One Identity Safeguard 2.5 - Administration Guide


Account Password Rules

Account password rules govern the construction of a new password created by Safeguard for Privileged Passwords during an automatic account password change. Some companies impose requirements on passwords, such as:

  • The use of both upper- and lower-case letters
  • Inclusion of one or more numerical digits
  • Inclusion of special characters, such as @, #, $ and so forth

Note: You select an account password rule set when defining a partition's profile. For more information, see Creating a partition profile. An account password rule applies to all accounts governed by the profile.

Navigate to Administrative Tools | Settings | Profile | Account Password Rules.

Use these toolbar buttons to manage your account password rules.

Table 207: Account Password Rules: Toolbar

  • Add Account Password Rule: Add an account password complexity rule. For more information, see Adding an account password rule.
  • Delete Selected: Remove the selected rule.
  • Refresh: Update the list of account password rules.
  • Edit: Modify the selected rule.
  • Copy: "Clone" the selected rule.

Adding an account password rule

It is the responsibility of the Asset Administrator, or a partition's delegated administrator, to configure account password complexity rules.

To add an account password rule

  1. Navigate to Administrative Tools | Settings | Profile | Account Password Rules.
  2. Click Add Account Password Rule to open the Account Password Rule dialog.
  3. Browse to select the partition.
  4. Enter a Name of up to 50 characters for the account password rule.
  5. Enter a Description of up to 255 characters for the password rule.
  6. Set the Password Length from 3 to 255 characters.

    Default: 6 to 10 characters. The maximum length must be equal to or greater than the sum of minimum characters described in the next step.

    Important:

    Some Unix systems silently truncate passwords to their maximum allowed length. For example, Macintosh OS X only allows a password of 128 characters. If an Asset Administrator creates a profile with an Account Password Rule that sets the password length to 136 characters, when Safeguard for Privileged Passwords changes the password for an account governed by that profile, the asset's operating system truncates the new password to the allowable length and does not return an error; however, the full 136-character password is stored in Safeguard for Privileged Passwords. This causes the following issues:

    • Check Password for that account will fail. When Safeguard for Privileged Passwords compares the password on the Unix host with the password in Safeguard for Privileged Passwords, they never match because the Unix host truncated the password generated by Safeguard for Privileged Passwords.

    • A user will not be able to log into the Unix host account successfully with the password provided by Safeguard for Privileged Passwords unless he truncates the password to the allowable length imposed by the operating system.
  7. Set the character Requirements:
    First Character Type

    Choose one of the following:

    • All: Alphabetical, numeric, or symbols
    • Alphanumeric: Alphabetical or numeric
    • Alphabetic: Only alphabetical characters

    Default: All

    Last Character Type

    Choose one of the following:

    • All: Alphabetical, numeric, or symbols
    • Alphanumeric: Alphabetical or numeric
    • Alphabetic: Only alphabetical characters

    Default: All

    Allow Consecutively Repeated Characters

    Select this option to allow Safeguard for Privileged Passwords to create a password with consecutively repeated characters.

    Clear this option to disallow consecutively repeated characters.

    Default: Not allowed

    Allow Uppercase

    Select this option to allow Safeguard for Privileged Passwords to create a password with uppercase characters.

    Set the minimum number of required uppercase characters, or set it to zero if there is no minimum requirement.

    Clear this option to disallow uppercase characters.

    Default: Require a minimum of 1

    Allow Lowercase

    Select this option to allow Safeguard for Privileged Passwords to create a password with lowercase characters.

    Set the minimum number of required lowercase characters, or set it to zero if there is no minimum requirement.

    Clear this option to disallow lowercase characters.

    Default: Require a minimum of 1

    Allow Numeric (0-9)

    Select this option to allow Safeguard for Privileged Passwords to create a password with numeric characters.

    Set the minimum number of required numeric characters, or set it to zero if there is no minimum requirement.

    Clear this option to disallow numeric characters.

    Default: Require a minimum of 1

    Allow Symbols (e.g @ # $ % &)

    Select this option to allow Safeguard for Privileged Passwords to create a password with special characters.

    Set the minimum number of required symbolic characters, or set it to zero if there is no minimum requirement.

    Clear this option to disallow symbols.

    Default: Not allowed

    Valid Symbols

    Enter allowable special characters, such as: ~!@#$%^*()_+-=;'?/\|><.,`[]{}.

    You must have the Allow Symbols option selected to enable this box.
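As an added illustration (my own code, not One Identity's), the Python below models the rule options in step 7, applies the step 6 consistency check (maximum length must cover the sum of the class minimums), and flags the silent-truncation case from the Important note. The field names and the asset_max_length parameter are my own naming, not Safeguard API identifiers.

```python
from dataclasses import dataclass

@dataclass
class AccountPasswordRule:
    min_length: int = 6                 # dialog default: 6 to 10 characters
    max_length: int = 10
    first_char_type: str = "All"        # All | Alphanumeric | Alphabetic
    last_char_type: str = "All"
    allow_repeats: bool = False         # Allow Consecutively Repeated Characters
    min_upper: "int | None" = 1         # None: that character class is not allowed
    min_lower: "int | None" = 1
    min_numeric: "int | None" = 1
    min_symbols: "int | None" = None    # default: symbols not allowed
    valid_symbols: str = "~!@#$%^*()_+-=;'?/\\|><.,`[]{}"

def rule_problems(rule):
    """Step 6 constraints: 3..255, min <= max, max >= sum of class minimums."""
    need = sum(m or 0 for m in (rule.min_upper, rule.min_lower, rule.min_numeric, rule.min_symbols))
    out = []
    if not 3 <= rule.min_length <= rule.max_length <= 255:
        out.append("length must satisfy 3 <= min <= max <= 255")
    if rule.max_length < need:
        out.append(f"max length {rule.max_length} below sum of minimums {need}")
    return out

def check_password(pw, rule, asset_max_length=None):
    """Return rule violations for pw; an empty list means compliant."""
    v = []
    if not rule.min_length <= len(pw) <= rule.max_length:
        v.append("length")
    if asset_max_length is not None and len(pw) > asset_max_length:  # the Important note
        v.append("longer than asset limit: host would silently truncate")
    ok = {"All": lambda c: c.isalnum() or c in rule.valid_symbols,
          "Alphanumeric": str.isalnum, "Alphabetic": str.isalpha}
    for pos, kind in ((0, rule.first_char_type), (-1, rule.last_char_type)):
        if pw and not ok[kind](pw[pos]):
            v.append(f"{'first' if pos == 0 else 'last'} character type")
    if not rule.allow_repeats and any(a == b for a, b in zip(pw, pw[1:])):
        v.append("consecutive repeat")
    classes = (("upper", rule.min_upper, str.isupper), ("lower", rule.min_lower, str.islower),
               ("numeric", rule.min_numeric, str.isdigit),
               ("symbol", rule.min_symbols, lambda c: c in rule.valid_symbols),
               ("non-listed symbol", None, lambda c: not c.isalnum() and c not in rule.valid_symbols))
    for name, minimum, pred in classes:
        n = sum(1 for c in pw if pred(c))
        if minimum is None and n:
            v.append(f"{name} not allowed")
        elif minimum and n < minimum:
            v.append(f"fewer than {minimum} {name}")
    return v
```

Run check_password against a sample of generated passwords with asset_max_length set to the host's real limit (128 for the OS X case above) before rolling out a long-password rule, so the truncation mismatch surfaces in testing rather than as a failed Check Password later.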

Change Password

Change password settings are the rules Safeguard for Privileged Passwords uses to reset account passwords.

Navigate to Administrative Tools | Settings | Profile | Change Password.

The Change Password pane displays the following about the listed change password setting rules.

Table 208: Change Password: Properties

  • Name: The name of the rule.
  • Partition: The partition that uses the rule.
  • Description: Information about the rule.
  • Schedule: Displays the selected rule's schedule.

Use these toolbar buttons to manage the change password setting rules.

Table 209: Change Password: Toolbar

  • Add Change Password Setting: Add a change password rule. For more information, see Adding change password settings.
  • Delete Selected: Remove the selected rule.
  • Refresh: Update the list of change password rules.
  • Edit: Modify the selected rule.
  • Copy: "Clone" the selected rule.

Adding change password settings

It is the responsibility of the Asset Administrator or the partition's delegated administrator to configure the rules Safeguard for Privileged Passwords uses to reset account passwords.

IMPORTANT: Passwords for accounts associated with a password sync group are managed based on the profile change schedule and processed via the sync group. If synchronization fails for an individual account in the sync group, the account is retried multiple times and, if failing after that, the sync task halts and is rescheduled. The administrator must correct the cause of the failure for the sync task to continue. For more information, see Password Sync Groups.

To add a password reset schedule

  1. Navigate to Administrative Tools | Settings | Profile | Change Password.
  2. Click Add Change Password Setting to open the Change Password Settings dialog.
  3. Browse to select a partition.
  4. Enter a Name of up to 50 characters for the rule.
  5. Enter a Description of up to 255 characters for the rule.
  6. Optionally, select Change Passwords Manually.

    For more information, see How do I manage accounts on unsupported platforms.

  7. Click the Schedule button and choose an interval.
  8. In the Schedule dialog,
    1. Interval: Choose Never, Minute, Hour, Day, Week, or Month.

      NOTE: Best Practice: Do not use the Minute interval.

    2. Time of day: Set the start time.
    3. Repeat interval: Select how often the password reset task repeats.

      • If Weekly, select which days of the week you want to repeat the change password task.
      • If Monthly, set the task recurrence pattern: Day of month or week of month and day of week.
    4. Time Zone: Select the time zone.
  9. Optionally select any of these options:
    1. Change the Password Even if a Release is Active: Select this option to allow a password change even when a password release is active.
    2. Update Service on Password Change (Windows Only): For service accounts that run system services, select this option to ensure that the password change is also applied to each service the account runs.
    3. Restart Service on Password Change (Windows Only): For service accounts that run system services, select this option to ensure that the services automatically restart after the password is changed.
    4. Update Task on Password Change (Windows Only): For service accounts that run scheduled system tasks, select this option to ensure that the password change is also applied to each task the account runs.
    5. Suspend account when not checked out (supported platforms): Select this option to automatically suspend managed accounts that are not in use. That is, the account on a managed asset is suspended until a request is made for it through Safeguard for Privileged Passwords, at which time Safeguard for Privileged Passwords restores the account. Once the request is checked in or closed, the account is again suspended.

      Click the supported platforms link to display a list of platforms that support this feature.

      NOTE: When managing passwords for Windows service accounts, do not select this option. Create a separate Profile with Change Password settings that do not have this option selected for managing Windows service accounts.

    6. Manage SSH Key: Select this option to allow Safeguard for Privileged Passwords to rotate the SSH key it uses to communicate with an asset configured to use SSH Key Authentication. For more information, see SSH Key.

      NOTE: Clear this option to only manage passwords.
