立即与支持人员聊天
与支持团队交流

One Identity Safeguard for Privileged Passwords 7.4.1 - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Home page Privileged access requests Appliance Management
Appliance Backup and Retention Certificates Cluster Global Services External Integration Real-Time Reports Safeguard Access Appliance Management Settings
Asset Management
Account Automation Accounts Assets Partitions Discovery Profiles Tags Registered Connectors Custom platforms Importing objects
Security Policy Management
Access Request Activity Account Groups Application to Application Cloud Assistant Asset Groups Entitlements Linked Accounts User Groups Security Policy Settings
User Management Reports Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP and SPS join guidance Appendix C: Regular Expressions

Setting a default profile

When you create a new partition, SPP creates a corresponding default profile with default schedules and rules. Each Asset Administrator can set a unique default partition and profile. Once you set a default profile, all new assets and accounts you add are automatically assigned to that profile.

SPP sets the default schedules to "Never" verify or reset passwords or SSH keys.

When you associate an asset to a partition, all the accounts associated with that asset, are also added to the scope of that partition. For more information, see About profiles..

To set another profile as the default

  1. Navigate to Asset Management > Partitions.
  2. In Partitions, select a partition and click View Details.

  3. Open the Password Profiles or SSH Key Profiles tab.
  4. Select a profile that is not the current default and click  Set as Default from the details toolbar or context menu. (When you select the default profile, the  Set as Default icon is grayed out.)

Assigning assets or accounts to a password profile and SSH key profile

You can assign an asset or an account to a password profile, an SSH key profile, or both. The assets and accounts must be in the scope of the partition to be assigned to a profile.

You can also configure SPP to run automatic Asset Discovery or Account Discovery jobs. For more information, see Discovery..

CAUTION: Only associate accounts to a profile that you want Safeguard for Privileged Passwords to manage.

To add assets or accounts to a profile

  1. Navigate to Asset Management > Partitions.
  2. Select a partition from the object list and click View Details.
  3. Open the Password Profiles or SSH Key Profiles tab.
  4. Select a profile and click Edit.
  5. To add an asset to the selected profile, switch to the Assets tab.
  6. Select the asset(s) to be added.
  7. To add an account to the selected profile, switch to the Accounts tab.
  8. Select the account(s) to be added.
  9. Once you have finished editing the profile, save and exit by clicking outside of the profile dialog.

Deleting a partition

When deleting a partition, you must designate another partition to transfers all assets and accounts. The profiles and associated profile settings, discovery jobs, and history data for the partition you are deleting are deleted along with the profile.

To delete a partition

  1. Navigate to Asset Management > Partitions.
  2. Select the partition to be deleted.
  3. Click Delete.
  4. In the dialog, select the partition where assets and accounts are to be reassigned.

  5. Click Select Partition to reassign the assets and accounts and delete the selected partition.

Discovery

Safeguard for Privileged Passwords discovery jobs can find assets, accounts, SSH keys, and services in your network environment. This can simplify initial deployment and ongoing maintenance of the privileged accounts in your network environment.

Details on the jobs follow.

  • Asset Discovery: Asset Discovery jobs find assets by searching directory assets, such as Active Directory, or by scanning network IP ranges. Rules control which assets are found. Asset Discovery jobs can be scheduled to run on regular intervals. The discovery job can be configured with templates to set default settings on newly created assets including connection details. The assets created by discovery jobs are considered to be managed by Safeguard, but this has no effect on the network asset. An asset with valid connection information can be used for account discovery.

    If you use Directory as the asset discovery Method, directory assets that are shared can be discovered into any partition. To share a directory asset, select Available for discovery across all partitions for the asset; see Management tab (add asset).

  • Account Discovery: Account Discovery jobs find accounts by searching directory assets such as Active Directory or by scanning local account databases on Windows and Unix assets (/etc/passwd) that are associated with the account discovery job. Rules control which accounts are found. Account discovery jobs can be scheduled to run on regular intervals. The discovery job can be configured to set default settings on newly created accounts.

    Accounts found by account discovery are neither managed nor disabled until you decide to manage them or disable them. If an account is managed by Safeguard, this means the password can be managed according to the profile settings associated with the discovery job. Safeguard can make the account available for password and/or session requests according to configured entitlements and policy.

    The accounts in the scope of the discovery job may include accounts that were previously added (manually) to the Safeguard partition. For more information, see Adding an account..

  • Service Discovery: Service Discovery jobs find Windows services that run as accounts managed by Safeguard. If Safeguard is managing the service account password, Safeguard can update the Windows service configuration to match the password when the password changes and restart the service automatically.
  • SSH Key Discovery: SSH Key Discovery jobs search user directories and discover the authorized SSH keys in managed accounts.

In the web client, information on all discovered items is shown by default. You can also use the Partition drop-down to select a specific partition to view information on.

The following tiles are displayed in the Discovered Items section:

  • Accounts: This displays the number of discovered accounts. Click the tile for detail.

  • Services: This displays the number of discovered services. Click the tile for detail. You can launch discover service account jobs from Asset Management > Assets > (View Details) > Discovered Services. For more information, see Discovered Services tab (asset)..

  • SSH Keys: This displays the number of discovered SSH keys. Click the tile for detail.

The Discovery Jobs section is broken into the follow tabs:

  • Assets tab: This tab shows the Asset Discovery jobs available to run against the directories or networks to discover assets for potential management displays.

  • Accounts tab: This tab shows the Account Discovery jobs available to run against the in scope assets to discover accounts for potential management displays.
  • SSH Keys tab: This tab shows the SSH Key Discovery jobs available to run against the managed accounts to discover SSH keys for potential management displays.
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级