Privileged Passwords deletes it permanently; but it does not delete the accounts governed by the policy.

To delete an access request policy from an entitlement

  1. Navigate to Administrative Tools | Entitlements.
  2. In Entitlements, select an entitlement from the object list and open the Access Request Policies tab.
  3. Select a policy.
  4. Click Delete Selected.
  5. Confirm your request.
Related Documents