立即与支持人员聊天

获得即时帮助
完成注册

登录

请求定价

联系销售人员

One Identity Safeguard for Privileged Passwords 6.0 LTS - Administration Guide

Introduction to One Identity Safeguard for Privileged Passwords

Overview of the entities Key features What's new in version 6.0 LTS

Appliance specifications

System requirements

Desktop client system requirements Web client system requirements Web management console system requirements Supported platforms Product licensing Long Term Support (LTS) and Feature Releases

Using the virtual appliance and web management console

Setting up the virtual appliance Virtual appliance backup and recovery Support Kiosk

Cloud deployment considerations

AWS deployment Azure deployment Virtual appliance backup and recovery

Setting up Safeguard for Privileged Passwords for the first time

Step 1: Create the Authorizer Administrator Step 2: Authorizer Administrator creates administrators Step 3: Appliance Administrator configures the appliance Step 4: User Administrator adds users Step 5: Asset Administrator adds managed systems Step 6: Security Policy Administrator adds access request policies

Search by attribute Select a drop-down to sort

Using the web client

My Requests (web client) Approvals (web client) Reviews (web client) Favorites (web client) Settings, version, and Windows desktop client (web client) Change password (web client) FIDO2 keys (web client) Log out (web client)

Installing the desktop client

Installing the desktop client Starting the desktop client Uninstalling the desktop client

Using the desktop client

Settings (desktop client) User information and log out Desktop client favorite request Desktop client navigation pane

Access Requests

Viewing details

Account Automation

Activity Center

Applying search criteria Saving search criteria Generating an activity audit log report Scheduling an activity audit log report Editing or deleting a saved search or scheduled report Viewing event details Auditing request workflow Filtering report results Sorting report results

Running an entitlement report Converting time stamps

Administrative Tools

Toolbar options

Privileged access requests

Configuring alerts

Toast notifications Email notifications

Password release request workflow

Requesting a password release

Taking action on a password release request

Approving a password release request Reviewing a completed password release request

Session request workflow

About sessions and recordings Requesting session access

Taking action on a session request

Approving a session request Launching the SSH client Launching an RDP session Reviewing a session request Replaying a session Following and terminating a "live" session

Viewing task status Stopping a task

General tab (account) Access Request Policies tab (account) Account Groups tab (account) Dependent Assets (account) Check and Change Log tab (account) History tab (account) Managing accounts

Adding an account Adding a cloud platform account Manually adding a tag to an account Adding an account to one or more account groups Modifying an account Deleting an account Importing objects

Creating an import file

Checking, changing, or setting an account password Viewing password archive

General tab (account group) Accounts tab (account group) Access Request Policies tab (account group) History tab (account group) Managing account groups

Adding an account group Adding a dynamic account group

General tab (add dynamic account group) Account Rules tab (add dynamic account group) Summary tab (add dynamic account group)

Adding one or more accounts to an account group Adding accounts to an access request policy Modifying an account group Deleting an account group

General tab (asset) Accounts tab (asset) Account Dependencies tab (asset) Access Request Policies tab (asset) Asset Groups tab (asset) Discovered Services tab (asset) History tab (asset) Managing assets

Adding an asset

General tab (add asset) Management tab (add asset) Account Discovery tab (add asset) Connection tab (add asset)

About service accounts About Test Connection SSH Key

Importing an SSH key

Directory Account Local System Account Password (local service account) Access Key None

Attributes tab (add asset)

Checking an asset's connectivity Assigning an asset to a partition Assigning a profile to an asset Manually adding a tag to an asset Adding an account to an asset Adding account dependencies Adding an asset to asset groups Modifying an asset Deleting an asset Importing objects Downloading a public SSH key

General tab (asset group) Assets tab (asset group) Access Request Policies tab (asset group) History tab (asset group) Managing asset groups

Adding an asset group Adding a dynamic asset group

General tab (add dynamic asset group) Asset Rules tab (add dynamic asset group) Summary tab (add dynamic asset group)

Adding assets to an asset group Modifying an asset group Deleting an asset group

Asset Discovery

Asset Discovery job workflow Adding an Asset Discovery job

General tab (asset discovery) Information tab (asset discovery) Rules tab (asset discovery)

Add Condition (asset discovery) Edit Connection Template (asset discovery) Add Asset Profile (asset discovery)

Schedule tab (asset discovery) Summary tab (asset discovery)

Editing an Asset Discovery job Deleting an Asset Discovery job

Asset Discovery Results Account Discovery

Account Discovery job workflow Adding an Account Discovery job

Adding an Account Discovery rule

Editing an Account Discovery job Deleting an Account Discovery job

Account Discovery Results Discovered Accounts Service Discovery Results Discovered Services

General tab Users tab Access Request Policies tab History tab Managing entitlements

Adding an entitlement

About priority precedence

Time Restrictions tab

About time restrictions

Creating an access request policy

General tab Scope tab Requester tab Approver tab Reviewer tab Access Config tab Session Settings tab Time Restrictions tab Emergency tab

Adding users or user groups to an entitlement Deleting an access request policy Modifying an access request policy Copying an access request policy Viewing and editing policy details Modifying an entitlement Deleting an entitlement

About partition profiles General tab (partitions) Assets tab (partitions) Accounts tab (partitions) Profiles tab (partitions) History tab (partitions) Managing partitions

Adding a partition Adding assets to a partition Removing assets from a partition Creating a profile Modifying a profile Setting a default partition Setting a default partition profile Assigning assets or accounts to a profile Modify a partition Delete a partition

Access Request settings

Enable or Disable Services Reasons

Appliance settings

Appliance Diagnostics Appliance Information

Setting the appliance name Shutting down the appliance Restarting the appliance

Enable or Disable Services Factory Reset from the desktop client Licensing Lights Out Management (BMC) Network Diagnostics

Ping NS Lookup Trace Route Telnet Show Routes

Networking Operating system licensing Support Bundle Time Updates

Asset Management settings

Custom platforms

Creating a custom platform script Adding a custom platform

Adding a tag for dynamic tagging of assets or asset accounts Deleting an asset or asset account tag Modifying an asset or asset account tag Copying an asset or asset account tag to another partition Viewing asset and asset account tag assignments

Backup and Retention settings

About backups Archive servers

Adding an archive server

Audit Log Management Backup and restore

Run Now Backup settings Download Upload Restore Archive backup

Backup retention

Certificate settings

About certificates Audit Log Signing Certificate

Installing an audit log signing certificate Creating a Certificate Signing Request for audit logs

Certificate Signing Request SSL Certificates

Installing an SSL certificate Creating a Certificate Signing Request (CSR) Assigning a certificate to appliances

Trusted Certificates

Adding a trusted certificate Removing a trusted certificate

Cluster settings

Cluster Management

Cluster view pane Appliance details and cluster health pane

Managed networks

Adding a managed network Deleting a managed network Resolving IP address

Offline Workflow (automatic)

Enable automatic Offline Workflow Manually override automatic Offline Workflow

Session Appliances with SPS join

External Integration settings

Application to Application

About Application to Application functionality Setting up Application to Application Adding an application registration Deleting an application registration Regenerating an API key Making a request using the Application to Application service

Approval Anywhere

Adding authorized user for Approval Anywhere

Enabling email notifications Modifying an email template

Identity and Authentication

Authentication provider combinations Adding identity and authentication providers

Configuring SNMP subscriptions Verifying SNMP configuration

Join Starling

Configuring a syslog server Verifying syslog server configuration

Ticketing system

Messaging settings

Login Notification Message of the Day

Profile settings

Account Password Rules

Adding an account password rule

Change Password

Adding change password settings

Adding check password settings

Password sync groups

Adding a password sync group Modifying a password sync group

Safeguard Access settings

Login Control Password Rule

Modifying user password requirements

General tab (user) User Groups tab (user) Partitions tab (user) Entitlements tab (user) Linked Accounts tab (user) History (user) Managing users

Identity tab (add user) Authentication tab (add user) Location tab (add user) Permissions tab (add user)

Requiring secondary authentication log in

Configuring user for Starling Two-Factor Authentication when logging in to Safeguard

Adding a user to user groups Assigning a user to partitions Adding a user to entitlements Linking a directory account to a user Modifying a user Enabling or disabling a user Deleting a user Importing objects Setting a local user's password Unlocking a user's account

General tab (user groups) Users tab (user groups) Entitlements tab (user groups) History tab (user groups) Managing user groups

Adding a user group Adding a directory user group Adding users to a user group Adding a user group to an entitlement Modifying a user group Deleting a user group

Disaster recovery and clusters

Enrolling replicas into a cluster Unjoining replicas from a cluster Maintaining and diagnosing cluster members

About Offline Workflow Mode

Manually control Offline Workflow Mode

Failing over to a replica by promoting it to be the new primary Activating a read-only appliance Diagnosing a cluster member Patching cluster members

About cluster patching

Using a backup to restore a clustered appliance Resetting a cluster that has lost consensus Performing a factory reset Unlocking a locked cluster

Troubleshooting tips

Appliance states

Administrator permissions

Appliance Administrator permissions Asset Administrator permissions Auditor permissions Authorizer Administrator permissions Help Desk Administrator permissions Operations Administrator permissions Security Policy Administrator permissions User Administrator permissions

Preparing systems for management

Preparing ACF - Mainframe systems Preparing Amazon Web Services platforms Preparing Cisco devices Preparing Dell iDRAC devices Preparing VMware ESXi hosts Preparing Fortinet FortiOS devices Preparing F5 Big-IP devices Preparing HP iLO servers Preparing HP iLO MP (Management Processors) Preparing IBM i (AS/400) systems Preparing JunOS Juniper Networks systems Preparing MongoDB Preparing MySQL servers Preparing Oracle databases Preparing PAN-OS (Palo Alto) networks Preparing PostgreSQL Preparing RACF mainframe systems Preparing SAP HANA Preparing SAP Netweaver Application Servers Preparing Sybase (Adaptive Server Enterprise) servers Preparing SonicOS devices Preparing SonicWALL SMA or CMS appliances Preparing SQL Servers Preparing Top Secret mainframe systems Preparing Unix-based systems Preparing Windows systems

Minimum required permissions for Windows assets

Preparing Windows SSH systems

Troubleshooting

Anti-CSRF (cross-site request forgery) token error Connectivity failures

Change password fails Incorrect authentication credentials Missing or incorrect SSH host key No cipher supported error Service account has insufficient privileges

Cannot connect to remote machine through SSH or RDP Cannot delete account Cannot play session message Domain user denied access to Safeguard for Privileged Passwords LCD status messages

Appliance LCD and controls

My Mac keychain password was lost Password fails for Unix host Password is pending review Password is pending a reset Profile did not run Recovery Kiosk (Serial Kiosk)

Appliance information (Recovery Kiosk) Power options

Rebooting the appliance Shutting down the appliance

Admin password reset Factory reset from the Recovery Kiosk Support bundle

Replica not adding System services did not update or restart after password change Test Connection failures

Test Connection failures on archive server Certificate issue Cipher support Domain controller issue Networking issue Windows WMI connection failure

Timeout errors causing operations to fail User locked out User not notified

Frequently asked questions

How do I access the API

How do I customize the response using API query parameters

How do I audit transaction activity How do I configure external federation authentication

How do I add an external federation provider trust How do I create a relying party trust for the STS How do I add an external federation user account

How do I manage accounts on unsupported platforms How do I modify the appliance configuration settings How do I prevent Safeguard for Privileged Passwords messages when making RDP connections How do I set up telnet and TN3270/TN5250 session access requests How do I set the appliance system time How do Safeguard for Privileged Passwords database servers use SSL What are the access request states What do I do when an appliance goes into quarantine When does the rules engine run for dynamic grouping and tagging Verifying syslog server configuration Why did the password change during an open request

Appendix A: Safeguard ports Appendix B: SPP 2.7 or later migration guidance Appendix C: SPP and SPS join guidance Appendix D: Regular Expressions Appendix E: Historical changes by release

What's new in version 2.1.0.5687 What's new in version 2.2.0.6958 What's new in version 2.3.0.7426 What's new in version 2.4.0.7846 What's new in version 2.5.0.8356 What's new in version 2.6.0.8961 What's new in version 2.7.0.9662 What's new in version 2.8.0.10133 What's new in version 2.9.0.10658 What's new in version 2.10.0.10980 What's new in version 2.11.0.11444

Troubleshooting

One Identity recommends the following resolutions to some of the common problems you may encounter as you deploy and use Safeguard for Privileged Passwords. For more information about how to troubleshoot Safeguard for Privileged Passwords, refer to the Appliance settings.

Anti-CSRF (cross-site request forgery) token error

Connectivity failures

Change password fails

Incorrect authentication credentials

Missing or incorrect SSH host key

No cipher supported error

Service account has insufficient privileges

Cannot connect to remote machine through SSH or RDP

Cannot delete account

Cannot play session message

Domain user denied access to Safeguard for Privileged Passwords

LCD status messages

Appliance LCD and controls

My Mac keychain password was lost

Password fails for Unix host

Password is pending review

Password is pending a reset

Profile did not run

Recovery Kiosk (Serial Kiosk)

Appliance information (Recovery Kiosk)

Admin password reset

Factory reset from the Recovery Kiosk

Replica not adding

System services did not update or restart after password change

Test Connection failures

Test Connection failures on archive server

Certificate issue

Domain controller issue

Networking issue

Windows WMI connection failure

Timeout errors causing operations to fail

User locked out

User not notified

Related Topics

Frequently asked questions

Anti-CSRF (cross-site request forgery) token error

Cross-site request forgery (CSRF) occurs when unauthorized commands are transmitted from a user that the web application trusts. Anti-CSRF is a type of CSRF protection. It is a random string that is only known by the user's browser and the web application

If you receive an Anti Cross-Site Request Forgery token error when attempting to log in to Safeguard for Privileged Passwords using Microsoft Internet Explorer 9 on Windows 7 SP1, this indicates that cookies are blocked.

To resolve this issue

In Internet Explorer, open Tools and choose Internet Options.
In the Privacy tab, click the Advanced button.
Select the Always allow session cookies option.

Connectivity failures

The most common causes of failure in Safeguard for Privileged Passwords are either connectivity issues between the appliance and the managed system, or problems with service accounts.

Always verify network connectivity and asset power before troubleshooting.

The following topics explain some possible reasons that Check Password, Change Password, and Set Password may fail, and gives you some corrective steps you can take.

Change password fails: Learn about a possible resolution if Change Password fails.
Incorrect authentication credentials: Learn how to resolve incorrect service account credentials.
Missing or incorrect SSH host key: Learn how to resolve issues with SSH host keys.
No cipher supported error: Learn how to resolve cipher support issues.
Service account has insufficient privileges: Learn how to resolve service account privilege issues.

Change password fails

A local account password change can fail when you are using a Windows asset that is configured with a service account with Administrative privileges, other than the built-in Administrator.

Note: Before Safeguard for Privileged Passwords can change local account passwords on Windows systems, using a member of an administrators group other than built-in Administrator, you must change the local security policy to disable User Account Control (UAC) Admin Approval Mode (Run all administrators in Admin Approval Mode) option.

To configure Windows assets to change account passwords

Run secpol.msc from the Run dialog,

-OR-

From the Windows Start menu, open Local Security Policy.
Navigate to Local Policies | Security Options.
Disable the User Account Control: Run all administrators in Admin Approval Mode option.
Restart your computer.

For more information, see Preparing Windows systems.

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级

© 2024 One Identity LLC. ALL RIGHTS RESERVED. Feedback 使用条款隐私 Cookie Preference Center