One Identity Safeguard 2.5 - Evaluation Guide

Exercise 1: Discovering assets

Safeguard for Privileged Passwords allows you to set up asset discovery jobs to run automatically against the directories you have added to it. You must therefore add a directory to Safeguard for Privileged Passwords before you can create an asset discovery job.

To add a directory

  1. Log in as the Directory Administrator and navigate to Administrative Tools.
  2. In Directories, click Add Directory.
  3. In the General tab, choose a directory type and provide the service account information.
  4. In the Attributes tab, accept the defaults and click Add Directory.
  5. Log out.

Now that you have a directory, you are ready to create an asset discovery job.

To create an asset discovery job

  1. Log in as the Asset Administrator and navigate to  Administrative Tools.
  2. In Assets, click Discovery and select Manage to open the Asset Discovery Jobs dialog.
  3. Click Add to create an asset discovery job.
  4. Provide information for the discovery job on the following tabs:
    General tab:
      1. Enter a name for the asset discovery job.
      2. Use the default partition.
      3. Choose the Directory scan.

    Information tab: Browse to select search location.

    Rules tab: Click Add to create an asset discovery rule:
      1. Enter a name for the rule.
      2. In Conditions, define search criteria.
      3. In Connection, configure the authentication credentials or choose the None authentication type.
      4. In Profile, choose the default password profile to govern the discovered assets.

    Schedule tab: Optionally, schedule the discovery job.

      Note: You can run the discovery job manually, rather than wait for it to run automatically. So, for this POC, you can skip this step.

    Summary tab: Review the discovery job and save it.
  5. In the Asset Discovery Jobs dialog, select the job and click Run Now.
  6. When the Progress column indicates that the job is successful, close the Asset Discovery Jobs dialog.
  7. Click Refresh to display the discovered assets.
  8. Open the context menu and choose Ignore on one or more discovered assets.

    Note: When you ignore an asset, Safeguard for Privileged Passwords disables it and removes all associated accounts. If you choose to Manage the asset later, Safeguard for Privileged Passwords re-enables all the associated accounts.

  9. Click Hide Ignored to hide the ignored assets; click Show Ignored to redisplay them.
  10. Search the Activity Center for information about discovery jobs that have run. Safeguard for Privileged Passwords lists the "Asset Discovery" events in the Asset Discovery category.

If you selected None as the authentication type, the discovered assets will not have a service account, which is necessary for the next exercise.

To set asset authentication credentials

  1. In Assets, select one of the newly discovered assets.
  2. On the General tab, double-click the Connection information box or click the Edit icon next to it.
  3. Choose an Authentication Type and provide the service account credentials.

    Note: Safeguard for Privileged Passwords uses a service account to connect to an asset to securely manage passwords for the accounts on that asset.

Exercise 2: Discovering accounts

Safeguard for Privileged Passwords allows you to set up account discovery jobs to run automatically against the assets it manages in the scope of a partition.

To create an account discovery job

  1. As the Asset Administrator, navigate to Partitions.
  2. Select a partition and switch to the Profiles tab.
  3. Double-click a profile, and switch to the Account Discovery tab.
  4. Click Add to create a new Account Discovery Setting.
    1. Enter a Name for the setting, such as "Daily".
    2. Schedule the discovery job to run daily starting in about 5 minutes.
    3. Allow it to Find All accounts and click OK to save the schedule.

      Note: If you opt to experiment with finding accounts based on rules, note that all search terms return exact matches and are case sensitive.

  5. Save the profile and wait for it to run.
  6. After the account discovery job runs, switch to the partition's Discovered Accounts tab.
  7. Click Refresh from the details toolbar to display the discovered accounts.
  8. Select an account and click Manage to have Safeguard for Privileged Passwords manage that account password.
  9. In Accounts, set the password for the new account, if you know it.

    Now you can check and change the account password successfully.

    Note: If you do not know the password, you can run Check Password and observe that the check fails.

  10. Search the Activity Center for information about discovery jobs that have run. Safeguard for Privileged Passwords lists the "Account Discovery" events in the Password Management category.

Exercise 3: Discovering directory accounts

Directory account discovery jobs run automatically each time Safeguard for Privileged Passwords synchronizes with the directory, which is every 15 minutes by default. (You set the synchronization interval in the directory's General tab, under Advanced.)

To create a directory account discovery job

  1. From Directories select a directory and switch to the Accounts tab.
  2. Click Manage Discovery from the details toolbar.
  3. In the Manage Discovery dialog, click Add to open the Directory Account Discovery dialog.
  4. In the General tab:
    1. Enter a name for the directory account discovery job.
    2. Select a profile to govern the accounts Safeguard for Privileged Passwords discovers.
  5. In the Rules tab, click Add to add a new discovery rule:
    1. Enter a rule name.
    2. Select Find All.
    3. Browse to select the Filter Search Location.
  6. Save the directory account discovery job and click Sync Now.
  7. After the job runs, switch to the directory's Discovered Accounts tab.
  8. Click Refresh from the details toolbar to display the discovered accounts.
  9. Select an account and click Manage to have Safeguard for Privileged Passwords manage that account password.
  10. Switch to the Accounts tab to set the password for the new account, if you know it.

    Now you can check and change the account password successfully. If you do not know the password, you can still run Check Password to watch it fail.

  11. Search the Activity Center for information about discovery jobs that have run (Account Discovery Activity).