
One Identity Safeguard for Privileged Passwords 8.0 LTS - Administration Guide


Step 5: Asset Administrator adds managed systems

  1. Log in using the Asset Administrator account.
  2. Add partitions and, optionally, delegate partition ownership to other users (Adding a partition).
  3. (Optional) Set the following Password Profiles (or edit the default rules and settings defined when the partition was added):
  4. (Optional) Set the following SSH Key Profiles:
  5. (Optional) Create profiles or edit the default profiles created (Creating a password profile).
  6. Add assets to the appropriate partitions and profiles (Adding an asset).
  7. Add accounts to control access to the assets (Adding an account).

TIP: Create asset and account discovery jobs to discover and, optionally, automatically add assets and accounts to Safeguard for Privileged Passwords. For more information, see Discovery.

Step 6: Security Policy Administrator adds access request policies

  1. Log in using the Security Policy Administrator account.
  2. Set Reasons.
  3. Add user groups (Adding a user group).
  4. Add local or directory users to local user groups (Adding users to a user group).
  5. Add account groups (Adding an account group).
  6. Add accounts to account groups (Adding one or more accounts to an account group).
  7. Add entitlements (Adding an entitlement).
  8. Add users or user groups to entitlements (Adding users or user groups to an entitlement).
  9. Create access request policies (Adding an entitlement).

Post install checklist

The Post Install Checklist helps you complete setting up your Safeguard for Privileged Passwords appliance. After the initial setup of a cluster, these are the recommended best practice settings to complete.

For Appliance Administrators, Operations Administrators, System Auditor users, and Auditor users, the Post Install Checklist is available on the Home page of the SPP web client. For Authorizer users or User Administrator users, only one item of the checklist is displayed.

The items listed in the checklist vary depending on whether they are still outstanding. For example, if the Bootstrap Administrator user is not marked as deactivated, it will appear on the checklist of a User Administrator or Authorizer user. You cannot manually remove or add items to the checklist. The checklist container is always displayed regardless of whether there are any outstanding items, but the administrator can collapse it.

The Post Install Checklist has the following items.

  1. Deactivate Bootstrap Admin user

    NOTE: Change the Bootstrap Admin user's password and then deactivate the user. If you are locked out, call One Identity support for a recovery code. This must be done by a user with the Authorizer permission.

  2. Trusted Servers, CORS and Redirects

    NOTE: Unless you are joining replica nodes to the cluster, or have external applications that log in or call the API, set this setting to an empty string. This must be done by an Appliance admin user.

  3. OAuth2 Grant Types

    NOTE: Unless you have external applications that log in programmatically using an OAuth2 flow, disable all grant types. All applications should use an external web browser and the PKCE extension flow. This must be done by an Appliance admin user.

  4. Enable Secure Token Service Login Timeout

    NOTE: This will invalidate cookies that are used during login, limiting their lifetime, and require the user to start the login process over again if left idle for too long. This must be done by an Appliance admin user.

  5. Archive Servers

    NOTE: Configure an archive server for use with backups and audit logs. This must be done by an Appliance admin user.

  6. Backup Protection and Archive

    NOTE: Configure backups to use password or GPG key protection, and save them to an archive server. This must be done by an Appliance admin user.

  7. Audit Log Maintenance Settings

    TIP: Archive or purge audit logs on a regular schedule. This must be done by an Appliance admin user.

  8. Enable NTP

    NOTE: Use an external NTP server to synchronize the system clock. This must be done by an Appliance admin user.

  9. Audit Log Signing Certificate

    NOTE: Change the default, untrusted audit log signing certificate to one trusted by your organization's PKI. This must be done by an Appliance admin user.

  10. SSL/TLS Certificates

    NOTE: Change the default, untrusted SSL/TLS certificate to one that is trusted by your organization's PKI and that matches each node's DNS name. This must be done by an Appliance admin user.

  11. Use the native features of your hypervisor to encrypt the hard disk of your SPP virtual machine.

    NOTE: If using VMware, enable virtual disk encryption.

    NOTE: If you use VMware with encryption enabled, the virtual machine cannot detect that; therefore, this item will always appear on the checklist.
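As an added example (not from the One Identity guide), a short Python check for checklist item 10: it connects to each cluster node using the operating system's trust store and reports separately whether the certificate chain is trusted and whether the certificate's subject alternative names match the node's DNS name. The node names are placeholders.

```python
"""Post-install check for checklist item 10: each cluster node must present a
TLS certificate that chains to a trusted CA and whose subject alternative
names match the node's DNS name. Added example, not part of the One Identity
guide; the node names below are placeholders."""
import socket
import ssl

NODES = ["spp-node1.example.com", "spp-node2.example.com"]  # placeholders


def _label_matches(pattern: str, name: str) -> bool:
    """Match one SAN dNSName against a host name (RFC 6125 style):
    case-insensitive, a single '*' allowed only as the whole leftmost label."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if pattern == name:
        return True
    p_labels, n_labels = pattern.split("."), name.split(".")
    if len(p_labels) < 2 or p_labels[0] != "*" or len(p_labels) != len(n_labels):
        return False
    return p_labels[1:] == n_labels[1:]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """cert has the dict shape returned by ssl.SSLSocket.getpeercert().
    Only subjectAltName dNSName entries count; the CN is ignored, as browsers do."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return any(_label_matches(san, hostname) for san in sans)


def check_node(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with the OS trust store and return chain/name verdicts, so a
    still-default, untrusted appliance certificate shows up as chain_ok=False."""
    ctx = ssl.create_default_context()  # verifies the chain against system CAs
    ctx.check_hostname = False          # name check done separately below, to report it
    result = {"node": hostname, "chain_ok": False, "name_ok": False, "error": None}
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                result["chain_ok"] = True  # handshake succeeded, so the chain verified
                result["name_ok"] = hostname_matches(tls.getpeercert(), hostname)
    except (ssl.SSLError, OSError) as exc:
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    for node in NODES:
        print(check_node(node))
```

A node that reports chain_ok=False still has the factory certificate (or one issued by a CA your PKI does not trust); name_ok=False means the certificate was reissued without that node's DNS name.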

Using the web client

The web client uses a responsive user interface design to adapt to the user's device, from desktops to tablets or mobile phones. Only one user session will persist during a browser session. Any tabs opened after initial authentication will use the existing user session.

To log into the web client application

The following steps assume the One Identity Safeguard for Privileged Passwords Appliance has been configured and licensed. As a Safeguard for Privileged Passwords user, if you get an "appliance is unlicensed" notification, contact your Appliance Administrator.

  1. From your browser, enter the Safeguard for Privileged Passwords URL with the IP address, such as https://11.1.111.11.
  2. If a login notification displays, click OK to accept the notifications and restrictions stated.
  3. On the user log in screen, enter your credentials and click Log in.

Updating your avatar photo

To change your photo in the web client, expand the Username drop-down in the upper right and select My Settings. On the My Settings page, select My Account and click the circle icon with the username. Select the image file (under 64 KiB), then click Open.

Using the left navigation menu

NOTE: Use the button on mobile devices to expand and collapse the navigation menu.

The pages available to you display on the left. Clicking one of the top level headings from the left navigation menu will expand the section to display the associated subpages. For example, clicking User Management will expand the navigation menu to show all pages associated with managing users that you have permission to access.

You can reduce the left menu using the button located at the bottom of the left navigation menu.
