Welcome to the One Identity Safeguard for Privileged Sessions 6.5 Administrator Guide.
This document describes how to configure and manage the One Identity Safeguard for Privileged Sessions (SPS). Background information for the technology and concepts used by the product is also discussed.
You can now restrict users to access audit data only for sessions for which they are granted permission.
For more information, see Creating rules for restricting access to search audit data.
The following menu items have been renamed. Note that there is no functionality change.
| Old name | New name |
|---|---|
| AAA | Users & Access Control |
| Group Management | Local User Groups |
| Access Control | Appliance Access |
| Permission Query | Access Rights Report |
Permissions settings for user groups under <Protocol name> Control > Connections > Access Control > Permission have also been renamed from Search&Authorize to Follow&Authorize and Search to Follow.
The User idle timeout option has been added to ICA, RDP, SSH, Telnet and VNC Control > Settings. If no user activity is detected, it terminates the session after the configured time has passed since the last user activity.
A new, experimental SPP fetcher role has been added to the Cluster management roles. It fetches the workflow from SPP. The fetched data can be viewed on the Search interface.
This is an EXPERIMENTAL feature. It is documented, but the performance impact on production systems has not been determined yet. Therefore this feature is not yet covered by support. However, you are welcome to try it (preferably in non-production systems) and if you have any feedback, send it to firstname.lastname@example.org.
For more information, see Cluster roles.
NOT FETCHED has been added as a new status to Basic Settings > Cluster management > Cluster management status.
For more information, see Monitoring the status of nodes in your cluster.
Starting from SPS versions 6.0.4 and 6.5.0, certificates with SHA1-based signatures are no longer trusted for Active Directory or LDAP authentication.
For more information, see Managing One Identity Safeguard for Privileged Sessions (SPS) users from an LDAP database.
The RDP login screen now allows you to paste text-based clipboard contents. It also provides a warning if Caps Lock is on.
For more information, see Usernames in RDP connections.
SPS now checks if the Certificate Revocation List (CRL) has expired and that the CRL has been signed by the same Certificate Authority (CA).
For more information, see Verifying certificates with Certificate Authorities.
One Identity Safeguard for Privileged Sessions (SPS) now supports the MSSQL protocol.
For more information, see MSSQL-specific settings.
The value range of the Disconnect clients when disks are: x percent used field in Basic Settings > Management > Disk space fill up prevention is now limited to 50-98 percent.
For more information, see Preventing disk space fill-up.
After the release of SPS version 6.4, installation packages of the external indexer application can only be downloaded from the SPS web interface.
Unicode characters for password encrypted private keys are now supported.
For more information, see Replaying encrypted audit trails in your browser.
The Asian language package is included in the basic license.
The SPS user interface has changed. The change includes the main menu, user menu, and about page.
For more information, see The structure of the web interface.
When verifying certificates with Certificate Authorities, DER format Certificate Revocation Lists are now accepted too, in addition to PEM format CRLs.
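The three certificate-handling notes above (SHA-1 based signatures no longer trusted, the CRL must be unexpired and signed by the same CA, and CRLs accepted in DER as well as PEM) describe checks an administrator may want to reproduce when troubleshooting a rejected CRL or LDAP certificate. The following is an added example written for this guide, not SPS code: it uses the Python `cryptography` package to load a CRL in either encoding, reject it if its nextUpdate has passed, confirm that its issuer matches the CA and that the CA key verifies its signature, and flag SHA-1 based signatures. The CA certificates and CRLs it builds are constructed fixtures; `check_crl`, `sha1_signed` and the helper names are hypothetical.

```python
"""Added example (not SPS's own implementation): CRL validation along the lines
the release notes describe, built on the `cryptography` package."""
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def load_crl(data: bytes) -> x509.CertificateRevocationList:
    """Accept PEM or DER; PEM is recognisable by its armour header."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return x509.load_pem_x509_crl(data)
    return x509.load_der_x509_crl(data)


def crl_next_update(crl):
    """Return nextUpdate as an aware UTC datetime across cryptography versions."""
    nu = getattr(crl, "next_update_utc", None)
    if nu is None:  # cryptography < 42 only exposes the naive attribute
        nu = crl.next_update
        nu = nu.replace(tzinfo=timezone.utc) if nu is not None else None
    return nu


def check_crl(crl_bytes: bytes, ca_cert: x509.Certificate, now=None) -> list:
    """Return a list of problems; an empty list means the CRL is acceptable."""
    now = now or datetime.now(timezone.utc)
    problems = []
    crl = load_crl(crl_bytes)

    nu = crl_next_update(crl)
    if nu is None:
        problems.append("CRL has no nextUpdate field")
    elif now > nu:
        problems.append(f"CRL expired at {nu.isoformat()}")

    # The CRL must name the CA as issuer and carry a signature the CA key verifies.
    if crl.issuer != ca_cert.subject:
        problems.append("CRL issuer does not match the CA subject")
    if not crl.is_signature_valid(ca_cert.public_key()):
        problems.append("CRL signature does not verify with the CA public key")

    # Same policy as the AD/LDAP note: SHA-1 based signatures are not trusted.
    if isinstance(crl.signature_hash_algorithm, hashes.SHA1):
        problems.append("CRL is signed with SHA-1")
    return problems


def sha1_signed(cert: x509.Certificate) -> bool:
    """True if the certificate's signature is SHA-1 based (the case now rejected)."""
    return isinstance(cert.signature_hash_algorithm, hashes.SHA1)


def make_ca(common_name: str):
    """Constructed fixture: a self-signed CA certificate and its private key."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.now(timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(days=1))
        .not_valid_after(now + timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def make_crl(ca_key, ca_cert, last_update, next_update, encoding):
    """Constructed fixture: an empty CRL signed by ca_key, serialised as PEM or DER."""
    crl = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(ca_cert.subject)
        .last_update(last_update)
        .next_update(next_update)
        .sign(private_key=ca_key, algorithm=hashes.SHA256())
    )
    return crl.public_bytes(encoding)


def demo() -> dict:
    """Run the scenarios from the notes: valid PEM, valid DER, expired, wrong CA."""
    now = datetime.now(timezone.utc)
    ca_key, ca_cert = make_ca("Example Root CA")
    other_key, other_cert = make_ca("Unrelated CA")
    week = timedelta(days=7)
    pem, der = serialization.Encoding.PEM, serialization.Encoding.DER

    good_pem = make_crl(ca_key, ca_cert, now, now + week, pem)
    good_der = make_crl(ca_key, ca_cert, now, now + week, der)
    stale = make_crl(ca_key, ca_cert, now - timedelta(days=10), now - timedelta(days=3), der)
    wrong_ca = make_crl(other_key, other_cert, now, now + week, pem)

    return {
        "pem_ok": check_crl(good_pem, ca_cert, now),
        "der_ok": check_crl(good_der, ca_cert, now),
        "expired": check_crl(stale, ca_cert, now),
        "wrong_ca": check_crl(wrong_ca, ca_cert, now),
        "ca_is_sha1": sha1_signed(ca_cert),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

For a real deployment, replace the constructed fixtures with the CA certificate uploaded to SPS and the CRL downloaded from the distribution point; an empty problem list from `check_crl` corresponds to a CRL SPS would accept under the rules described above, and each entry in a non-empty list names the specific rule that failed.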
SPS now supports the Ed25519 SSH hostkey.
For more information, see SSH hostkeys.
Configuring the internal indexer has been updated.
For more information, see Configuring the internal indexer.
CEF messages, JSON messages and JSON_CIM messages have been updated.
The Virtual disk resize section has been simplified in the Installation Guide.
For more information, see "Modifying the disk size of a SPS virtual appliance" in the Installation Guide.
If you do not specify the username or the address in nontransparent SSH and Telnet connections, One Identity Safeguard for Privileged Sessions (SPS) displays an interactive prompt where you can enter the username and the server address.
Kerberos-based authentication in SSH sessions has been improved.
For more information, see Kerberos authentication settings.
Transferring files between the target server and the client host using the Clipboard can now be audited. The transferred files can be extracted from the audit trail using a command-line tool.
Section Using SPS with SPP has been restructured and extended with information about sessions-initiated workflows.
For more information, see Using SPS with SPP.
Section Collecting logs and system information of the boot process for error reporting has been added to the document.
For more information, see Collecting logs and system information of the boot process for error reporting.
Trend analysis allows you to use the timeline to find changes over time.
For more information, see Specifying time ranges.
The Search interface has been extended with the Basic view, which allows you to select the filters that you need from the appropriate columns.
For more information, see Using search filters.
Creating a new authentication policy on SSH has been simplified.
For more information, see Creating a new authentication policy.
The WebSocket channel is now supported.
For more information, see Supported HTTP channel types.
The document has been updated with information about how you can configure your SPS cluster to enable Configuration synchronization without a central search or Central search with configuration synchronization.
Added information about joining your One Identity Safeguard for Privileged Passwords (SPP) deployment to your One Identity Safeguard for Privileged Sessions (SPS) deployment.
For more information, see Using SPS with SPP.
This section introduces One Identity Safeguard for Privileged Sessions (SPS) in a non-technical manner, discussing how and why it is useful, and what additional security it offers to an existing IT infrastructure.
One Identity Safeguard for Privileged Sessions (SPS) is part of the One Identity Safeguard solution, which in turn is part of One Identity's Privileged Access Management portfolio. Addressing large enterprise needs, SPS is a privileged session management solution which provides industry-leading access control, session recording and auditing to prevent privileged account misuse and accelerate forensics investigations.
SPS is a quickly deployable enterprise device, completely independent of clients and servers, integrating seamlessly into existing networks. It captures the activity data necessary for user profiling and enables full user session drill-down for forensic investigations.
SPS has full control over the SSH, RDP, Telnet, TN3270, TN5250, Citrix ICA, and VNC connections, giving a framework (with solid boundaries) for the work of the administrators. The most notable features of SPS are the following:
SPS acts as a centralized authentication and access-control point in your IT environment which protects against privileged identity theft and malicious insiders. The granular access management helps you to control who can access what and when on your critical IT assets.
SPS monitors privileged user sessions in real time and detects policy violations as they occur. When it detects suspicious user activity (for example, entering a destructive command such as rm), SPS can send you an alert or immediately terminate the connection.
SPS audits "who did what", for example on your database or SAP servers. Aware of this, your employees will do their work with a greater sense of responsibility, leading to a reduction in human errors. By having an easily interpreted, tamper-proof record in encrypted, timestamped, and digitally signed audit trails, finger-pointing issues can be eliminated.
SPS makes all user activity traceable by recording it in high-quality, tamper-proof and easily searchable audit trails. All data is stored in encrypted, timestamped and signed files, preventing any modification or manipulation. The movie-like audit trails ensure that all the necessary information is accessible for ad-hoc analyses or audit reports.
When something wrong happens, everybody wants to know the real story. Analyzing thousands of text-based logs can be a nightmare and may require the participation of external experts. The ability to easily reconstruct user sessions allows you to shorten investigation time and avoid unexpected cost.