立即与支持人员聊天
与支持团队交流

One Identity Safeguard for Privileged Passwords 7.5.2 - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Home page Privileged access requests Appliance Management
Appliance Backup and Retention Certificates Cluster Global Services External Integration Real-Time Reports Safeguard Access Appliance Management Settings
Asset Management
Account Automation Accounts Assets Partitions Discovery Profiles Tags Registered Connectors Custom platforms Importing objects
Security Policy Management
Access Request Activity Account Groups Application to Application Cloud Assistant Asset Groups Entitlements Linked Accounts User Groups Security Policy Settings
User Management Reports Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP and SPS join guidance Appendix C: Regular Expressions

Adding an account to an asset

Use the Accounts tab on the Assets view to add an account to an asset.

You can manage tasks and services on a domain controller (DC) asset. For more information, see Using a domain controller (DC) asset..

You can add an account to an asset or add a directory account to a directory asset. Steps for both follow.

To add an account to an asset

  1. Navigate to Asset Management > Assets.

  2. Select an asset and click View Details.

  3. Open the Accounts tab.

  4. Click New Account from the details toolbar.

  5. On the General tab, enter the following information:

    • Name:

      • Local account: Enter the login user name for this account. Limit: 100 characters.

      • Directory Account: Browse to find the account.

    • Description: (Optional) Enter information about this managed account. Limit: 255 characters.

  6. On the Management tab, enter the following information:

    • Enable Password Request: This check box is selected by default, indicating that password release requests are enabled for this account. Clear this option to prevent someone from requesting the password for this account. By default, a user can request the password for any account in the scope of the entitlements in which they are an authorized user.

    • Enable Session Request: This check box is selected by default, indicating that session access requests are enabled for this account. Clear this option to prevent someone from requesting session access using this account. By default, a user can make an access request for any account in the scope of the entitlements in which they are an authorized user.

    • (For directory accounts only) Available for use across all partitions: When selected, any partition can use this account and the password is given to other administrators. For example, you can use this account as a dependent account or a service account for other assets. Potentially, you might have assets that are running services as the account, and you can update those assets when the service account changes.If not selected, partition owners and other partitions will not know that the account exists. Although archive servers are not bound by partitions, you must select this option for the directory account for the archive server to be configured with the directory account. You must also select this option to use the directory account as a service account when configuring an email server.

    • Password Profile: Browse to select a profile to govern this account.

      By default an account inherits the profile of its associated asset, but you can assign it to a different profile for this partition. For more information, see Assigning assets or accounts to a password profile and SSH key profile..

    • (Optional) JIT Privilege Group Membership: Assign groups to grant just-in-time (JIT) privileges to the account at the time of checkout, then correspondingly remove these groups from the account at the time of check-in. To assign a group, click and enter the name of a group or role. To add multiple groups, repeat. The syntax of the group name may depend on the type of platform.

      NOTE: You can use this setting together with the Suspend account when checked in option located in Asset Management > Profiles > View Password Profile Components > Change Password. These settings, however, work independently. Adding JIT privileged groups will not automatically enable an account, for example.

      NOTE: For the CISCO ISE platform, you must flag the account as a CISCO ISE AdminUser instead of an InternalUser. Also, the account must not be a member of the service accounts group.

      NOTE: Upon check-in of the account, all JIT privileged groups that were configured will be removed from the account, regardless of whether the account was a member of those groups before the initial checkout.

  7. Click OK to save the account to the asset.

Directory assets

If you add directory user accounts to a directory asset, Safeguard for Privileged Passwords will automatically change the user passwords according to the profile schedule you set, which could prevent a directory user from logging into Safeguard for Privileged Passwords. For information about how to set up directory users as Safeguard for Privileged Passwords users, see Adding a user.

For Active Directory, the standard global catalog port, 3268 (LDAP), must be open on the firewall for every Windows global catalog server in the environment and SPP Appliance to communicate for directory management tasks (for example, adding a directory account, a directory user account, or a directory user group). For more information, see the Microsoft publication How the Global Catalog Works.

To add a directory account to a directory asset

  1. Navigate to Asset Management > Assets.

  2. Select a directory asset and click View Details.

  3. Open the Accounts tab.

  4. Click New Account from the details toolbar.

  5. In the New Account dialog, click Select Account.

  6. In the Account Search Options dialog:

    1. Starts With (Active Directory ANR Search): Use this field to enter a full or partial account name.

    2. Search Location: Use the Browse button to select a container within the directory as the Search Location.

    3. The Include objects from sub containers check box is selected by default, indicating that child objects will be included in your search. Clear this check box to exclude child objects from your search.

    4. Click Find Account to search for the account.

  7. The results of the search displays in the Select Account grid. Select an account to add to Safeguard for Privileged Passwords.

  8. To save the selected accounts, click Select Account.

  9. Click OK to save the directory account to the directory asset.

Adding account dependencies

One or more Windows servers can use a directory account (such as an Active Directory account) to run hosted services and/or tasks. The Asset Administrator can configure a dependency relationship between the directory account and the Windows servers. Safeguard for Privileged Passwords performs dependent system updates to maintain the passwords for dependent accounts on all the systems that use them. For example, when Safeguard for Privileged Passwords changes the directory account password, it updates the credentials on all the Windows server's dependent accounts so that the services or tasks using this account are not interrupted. Also see KB article 312212.

You can manage tasks and services on a domain controller (DC) asset. For more information, see Using a domain controller (DC) asset.

To configure account dependencies on an asset

  1. Directory accounts:

    1. You must add directory accounts before you can set up account dependency relationships. For more information, see Adding an account.

    2. From the directory account, select the Available for use across all partitions option so it can be used outside its domain partition. For more information, see Adding an account.

  2. Assets: You must add the target directory account as a dependent account for the asset. The service account can be a domain account (to look up domain information) or a local account if the asset is a Windows Server platform. If the asset is a Windows SSH platform, then to update dependent accounts, the service account must be a domain account.

    IMPORTANT: For Windows SSH assets, a local account does not have the access necessary to discover services running as domain accounts. So if a local account is used, Safeguard for Privileged Passwords will only discover services running as local accounts, and domain account dependencies will not be updated.

    Follow these steps:

    1. Navigate to web client: Asset Management > Assets.

    2. Select the asset (such as a Windows Server instance) from the object list and open the Account Dependencies tab.

    3. Click (New Account) from the details toolbar and select one or more directory accounts. Safeguard for Privileged Passwords only allows you to select directory accounts.

  3. Profiles:

    1. The target directory account must be in the same profile as the dependent asset.

    2. You must configure the dependent asset's profile in the Change Password tab to perform the required updates on the asset. For example, select the Update Service on Password Change check box and so on. For more information, see Creating a password profile.

Adding users or user groups to an asset

When you add users to an asset, you are specifying the users or user groups that have ownership of an asset.

It is the responsibility of the Asset Administrator (or delegated partition owner) to add users or user groups to assets. The Security Policy Administrator only has permission to add groups, not users. For more information, see Administrator permissions..

To add users to an account

  1. Navigate to Asset Management > Assets.
  2. In Assets, select an asset from the object list and click View Details.
  3. Open the Owners tab.
  4. Click  Add.
  5. Select one or more users or user groups from the list in the Select users and groups dialog.
  6. Click Select Owners to save your selection.

Deleting an asset

The Asset Administrator can delete an asset even if there are active access requests.

IMPORTANT: When you delete an asset, you also permanently delete all the Safeguard for Privileged Passwords accounts associated with the asset.

To delete an asset

  1. Navigate to Asset Management > Asset.
  2. Select the asset to be deleted.
  3. Click Delete.
  4. Confirm your request.
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级