One Identity Safeguard 2.7 - User Guide

What's new in version 2.1

One Identity Safeguard for Privileged Passwords 2.1 introduces the following new features and enhancements.

Table 3: Safeguard 2.1: Features and enhancements
Feature/Enhancement Description
Additional platform support

Safeguard for Privileged Passwords now supports the management of assets on the following additional platforms:

  • ACF2 - Mainframe r14 and r15
  • ACF2 - Mainframe LDAP r14 and r15
  • Debian GNU/Linux 9
  • ESXi 6.5
  • Fedora 26
  • Fortinet FortiOS 5.2 and 5.6
  • F5 Big-IP 12.1.X and 13.0
  • Mac OS X 10.13
Cluster patching

The cluster patching process now allows you to patch all cluster members without first unjoining a replica and re-enrolling it after it has been updated. During the cluster patch operation, the access request workflow remains available, so authorized users can still request password releases and session access.

Federated login

One Identity Safeguard for Privileged Passwords supports the SAML 2.0 Web Browser SSO Profile, allowing you to configure federated authentication with many different Identity Provider STS servers and services, such as Microsoft AD FS.

Immediate recording archival

One Identity Safeguard for Privileged Passwords provides the ability to immediately archive session recordings from a specific Safeguard for Privileged Passwords Appliance to a specified archive target. When an archive server is configured, session recordings are removed from the Safeguard for Privileged Passwords Appliance and stored on the archive server.

Lights Out Management (BMC)

The Lights Out Management feature allows you to remotely manage the power state and serial console of Safeguard for Privileged Passwords using the baseboard management controller (BMC). When a LAN interface is configured for the BMC, the Appliance Administrator can power on an appliance remotely or interact with the recovery kiosk. Because the BMC grants power and console control independently of the appliance's own application-level access controls, its LAN interface belongs on an isolated management network rather than on the network that users and managed assets can reach.

Multi-request

Authorized Safeguard for Privileged Passwords users can now request multiple password releases or sessions in a single request. These requests can also be saved as a "favorite" access request, providing quick access to the request from the user's Home page.
Safeguard for Privileged Passwords Desktop Player enhancements

The new version of the Safeguard for Privileged Passwords Desktop Player includes the following new features:

  • Ability to display user activity as subtitles when playing back a recorded session. The user activity that can be displayed as subtitles includes window titles, executed commands, mouse activity, and keystrokes, as they occurred during the recorded session.
  • New timeline with user event indicators showing when user activities and screen changes occurred within the recorded session. Clicking an indicator on the timeline takes you to the relevant user event in the recording.
  • Ability to export the session recording file, including the user event subtitles, as a video file.
Security Policy Administrator dashboard

The new Access Request dashboard allows Security Policy Administrators to review and manage access requests from a single location. From this view, the Security Policy Administrator can revoke a request, follow an active session, or terminate a session.
Restore/Suspend accounts

Safeguard for Privileged Passwords allows you to suspend managed accounts while they are not in use and restore them when they are needed again. A suspended privileged account cannot be logged into, so it presents a much smaller target for password-guessing attacks during the time nobody has it checked out.

NOTE: This new feature applies to Windows platforms (Windows server and Active Directory accounts) and Unix platforms (AIX, HP-UX, Linux, Solaris, and Mac OS X accounts).
TLS 1.2 Only

To remediate the security vulnerabilities identified in earlier versions of the TLS protocol, Appliance Administrators can configure Safeguard for Privileged Passwords to respond only to TLS 1.2 requests. This allows organizations to meet the strong-cryptography requirements in PCI DSS. Before enabling the setting, confirm that every client that connects to the appliance (the desktop client, browsers, A2A callers, monitoring tools) can negotiate TLS 1.2; afterwards, verify from a client that a handshake forced to TLS 1.1 or earlier (for example, openssl s_client -tls1_1 -connect <appliance>:443) is refused.

X11 Forwarding

When configuring the settings for SSH session access requests, Security Policy Administrators can now enable Allow X11 Forwarding, which tunnels X11 display traffic over the SSH session so that graphical applications launched on the target server are displayed on the requesting user's client. Because X11 forwarding lets programs on the target host talk to the user's local X server, enable it only for policies whose targets actually need graphical tools.

What's new in version 2.2

One Identity Safeguard for Privileged Passwords 2.2 introduces the following new features and enhancements.

Table 4: Safeguard for Privileged Passwords 2.2: Features and enhancements
Feature/Enhancement Description

Additional platform support

Safeguard for Privileged Passwords now supports the management of assets on the following additional platforms:

  • FreeBSD
  • MongoDB
  • PostgreSQL
  • RACF - Mainframe LDAP
  • SAP HANA

Application to Application (A2A) integration

Using the Application to Application service, third-party applications can interact with Safeguard for Privileged Passwords in the following ways:

  • Credential retrieval: A third-party application can retrieve a credential from the Safeguard for Privileged Passwords vault in order to perform automated functions on the target asset. This lets you replace hard-coded passwords in procedures, scripts, and other programs with programmatic calls.
  • Access request broker: A third-party application can initiate an access request on behalf of an authorized user so that the authorized user can be notified of the available request and log in to Safeguard for Privileged Passwords to retrieve a password or start a session.
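The credential-retrieval case above, as an added example that is not code from this guide or from One Identity: a small A2A client that asks the vault for a password at run time instead of embedding it in the script. The endpoint path (/service/a2a/v2/Credentials?type=Password), the "Authorization: A2A <api key>" header and the JSON-string response body are assumptions drawn from One Identity's published client libraries (safeguard-ps, pysafeguard); confirm them against your appliance's API reference. The appliance hostname, certificate paths and environment variable names are hypothetical.

```python
# Added example (not from the One Identity documentation or product): an
# Application to Application (A2A) credential-retrieval client. Assumptions,
# to be verified against your appliance's API reference:
#   - GET https://<appliance>/service/a2a/v2/Credentials?type=Password
#   - header "Authorization: A2A <api key>" issued for the registered application
#   - the caller presents the client certificate registered on the A2A record
#   - the response body is the secret as a JSON string literal
import json
import ssl
import urllib.parse
import urllib.request

A2A_CREDENTIALS_PATH = "/service/a2a/v2/Credentials"  # assumed endpoint path

# Before: the secret lives in the script and in every copy of it.
#   DB_PASSWORD = "Winter2024!"   # constructed example of what to remove
# After: the script holds only a client certificate and an API key and asks the
# vault for the current password each time it runs, so rotation needs no edits.


def build_credential_request(appliance, api_key, credential_type="Password"):
    """Return the GET request for one credential. api_key is the A2A key
    bound to one account on the A2A registration, not a user password."""
    query = urllib.parse.urlencode({"type": credential_type})
    url = "https://{}{}?{}".format(appliance, A2A_CREDENTIALS_PATH, query)
    headers = {
        "Authorization": "A2A " + api_key,  # assumed scheme
        "Accept": "application/json",
    }
    return urllib.request.Request(url, headers=headers, method="GET")


def build_tls_context(client_cert, client_key, ca_bundle=None):
    """Mutual TLS: the appliance authenticates the caller by the certificate
    registered on the A2A record, and the caller verifies the appliance
    against ca_bundle (or the system trust store). The floor is TLS 1.2, to
    match the appliance-side "TLS 1.2 Only" setting."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def parse_credential_response(body):
    """Accept the assumed JSON string literal ("...") or a bare string, reject
    empty or non-string bodies, and never copy the value into an error."""
    text = body.strip()
    if not text:
        raise ValueError("empty credential response")
    try:
        value = json.loads(text)
    except ValueError:
        value = text  # not JSON: treat the raw body as the secret
    if not isinstance(value, str) or not value:
        raise ValueError("credential response is not a non-empty string")
    return value


def fetch_password(appliance, api_key, client_cert, client_key,
                   ca_bundle=None, timeout=10):
    """Retrieve the password for the account bound to this API key."""
    request = build_credential_request(appliance, api_key)
    context = build_tls_context(client_cert, client_key, ca_bundle)
    with urllib.request.urlopen(request, context=context, timeout=timeout) as resp:
        return parse_credential_response(resp.read().decode("utf-8"))


if __name__ == "__main__":
    import os
    # Hypothetical deployment values: keep the API key in the environment or a
    # file with restrictive permissions, never in the script body.
    secret = fetch_password(
        appliance=os.environ["SPP_APPLIANCE"],
        api_key=os.environ["SPP_A2A_API_KEY"],
        client_cert="/etc/myapp/a2a-client.pem",
        client_key="/etc/myapp/a2a-client.key",
    )
    # Use `secret` to open the database or SSH connection; do not log it.
    print("retrieved a credential of length", len(secret))
```

The API key on its own does not authenticate the caller: the appliance also requires the registered client certificate, so a leaked key is useless without the private key that goes with it. Keep that private key readable only by the service account that runs the script, and treat the returned value as sensitive in logs and crash dumps.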

Asset administrator dashboard

The Account Automation tab on the Dashboard allows Asset and Directory administrators to view information regarding accounts that are failing different types of tasks, including:

  • Accounts where password check tasks failed.
  • Accounts where password change tasks failed.
  • Accounts where SSH key change tasks failed.
  • Accounts where suspend tasks failed.
  • Accounts where restore tasks failed.

Dynamic grouping and tagging

Dynamic grouping and tagging helps classify assets, allowing Safeguard for Privileged Passwords to assign automatically provisioned systems and accounts to a policy without manual intervention.

Tags allow Asset administrators to add metadata to accounts and assets, enriching the data on each object as it is added to Safeguard for Privileged Passwords. Tags can be added to assets and accounts dynamically, based on tagging rules, or manually.

Policy administrators can create rules based on tags or from attribute information that is on the account or asset (for example, name, platform, partition, network address, and so on) to define group membership.

Event subscription

As a Safeguard for Privileged Passwords user, you can now control the email notifications you receive. Using the Manage Email Notifications control in your My Account pane, you can remove the events for which you do not want to receive email notifications.

As a Safeguard for Privileged Passwords administrator, you can use the API to subscribe to the events for which you are interested in receiving notifications.

Audit log archive

Safeguard for Privileged Passwords allows you to define and schedule an audit log management task to rotate audit logs from the Safeguard for Privileged Passwords appliance and archive older audit logs to a designated archive server.

Site awareness and network segmentation

As an Appliance administrator, you can define managed networks (network segments) for your organization so Safeguard for Privileged Passwords can more effectively manage assets and accounts, and service access requests. Managed network information is used for scheduling tasks, such as password change and account discovery, and for session management in a clustered environment to distribute the task load. That is, by using managed networks the load is distributed in such a way that there is minimal cluster traffic and appliances that are closest to the target asset are used to perform the task.

Attribute search

The attribute search functionality in the user interface allows you to limit an object list based on object attributes. For example, in the Accounts view, you can now filter the accounts list to those accounts where the specified attribute contains the search string you entered.

Starling Join

The newest versions of One Identity's on-premises products offer a mandatory One Identity Hybrid Subscription, which helps you transition to a hybrid environment on your way to the cloud. The subscription enables you to join Safeguard for Privileged Passwords with the One Identity Starling software-as-a-service platform. This gives your organization immediate access to a number of cloud-delivered features and services, which expand the capabilities of Safeguard for Privileged Passwords. When new products and features become available to One Identity Starling, the One Identity Hybrid Subscription allows you to use these immediately for Safeguard for Privileged Passwords to add value to your subscription.

Starling Identity Analytics & Risk Intelligence integration

The Starling Identity Analytics & Risk Intelligence service collects and evaluates information from data sources, such as Safeguard for Privileged Passwords, to provide you with valuable insights into your users and entitlements. When integrated with Safeguard for Privileged Passwords, Starling Identity Analytics & Risk Intelligence allows you to identify Safeguard for Privileged Passwords users and entitlements that are classified as high risk and view the rules and details attributing to that classification.

What's new in version 2.3

One Identity Safeguard for Privileged Passwords 2.3 introduces the following new features and enhancements.

Table 5: Safeguard for Privileged Passwords 2.3: Features and enhancements
Feature/Enhancement Description

Synchronized passwords

As an Asset Administrator, you now have the ability to synchronize passwords so that accounts can share the same password on the same or different assets. A synchronized password is only as well protected as the least protected account in the group, so limit each group to accounts that genuinely must share a credential.

What's new in version 2.4

One Identity Safeguard for Privileged Passwords 2.4 introduces the following new features and enhancements.

Custom platform (770747)

Asset Administrators now have the ability to add a custom platform for use when adding or updating an asset. A custom platform allows Safeguard for Privileged Passwords to connect to and manage password operations on platforms that are not supported by Safeguard for Privileged Passwords out of the box. You can upload a custom platform script file to add support for any system that you want to manage. In this release, only SSH-based custom platforms are supported; other protocols will be added in future releases. To access examples of custom scripts and view commands, visit:

Auditors and Partition Administrators have read only rights to custom platforms. However, Partition Administrators retain the ability to add or remove assets.

Authentication options (765396)

With appropriate administration credentials, you can change the primary and secondary identity and authentication providers used for authentication to Safeguard for Privileged Passwords. The feature enables customers to integrate Safeguard for Privileged Passwords with their existing identity and authentication services. For example, a customer can use RADIUS for primary authentication and rely on their own company policies for functions such as two-factor authentication (2FA).

Safeguard Sessions Appliance join (770739)

CAUTION: The SPS/SPP join feature in the Safeguard for Privileged Passwords 2.4 release is intended for proof of concept and preview purposes only. This feature should not be used in production.

The Asset Administrator can now join a Safeguard Sessions Appliance with a standalone primary Safeguard for Privileged Passwords Appliance. Once joined, all sessions are recorded via the Safeguard Sessions Appliance and the embedded sessions module for Safeguard for Privileged Passwords is no longer available.

The user initiates the join by connecting to the Safeguard Sessions Appliance over SSH, selecting Join to SPP, and providing the requested information. After the join is complete, the user restarts the desktop client to complete the connection and update settings and entitlement policy details.

Sessions recorded prior to joining the Safeguard Sessions Appliances are available to play back from local storage and in accordance with the permissions of the Safeguard for Privileged Passwords Appliance. Sessions that are archived are also available to play back.

Once a Safeguard for Privileged Passwords Appliance has been configured to use the Safeguard Sessions Appliance, the change can only be reversed by a factory reset of the Safeguard for Privileged Passwords Appliance or by restoring a backup that was taken before the first join of Safeguard for Privileged Sessions (SPS). Either method unjoins the Sessions Appliance and redeploys the Safeguard for Privileged Passwords Appliance sessions module.
