One Identity Safeguard 2.5 - User Guide

Reviewing a session request

The Security Policy Administrator can configure an access request policy to require a review of completed session requests for assets or accounts in the scope of the policy.

Note: You can configure Safeguard for Privileged Passwords to notify you of an access request that requires your review. For more information, see Configuring alerts.

To review a completed sessions request

  1. From your Home page, the Reviews widget has these controls:
    1. Click (expand down) to open the list of pending reviews.
    2. Click Popout to float the Reviews pane.

      You can then select and drag the pane to any location on the console and resize the window.

    Note: You enable or disable the Home page widgets in the Console Settings menu.

  2. Open the list of pending reviews and select an account name to see the details of the sessions request.
  3. Take the following action on sessions requests:

    1. Select Workflow to review the transactions that took place in the selected request.

      • If Record Sessions is enabled in the policy, click Play on the Initialize Session event to play back the session.

        A green dot indicates that the session is "live". A user with Security Policy administrator permissions can click this icon to follow an active session.

        If the session recording has been archived from the local Safeguard file system or was recorded prior to joining a Sessions Appliance, you will see a Download button instead of a Play button. Click Download to download the recording and then click Play.

      • If Enable Command Detection is enabled in the policy, expand to show the details and click the events link on the Initialize Session event to view a list of the commands and programs run during the session.

        For an RDP session, the setting is Enable Windows Title Detection. When enabled, you can view a list of windows that were opened during the privileged session.

    2. Select Review to complete the review process.

      Optionally, enter a comment of up to 255 characters.

    Once the review is complete, it no longer appears on the Reviews pane.

Replaying a session

You can play back a recorded session from the Request Workflow dialog. To open the dialog, click the Workflow button, which appears to reviewers for completed session requests and in the Activity Center view when an access request event is selected in an activity audit log report. You can also play back a recorded session by clicking the icon displayed to the left of an access request session event on the activity audit log report in the Activity Center view.

NOTE: This feature is only available for session requests that have Record Session enabled in the access request policy (Access Config tab).

To play back a session (Request Workflow dialog)

  1. Open the Request Workflow dialog using the Workflow button.

    NOTE: If accessing the Request Workflow dialog from the Activity Center, select an Access Request Session event from the activity audit log report.

  2. Locate an Initialize Session event and click Play to launch the Safeguard for Privileged Passwords Desktop Player.

    A green dot indicates that the session is "live". A user with Security Policy administrator permissions can click this icon to follow an active session.

    If the session recording has been archived from the local Safeguard file system or was recorded prior to joining a Sessions Appliance, you will see a Download button instead of a Play button. Click Download to download the recording and then click Play.

  3. Accept the certificate to continue.

    In the Certificate error message, click Continue to use the default Session Recording Signing certificate shipped with Safeguard for Privileged Passwords. To use a different SSL certificate, click Abort and then import the appropriate certificates including the root CA.

  4. Use one of the following methods to play back the session recording:

    • Click Play Channel from the toolbar at the top of the player.
    • Click in the thumbnail in the upper right corner of the Information page.
    • Click Play Channel next to a channel in the Channels pane.

For more information about the Safeguard for Privileged Passwords Desktop Player and navigating through a recording, see Recording navigation.

Safeguard Desktop Player

The Safeguard for Privileged Passwords Desktop Player is installed with the Windows desktop client. When the player is launched from the desktop client, the recording is streamed from the Safeguard appliance and exists on the disk only for the lifetime of the player session. That is, when you shut down the player, the recording file is removed from the cache.

When you launch the Safeguard for Privileged Passwords Desktop Player, the main view displays, which consists of the following tabbed pages:

  • Information: Displays detailed information about the recorded session and allows you to play back the recording.
  • Warnings: Displays warnings associated with the recording.

Information tab

The information tab displays the following details for the session recording.

Table 12: Safeguard Desktop Player: Information tab
Control Description
Session recording location

Displays the path of where the recording is currently stored.

Thumbnail

Click the thumbnail in the right corner of the screen to play back the recording.

NOTE: The thumbnail is only available for RDP Drawing and SSH Session Shell channels.

NOTE: A blinking red recording button in the upper right corner of the thumbnail indicates that the session is "live", allowing you to watch the session in follow mode. Follow mode is only available to users with Security Policy Administrator permissions.

Validation indicators

The Safeguard for Privileged Passwords Desktop Player checks the upstream and downstream traffic from the recording and validates the digital signature and timestamp. The indicators across the top of the screen show the results of this validation process, where all indicators should display a green check mark.

If the Signature or Timestamp indicators are red Xs, this indicates that the corresponding certificate has not been validated. Contact your Appliance Administrator.

Recording details

Displays details about the recording, such as:

  • Date
  • Duration
  • File size
  • Session ID
User

Displays the name of the user that authenticated to the remote machine.

Connections

Displays connection information, including the address and port of the client computer and the remote machine.

Channels

The Channels pane displays the different types of data streams available for a recorded session.

An SSH session recording will contain a single channel. Valid channels for an SSH session recording are:

  • Session Shell: This is the only SSH channel that can be played back using the desktop player and it contains the actions performed during the session.
  • Session SFTP: Contains data that was transferred using the Secure File Transfer protocol (SFTP). Since this is a file transfer protocol, there is no recording file available for play back.

    NOTE: This channel is only available when Allow SFTP is selected on the Sessions Settings tab in an access request policy.

  • Session SCP: Contains data that was transferred using the Secure Copy protocol (SCP). Since this is a file transfer protocol, there is no recording file available for play back.

    NOTE: This channel is only available when Allow SCP is selected on the Sessions Settings tab in an access request policy.

  • X11: Use this channel to play back the graphical X-server session that was forwarded from the server to the client.

    NOTE: This channel is only available when Allow X11 Following is selected on the Sessions Settings tab in an access request policy.

An RDP session may contain multiple channels. Valid channels for an RDP session recording are:

  • Clipboard: Contains any data that was transferred through the clipboard; there is no recording file available for play back.

    NOTE: This channel is only available when Allow Clipboard is selected on the Session Settings tab in an access request policy.

  • Drawing: All RDP sessions will have a Drawing channel, which contains the actions taken during the session. This type of channel is most likely to be replayed.
  • Sound: Contains any audio associated with the recording.

Click the Play button next to the channel to play back the session recording.

Clicking the expansion button next to a channel displays a list of key details.

Warning tab

The warning tab displays any warnings encountered when opening and processing the recording.

Toolbar

Use the toolbar buttons located at the top of the main view as described below.

Table 13: Safeguard Desktop Player toolbar
Option Description

Back

Displays the previous view. For example, if you clicked play and are in the video view, clicking this button returns you to the recording information view.

NOTE: When no recording is loaded, there is an additional view that prompts you to drag and drop a recording file onto the player. Once you add the recording file, the recording information view displays.

Play Channel

Plays back the selected sessions recording.

NOTE: This button is disabled in follow mode.

NOTE: For more information on navigating the video view, see Recording navigation.

Export Video

Exports the sessions recording file as a video file (WEBM format).

NOTE: To play back the WEBM video, use any standard video player, such as the one available with Firefox or Google Chrome.

Settings

Allows you to import keys and certificates, access the One Identity support web site for help, and view version information about the player.

Recording navigation

Once the playback window opens, you can use the controls at the bottom of the screen or keyboard shortcuts to navigate through the recording.

Recording navigation controls

Use the controls at the bottom of the screen to navigate through the sessions recording.

Table 14: Navigation controls: Playback mode
Control Action

Timeline

Shows you where you are within the recording. The timeline can also show indicators for user events that occurred during a recorded session. Clicking an indicator on the timeline takes you to the relevant user event in the recording.

For more information on showing or hiding the user event indicators on the timeline, see Configure seeker indicators below.

Play speed

Allows you to increase or decrease the replay speed.

Skip back

Allows you to jump back to the previous user event in the recording.

Play

Pause

Play allows you to play the recording.

Pause allows you to pause the recording.

Skip forward

Allows you to jump forward to the next user event in the recording.

Closed Captioning

Allows you to display subtitles for the video that list user events as they occurred within the recorded session.

User events that may appear as subtitles include windows titles, executed commands, mouse activity, and keystrokes.

Configure seeker indicators

Allows you to configure the visibility of user event indicators on the timeline. To show a user event indicator move the toggle to the right; to hide a user event indicator move the toggle to the left.

NOTE: The type of user events that can be included in the timeline depends on the type of session:

  • RDP: Windows titles, keystrokes, mouse activity, and on-screen changes
  • SSH: Commands, keystrokes, and on-screen changes

Scaled video

Allows you to view the recording in a smaller or larger window. Clear this check box to play the video using the original resolution.

NOTE: The video is rendered at the same resolution as the original session. This setting adjusts the video size based on the size of the viewing screen.

When you are watching a "live" session, the playback navigation controls are replaced with different follow mode navigation controls.

NOTE: Follow mode is only available to users with Security Policy administrator permissions.

Table 15: Navigation controls: Follow mode

| Control | Action |
| --- | --- |
| Terminate | Allows you to end the current session you are following. |
| Live | Indicates you are following a "live" session. |

Keyboard shortcuts

You can also use the following shortcut keys to navigate through the recording.

Table 16: Keyboard shortcuts: Playback mode

| Shortcut keys | Action |
| --- | --- |
| SPACE | Play/pause recording |
| Ctrl+Z | Enable video scaling |
| f | Toggle full screen replay |
| [ | Decrease replay speed |
| ] | Increase replay speed |
| = | Reset replay speed |
| Shift + Left Arrow | Jump backwards - short |
| Alt + Left Arrow | Jump backwards - medium |
| Ctrl + Left Arrow | Jump backwards - long |
| Shift + Right Arrow | Jump forward - short |
| Alt + Right Arrow | Jump forward - medium |
| Ctrl + Right Arrow | Jump forward - long |