
One Identity Safeguard for Privileged Passwords 2.11 - Administration Guide


What's new in version 2.3.0.7426

One Identity Safeguard for Privileged Passwords 2.3.0.7426 introduces the following new features and enhancements.

Table 224: Safeguard for Privileged Passwords 2.3: Features and enhancements

Feature/Enhancement: Synchronized passwords

Description: As an Asset Administrator, you now have the ability to synchronize passwords so that accounts can use the same password on the same or different assets.

What's new in version 2.4.0.7846

One Identity Safeguard for Privileged Passwords 2.4.0.7846 introduces the following new features and enhancements.

Custom platform (770747)

Asset Administrators now have the ability to add a custom platform for use when adding or updating an asset. A custom platform allows Safeguard for Privileged Passwords to connect to and manage password operations on platforms that are not supported by Safeguard for Privileged Passwords out of the box. You can upload a custom platform script file to add support for any system that you want to manage. In this release, only SSH-based custom platforms are supported; other protocols will be added in future releases. To access examples of custom scripts and view commands, visit:

Auditors and Partition Administrators have read-only rights to custom platforms. However, Partition Administrators retain the ability to add or remove assets.

Authentication options (765396)

With appropriate administration credentials, you can change the primary and secondary identity and authentication providers used for authentication to Safeguard for Privileged Passwords. This feature enables customers to integrate Safeguard for Privileged Passwords with their existing identity and authentication services. For example, a customer can use RADIUS for primary authentication and rely on their own company policies for functions such as two-factor authentication (2FA).

Safeguard Sessions Appliance join (770739)

CAUTION: The SPS/SPP join feature in the Safeguard for Privileged Passwords 2.4 release is intended for proof of concept and preview purposes only. This feature should not be used in production.

The Asset Administrator can now join a Safeguard Sessions Appliance with a standalone primary Safeguard for Privileged Passwords Appliance. Once joined, all sessions are recorded via the Safeguard Sessions Appliance and the embedded sessions module for Safeguard for Privileged Passwords is no longer available.

The user initiates the join by connecting to the Safeguard Sessions Appliance over SSH, selecting Join to SPP, and providing the requested information. After the join is complete, the user restarts the desktop client to complete the connection and update settings and entitlement policy details.

Sessions recorded prior to joining the Safeguard Sessions Appliance are available to play back from local storage, subject to the permissions of the Safeguard for Privileged Passwords Appliance. Archived sessions are also available to play back.

Once a Safeguard for Privileged Passwords Appliance has been configured to use the Safeguard Sessions Appliance, the change can only be reversed by a factory reset of the Safeguard for Privileged Passwords Appliance or by restoring a backup that was taken before the first join to Safeguard for Privileged Sessions (SPS). Either method unjoins the Sessions Appliance and redeploys the Safeguard for Privileged Passwords Appliance sessions module.

What's new in version 2.5.0.8356

One Identity Safeguard for Privileged Passwords 2.5.0.8356 introduces the following new features and enhancements.

Directory-based user discovery (713614 and 761638)

When adding a new directory-based user group, the Authorizer Administrator or the User Administrator now has the option to:

  • Configure primary and secondary authentication providers and
  • Set administrator permissions on the imported or updated Safeguard for Privileged Passwords users.

In addition, any managed directory accounts that exist in Safeguard for Privileged Passwords at the time of the import (or during the background synchronization of the directory) can automatically be assigned to a Safeguard user as a linked account. That association depends on the value of an attribute from the directory (such as "managedObjects" or "directReports" in Active Directory or "seeAlso" in OpenLDAP 2.4).
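The attribute-driven association described above, as an added illustration that is not One Identity's code: constructed directory entries and a constructed set of already-managed account DNs are matched on a chosen attribute ("directReports", "managedObjects" or "seeAlso"), and only accounts Safeguard already manages become linked accounts.

```python
# Added example (not One Identity's code). Models how directory-based user
# discovery can link managed directory accounts to Safeguard users, keyed on
# a directory attribute. All directory data below is constructed.

# Constructed directory entries: DN -> attributes (multi-valued attrs as lists).
# In AD, "directReports" is a back-link populated from other objects' "manager".
DIRECTORY = {
    "CN=alice,OU=Users,DC=example,DC=com": {
        "sAMAccountName": "alice",
        "directReports": [
            "CN=svc-backup,OU=Service,DC=example,DC=com",
            "CN=bob,OU=Users,DC=example,DC=com",   # a person, not a managed account
        ],
    },
    "CN=bob,OU=Users,DC=example,DC=com": {
        "sAMAccountName": "bob",
        "managedObjects": ["CN=svc-web,OU=Service,DC=example,DC=com"],
    },
    "CN=carol,OU=Users,DC=example,DC=com": {"sAMAccountName": "carol"},
}

# Constructed set of directory accounts already under Safeguard management, by DN.
MANAGED_ACCOUNTS = {
    "CN=svc-backup,OU=Service,DC=example,DC=com",
    "CN=svc-web,OU=Service,DC=example,DC=com",
}


def link_accounts(directory, managed, attribute):
    """Return {user sAMAccountName: sorted managed-account DNs} for one attribute.

    Only DNs that are already managed are linked; other referenced objects
    (for example a person listed under directReports) are skipped, and users
    with no resulting links are omitted. DN matching is case-insensitive,
    as LDAP DNs are.
    """
    managed_norm = {dn.lower() for dn in managed}
    links = {}
    for attrs in directory.values():
        values = attrs.get(attribute, [])
        if isinstance(values, str):          # tolerate single-valued attributes
            values = [values]
        linked = sorted(v for v in values if v.lower() in managed_norm)
        if linked:
            links[attrs["sAMAccountName"]] = linked
    return links
```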

Offline Workflow (782735)

To ensure password consistency and individual accountability for privileged accounts, access requests are disabled when an appliance loses consensus in the cluster. In the event of an extended network partition, the Appliance Administrator can manually place an appliance in Offline Workflow Mode to run the access request workflow on that appliance in isolation from the rest of the cluster. When the network issues are resolved and connectivity is reestablished, the Appliance Administrator can manually resume online operations to merge audit logs, drop any in-flight access requests, and return the appliance to full participation in the cluster.

It is recommended that no changes to cluster membership are made while an appliance is in Offline Workflow Mode. The Appliance Administrator must manually restore the online operations before adding other nodes to ensure the appliance can seamlessly reintegrate with the cluster.

What's new in version 2.6.0.8961

One Identity Safeguard for Privileged Passwords 2.6.0.8961 introduces the following new features and enhancements.

Automatic Offline Workflow Mode (794644)

To reduce potential downtime, the Appliance Administrator can configure Offline Workflow Mode to be performed automatically. Offline Workflow Mode allows an appliance that has lost consensus (quorum) to operate in isolation from the cluster to process access requests using cached policy data.

To avoid switching on a short-lived outage, the default time before the appliance is automatically switched to Offline Workflow Mode is 15 minutes. The time threshold can be changed to 5 minutes or more.

If automatic Offline Workflow Mode is enabled, you can enable automatic Resume Online Workflow so the appliance automatically resumes online operations once consensus is restored. The minutes to wait after consensus is restored before automatically resuming online workflow defaults to 15 minutes. The time threshold can be changed to 5 minutes or more.

When Offline Workflow Mode settings are configured to run automatically, an Appliance Administrator can override the automatic settings and manually place an appliance in Offline Workflow Mode or manually restore an appliance to online workflow, as needed.

Users see status messages that clearly communicate the appliance state and whether passwords can be requested.

This new feature is available via Settings | Cluster | Offline Workflow.

Export a report as a .csv or .json file (788932)

Administrators and users can export a report to a .csv or .json file to easily view, manipulate, and share data. This functionality includes entitlement reports, Activity Center exports, Activity Center scheduled reports, account automation reports, and access request reports.

Identity provider initiated single sign-on flow (788935)

To enable users to have a centralized logon experience, an Appliance Administrator can configure their identity provider to redirect to Safeguard for Privileged Passwords. All security requirements, such as two-factor authentication, are enforced. For example, a user can go to a portal, authenticate against their identity provider, and select an application, including Safeguard, based on their organizational role. Safeguard accepts the “unsolicited” SAML 2.0 response assertion and logs in the user without additional authentication.

Systems Integrators can offer Safeguard as an application in their single sign-on (SSO) portal. Support personnel can then click the appropriate tool on their dashboard to access Safeguard for Privileged Passwords and Safeguard for Privileged Sessions.

This feature only works with SAML 2.0 and the web user interface, not the desktop client.

Policy allows password requests to include all linked accounts (776867)

A Policy Administrator can create a policy that allows a user's password request to include access to assets for all the accounts linked to the user's account. For example, if a company uses personal admin accounts in Active Directory, a single policy can be created to grant password access to each user with a personal admin account.

This function is set by selecting the following check box: Entitlements | Access Request Policy | Access Config | Allow password access to linked accounts.

Restore a backup from a previous version (790917)

An Appliance Administrator can restore backups as far back as Safeguard for Privileged Passwords version 2.2.0.6958. Only the data is restored; the running version is not changed.

If the administrator attempts to restore a version earlier than 2.2.0.6958, a message like the following displays: Restore failed because the backup version '[version]' is older than the minimum supported version '2.2.0.6958' for restore.

You cannot restore a backup from a version newer than the one running on the appliance. The restore will fail and a message like the following displays: Restore failed because backup version [version] is newer then the one currently running [version].

The backup version and the running version display in the Activity Center logs that are generated when Safeguard starts, completes, or fails a restore.
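The two restore checks described above, as an added illustration that is not One Identity's code: build versions are compared numerically part by part (so that 2.10 sorts after 2.9, which a plain string comparison gets wrong), a backup older than 2.2.0.6958 or newer than the running version is refused, and the messages mirror the documented wording.

```python
# Added example (not One Identity's code). Models the documented restore
# compatibility gate: backups older than the minimum supported version or
# newer than the running version are refused.

MIN_RESTORE_VERSION = "2.2.0.6958"   # minimum restorable backup version from the guide


def parse_version(version):
    """'2.6.0.8961' -> (2, 6, 0, 8961). Tuples compare numerically, so 2.10 > 2.9."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected a four-part build version, got {version!r}")
    return parts


def check_restore(backup_version, running_version, minimum=MIN_RESTORE_VERSION):
    """Return (allowed, message) for restoring a backup onto a running appliance."""
    backup = parse_version(backup_version)
    running = parse_version(running_version)
    floor = parse_version(minimum)
    if backup < floor:
        return False, (f"Restore failed because the backup version '{backup_version}' "
                       f"is older than the minimum supported version '{minimum}' for restore.")
    if backup > running:
        return False, (f"Restore failed because backup version {backup_version} "
                       f"is newer than the one currently running {running_version}.")
    # Only data is restored; the running version is left unchanged.
    return True, (f"Restoring data from backup version {backup_version} "
                  f"onto running version {running_version}.")
```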

Service discovery (773722)

Overview

The Asset Administrator or delegated administrator can configure service discovery jobs to scan Windows assets and discover Windows services and tasks that may require authorization credentials. If the Windows asset is joined to a Windows domain, the authorization credentials can be local on the Windows asset or be Active Directory credentials.

Running Service Discovery jobs

Service discovery jobs run automatically in the background or may be manually run.

Association of discovered services and tasks with known Safeguard accounts

Service discovery jobs associate Windows services and tasks with accounts that are already managed by Safeguard for Privileged Passwords. The accounts put under management display on the Windows Assets | Discovered Services tab. When the account's password is changed by Safeguard, Safeguard updates the password corresponding to the services or tasks on the asset according to the asset's profile change settings.

Service Discovery with Active Directory

A discovered service or task configured to use Active Directory authentication can be automatically linked to the asset through the account managed by Safeguard. Effectively, the asset will have an account dependency on that account.

To automatically link, the Account Discovery job (which runs when Safeguard synchronizes the directory) must have the Automatically Manage Found Accounts check box selected on the Discovery tab. The Assets | General tab designates the directory profile to govern the accounts the discovery job adds to Safeguard.

Unmanaged accounts

Administrators can view Discovery | Discovered Services to identify unmanaged accounts (local accounts, or Active Directory accounts if the asset is joined to a domain) that they may want to bring under management. For more information, see Adding an account.

View Service Discovery job status

From the Activity Center, you can select the Activity Category named Service Discovery Activity which shows the Event outcomes: Service Discovery Succeeded, Service Discovery Failed, or Service Discovery Started.

Session player installation (794597)

CAUTION: To play back sessions, the new Desktop Player must be installed for one user or for all users system-wide after installing Safeguard for Privileged Passwords 2.6 or later.

When Safeguard for Privileged Passwords 2.6 or later is installed, the existing Desktop Player is removed and the latest Desktop Player must be installed.

Once Safeguard for Privileged Passwords is installed, the new player can be accessed by going to the Windows Start menu, Safeguard folder and clicking Download Safeguard Player. The One Identity Safeguard for Privileged Sessions - Download Software web page displays.

To continue the installation for one user or for all users system-wide, follow the Install Safeguard Desktop Player section of the player user guide, found as follows:

  1. Click this link: One Identity Safeguard for Privileged Sessions - Technical Documentation.
  2. Scroll to User Guide and click One Identity Safeguard for Privileged Sessions [version] Safeguard Desktop Player User Guide.

User experience if the Desktop Player is not installed

If the Desktop Player is not installed and a user tries to play back a session from the Activity Center, a message like the following will display: No Desktop Player. The Safeguard Desktop Player is not installed. Would you like to install it now? The user will need to click Yes and will be taken to the download page to complete the install.

New Desktop Player versions

To upgrade to a newer version of the Safeguard Desktop Player application, first uninstall the previously installed version.

Time zone change (780266)

Safeguard for Privileged Passwords sets a default time zone based on the location of the person performing the setup. The time zone is expressed as UTC plus or minus hours:minutes and is used for timed access (for example, access from 9 a.m. to 5 p.m.). It is recommended that the Bootstrap Administrator set the desired time zone during setup. An Authorizer Administrator can also change the time zone.

Time zone changes are made via Settings | Safeguard Access | Time Zone and selecting the Default User Time Zone.
