
One Identity Safeguard for Privileged Passwords 2.5 - Administration Guide


Adding an asset account discovery setting

It is the responsibility of the Asset Administrator or the partition's delegated administrator to configure the rules that govern how Safeguard for Privileged Passwords performs account discovery. For more information, see Account and service discovery job workflow.

Note: Safeguard for Privileged Passwords supports account discovery on the following platforms:

  • AIX
  • HP-UX
  • Linux
  • MAC OS X
  • Solaris
  • Windows

To add an asset account discovery setting

  1. Navigate to Administrative Tools | Settings | Asset Management | Account Discovery.
  2. Click Add Account Discovery Setting to open the Account Discovery Settings dialog.
  3. In the Account Discovery Settings dialog, provide the following:
    1. Partition: Browse to select a partition.
    2. Name: Enter a name for the account discovery setting.

      Limit: 50 characters

      Required

    3. Description: Enter descriptive text about the account discovery setting.

      Limit: 255 characters

    4. Schedule: Click the Schedule button and choose an interval.

      In the Schedule dialog,

      • Interval: Choose Never, Minute, Hour, Day, Week, or Month.

        NOTE: Best Practice: Do not use the Minute interval.

      • Time of day: Set the start time.
      • Repeat interval: Select how often the account discovery task repeats.
        • If Weekly, select which days of the week you want to repeat the account discovery task.
        • If Monthly, set the task recurrence pattern: Day of month or week of month and day of week.
      • Time Zone: Select the time zone.
    5. Find all accounts: Select this option to discover all accounts assigned to the assets in the selected partition.
    6. Find accounts based on rules: Select this option to discover only accounts that match a discovery rule's criteria. When you select this option Safeguard for Privileged Passwords displays a list of discovery rules configured for this partition and allows you to add a new rule. For more information, see Adding an asset account discovery rule.
    7. Automatically Manage Found Accounts: Select this check box to automatically add the discovered accounts to Safeguard for Privileged Passwords.

Adding an asset account discovery rule

When you select the Find accounts based on rules option in the Account Discovery Settings dialog, Safeguard for Privileged Passwords displays a list of discovery rules configured for this partition and allows you to add a new rule.

Note: Account discovery is not available for Macintosh OS X platforms.

Note: All search terms return exact matches. A user name search for "ADM" only returns "ADM", not "AADMM" or "1ADM2". To find all names that contain "ADM", you must include ".*" in the search term, for example: .*ADM.*

All search terms are case sensitive. On Windows platforms (which are case insensitive), to find all accounts that start with "adm", regardless of case, you must enter [Aa][Dd][Mm].*.

To add an asset account discovery rule

  1. Navigate to Administrative Tools | Settings | Asset Management | Account Discovery.
  2. In the Account Discovery Settings dialog, select the Find accounts based on rules option to open the Add Discovery Rule window.

    Note: For information about how to find this option, see Adding an asset account discovery setting.

  3. Click Add Discovery Rule to open the Account Discovery Rule dialog.
  4. Set the discovery rule search criteria:
    Name

    Enter a unique name for the account discovery rule.

    Limit: 50 characters

    Required

    RID

    Enter one or more Relative Identifier numbers. To enter multiple IDs or ID ranges, you must enter each element of the list separately. For example: enter 1000, enter 5000-7000, then enter 10000.

    NOTE: Spaces and commas are not allowed.

    Limit: 255 numeric characters

    GID

    Enter one or more Group Identifier numbers. To enter multiple IDs or ID ranges, you must enter each element of the list separately. For example: enter 8, enter 10-12, then enter 15.

    NOTE: Spaces and commas are not allowed.

    Limit: 255 numeric characters

    UID

    Enter one or more User Identifier numbers. To enter multiple IDs or ID ranges, you must enter each element of the list separately. For example: enter 1, enter 5-7, then enter 10.

    NOTE: Spaces and commas are not allowed.

    Limit: 255 numeric characters

    Name

    Enter a single regular expression pattern.

    NOTE: For more information, see Regular Expression Language - Quick Reference.

    Limit: 255 alphanumeric characters

    Group

    Enter a single regular expression pattern.

    NOTE: For more information, see Regular Expression Language - Quick Reference.

    Limit: 255 alphanumeric characters

  5. To test the rule before saving it, click Preview.

    The Assets dialog displays a list of assets assigned to this partition based on the criteria you set in this rule.

  6. Select an asset on which to run the proposed discovery rule and click OK.

    The Accounts dialog displays a preview list of all the accounts that meet the rule's criteria.

  7. Close the Accounts list and return to the Account Discovery Rule dialog. Click OK to save the rule, or modify the rule criteria and re-run the Preview if necessary.

    Safeguard for Privileged Passwords adds the new rule to the Account Discovery Settings dialog.

  8. Optionally select the Automatically Manage Found Accounts check box to automatically add the discovered accounts to Safeguard for Privileged Passwords.
  9. Click OK to save the discovery job.

When Safeguard for Privileged Passwords runs the discovery job, according to the schedule you have set, it displays the accounts it finds on the partition's Discovered Accounts tab.
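The matching semantics described above (anchored, case-sensitive regular expressions for Name and Group; single IDs or "low-high" ranges for RID, GID and UID, with no spaces or commas), worked through as an added example that is not part of the guide or of the Safeguard product. It assumes, because the guide does not say, that the criteria present in one rule are combined with AND; the sample accounts are constructed.

```python
import re
# Added example, not from the Safeguard guide: evaluates account discovery rule
# criteria as the guide describes them: regular expressions are exact (anchored)
# and case sensitive; RID/GID/UID criteria are single IDs or "low-high" ranges,
# one element each, with no spaces or commas. Assumption (not stated in the
# guide): criteria present in one rule are combined with AND.

def parse_id_criteria(entries):
    """Turn entries such as ["1000", "5000-7000", "10000"] into (low, high) pairs."""
    ranges = []
    for entry in entries:
        if " " in entry or "," in entry:
            raise ValueError(f"spaces and commas are not allowed: {entry!r}")
        low, _, high = entry.partition("-")
        low, high = int(low), int(high or low)
        if low > high:
            raise ValueError(f"range low exceeds high: {entry!r}")
        ranges.append((low, high))
    return ranges

def id_matches(value, ranges):
    return any(low <= value <= high for low, high in ranges)

def name_matches(pattern, name):
    """Exact, case-sensitive match: "ADM" matches only "ADM", not "AADMM"."""
    return re.fullmatch(pattern, name) is not None

ID_FIELDS = ("rid", "gid", "uid")   # numeric criteria
REGEX_FIELDS = ("name", "group")    # regular expression criteria

def evaluate_rule(rule, account):
    """True if the account satisfies every criterion present in the rule."""
    for field in ID_FIELDS:
        if field in rule and not id_matches(account[field], parse_id_criteria(rule[field])):
            return False
    for field in REGEX_FIELDS:
        if field in rule and not name_matches(rule[field], account[field]):
            return False
    return True

ACCOUNTS = [  # constructed sample accounts standing in for what Preview would list
    {"name": "ADM",   "uid": 1000,  "gid": 10, "group": "wheel"},
    {"name": "AADMM", "uid": 1001,  "gid": 10, "group": "wheel"},
    {"name": "admin", "uid": 6000,  "gid": 15, "group": "Administrators"},
    {"name": "1ADM2", "uid": 10000, "gid": 8,  "group": "staff"},
]

def discover(rule, accounts=ACCOUNTS):
    return [a["name"] for a in accounts if evaluate_rule(rule, a)]  # matching names
```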

Custom Platforms

The Asset Administrator adds a custom platform, which includes uploading the custom platform script with the platform's commands and details. Auditors and Partition Administrators have read-only rights. Custom platforms are global across all partitions. The custom platform can be selected when adding or updating an asset.

NOTE: Only SSH-based custom platforms are supported in Safeguard for Privileged Passwords 2.4. Other protocols will be added in the future.

Create and manage custom platforms in Administrative Tools | Settings | Asset Management | Custom Platforms.

The Custom Platform pane displays the following.

Table 152: Custom Platform: Properties

  Property                 Description
  Name                     The name of the platform type, which may be a product name.
  Version                  The version of the operating system to use as an identifier.
  Architecture             The CPU architecture to use as an identifier.
  Platform Script          The name of the custom platform script file, displayed once selected.
  Allow Sessions Requests  If selected, session access requests are allowed.

Use the following toolbar buttons to manage the custom platform settings.

Table 153: Custom Platform: Toolbar

  Option                    Description
  Add                       Add a custom platform. For more information, see Adding a custom platform.
  Delete Selected           Remove the selected custom platform (see CAUTION below).
  Refresh                   Update the list of custom platforms.
  View                      View the custom platform script parameters, including:
                              • Transports, for example SSH.
                              • Supported operations, for example Suspend and Restore Accounts, Password Management, and Session Management.
                              • Details including Name, Task, Type, Default, and Description.
  Download Selected Script  Download the selected custom platform JSON script.

CAUTION: If the custom platform is associated with an asset, deleting the custom platform may halt password validation and reset. A warning displays indicating that the asset will be assigned to the Product platform type "Other". Enter "Force Delete" to confirm the deletion.

Related Topics

Creating a custom platform script

Adding a custom platform

Creating a custom platform script

A custom platform script identifies the platform's commands and associated details. Scripts are written in JSON. Scripts include meta-data, parameters, function blocks, operations, and if/then constructs to authenticate to the platform and perform password validation and reset. The custom platform script is uploaded when adding the custom platform.

Sample scripts

Sample custom platform scripts and command details are available at the following links:

CAUTION: Example scripts are provided for information only. Updates, error checking, and testing are required before using them in production. Safeguard for Privileged Passwords checks to ensure the values match the type of the property which include: a string, boolean, integer, or password (which is called secret in the API scripts). Safeguard for Privileged Passwords cannot check the validity or system impact of values entered for custom platforms.

During development, check your JSON using a validator like the one at this link: https://jsonlint.com/

The ExampleLinuxScript.json is an example of a custom platform script that can be adapted to work against an asset running Linux.

The script has meta-data including “Id” and “Backend”. “Id” is a unique name to identify the script. “Backend” will always be set to “Scriptable”.
