立即与支持人员聊天
与支持团队交流

One Identity Safeguard for Privileged Passwords 7.5 - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Home page Privileged access requests Appliance Management
Appliance Backup and Retention Certificates Cluster Global Services External Integration Real-Time Reports Safeguard Access Appliance Management Settings
Asset Management
Account Automation Accounts Assets Partitions Discovery Profiles Tags Registered Connectors Custom platforms Importing objects
Security Policy Management
Access Request Activity Account Groups Application to Application Cloud Assistant Asset Groups Entitlements Linked Accounts User Groups Security Policy Settings
User Management Reports Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP and SPS join guidance Appendix C: Regular Expressions

Viewing API Key Archive

The Asset Administrator can access an archive of an account's API Keys.

To access an account's API key archive

  1. Navigate to Asset Management > Accounts.
  2. Select an account and click (View Details).
  3. Navigate to Properties > Secrets.
  4. For a configured API key, click View Archive.
  5. In the API Key archive dialog, select a date. If you select today's date (or a previous date) and no entries are returned, this indicates that the asset is still using the current API key.

  6. In the View column, click to display the API Key that was assigned to the asset at that given date and time.

  7. In the details dialog, click Copy to copy the API Key to your copy buffer.

Setting a TOTP authenticator

Many asset types support the use of a TOTP authenticator for the accounts associated with it using password requests. The following instructions explain how to add a TOTP authenticator to an existing asset.

To set up a TOTP authenticator

  1. Navigate to Asset Management > Accounts.

  2. In Accounts, select an account from the object list.
  3. Click (View Details) from the toolbar.
  4. Navigate to Properties > Secrets.
  5. On the TOTP Authenticator tile available on this page, click Set.

  6. On the Set TOTP Authenticator pane, select one of the following options:

    NOTE: Once you start the process for setting up a TOTP authenticator you will need to connect the authenticator with the account in SPP by entering the code(s) sent by the authenticator within a set time limit. It is strongly suggested you have your authenticator ready prior to beginning this process to avoid having to restart the setup process due to timing out.

    1. QR Code Image: Select this method to connect with the TOTP authenticator through the use of a QR code image file. Click Browse Your Computer to select the QR code image file or drag the QR code image file into the dashed box.

    2. URI or Secret String: Select this option to connect with the TOTP authenticator through the use of the URI string or secret generated by the authenticator. If only a secret is provided, then the process for generating the string will depend upon the authenticator itself.

      Click Submit.

  7. A Setup Confirmation Code section will appear as soon as the authenticator setup begins and you will need to start entering the provided code(s) into your authenticator (you can use the Copy button to copy the code instead of typing the value). The amount of time you have left before the code becomes invalid and a new code is displayed to the right of the Copy button.

    The number of code(s) required depends upon the requirements for the authenticator (for example, AWS requires 2 successive codes be entered, with each code being available for approximately 30 seconds. Only 5 codes will be displayed before the authenticator setup times out and you will need to restart the process.). If you are unable to successfully complete the setup, click Remove Authenticator to restart the process.

  8. Once you have successfully completed the TOTP authenticator setup, click Done.

Removing a TOTP authenticator

The following instructions explain how to remove a previously configured TOTP authenticator.

To remove a TOTP authenticator

  1. Navigate to Asset Management > Accounts.

  2. In Accounts, select an account from the object list.
  3. Click (View Details) from the toolbar.
  4. Navigate to Properties > Secrets.
  5. On the TOTP Authenticator tile available on this page, click Remove.

  6. On the Remove Authenticator confirmation dialog, click Remove.

    The previously configured TOTP authentication will no longer be available for the account.

Assets

A SPP asset is a computer, server, network device, or application managed by a SPP Appliance.

It is the responsibility of the Asset Administrator (or delegated partition owner) to add assets and accounts to SPP. The Auditor has permission to access Assets. Account owners also have read permissions for the Properties and Accounts tabs for the assets associated with their account.

Before adding assets to SPP, you must ensure they are properly configured. For more information, see Preparing systems for management..

Each asset can have associated accounts (user, group, and service) identified on the Accounts tab (asset). If an asset is deleted, associated accounts are deleted.

All assets must be governed by a profile (for more information, see Assigning a profile to an asset). All new assets are automatically governed by the default profile unless otherwise specified.

An asset can only be in one partition at a time (for more information, see Assigning an asset to a partition). When you add an asset to a partition, all accounts associated with that asset are automatically added to that partition.

You can identify a default partition and default profile so that when you add assets, the assets are added to the default partition and default profile. For more information, see Setting a default partition..

Asset Discovery jobs run automatically against the directories you have added. For information about configuring asset discovery in SPP, see Asset Discovery job workflow.

Using a domain controller (DC) asset

You can manage tasks and services on a domain controller (DC) asset. Dependent accounts are managed on the DC asset. A DC asset will only support updating dependent passwords. Account passwords for a domain controller are managed via the directory asset.

  1. Create the DC asset as windows server platform, using a directory authentication for the connection service account. For more information, see Adding an asset.
  2. Ensure that the service account for the task/service you want to manage is defined in the Directory asset. For more information, see Adding an account to an asset..
  3. Add an account dependency for the service account to the DC asset. For more information, see Adding account dependencies..

Using Check Point GAiA

In addition to managing user accounts on the Check Point GAiA platform, SPP can also manage the password for the Check Point expert command. The expert password appears as a normal user account in SPP except that it is marked as a privileged account. This means that it cannot be used as a service account and you cannot generate or install an SSH key for the account.

The minimum requirements for choosing a service account for Check Point follow:

  • The service account for Check Point must have CLI access enabled and must have the following RBA features enabled:
    • read-write user
    • read-only group
  • In order to manage the expert password, the service account must also have the following RBA features enabled:
    • read-write expert-password-hash
    • read-write expert

To manage SSH keys, the service account must have a Unix shell configured as the login shell. If the UID is not 0, then sudo privileges will be required to elevate privileges.

Managing the enable password for Cisco IOS and ASA

In addition to managing user accounts, Safeguard can also manage the password for the Cisco enable command on Cisco IOS and ASA. The enable account appears as a normal user account in Safeguard, except that it is marked as a privileged account. This means that it cannot be used as a service account, and you cannot generate or install an SSH key for it.

The enable password is not automatically managed by Safeguard; it is only managed if an account named enable is created on the asset. Once this account is created, the enable password is removed from the asset connection properties (if configured) and can no longer be configured on the asset connection properties. To stop managing the enable password, remove the enable account from the asset which will restore the enable password to the asset connection information.

Safeguard manages the enable password for the default privilege level 15. Safeguard also provides the option to manage enable passwords for other privilege levels, by creating an account called enable<level> (for example, to manage the password for privilege level 10, create an account called enable10).

Assets view

To access Assets:

  • web client: Navigate to Asset Management > Assets. If needed, you can use the partition drop-down to select the parent partition of the asset. Select an asset, then click to display additional information and options.

The Assets view displays the following information about the selected system. Not all selections will be available for all assets.

  • Properties tab (asset): Displays general, management and connection settings for the selected asset.
  • Owners tab (asset): Displays information about the users and user groups that are owners of the asset (either assigned from this tab or from the ownership derived from a tag associated with this asset). This tab does not list partition owners that are also effective owners of this asset.
  • Accounts tab (asset): Displays the accounts associated with this asset.
  • Account Dependencies tab (asset): Windows only: Displays the directory accounts that the selected Windows server depends on to perform services and tasks.
  • Discovered Services tab (asset): Displays the details of each discovered service associated with the selected asset.
  • Discovered SSH Keys (asset): Displays the SSH keys discovered on the asset.
  • History tab (asset): Displays the details of each operation that has affected the selected asset.
Toolbar

Use these toolbar buttons to manage assets:

  • New Asset: Add assets to SPP. For more information, see Adding an asset.
  • Delete: Remove the selected asset. When you delete an asset, you also permanently delete all the SPP accounts associated with the asset.For more information, see Deleting an asset..
  • View Details: Select an asset then click this button to open additional information and options for the asset.
  • Access Request: Allows you to enable or disable access request services for the selected asset. Menu options include Enable Session Request and Disable Session Request.
  • SSH Host Key: Menu options include:
    • Discover SSH Host Key: This option only applies to assets that exchange SSH host keys, such as Unix-based assets and Linux-based assets. Retrieves the latest SSH host key for the selected asset. The Discover SSH Host Key dialog also tells you when the SSH host key is up-to-date. If the SSH host key is not discovered on the asset, certain tasks will not be available for accounts associated with the asset, such as Check System, Check Password, and Change Password.
    • Retrieve SSH Host Key: This option only applies to Cisco NX-OS assets, and is used to retrieve the latest SSH host key from the platform. The Retrieve SSH Host Key dialog also tells you when the SSH host key is up-to-date. If the SSH host key is not retrieved from the asset, sessions will not be available.
    • Set SSH Host Key: This option allows you to manually add the host key to an asset in cases where SPP cannot discover the asset automatically (such as for an Other Directory asset).

    • Download SSH Key: Add the SSH key to the selected asset. For more information, see Downloading a public SSH key..
  • Test Connection: Select to verify that SPP can log in to the asset using the current service account credentials. For more information, see Checking an asset's connectivity..
  • Syncronize Now: Run the directory addition (incremental) synchronization process by asset and account. The sync is queued by asset by provider and runs one directory sync on that asset at a time. You can run multiple syncs in parallel on different assets. This is the faster type of directory sync because deletions are not synced. A Tasks window displays the progress and outcome of the task. You can click Details to see more information or click Stop to cancel the task. In addition, this process runs through the discovery, if there are discovery rules and configurations set up.The API (Assets/Synchronize) can be used to run the deletion (full) sync which includes all deletions, additions, and changes. This sync takes longer (perhaps hours), especially the first time it is run based on your directory setup.
  • Discover Accounts: Run the associated Account Discovery job. For more information, see Account Discovery..
  • Link Directory Parent: This option is only available for assets that are members of or joined to a directory, but not linked (which may occur if the asset was manually added to SPP). Clicking this button will allow you to select the parent to which the asset will be linked.

    If the asset resides in a different partition than the parent directory, the Available for discovery across all partitions option must be enabled.

  • Enable-Disable: Select one of the following:

    Select Enable to have SPP manage a disabled asset. Account Discovery jobs find all accounts that match the discovery rule's criteria regardless of whether it has been marked Enabled or Disabled in the past.

    Select Disable to prevent SPP from managing the selected asset. When you disable an asset, SPP disables it and removes all associated accounts. If you choose to manage the asset later, SPP re-enables all the associated accounts.

  • Show Disabled: Display the assets that are not managed and are disabled and have no associated accounts. Asset management can be controlled by selecting an asset and selecting Enable-Disable.
  • Hide Disabled: Hide the assets that are not managed and are disabled and have no associated accounts. Asset management can be controlled by selecting an asset and selecting Enable-Disable.
  • Import: Use this button to add assets to One Identity Safeguard for Privileged Passwords using a CSV file. For more information, see Importing objects.
  • Export: Use this button to export the listed data as either a JSON or CSV file. For more information, see Exporting data.
  • Refresh: Update the list of assets.
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级