立即与支持人员聊天
与支持团队交流

One Identity Safeguard for Privileged Passwords 6.7.4 - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Getting started with the desktop client Using the desktop client Search box Privileged access requests Toolbox Accounts Account Groups Assets Asset Groups Discovery Entitlements Partitions Settings
Access Request settings Appliance settings Asset Management settings Backup and Retention settings Certificates settings Cluster settings Enable or Disable Services settings External Integration settings Messaging settings (desktop client) Password Management settings Safeguard Access settings SSH Key Management settings
Users User Groups Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP 2.7 or later migration guidance Appendix C: SPP and SPS join guidance Appendix D: Regular Expressions SPP Glossary About us

Linking a directory account to a user

It is the responsibility of the Security Policy Administrator to link directory accounts to a user. Once linked, these linked accounts can be used to access assets and accounts within the scope of an access request policy.

To link a directory account to a user

  1. Navigate to Administrative Tools | Users.
  2. In Users, select a user from the object list and open the Linked Accounts tab.

  3. Click Add Linked Account from the details toolbar.

    The Directory Account dialog displays, listing the directory accounts available in Safeguard for Privileged Passwords. This dialog includes the following details about each directory account listed:

    • Name: Displays the name of the directory account.
    • Domain Name: Displays the name of the domain where this account resides.
    • Service Account: A check mark indicates the account is a service account.
    • Password Request: A check mark indicates password release requests are allowed.
    • Session Request: A check mark indicates the account is enabled for session requests.
    • SSH Key Request: A check mark indicates SSH key release requests are allowed.
    • Password: A check in this column indicates that a password is set for the selected account. For more information, see Checking, changing, or setting an account password.
    • SSH Key: A check in this column indicates that an SSH key is set for the selected account. For more information, see Checking, changing, or setting an SSH key.
    • Description: Displays descriptive text about the directory account.

  4. Select one or more accounts from the list in the Directory Account dialog and click OK.

Related Topic

Adding an account

Modifying a user

The Authorizer Administrator can modify the General information for a user. The User Administrator can modify the General information for a Help Desk User. Other administrators can view information for users.

You cannot modify a directory user's contact information that is managed in the directory, such as Active Directory. If you need to add a valid mobile phone number, use the alternate mobile phone number option on the Authentication tab instead.

TIP:As a best practice, if you change a user's administrative permissions, ensure the user closes all connections to the appliance (or reboot the appliance) to prevent users from gaining access to information.

To modify a user

  1. Navigate to Administrative Tools | Users.
  2. In Users, select a user. Perform the following, as needed.

  • On the General tab, click the  Edit icon next to Identity, Authentication, Location, and Permissions or double-click the user's name to open the User dialog and update the information on the tabs.

  • On the User Group tab, the Security Policy Administrator can modify a user's group membership. You can multi-select user groups to add or remove more than one user on a user's group membership.

  • On the Partitions tab, the Asset Administrator can delegate partition ownership to a user.
  • On the Entitlements tab, the Security Policy Administrator can add the selected user to an entitlement.
  • On the Linked Accounts tab, the Security Policy Administrator can add (or remove) linked accounts associated with the user to link the user to an entitlement.
  • Right-click the user and select Permissions to change permissions.

  • The Authorizer Administrator and the User Administrator can view or  Export the details of each operation that has affected the selected use on the History tab. For more information, see History (user).

Enabling or disabling a user

Typically, it is the responsibility of the Authorizer Administrator to enable or disable administrator users and the User Administrator to enable or disable non-administrator users. You can modify a disabled user's information. If a directory user is disabled in the directory asset, the user cannot be enabled in Safeguard.

Disabling a user prevents from logging in to Safeguard for Privileged Passwords; however, if you disable a directory user, that does not prevent that user from logging in to the directory.

When re-enabling a disabled account, the Authorizer Administrator must reset the user's password. Simply enabling the account does not permit the user to log in with the previous password.

You configure the number of days you want Safeguard for Privileged Passwords to wait before automatically disabling an inactive user account in the Disable After Login Control Setting. For more information, see Local Login Control.

To enable or disable a user

  1. Navigate to Administrative Tools | Users.
  2. In Users, select a user from the object list.
  3. In the upper-right corner of the window, click Enabled ( toggle on) or Disabled ( toggle off) to toggle to the setting.

Deleting a user

Typically, it is the responsibility of the Authorizer Administrator to delete administrator users and the User Administrator to delete non-administrator users.

Important: When you delete a local user, Safeguard for Privileged Passwords deletes the user permanently. If you delete a directory user that is part of a directory user group, the next time it synchronizes its database with the directory, Safeguard for Privileged Passwords will add it back in. As a best practice, disable the directory user instead of deleting the account. For more information, see Enabling or disabling a user.

To delete a user

  1. Navigate to Administrative Tools | Users.
  2. In Users, select a user from the object list.
  3. Click Delete Selected.
  4. Confirm your request.
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级