Chat now with support
Chat with Support

Safeguard for Privileged Passwords On Demand Hosted - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Getting started with the desktop client Using the desktop client Activity Center Search box Privileged access requests Toolbox Accounts Account Groups Assets
General/Properties tab (asset) Accounts tab (asset) Account Dependencies tab (asset) Owners tab (asset) Access Request Policies tab (asset) Asset Groups tab (asset) Discovered SSH Keys (asset) Discovered Services tab (asset) History tab (asset) Managing assets
Asset Groups Discovery Entitlements Linked Accounts Partitions Profiles Settings
Access Request settings Appliance settings Asset Management settings Tags Backup and Retention settings Certificates settings Cluster settings Enable or Disable Services settings External Integration settings Password Management settings Real-Time Reports Safeguard Access settings SSH Key Management settings Security Policy Settings
Users User Groups Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP 2.7 or later migration guidance Appendix C: SPP and SPS join guidance Appendix D: Regular Expressions About us

Enable or Disable Services settings

web client only. For the desktop client, see Access Request settings.

One Identity Safeguard for Privileged Passwords allows you to enable or disable access request and password and SSH key management services. These settings control password or SSH key release requests, manual account password or SSH key validation, and reset tasks, as well as the automatic profile check and change tasks in Partitions. You can also enable or disable discovery tasks, directory sync, and the Audit Log Stream Service.

Services are enabled by default except for the Audit Log Stream Service.

By default, services are disabled for service accounts and for accounts and assets found as part of a discovery job. Service accounts can be modified to adhere to these schedules and discovered accounts can be activated when managed.

It is the responsibility of the Appliance Administrator to manage these settings.

  • Navigate to Enable or Disable Services to see the settings listed below.
    • Appliance Administrators can click the Disable all enabled services button to disable all services (as long as at least one service is currently enabled). A dialog will appear asking for confirmation before disabling the services.
    • Click a toggle to change a setting: toggle on and toggle off.
    • Click Refresh to update the information on the page.
    Table 206: Enable or Disable Services settings
    Setting Description

    Disable all enabled services

    Appliance Administrators can use this button to disable all services (as long as at least one service is currently enabled). A dialog will appear asking for confirmation before disabling the services. You will need to reenable each service individually.

    Requests

    Session Requests Enabled

    Session requests are enabled by default, indicating that authorized users can make session access requests. There is a limit of 1,000 sessions on a single access request.

    Click the Session Requests toggle to disable this service so sessions can not be requested.

    NOTE: When Session Requests is disabled, no new session access requests can be initiated. Depending on the access request policies that control the target asset/account, you will see a message informing you that the Session Request feature is not available.

    In addition, current session access requests cannot be launched. A message appears, informing you that Session Requests is not available. For example, you may see the following message: This feature is temporarily disabled. See your appliance administrator for details.

    Password requests

    Password requests are enabled by default, indicating that authorized users can make password release requests

    Click the Password requests toggle to disable this service so passwords can not be requested.

    NOTE: Disabling the password request service will place any open requests on hold until this service is reenabled.

    SSH Key requests

    SSH key requests are enabled by default, indicating that authorized users can make SSH key release requests

    Click the SSH Key requests toggle to disable this service so SSH keys can not be requested.

    NOTE: Disabling the password request service will place any open requests on hold until this service is reenabled.

    Password Management

    Check password management

    Check password management is enabled by default, indicating that Safeguard for Privileged Passwords automatically performs the password check task if the profile is scheduled, and allows you to manually check an account's password.

    Click the Check password management toggle to disable the password validation service.

    NOTE: Safeguard for Privileged Passwords enables automatic password management services by default. Typically, you would only disable them during an organization-wide maintenance window.

    When disabling a password management service, Safeguard for Privileged Passwords allows all currently running tasks to complete; however, no new tasks will be allowed to start.

    Change password management

    Change password management is enabled by default, indicating that Safeguard for Privileged Passwords automatically performs the password change task if the profile is scheduled, and allows you to manually reset an account's password.

    Click the Change password management toggle to disable the password reset service.

    NOTE: Safeguard for Privileged Passwords enables automatic password management services by default. Typically, you would only disable them during an organization-wide maintenance window.

    When disabling a password management service, Safeguard for Privileged Passwords allows all currently running tasks to complete; however, no new tasks will be allowed to start.

    SSH Key Management

    Check SSH Key

    SSH key check is enabled by default, indicating that SSH key check is managed per the profile governing the partition's assigned assets and the assets' accounts.

    Click the Check SSH Key toggle to disable the check service.

    Change SSH Key

    SSH key change is enabled by default, indicating that SSH key change is managed per the profile governing the partition's assigned assets and the assets' accounts.

    Click the Change SSH Key toggle to disable the change service.

    Discovery

    Asset discovery

    Asset discovery is enabled by default, indicating that available Asset Discovery jobs find assets by searching directory assets, such as Active Directory, or by scanning network IP ranges. For more information, see Discovery.

    Account discovery

    Account discovery is enabled by default, indicating that available Account Discovery jobs find accounts by searching directory assets such as Active Directory or by scanning local account databases on Windows and Unix assets (/etc/passwd) that are associated with the account discovery job. For more information, see Discovery.

    Service discovery

    Service discovery is enabled by default, indicating that available Service Discovery jobs find Windows services that run as accounts managed by Safeguard. For more information, see Discovery.

    SSH Key discovery

    SSH key discovery is enabled by default. With the toggle on, SSH keys in managed accounts are discovered. For more information, see SSH Key Discovery.

    Directory

    Directory sync

    Directory sync is enabled by default, indicating that additions or deletions to directory assets are synchronized. You can set the number of minutes for synchronization. For more information, see Management tab (add asset desktop client).

    Audit

     

    Audit Log Stream Service

    web client

    desktop client: To set this in the desktop client, see Appliance settings.

    Use this toggle to send Safeguard for Privileged Passwords data to Safeguard for Privileged Sessions (SPS) to audit the Safeguard privileged management software suite. The feature is disabled by default.

    To accept SPP data, the SPS Appliance Administrator must turn on audit log syncing. For information, see the Safeguard for Privileged Sessions Administration Guide.

    SPP and SPS must be linked to use this feature. For more information, see SPP and SPS sessions appliance link guidance.

    While the synchronization of SPP and SPS is ongoing, SPS is not guaranteed to have all of the audit data at any given point due to some latency.

    NOTE: This setting is also available under Security Policy Management | Settings. For more information, see Security Policy Settings.

  • External Integration settings

    The Appliance Administrator can:

    • Configure the appliance to send event notifications to various external systems.
    • Integrate with an external ticketing system or track generic ticket numbers.
    • Configure both external and secondary authentication service providers.

    However, it is the Security Policy Administrator's responsibility to configure the Approval Anywhere feature.

    Go to External Integration:

    • web client: Navigate to Appliance Management | External Integration.
    • desktop client: Navigate to Administrative Tools | Settings | External Integration.

    Table 207: External Integration settings
    Setting Description
    Application to Application

    Where you configure application registrations to use the Application to Application service, which allows third-party applications to retrieve credentials from Safeguard for Privileged Passwords.

    NOTE: This functionality is located in a different location for the web client:

    Security Policy Management | Application to Application

    Approval Anywhere

    IMPORTANT: The Cloud Assistant feature is designed to replace the Approval Anywhere feature which will be deprecated in a future Safeguard for Privileged Passwords release. Current Approval Anywhere users are encouraged to begin switching to Cloud Assistant as soon as possible.

    Where you define the Safeguard for Privileged Passwords users who are authorized to use Approval Anywhere to approve access requests.

    NOTE: This functionality is located in a different location for the web client:

    Security Policy Management | Approval Anywhere

    Cloud Assistant

    web client

    Where you define the Safeguard for Privileged Passwords users who are authorized to use Cloud Assistant to approve access requests.

    NOTE: This functionality is located in:

    Security Policy Management | Cloud Assistant

    Email Where you configure Safeguard for Privileged Passwords to automatically send email notifications when certain events occur.
    Email Templates

    Where you configure Safeguard for Privileged Passwords email templates.

    Hardware Security Module

    Where you configure the Hardware Security Module integration, which allows Safeguard for Privileged Passwords to utilize an external Hardware Security Module device for encryption.

    Identity and Authentication

    Where you configure the identity providers and authentication providers to use when logging into Safeguard for Privileged Passwords.

    NOTE: This functionality is located in a different location for the web client:

    Appliance Management | Safeguard Access | Identity and Authentication.

    SNMP Where you configure Safeguard for Privileged Passwords to send SNMP traps to your SNMP console when certain events occur.
    Starling Where you join Safeguard for Privileged Passwords to Starling to take advantage of other Starling services, such as Starling Two-Factor Authentication (2FA).
    Syslog Where you configure Safeguard for Privileged Passwords to send event notifications to a syslog server with details about the event.
    Syslog Events

    web client

    Where, using an existing syslog server, you create a subscriber and assign events.

    Ticketing systems Where you configure Safeguard for Privileged Passwords to integrate with your company's external ticket system or track generic tickets and not integrate with an external ticketing system.

    Trusted Servers, CORS, and Redirects

    Where you can restrict login redirects and Cross Origin Resource Sharing (CORS) requests to a specified list of IP addresses, host names (including DNS wildcards), and CIDR notation networks.

    Application to Application

    In order for third-party applications to use the Application to Application service to integrate with the Safeguard for Privileged Passwords vault, you must first register the application in Safeguard for Privileged Passwords. This can be done using the desktop client's Administrative Tools | Settings | External Integration | Application to Application page or the web client's Security Policy Management | Application to Application page described below. Once the application is registered, you can enable or disable the service. For more information, see Enable or disable A2A and audit log stream .

    Application to Application displays a list of previously registered third-party applications. From this page, the Security Policy Administrator can add new application registrations, and modify or remove existing registrations. The Application to Application page displays the following details about application registrations.

    Table 208: Application to Application: Properties
    Property Description

    Name

    The name assigned to the application's registration.

    Certificate User

    The name of the certificate user associated with the registered application.

    NOTE: If there is no certificate user listed for an application registration, contact your Security Policy Administrator to add one. The Application to Application service on the third-party application will not work with the Safeguard for Privileged Passwords vault until a certificate user has been specified.

    Enable/Disable

    Toggle on

    Toggle off

    Indicates whether the application registration is enabled. The toggle appears blue with the switch to the right when the service is enabled, and gray with the switch to the left when the service is disabled. Click the toggle to enable or disable an application registration.

    NOTE: When an application registration is disabled, Application to Application access is disabled for that third-party application until the registration is enabled again.

    Description

    Information about the application's registration.

    Use these toolbar buttons to manage application registrations.

    Table 209: Application to Application: Toolbar
    Option Description

    Add

    Add an application registration to Safeguard for Privileged Passwords. For more information, see Adding an application registration.

    Delete Selected / Remove

    Remove the selected application registration from Safeguard for Privileged Passwords. For more information, see Deleting an application registration.

    Refresh

    Update the list of application registrations.

    Edit

    Modify the selected application registration.

    ( desktop client only) API Keys

    Display the API keys that were generated for Access Request Broker or Credential Retrieval. An API key can then be copied and used in the third-party application to authenticate with Safeguard for Privileged Passwords.

    NOTE: For credential retrieval, the registration process generates an API key for each managed account. However, for access request broker, the registration process generates a single API key for all users or user groups that are added.

    In the web client, the API key information is accessed on the Credential Retrieval dialog (accessed by editing a previously configured application.

    About Application to Application functionality

    Using the Application to Application service, third-party applications can interact with Safeguard for Privileged Passwords in the following ways:

    • Credential retrieval: A third-party application can retrieve a credential from the Safeguard for Privileged Passwords vault in order to perform automated functions on the target asset. In addition, you can replace hard coded passwords in procedures, scripts, and other programs with programmatic calls.
    • Access request broker: A third-party application can initiate an access request on behalf of an authorized user so that the authorized user can be notified of the available request and log in to Safeguard for Privileged Passwords to retrieve a password or start a session.

    NOTE: If Offline Workflow Mode is triggered, Application to Application operations will be halted for the number of minutes it takes to move to Offline Workflow Mode. For more information, see About Offline Workflow Mode.

    Credential retrieval

    A credential retrieval request using the Application to Application service allows the third-party application to retrieve credentials from the Safeguard for Privileged Passwords vault without having to go through the normal workflow process.

    For example, say you have an automated system that performs a routine system diagnostic on various services in the data center every 24 hours. In order for the automated system to perform the diagnostics, it must first authenticate to the target server. Since all of the credentials for the target servers are stored in the Safeguard for Privileged Passwords vault, the automated system retrieves the credentials for a specified system by calling the Application to Application service.

    Access request broker

    An access request broker request using the Application to Application service allows the application to create an access request on behalf of another user.

    For example, say you have a ticketing system and one of the types of tickets that can be created is to request access to a specific asset. The ticketing system can be integrated with Safeguard for Privileged Passwords through the Application to Application service to create an access request on behalf of the user that entered the ticket into the system. Once the request is created, it follows the normal access request workflow in Safeguard for Privileged Passwords and the user who entered the ticket will be notified when access is granted.

    In order for a third-party application to perform one of tasks provided by the Application to Application service, the application must first be registered with Safeguard for Privileged Passwords. This registration will be associated with a certificate user and authentication to the Application to Application service will be done using the certificate and an API key. The registered application will not be allowed to authenticate to Safeguard for Privileged Passwords other than for the purpose specified. The properties associated with an application registration are:

    • API key: As part of the registration process, an API key is generated. An administrator must then copy this API key and make it available to the third-party application.
    • Certificate user: In addition to the API key, the application registration must be associated with a certificate user. The certificate that is associated with the certificate user must be signed by a certificate authority that is also trusted by Safeguard for Privileged Passwords.

      NOTE: Use your corporate PKI for issuing this certificate and installing it on the third-party application.

    The Application to Application service is disabled by default and must be enabled before any credential retrievals or access request broker functions can be performed. An Appliance Administrator can use the desktop client or Safeguard for Privileged Passwords API to enable the service.

    Using the desktop client:

    1. Navigate to Administrative Tools | Settings | Appliance | Enable or Disable Service.
    2. Click the Application to Application Enabled toggle to enable the service ( toggle on).

    Using the web client:

    1. Navigate to Security Policy Management | Application to Application.
    2. In the Enabled column for the service, move the toggle to the right to enable the service.

    Using the API, use the following URL:

    https://appliance/service/appliance/v3/A2AService/Enable

    In addition, you can check the current state of the service using this same desktop client page or using the following URL:

    https://appliance/service/appliance/v3/A2AService/Status

    Related Documents

    The document was helpful.

    Select Rating

    I easily found the information I needed.

    Select Rating