One Identity Safeguard 2.5 - Evaluation Guide

Sessions access request exercises

One Identity Safeguard for Privileged Passwords enables you to issue privileged access to users for a specific period or session and gives you the ability to record, archive, and replay user sessions so that your company can meet its auditing and compliance requirements.

Before you begin:
  • Appliance Administrator: Ensure the embedded sessions module for Safeguard for Privileged Passwords is licensed (Settings | Appliance | Licensing).
  • Appliance Administrator: Ensure the Network Interface X1 is configured (Settings | Appliance | Networking).
  • Appliance Administrator: Ensure the session request service is enabled (Settings | Access Request | Enable or Disable Services).
  • Appliance Administrator: Safeguard for Privileged Passwords ships with default session certificates; however, it is recommended that you replace the default certificate with your own (Settings | Certificates | Session Certificates).
  • Security Policy Administrator: Ensure there is an entitlement with an access request policy for both SSH and RDP sessions defined. For more information, see Writing entitlements.
  • Ensure Remote Desktop is enabled for Windows machines that are going to be using RDP.
  • Ensure the necessary SSH algorithms are configured for any Unix or Linux machines that are going to be using SSH.

    NOTE: Safeguard for Privileged Passwords ships with default SSH algorithms configured for Unix and Linux machines. To add new algorithms, use the API endpoint:

    https://<Appliance IP>/service/core/swagger/SessionsSSHAlgorithm
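The last two prerequisites are where SSH sessions usually fail in practice: a hardened target host that only offers modern key exchange, cipher and MAC algorithms will refuse a proxy that offers only older ones. The script below is an added example (not from this guide or from One Identity) of the compatibility check to run before the exercise. It takes the output of `sshd -T` from the target host and reports, per algorithm class, which of the appliance-side algorithms the host will actually negotiate. The three appliance-side lists and the `sshd -T` sample are constructed for illustration and are assumptions, not the appliance's real defaults; read the real list from the SessionsSSHAlgorithm endpoint above and run `sudo sshd -T` on the target host.

```shell
#!/bin/sh
# Added example: check that a target host's sshd offers at least one key
# exchange, cipher and MAC that the appliance's session proxy will negotiate.
# On a real target run `sudo sshd -T` and feed its output to check_compat.

# Constructed sample of `sshd -T` output from a hardened target host.
SSHD_T_SAMPLE='port 22
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com'

# ASSUMED appliance-side lists (illustrative; take the real values from the
# SessionsSSHAlgorithm endpoint). Each list mixes a legacy and a modern entry.
APPLIANCE_KEX='diffie-hellman-group14-sha1,diffie-hellman-group16-sha512'
APPLIANCE_CIPHERS='aes128-cbc,aes256-ctr'
APPLIANCE_MACS='hmac-sha1,hmac-sha2-256-etm@openssh.com'

# Print the comma-separated subset of the appliance list ($1) that also appears
# in the value of the sshd -T keyword ($2) inside the sshd -T text ($3).
common_algs() {
    appliance=$1; keyword=$2; dump=$3
    host=$(printf '%s\n' "$dump" | awk -v k="$keyword" '$1==k {print $2}')
    out=''
    for a in $(printf '%s' "$appliance" | tr ',' ' '); do
        case ",$host," in
            *",$a,"*) out="${out:+$out,}$a" ;;
        esac
    done
    printf '%s' "$out"
}

# Return 0 when every algorithm class has at least one match, 1 otherwise.
# The fix for a mismatch is to ADD a host-supported algorithm on the appliance,
# not to re-enable legacy ciphers on the hardened host.
check_compat() {
    dump=$1; rc=0
    for pair in "kexalgorithms=$APPLIANCE_KEX" "ciphers=$APPLIANCE_CIPHERS" "macs=$APPLIANCE_MACS"; do
        kw=${pair%%=*}; list=${pair#*=}
        got=$(common_algs "$list" "$kw" "$dump")
        if [ -z "$got" ]; then
            echo "NO MATCH for $kw: add a host-supported algorithm on the appliance" >&2
            rc=1
        else
            echo "$kw: $got"
        fi
    done
    return $rc
}

check_compat "$SSHD_T_SAMPLE"
```

With the constructed sample, each class negotiates only on its modern entry (group16-sha512, aes256-ctr, hmac-sha2-256-etm), which is the outcome you want: the legacy entries on the appliance side are simply never used. A host whose `sshd -T` lists nothing in common with one class makes the script exit non-zero with the class named, so it can gate the rest of the rollout.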

These exercises will guide you through a step-by-step evaluation of the Safeguard for Privileged Passwords session request workflow process:

Exercise 1: Testing the SSH session request workflow

This exercise demonstrates the SSH session request workflow from request to approval to review.

To test the SSH session request process

Request session
  1. Log in as Joe, the "Requester" user.
  2. On your Home page, select New Request.
    • Request an SSH session for a Linux account.
    • Notice how the policy configuration dictates the user experience. For example, you are required to enter a reason and a comment.
  3. Open Requests and review your pending request.
Approve sessions request

NOTE: Did you receive a notification on your mobile phone? You can approve the request from your mobile device without being logged into Safeguard for Privileged Passwords.

If you'd rather approve it using the desktop client proceed to the steps below.

  1. Log in as Abe, the "Approver" user.

    NOTE: Notice Abe has an additional authentication step to take in order to log into Safeguard for Privileged Passwords. In addition, since we have set up Approval Anywhere you can use the Starling 2FA app on your mobile phone to complete the login process.
  2. Open Approvals and review the request waiting for your approval.
  3. Select Approve/Deny to approve Joe's session request.

Launch the SSH session
  1. Log in as Joe.
  2. Once the session becomes Available, open the session request and select Launch SSH client.

    The PuTTY Configuration dialog displays pre-populated with the required information; click Open.

  3. Accept the security certificate to continue. Verify the presented fingerprint out of band with your Appliance Administrator before accepting it; accepting an unknown key blindly defeats the point of replacing the default session certificates.
  4. Perform various commands on the test server.
  5. Log out of the test server and return to the Safeguard for Privileged Passwords desktop.
  6. Select Check-In to complete the checkout process for the sessions request.
Review a completed sessions request
  1. Log in as Ralph, the "Reviewer" user.
  2. Open Reviews and review the request that is waiting for your review.
  3. Select Workflow to view the transactions that took place as part of the request.

    1. Since Record Sessions is enabled in the policy, on the Initialize Session event, click Play to replay the session.
    2. Since Enable Command Detection is enabled in the policy, on the Initialize Session event, click the events link to view a list of the commands and programs run during the session.
  4. Select Review to complete the review process.

Exercise 2: Testing the RDP session request workflow

This exercise demonstrates the RDP session request workflow from request to approval to review. Since the entitlement's policy specified that you will provide your own credentials, you will need to enter those before you launch the RDP session.

To test the RDP session request process

Request session
  1. Log in as Joe, the "Requester" user.
  2. On your Home page, select New Request.
    • Request an RDP session for a Windows account.
    • Notice how the policy configuration dictates the user experience. For example, you are not required to enter a reason and a comment for this policy.
  3. Open Requests and review your pending request.
Approve sessions request

Since the access request policy was set to Auto-approved, there is no approval required.

Did you get an email notification of the auto-approved access request?

Launch the RDP session
  1. Log in as Joe.
  2. Once the session becomes Available, open the session request.
  3. Enter the credentials to be used (user name and password) and click Apply.

    Clicking Apply retrieves the information required to log in: Computer ID and Username Connection String.

  4. Select Launch RDP.
  5. Verify the certificate fingerprint with your Appliance Administrator, then accept it to continue.
  6. Run programs (for example, launch a browser and browse the internet) on the test server.
  7. Log out of the test server and return to the Safeguard for Privileged Passwords desktop.
  8. Select Check-In to complete the checkout process for the sessions request.
Review a completed sessions request
  1. Log in as Ralph, the "Reviewer" user.
  2. Open Reviews and review the request that is waiting for your review.
  3. Select Workflow to view the transactions that took place as part of the request.

    1. Since Record Sessions is enabled in the policy, on the Initialize Session event, click Play to replay the session.
    2. Notice that since Enable Window Title Detection is not enabled in the policy, a list of the windows opened on the desktop during the session is not available for review.
  4. Select Review to complete the review process.

Auditing exercises

Now that you have performed some password and session request activities, you can audit the transaction data.

The appliance records all activities performed within One Identity Safeguard for Privileged Passwords. Any administrator has access to the audit log information; however, your administrator permission set determines what audit data you can access.

Safeguard for Privileged Passwords provides several ways to audit transaction activity.

Table 5: Safeguard for Privileged Passwords' auditing tools

Password Archive: Where you access a previous password for an account for a specific date.

Check and Change Log: Where you view an account's password validation and reset history.

History: Where you view the details of each operation that has affected the selected item.

Activity Center: Where you can search for and review any activity for a specific time frame.

Workflow: Where you can audit the transactions performed as part of the workflow process from request to approval to review for a specific access request.

Reports: Where you can view and export entitlement reports that show you which assets and accounts a selected user is authorized to access.

The exercises in this section demonstrate Safeguard for Privileged Passwords' auditing capabilities. But before we start, let's create some password check and change activity.

These exercises will guide you through a step-by-step evaluation of the Safeguard for Privileged Passwords auditing features.
