立即与支持人员聊天
与支持团队交流

One Identity Safeguard for Privileged Passwords 6.13.1 - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Getting started with the desktop client Using the desktop client Activity Center Search box Privileged access requests Toolbox Accounts Account Groups Assets
General/Properties tab (asset) Accounts tab (asset) Account Dependencies tab (asset) Owners tab (asset) Access Request Policies tab (asset) Asset Groups tab (asset) Discovered SSH Keys (asset) Discovered Services tab (asset) History tab (asset) Managing assets
Asset Groups Discovery Entitlements Linked Accounts Partitions Profiles Settings
Access Request settings Appliance settings Asset Management settings Tags Backup and Retention settings Certificates settings Cluster settings Enable or Disable Services settings External Integration settings Password Management settings Real-Time Reports Safeguard Access settings SSH Key Management settings Security Policy Settings
Users User Groups Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP 2.7 or later migration guidance Appendix C: SPP and SPS join guidance Appendix D: Regular Expressions About us

Access Key (web client)

On the Connection tab, you can configure Safeguard for Privileged Passwords to authenticate to a managed system using an access key.

Table 84: Access Key authentication type properties
Property Description
Service Account

Enter an account for Safeguard for Privileged Passwords to use for management tasks. For more information, see About service accounts.

Access Key ID

Enter the unique identifier that is associated with the secret key. The access key ID and secret key are used together to sign programmatic AWS requests cryptographically.

Limit: 32 alphanumeric characters

Secret Key

Enter a secret access key used to cryptographically sign programmatic Amazon Web Services (AWS) requests.

Limit: 40 alphanumeric characters; the + and the / characters are also allowed.

Test Connection

Click this button to verify that Safeguard for Privileged Passwords can log in to this asset using the service account credentials you have provided. For more information, see About Test Connection.

Port

Enter the port number to log in to the asset.

Connection Timeout

Enter the connection timeout period.

Default: 20 seconds

None

When the asset's Authentication Type on the Connection tab is set to None, Safeguard for Privileged Passwords does not manage any accounts associated with the asset and does not store asset related credentials.

All assets must have a service account in order to check and change the passwords for the accounts associated with the asset.

Select the Auto Accept SSH Host Key to have Safeguard for Privileged Passwords automatically accept the SSH host key when it creates the archive server. For more information, see Adding an archive server.

Management tab (add asset web client)

Use the Asset Management | Assets | Management tab to add the partition and profile to which the asset is assigned. An asset can only be in one partition at a time. When you add an asset to a partition, all accounts associated with that asset are automatically added to that partition. All assets must be governed by a profile. New assets are automatically governed by the default profile unless otherwise specified.

The settings for an asset are shown below.

Table 85: Asset: Management tab properties
Property Description
Partition

Browse to select a partition for this asset. You can set a specific partition as the default, see Setting a default partition.

Password Profile

Browse to select a password profile to manage this asset's accounts.

You must assign all assets to a profile. All new assets are assigned to the default profile unless you specify another. You can set a specific profile as the default. For more information, see Setting a default profile.

Click Reset to set the profile to the current default.

The Reset button only becomes active when the asset has been explicitly assigned to the profile. If the asset is only implicitly assigned to the profile, the Reset button is not activated. If you do not explicitly assign an asset to a profile, it is always assigned to the current default profile.

SSH Key Profile

Browse to select an SSH key profile to manage this asset's accounts.

You must assign all assets to a profile. All new assets are assigned to the default profile unless you specify another. You can set a specific profile as the default. For more information, see Setting a default profile.

Click Reset to set the profile to the current default.

The Reset button only becomes active when the asset has been explicitly assigned to the profile. If the asset is only implicitly assigned to the profile, the Reset button is not activated. If you do not explicitly assign an asset to a profile, it is always assigned to the current default profile.

Enable Session Request

If applicable, this check box is selected by default, indicating that authorized users can request session access for this asset.

Clear this check box if you do not want to allow session requests for this asset. If an asset is disabled for sessions and an account on the asset is enabled for sessions, sessions are not available because the asset does not allow sessions.

Available for discovery across all partitions

Available for LDAP, Red Hat Directory Server and eDirectory LDAP assets; select this check box to allow the asset to be discovered across all partitions.

Manage using hashed password

Available for LDAP, Red Hat Directory Server and eDirectory LDAP assets; selecting this check box indicates password encryption will be performed by Safeguard when performing a Change Password operation.

Managed Network

The managed network that is assigned for work load balancing. For more information, see Managed Networks.

Attributes tab (edit asset web client)

NOTE: The Attributes tab only appears after you have successfully added a new asset and is accessed by editing the asset.

In the web client, the Attributes tab is used to add attributes to directory assets (including Active Directory and LDAP). For more information, see Adding identity and authentication providers.

IMPORTANT: Some Active Directory attributes are fixed and cannot be changed.

Table 86: Active Directory and LDAP: Attributes tab
Safeguard for Privileged Passwords Attribute Directory Attribute
User
ObjectClass

Default: user for Active Directory, inetOrgPerson for LDAP

Click Browse to select a class definition that defines the valid attributes for the user object class.

Username

sAMAccountName for Active Directory, cn for LDAP

Password

userPassword for LDAP

Description

description

MemberOf

Blank by default, this attribute can be set to a directory schema attribute that contains the list of directory groups of which the user is a member.

Alternate Login Name

userPrincipalName

NOTE:

By default the Alternate Login Name attribute for directories is set to userPrincipalName, however another directory attribute containing a UPN type account name can be used.

This attribute can be used in conjunction with the API's UseAltLoginName setting (disabled by default) which will instead use the Alternate Login Name as the account name. The API is PUT https://<host>/service/core/v3/AccessPolicies/{id} where the {id} is the id of the accessPolicy where you'll set the UseAltLoginName to true. UseAltLoginName is a boolean field on the asset data object.

Group
ObjectClass

Default: group for Active Directory, groupOfNames for LDAP

Click Browse to select a class definition that defines the valid attributes for the computer object class.

Name

sAMAccountName for Active Directory, cn for LDAP

Member

member

Computer  

ObjectClass

Default: computer for Active Directory, ipHost for LDAP

Click Browse to select a class definition that defines the valid attributes for the computer object class.

Name

cn

Network Address

dNSHostName for Active Directory, ipHostNumber for LDAP

Operating System

operatingSystem for Active Directory

Operating System Version

operatingSystemVersion for Active Directory

Description

description

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级