
One Identity Safeguard for Privileged Passwords 2.8 - Release Notes


July 2019

These release notes provide information about the One Identity Safeguard for Privileged Passwords 2.8 release.

About this release

One Identity Safeguard for Privileged Passwords Version 2.8 is a minor release with new features and resolved issues. The new features include:

  • Virtual appliance and web management console (770749, 781091, 798013, 798014, 798527)
  • Application to Application (A2A) enhancement: API visible to certificate user (794148)
  • Custom platforms: Telnet and HTTP support (799699, 787583)
  • Advanced password complexity rules (780274)
  • Job scheduler enhancements (753203)
  • Safeguard for Privileged Sessions (SPS) initiated session (797262)
  • Support for additional ServiceNow ticket types (793493)


NOTE: For a full list of key features in One Identity Safeguard for Privileged Passwords, see the One Identity Safeguard for Privileged Passwords Administration Guide.

About the Safeguard product line

The One Identity Safeguard for Privileged Passwords Appliance is built specifically for use only with the Safeguard for Privileged Passwords privileged management software, which is pre-installed and ready for immediate use. The appliance is hardened to ensure the system is secured at the hardware, operating system, and software levels. The hardened appliance approach protects the privileged management software from attacks while simplifying deployment and ongoing management, and shortening the time to value.

A Safeguard for Privileged Passwords virtual appliance is also available.

Safeguard privileged management software suite

Safeguard privileged management software is used to control, monitor, and govern privileged user accounts and activities to identify possible malicious activities, detect entitlement risks, and provide tamper proof evidence. The Safeguard products also aid incident investigation, forensics work, and compliance efforts.

The Safeguard products' unique strengths are:

  • One-stop solution for all privileged access management needs
  • Easy to deploy and integrate
  • Unparalleled depth of recording
  • Comprehensive risk analysis of entitlements and activities
  • Thorough governance for privileged accounts

The suite includes the following modules:

  • One Identity Safeguard for Privileged Passwords automates, controls and secures the process of granting privileged credentials with role-based access management and automated workflows. Deployed on a hardened appliance, Safeguard for Privileged Passwords eliminates concerns about secured access to the solution itself, which helps to speed integration with your systems and IT strategies. Plus, its user-centered design means a small learning curve and the ability to manage passwords from anywhere and using nearly any device. The result is a solution that secures your enterprise and enables your privileged users with a new level of freedom and functionality.
  • One Identity Safeguard for Privileged Sessions is part of One Identity's Privileged Access Management portfolio. Addressing large enterprise needs, Safeguard for Privileged Sessions is a privileged session management solution, which provides industry-leading access control, as well as session monitoring and recording to prevent privileged account misuse, facilitate compliance, and accelerate forensics investigations.

    Safeguard for Privileged Sessions is a quickly deployable enterprise appliance, completely independent from clients and servers - integrating seamlessly into existing networks. It captures the activity data necessary for user profiling and enables full user session drill-down for forensics investigations.

  • One Identity Safeguard for Privileged Analytics integrates data from Safeguard for Privileged Sessions to use as the basis of privileged user behavior analysis. Safeguard for Privileged Analytics uses machine learning algorithms to scrutinize behavioral characteristics and generates user behavior profiles for each individual privileged user. Safeguard for Privileged Analytics compares actual user activity to user profiles in real time and profiles are continually adjusted using machine learning. Safeguard for Privileged Analytics detects anomalies and ranks them based on risk so you can prioritize and take appropriate action - and ultimately prevent data breaches.

New features

Virtual appliance and web management console (770749, 781091, 798013, 798014, 798527)

The Appliance Administrator responsible for racking and initial configuration of the appliance can create the virtual appliance, launch the Safeguard web management console, and select one of the following wizards.

  • Initial Setup: Used to set up the virtual appliance for the first time including naming, OS licensing, and networking.
  • Setup: After the first setup, Safeguard for Privileged Passwords updates and networking changes can be made via the web management console, Setup.
  • Support Kiosk: The Support Kiosk is used to diagnose and resolve issues with Safeguard for Privileged Passwords. Any user able to access the kiosk can perform low-risk support operations including appliance restart or shutdown and support bundle creation. In order to reset the admin password, the user must obtain a challenge response token from One Identity support.

Security and backups

To maximize security in the absence of a hardened appliance, restrict access to the Safeguard virtual disks, the web management console, and the MGMT interface to as few users as possible. Recommendations:

  • X0 hosts the public API and is network adapter 1 in the virtual machine settings. Connect this to your internal network.
  • MGMT hosts the web management console and is network adapter 2 in the virtual machine settings. This interface always has the IP address of 192.168.1.105. Connect this to a private, restricted network accessible to administrators only or disconnect it from the network to restrict unauthenticated actions such as rebooting or shutting down the appliance. The web management console is also available via the VMware console.

Once setup is completed, you can verify which of your NICs are MGMT and X0 by referring to the MAC address information found in Support Kiosk | Appliance Information | Networking for X0 and MGMT.

To protect the security posture of the Safeguard hardware appliance, Safeguard hardware appliances cannot be clustered with Safeguard virtual appliances. Additionally, to ensure the security of the hardware appliance, backups taken from a hardware appliance cannot be restored on virtual appliances and backups taken from a virtual appliance cannot be restored on a hardware appliance.

Application to Application (A2A) enhancement: API visible to certificate user (794148)

When registering a third-party application configured for credential retrieval, the Policy Administrator can make the registration, including the API keys, visible to the certificate user that is configured for the A2A registration. The third-party application can discover the API key and other information needed. The Visible to certificate user check box can be selected when adding an application registration via Administrative Tools | Settings | External Integration | Application to Application.

Custom platform: Telnet and HTTP support (799699, 787583)

Custom HTTP, SSH, Telnet, and TN3270 transports are available. For more information, see the Safeguard for Privileged Passwords Administration Guide, Custom Platforms and Creating a custom platform script.

CAUTION: Facebook and Twitter functionality has been deprecated. Refer to the custom platform open source script provided on GitHub. The Facebook and Twitter platforms will be removed in a future release.

Sample custom platform scripts and command details are available from the Safeguard Custom Platform Home wiki on GitHub.

CAUTION: Example scripts are provided for information only. Updates, error checking, and testing are required before using them in production. Safeguard for Privileged Passwords checks that each value matches the type of its property, which can be a string, boolean, integer, or password (called secret in the API scripts). Safeguard for Privileged Passwords cannot check the validity or system impact of values entered for custom platforms.

Advanced password complexity rules (780274)

Separate password complexity rules can be set for local users and managed accounts. Password rules can be finely managed.

  • Set the allowable password length in a range from 3 to 225 characters.
  • Set the first character type and the last character type.
  • Allow uppercase letters, lowercase letters, numbers, and/or printable ASCII symbols along with the minimum amounts of each.
  • Identify excluded uppercase letters, lowercase letters, numbers, and symbols.
  • Identify if consecutive letters, numbers, and/or symbols can be repeated sequentially and, if allowed, set the maximum repetitions allowed.

Passwords are validated against the password rules before they are saved.
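The rule set listed above, modelled as an added Python example (not Safeguard's own code): PasswordRules is a hypothetical representation of the configurable options, and validate() returns every violation found, so a password is accepted only when the list is empty. The class names, the reading of "repeated sequentially" as a run of one character, and the message wording are assumptions.

```python
import re
import string
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set
# Character classes the rules refer to; anything else (space, non-ASCII) is rejected outright.
CLASSES: Dict[str, Set[str]] = {
    "upper": set(string.ascii_uppercase), "lower": set(string.ascii_lowercase),
    "digit": set(string.digits), "symbol": set(string.punctuation),
}
@dataclass
class PasswordRules:  # hypothetical model of the rule set listed in the release notes
    min_length: int = 8                 # the page states the range can be 3 to 225
    max_length: int = 225
    first_char_type: Optional[str] = None   # required class of the first character
    last_char_type: Optional[str] = None    # required class of the last character
    allowed: Set[str] = field(default_factory=lambda: set(CLASSES))  # permitted classes
    min_counts: Dict[str, int] = field(default_factory=dict)  # class -> minimum occurrences
    excluded: Set[str] = field(default_factory=set)  # individual characters never permitted
    max_repeats: int = 2    # longest run of one character in a row; 1 means no repeats at all

def classify(ch: str) -> Optional[str]:
    return next((name for name, chars in CLASSES.items() if ch in chars), None)

def validate(password: str, rules: PasswordRules) -> List[str]:
    problems: List[str] = []
    n = len(password)
    if not rules.min_length <= n <= rules.max_length:
        problems.append(f"length {n} is outside {rules.min_length}-{rules.max_length}")
    counts = {name: 0 for name in CLASSES}
    for ch in password:
        cls = classify(ch)
        if cls is None or cls not in rules.allowed:
            problems.append(f"character {ch!r} is not an allowed type")
        elif ch in rules.excluded:
            problems.append(f"character {ch!r} is excluded")
        else:
            counts[cls] += 1
    for cls, minimum in rules.min_counts.items():
        if counts[cls] < minimum:
            problems.append(f"needs at least {minimum} {cls} character(s), found {counts[cls]}")
    if rules.first_char_type and classify(password[:1]) != rules.first_char_type:
        problems.append(f"first character must be {rules.first_char_type}")
    if rules.last_char_type and classify(password[-1:]) != rules.last_char_type:
        problems.append(f"last character must be {rules.last_char_type}")
    # Longest run of a single character repeated back to back ("aaa" -> 3).
    longest = max((len(m.group()) for m in re.finditer(r"(.)\1*", password, re.S)), default=0)
    if longest > rules.max_repeats:
        problems.append(f"a character repeats {longest} times in a row (limit {rules.max_repeats})")
    return problems
```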

Job scheduler enhancements (753203)

An Appliance Administrator can finely tune backup and password check and change job schedules including the ability to ensure changes occur after hours. The administrator can create time windows including start and end times, days of the week, and days in a month by a static day of month or the first through fourth day of the month.

Safeguard for Privileged Sessions (SPS) initiated session (797262)

CAUTION: This functionality supports a future release of Safeguard for Privileged Sessions (SPS). For information on feature availability and use, see the One Identity Safeguard for Privileged Sessions Administration Guide at this link: One Identity Safeguard for Privileged Sessions - Technical Documentation.

Once the future release of SPS is joined to SPP, the Safeguard for Privileged Passwords (SPP) Asset Administrator can enable an SPS initiated session to get the session credentials from SPP.

  • The administrator will navigate to Administrative Tools | Settings | External Integration | Sessions Management and set the Session Module Password Access Enabled toggle on or off. When the toggle is on, SPS will create an access request and check out a password from SPP on behalf of another user. When the toggle is switched off, this ability is revoked. (The toggle displays in SPP 2.8 but has no impact.)

    CAUTION: On the Session Settings tab, SPS Connection Policy, do not select Sps initiated. This is reserved for a future release of SPS if an access policy is used by SPS to create an SPS initiated access request.

Support for additional ServiceNow ticket types (793493)

System integrators designing privileged account access based on ServiceNow tickets can include ticket types for validation during the access request workflow. The following ticket types are supported in addition to INC tickets:

  • PRB (problem) tickets
  • CHG (change) tickets
  • RITM (request) tickets

If the ticket number is found in any of the ServiceNow tables searched (INC, CHG, RITM, or PRB) and the ServiceNow API property for the ticket is "Active", the user can make the access request.

Administrators can search by a ticket number in the Activity Center to find the access request.


Resolved issues

The following is a list of issues addressed in this release.

Table 1: General resolved issues

Issue ID          Resolved Issue
796079            It is now possible to enable and disable accounts from the Accounts view.
796866            Submitting a request through the web client when a policy expiration date is set now works as intended.
797504            Support bundles now include rSMS service logs.
800031            Increased the amount of time that the primary will wait for replicas to finish patching during a cluster patch.
800419            The user interface no longer reports an error with large backup archives even when the archive operation is successful.
800524            Clicking the Template Assistant link when importing assets no longer causes an error.
800565            In the discovery user interface, the partition is now more apparent in the discovered accounts and discovered services tiles.
800727            Unsent emails no longer cause the patch to stall.
801035            During a cluster patch, the scope of the repair operation on the replica has been reduced to prevent timeouts.
801421, 802063    Fixed a rare internal crash which could lead to quarantine.
801532            It is now possible to map Active Directory attributes from auxiliary classes.
801560            Profile names have been limited to 50 characters as intended.
802033            Editing account discovery jobs when more than 500 assets are present no longer causes an error.
802119            The option for User Supplied credentials now appears in access requests as intended.
802123, 802182    The account discovery tab on assets no longer shows account discovery details from the profile if the asset does not support account discovery.
802173            CheckPassword succeeds on a managed SYS account when a non-SYSDBA service account is used.
802288            Safeguard sends Syslog events to ArcSight in an RFC3164 or CEF compatible format.
802310            Acknowledging expired or revoked access requests after upgrading now works as intended.
802402            Safeguard for Privileged Passwords (SPP) now correctly locates the Safeguard for Privileged Sessions (SPS) Player executable.
