Regenerating an API key
If, as the Security Policy Administrator, you discover that the API key has been stolen or misplaced, you can regenerate the API key at any time. When you regenerate an API key, it invalidates the old API key and prevents any services from using that key to access the Application to Application service.
To regenerate an API key
- Log into the Safeguard for Privileged Passwords desktop client as a Security Policy Administrator.
- Navigate to Administrative Tools | Settings | External Integration | Application to Application.
- Select an application registration from the list.
- Click
from the toolbar.
- On the API Keys dialog, select the API key to be replaced.
- Click
.
You can now view or copy the new API key to the clipboard and use this new API key in your third-party application to access the Application to Application interfaces. See How do I make a request using the Application to Application service.
Approval Anywhere
The Safeguard for Privileged Passwords Approval Anywhere feature integrates its access request workflow with Starling Two-Factor Authentication, allowing approvers to receive a notification through an app on their mobile device when an access request is submitted. The approver can then approve (or deny) access requests through their mobile device without needing access to the desktop or web application.
The Approval Anywhere feature is enabled when you join Safeguard for Privileged Passwords to Starling. For more information, see Starling. Once enabled, it is the responsibility of the Security Policy Administrator to define the users who are authorized to use Approval Anywhere to approve access requests. This can be done using the Administrative Tools | Settings | External Integration | Approval Anywhere pane.
|
|
NOTE: In previous versions of Safeguard for Privileged Passwords, you had to specify a Starling API key in order to use Approval Anywhere and Starling Two-Factor Authentication as a secondary authentication provider. This is no longer necessary when you join Safeguard for Privileged Passwords to Starling. If you previously configured these features, once you join to Starling, Safeguard for Privileged Passwords automatically migrates your previous configurations to use the credential string generated by the join process. |
Navigate to Administrative Tools | Settings | External Integration | Approval Anywhere. The Approval Anywhere pane displays the following about the users authorized to use the Approval Anywhere feature.
| Setting | Description | ||
|---|---|---|---|
|
Name |
Name of the Safeguard for Privileged Passwords user.
| ||
|
Mobile Phone |
Valid mobile phone number in E.164 format for the authorized user. | ||
|
Alternate Mobile Phone |
Alternate mobile phone number in E.164 format. | ||
|
Email Address |
Valid email address for the authorized user. |
Use these toolbar buttons to manage the users authorized to use Approval Anywhere.
| Setting | Description | ||||
|---|---|---|---|---|---|
|
|
Add Safeguard for Privileged Passwords users who are authorized to use this feature to approve (or deny) access requests.
| ||||
 Remove |
Remove the selected user as an authorized user. | ||||
|
|
Update the list of users authorized to use Approval Anywhere. |
Adding authorized user for Approval Anywhere
Once Safeguard for Privileged Passwords is joined to Starling, use the Approval Anywhere pane to add the Safeguard for Privileged Passwords users that can use the Approval Anywhere feature to approve access requests.
|
|
NOTE: If you upgraded from a previous version of Safeguard for Privileged Passwords where you have already configured Approval Anywhere, your existing configure will continue to work. However, you will not be able to manage your Approval Anywhere users until you join Safeguard for Privileged Passwords to Starling. Once you join to Starling, Safeguard for Privileged Passwords automatically migrates your previous configurations to use the credential string generated by the join process. |
|
|
TIP: Ensure OneTouch approvals is enabled on the two-factor authentication app on your mobile device. |
To add users who are authorized to use Approval Anywhere
- Log into the Safeguard for Privileged Passwords desktop client as a Security Policy administrator.
- Navigate to Administrative Tools | Settings.
- Select External Integration | Approval Anywhere.
- Click
Add.
-
In the Users dialog, select users from the list and click OK.
NOTE: Approval Anywhere approvers must have a valid mobile phone number in E.164 format and a valid email address defined. If a user does not display a valid mobile phone number or email address, edit the user record before proceeding. For more information, see Modifying a user.
E.164 format: +<country code><area code><phone number>
-
Add these Approval Anywhere users as "approvers" in the appropriate access request policy. For more information, see Creating an access request policy.
Once a user is added as an Approval Anywhere user and as an approver in an access request policy, when an access request requires approval, Safeguard for Privileged Passwords sends a notification to the approver's Starling 2FA mobile app. The approver can either approve or deny the access request directly from the Starling 2FA mobile app.
|
|
NOTE: Revoking an access request that has already been approved is not available via the mobile app. You must use the Safeguard for Privileged Passwords desktop or web client to perform that action. |
It is the responsibility of the Appliance Administrator to configure Safeguard for Privileged Passwords to automatically send email notifications when certain events occur.
Use the Email pane to configure the SMTP server to be used for email notifications and to edit the email templates that define the content of email notifications.
|
|
TIP: You must configure the DNS Server and set up the user's email address correctly. |
To configure the SMTP Server
- Navigate to Administrative Tools | Settings | External Integration | Email.
- To configure the email notifications, enter these global settings for all Safeguard for Privileged Passwords emails:
SMTP Server Address Enter the IP address or DNS name of the mail server. When unspecified, Safeguard for Privileged Passwords disables the email client.
NOTE: When entering an IPv6 address, you must encapsulate it in square brackets, such as [b86f:b86f:b86f:1:b86f:b86f:b86f:b86f].
NOTE: If you are using a mail exchanger record (MX record), you must specify the domain name for the mail server.
SMTP Port Enter the TCP port number for the email service.
Default: 25
Range: 1 to 32767
Sender Email Enter an email address to use as the "From" address for all emails originating from the appliance.
Required if you specify the SMTP Server Address.
Limit: 512 characters
Require Transport Layer Security Select this option to require that Safeguard for Privileged Passwords uses TLS to provide communication security over the internet.
To validate your setup
- Select the Test Email Settings link.
- Enter a Send To email address of where to send the test message and click Send.
Safeguard for Privileged Passwords sends an email using the configuration settings.
The grid at the bottom of this pane lists the email templates used to define the content to be included in email notifications. Use these toolbar buttons to manage email templates.
| Property | Description | ||
|---|---|---|---|
 New |
Add an email template.
| ||
 Delete |
Remove the selected email template. | ||
 Refresh |
Update the list of email templates. | ||
 Edit |
Modify the selected email template. For more information, see Modifying an email template. |