One Identity Safeguard 2.5 - Evaluation Guide

Adding assets and accounts

Now let's add some systems so that you can see how Safeguard for Privileged Passwords manages them.

To add partitions, assets, and accounts to Safeguard for Privileged Passwords

  1. Log in as AssetAdmin and navigate to Administrative Tools.
  2. In Partitions, click Add Partition to add these partitions:

    Partition         Description                              Delegated Owner
    Linux Servers     The Linux Administrator's workspace.     Pete
    Windows Servers   The Windows Administrator's workspace.   none

    Note: A partition is a named container for assets that can be used to segregate assets for delegated management. It is the responsibility of the Asset Administrator to add partitions to Safeguard for Privileged Passwords. Partitions allow you to set up multiple asset managers, each with the ability to define password guidelines for the managed systems in their own workspace. Typically you would partition assets by geographical location, owner, function, or by operating system. For example, Safeguard for Privileged Passwords can enable you to group Unix assets in a partition and delegate the Unix administrator to manage it.

  3. Configure the Profile check and change schedules to run daily:
    1. Navigate to Settings | Profile | Check Password (and Change Password).
    2. Double-click each schedule to modify the schedule.
    3. Select Schedule and choose the Day interval, set the time of day, and leave the daily repeat interval set to 1 day.
  4. In Assets, add some Linux and Windows servers. Be sure to put them into the appropriate partition.

    Note: To observe how Safeguard for Privileged Passwords automatically changes passwords, set up assets from your test lab, with actual network addresses, service accounts, and passwords. Safeguard for Privileged Passwords will change these passwords on the targets themselves, so do not point the evaluation at production systems.

    Run Test Connection on the Connection tab to ensure that Safeguard for Privileged Passwords can communicate with the asset.

    1. Once you add an asset, go to the Accounts tab and add one or more unique accounts for each asset.

      Note: These are the accounts Safeguard for Privileged Passwords will use to give people access to the asset.
    2. After you add the account, right-click (or press and hold) the new account to set the password (Account Security | Set Password).
  5. Log out.
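The daily Change Password schedule configured in step 3 (and, later, the Change password after check-in option on the access request policies) replaces the real password on the asset. To confirm that independently of the Safeguard for Privileged Passwords client, capture the asset's /etc/shadow before and after the scheduled change and compare the hash field of each managed account. The script below is an added example for this guide, not One Identity code; the two shadow snapshots in it are constructed, not taken from a real system, and the account names are placeholders.

```python
# Added example for this guide, not One Identity code: compares two snapshots of
# a Linux asset's /etc/shadow (before and after a Safeguard password change) and
# reports, per managed account, whether the stored hash was replaced.
# Field layout per shadow(5): name:hash:lastchg:min:max:warn:inactive:expire:reserved
from dataclasses import dataclass
from typing import Dict, Iterable

@dataclass(frozen=True)
class ShadowEntry:
    name: str
    hash: str       # "$id$salt$digest"; a leading "!" or "*" marks a locked account
    lastchg: int    # days since 1970-01-01 of the last change; -1 if the field is empty

    @property
    def locked(self) -> bool:
        return self.hash.startswith(("!", "*"))

def parse_shadow(text: str) -> Dict[str, ShadowEntry]:
    """Parse shadow-file content into entries keyed by account name."""
    entries: Dict[str, ShadowEntry] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            raise ValueError(f"shadow line {lineno}: expected at least 3 fields")
        lastchg = int(fields[2]) if fields[2] else -1
        entries[fields[0]] = ShadowEntry(fields[0], fields[1], lastchg)
    return entries

def rotation_report(before: str, after: str, accounts: Iterable[str]) -> Dict[str, str]:
    """Classify each managed account as rotated, unchanged, locked, missing, or
    rotated-lastchg-regressed (hash replaced but the change date went backwards,
    which a normal password change never does)."""
    b, a = parse_shadow(before), parse_shadow(after)
    report: Dict[str, str] = {}
    for acct in accounts:
        if acct not in a:
            report[acct] = "missing"
        elif a[acct].locked:
            report[acct] = "locked"
        elif acct in b and a[acct].hash == b[acct].hash:
            report[acct] = "unchanged"
        elif acct in b and a[acct].lastchg < b[acct].lastchg:
            report[acct] = "rotated-lastchg-regressed"
        else:
            report[acct] = "rotated"
    return report

# Constructed snapshots (placeholder hashes, not real ones). After the scheduled
# change, svc_deploy has a new hash and a newer lastchg; svc_backup is untouched;
# svc_legacy is locked; svc_missing exists in Safeguard but not on this asset.
SHADOW_BEFORE = """\
root:!:19700:0:99999:7:::
svc_deploy:$6$a1b2c3d4$OLDHASHoldhashOLDHASHoldhash:19700:0:99999:7:::
svc_backup:$6$e5f6g7h8$SAMEHASHsamehashSAMEHASHsame:19650:0:99999:7:::
svc_legacy:!$6$i9j0k1l2$LOCKEDlockedLOCKEDlockedLOCK:19000:0:99999:7:::
"""
SHADOW_AFTER = """\
root:!:19700:0:99999:7:::
svc_deploy:$6$m3n4o5p6$NEWHASHnewhashNEWHASHnewhash:19701:0:99999:7:::
svc_backup:$6$e5f6g7h8$SAMEHASHsamehashSAMEHASHsame:19650:0:99999:7:::
svc_legacy:!$6$i9j0k1l2$LOCKEDlockedLOCKEDlockedLOCK:19000:0:99999:7:::
"""
MANAGED_ACCOUNTS = ("svc_deploy", "svc_backup", "svc_legacy", "svc_missing")

if __name__ == "__main__":
    for acct, status in rotation_report(SHADOW_BEFORE, SHADOW_AFTER, MANAGED_ACCOUNTS).items():
        print(f"{acct:12} {status}")
```

Capture each snapshot on the asset with `sudo cat /etc/shadow` (only root can read the file) and pass the two captures and the list of accounts you added in step 4 to rotation_report(). An account reported as "unchanged" after the schedule has run is the one to investigate first: check the asset's Test Connection result and the account's password change history in the client.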

Writing entitlements

Now that we have demonstrated that Safeguard for Privileged Passwords is actually managing your account passwords, let's define the rules that govern password release and session access requests, such as the maximum duration, how many approvals are required, and so forth.

To write the entitlements that govern access requests

  1. Log in as PolicyAdmin and navigate to Administrative Tools.
  2. In Settings, select Access Request | Reasons and add these access request reason codes:
    Reason        Description
    SU            Software Updates
    Sys Maint     System Maintenance
    SSH Session   SSH Session Request
    RDP Session   RDP Session Request
  3. In User Groups add these user groups:
    User Group   Description                                              User
    Approvers    Users authorized to approve password release requests.   Abe
    Requesters   Users authorized to request passwords.                   Joe
    Reviewers    Users authorized to review password release requests.    Ralph
    1. On the Users tab, add each user to the specified user group.
  4. In Account Groups, add the following account groups:
    Account Group             Description
    Linux Server Accounts     Accounts for the Linux machines.
    Windows Server Accounts   Accounts for the Windows machines.
    1. On the Accounts tab, add the appropriate accounts to each account group.
  5. In Entitlements, add the following entitlements:

    Note: At this time, do not set entitlement time restrictions.

    Entitlement                 Description
    Linux Password Requests     The rules that govern password release requests for the Linux Servers.
    Windows Password Requests   The rules that govern password release requests for the Windows Servers.
    Sessions Requests           The rules that govern session access requests.
  6. Stay logged in as the Security Policy Administrator (PolicyAdmin) and proceed to the next exercise.

Now let's add access request policies to each of these entitlements that restrict system access to authorized users.

Adding password release request policies

We now need to define the users who are authorized to make password release requests and add access request policies to define the scope (accounts that can be accessed) and rules for checking out passwords.

To add a policy to the Linux Password Requests Entitlement

  1. As PolicyAdmin navigate to Administrative Tools | Entitlements .
  2. Select the Linux Password Requests Entitlement.
  3. On the Users tab, add the Requesters user group as the "user" for this entitlement.

    An entitlement "User" is a person who is authorized to request passwords to accounts governed by the policies in the entitlement.

  4. On the Access Request Policies tab, create the following access request policy:

    1. General tab:

      • Policy Name: Linux Servers Password Release Request Policy
      • Description: The rules that define the request, approval, and review of password release requests for the Linux Server Accounts.
      • Access Type: Password Release
    2. Scope tab:

      • Linux Server Accounts group
    3. Requester tab:

      • Select the following reasons: SU and Sys Maint
      • Require a Reason.
      • Require a Comment.
      • Select the Allow Requester to Change Duration option.
    4. Approver tab:

      • Require one person from the Approvers user group to approve a password release request.
    5. Reviewer tab:

      • Require one person from the Reviewers user group to review a completed password release.
    6. Access Config tab

      • Select the Change password after check-in option.
    7. Time Restrictions tab:

      • Do not set policy Time Restrictions.

    8. Emergency tab:

      • Enable Emergency Access.

To add a policy to the Windows Password Requests Entitlement

  1. As PolicyAdmin navigate to Administrative Tools | Entitlements.
  2. Select the Windows Password Requests Entitlement.
  3. On the Users tab, add the Requesters user group as the "user" for this entitlement.

    An entitlement "User" is a person who is authorized to request passwords to accounts governed by the policies in the entitlement.

  4. On the Access Request Policies tab, create the following access request policy:

    1. General tab:

      • Policy Name: Weekday Maintenance Policy
      • Description: The rules that define the request, approval, and review of password release requests for the Windows Server Accounts on weekdays.
      • Access Type: Password Release
    2. Scope tab:

      • Windows Server Accounts group
    3. Requester tab:

      • Do not require a Reason.
      • Do not require a Comment.
      • Select the Allow Requester to Change Duration option.
    4. Approver tab:

      • Require one person from the Approvers user group to approve a password release request.
    5. Reviewer tab:

      • Require one person from the Reviewers user group to review a completed password release.
    6. Access Config tab

      • Select the Change password after check-in option.
    7. Time Restrictions tab:

      • Allow users to access passwords in the scope of this policy anytime Monday through Friday.

    8. Emergency tab:

      • Do not Enable Emergency Access.

Adding session request policies

Prior to requesting a session, you must create a session request policy that defines the users who are authorized to access an asset or account. As part of this request policy you will also define the protocol (SSH or RDP) to be used and how the account credentials used to reach the asset or account are supplied.

To write the policies that govern session requests

  1. As PolicyAdmin navigate to Administrative Tools | Entitlements.
  2. Select the Sessions Requests entitlement.
  3. On the Users tab, add the Requesters user group as the "user".
  4. On the Access Request Policies tab, create the following access request policies for the sessions request entitlement:
    1. Create a policy for SSH sessions:

      General tab:

      • Policy Name: SSH Session Request Policy
      • Description: The rules that define the request, approval, and review of session requests using SSH protocol.
      • Access Type: SSH

      Scope tab:

      • Linux Server Accounts group

      Requester tab:

      • Select the following reason: SSH Session.
      • Require a Reason.
      • Require a Comment.
      • Select the Allow Requester to Change Duration option.

      Approver tab:

      • Require one person from the Approvers user group to approve a session request.

      Reviewer tab:

      • Require one person from the Reviewers user group to review a completed session request.

      Access Config tab

      • Use the default settings (None is selected by default).

      Session Settings tab

      • Select Record Sessions.
      • Select Enable Command Detection.
      • Leave the SSH Controls selected:
        • Allow SFTP
        • Allow SCP
        • Allow X11 Forwarding

      Time Restrictions tab:

      • Do not set policy time restrictions.

      Emergency tab:

      • Do not enable emergency access.
    2. Create a policy for RDP sessions:

      General tab:

      • Policy Name: RDP Session Request Policy
      • Description: The rules that define the request, approval, and review of session requests using RDP protocol.
      • Access Type: RDP

      Scope tab:

      • Windows Server Accounts group.

      Requester tab:

      • Do not select or require a reason.
      • Do not require a comment.
      • Select the Allow Requester to Change Duration option.

      Approver tab:

      • Select Auto-approved.
      • Under Notify when Account is Auto-Approved, click To and select the Safeguard for Privileged Passwords user who should receive the email notification.

      Reviewer tab:

      • Require one person from the Reviewers user group to review a completed session request.

      Access Config tab:

      • Select User Supplied.

      Session Settings tab:

      • Select Record Sessions.
      • Leave the RDP In-Session Controls selected:
        • Allow Clipboard

      Time Restrictions tab:

      • Do not set policy time restrictions.

      Emergency tab:

      • Do not enable emergency access.
  5. Log out.
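The tabs that each policy above fills in (Scope, Requester, Approver, Reviewer, Time Restrictions, Emergency) are independent knobs, and their combined effect is easiest to see by evaluating a few requests against the four policies side by side. The following is an added worked example for this guide, not One Identity's code and not a description of how Safeguard for Privileged Passwords is implemented: it encodes the four policies as written here and applies them to constructed sample requests. It makes assumptions the guide does not state, labelled in the code as well: exactly one policy matches a request on access type plus account group, an emergency request bypasses only the approval step and only where Emergency Access is enabled, and reviewers record a completed request without gating it. Consult the product documentation for the product's actual behaviour on those points.

```python
# Added example: a model of the access request policies in this guide, not
# Safeguard's own code. Assumptions: exactly one policy matches a request on
# (access type, account group); an emergency request skips the approval step
# only when the policy enables Emergency Access; reviewers never block access.
from dataclasses import dataclass
from datetime import datetime
from enum import Enum
from typing import Dict, FrozenSet, Optional, Tuple

class Decision(str, Enum):
    DENIED = "denied"
    PENDING_APPROVAL = "pending approval"
    APPROVED = "approved"

@dataclass(frozen=True)
class AccessPolicy:
    name: str
    access_type: str                        # "Password Release", "SSH" or "RDP"
    scope: str                              # account group the policy covers
    reasons: FrozenSet[str] = frozenset()   # reason codes selected on the Requester tab
    require_reason: bool = False
    require_comment: bool = False
    approvals_required: int = 0             # 0 models "Auto-approved"
    allowed_weekdays: Optional[FrozenSet[int]] = None  # None = no time restriction; 0 = Monday
    emergency_access: bool = False

@dataclass(frozen=True)
class AccessRequest:
    access_type: str
    account_group: str
    requested_at: datetime
    reason: Optional[str] = None
    comment: Optional[str] = None
    approvals: int = 0                      # approvals already granted
    emergency: bool = False

def evaluate(policy: AccessPolicy, req: AccessRequest) -> Tuple[Decision, str]:
    """Apply one policy's tabs in order: scope, time restrictions, requester, approver."""
    if (policy.access_type, policy.scope) != (req.access_type, req.account_group):
        return Decision.DENIED, "request is outside the policy scope"
    if policy.allowed_weekdays is not None and req.requested_at.weekday() not in policy.allowed_weekdays:
        return Decision.DENIED, "outside policy time restrictions"
    if policy.require_reason:
        if req.reason is None:
            return Decision.DENIED, "reason required"
        if policy.reasons and req.reason not in policy.reasons:
            return Decision.DENIED, f"reason {req.reason!r} not permitted by this policy"
    if policy.require_comment and not (req.comment or "").strip():
        return Decision.DENIED, "comment required"
    if req.emergency:
        if not policy.emergency_access:
            return Decision.DENIED, "emergency access not enabled for this policy"
        return Decision.APPROVED, "emergency access: approval step skipped"
    if req.approvals >= policy.approvals_required:
        return Decision.APPROVED, "approved" if policy.approvals_required else "auto-approved"
    return Decision.PENDING_APPROVAL, f"{policy.approvals_required - req.approvals} approval(s) outstanding"

# The four policies written in this guide (reviewer counts omitted: they do not gate access).
POLICIES = (
    AccessPolicy("Linux Servers Password Release Request Policy", "Password Release", "Linux Server Accounts",
                 reasons=frozenset({"SU", "Sys Maint"}), require_reason=True, require_comment=True,
                 approvals_required=1, emergency_access=True),
    AccessPolicy("Weekday Maintenance Policy", "Password Release", "Windows Server Accounts",
                 approvals_required=1, allowed_weekdays=frozenset(range(5))),
    AccessPolicy("SSH Session Request Policy", "SSH", "Linux Server Accounts",
                 reasons=frozenset({"SSH Session"}), require_reason=True, require_comment=True,
                 approvals_required=1),
    AccessPolicy("RDP Session Request Policy", "RDP", "Windows Server Accounts", approvals_required=0),
)

def decide(req: AccessRequest) -> Tuple[str, Decision, str]:
    """Pick the one policy whose scope covers the request and evaluate under it."""
    matches = [p for p in POLICIES if (p.access_type, p.scope) == (req.access_type, req.account_group)]
    if len(matches) != 1:
        return "<no policy>", Decision.DENIED, f"{len(matches)} policies match; expected exactly one"
    decision, why = evaluate(matches[0], req)
    return matches[0].name, decision, why

# Constructed sample requests. 2024-06-01 is a Saturday, 2024-06-03 a Monday.
SATURDAY, MONDAY = datetime(2024, 6, 1, 10, 0), datetime(2024, 6, 3, 10, 0)
LINUX, WINDOWS = "Linux Server Accounts", "Windows Server Accounts"
SAMPLE_REQUESTS = {
    "linux-awaiting-approval": AccessRequest("Password Release", LINUX, MONDAY, reason="SU", comment="kernel patch"),
    "linux-approved": AccessRequest("Password Release", LINUX, MONDAY, reason="Sys Maint", comment="fsck", approvals=1),
    "linux-wrong-reason": AccessRequest("Password Release", LINUX, MONDAY, reason="RDP Session", comment="x"),
    "linux-no-comment": AccessRequest("Password Release", LINUX, MONDAY, reason="SU"),
    "linux-emergency": AccessRequest("Password Release", LINUX, MONDAY, reason="SU", comment="outage", emergency=True),
    "windows-saturday": AccessRequest("Password Release", WINDOWS, SATURDAY),
    "windows-monday": AccessRequest("Password Release", WINDOWS, MONDAY),
    "windows-emergency": AccessRequest("Password Release", WINDOWS, MONDAY, emergency=True),
    "rdp-auto-approved": AccessRequest("RDP", WINDOWS, MONDAY),
    "ssh-to-windows-group": AccessRequest("SSH", WINDOWS, MONDAY, reason="SSH Session", comment="x"),
}

def run_samples() -> Dict[str, Decision]:
    return {name: decide(req)[1] for name, req in SAMPLE_REQUESTS.items()}

if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        policy, decision, why = decide(req)
        print(f"{name:24} {decision.value:17} {why}  [{policy}]")
```

Running it prints the decision and the tab that produced it for each sample: the Saturday request under Weekday Maintenance Policy is denied before any approver is consulted, the Linux release without a comment and the one citing a reason the policy did not select are denied by the Requester tab, the Windows emergency request is denied because that policy left Emergency Access off, and the RDP session is approved with no approver because the policy is Auto-approved. In every approved case the Reviewer requirement still applies after the fact.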