One Identity Safeguard Administration Guide
2.11.1
One Identity LLC
OneIdentitySafeguardforPrivilegedPasswords 2.11.1 AdministrationGuide en-us Safeguard for Privileged Passwords 2.11.1
Administration Guide
�Copyright 2020 One Identity LLC.
ALL RIGHTS RESERVED.
This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of One Identity LLC .
The information in this document is provided in connection with One Identity products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of One Identity LLC products. EXCEPT AS SET FORTH IN THE TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, ONE IDENTITY ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT SHALL ONE IDENTITY BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF ONE IDENTITY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. One Identity makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. One Identity does not make any commitment to update the information contained in this document.
If you have any questions regarding your potential use of this material, contact:
One Identity LLC. Attn: LEGAL Dept 4 Polaris Way Aliso Viejo, CA 92656
Refer to our Web site (http://www.OneIdentity.com) for regional and international office information.
Patents
One Identity is proud of our advanced technology. Patents and pending patents may apply to this product. For the most current information about applicable patents for this product, please visit our website at http://www.OneIdentity.com/legal/patents.aspx.
Trademarks
One Identity and the One Identity logo are trademarks and registered trademarks of One Identity LLC. in the U.S.A. and other countries. For a complete list of One Identity trademarks, please visit our website at www.OneIdentity.com/legal. All other trademarks are the property of their respective owners.
Legend
WARNING: A WARNING icon highlights a potential risk of bodily injury or property damage, for which industry-standard safety precautions are advised. This icon is often associated with electrical hazards related to hardware.
CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed.
Safeguard for Privileged Passwords Administration Guide Updated - March 2020 Version - 2.11.1
�Contents
Introduction
19
Introduction to Safeguard for Privileged Passwords
19
Overview of the entities
21
Key features
27
Appliance specifications
32
System requirements
34
Desktop client system requirements
35
Web client system requirements
36
Web management console system requirements
37
Supported platforms
37
Product licensing
42
Using the virtual appliance and web management console
44
Setting up the virtual appliance
45
Virtual appliance backup and recovery
49
Support Kiosk
49
Using the cloud
53
Before you start: platforms and resources
53
Restricting access to the web management kiosk for cloud deployments
53
Using Azure
54
Virtual appliance backup and recovery
56
Setting up Safeguard for Privileged Passwords for the first time
58
Step 1: Create the Authorizer Administrator
59
Step 2: Authorizer Administrator creates administrators
59
Step 3: Appliance Administrator configures the appliance
60
Step 4: User Administrator adds users
61
Step 5: Asset Administrator adds managed systems
61
Step 6: Security Policy Administrator adds access request policies
62
Search box
63
Search by attribute
64
Select a drop-down to sort
66
Safeguard for Privileged Passwords 2.11.1 Administration Guide 3
�Using the web client
69
My Requests (web client)
70
Approvals (web client)
71
Reviews (web client)
71
Favorites (web client)
72
Settings, version, and Windows client (web client)
73
Change password (web client)
73
FIDO2 keys (web client)
74
Log out (web client)
74
Installing the desktop client
76
Installing the desktop client
76
Starting the desktop client
78
Uninstalling the desktop client
79
Using the desktop client
80
Settings (desktop client)
80
User information and log out (desktop client)
82
Desktop client favorite request
84
Desktop client navigation pane
85
Home
86
Dashboard
88
Access Requests
88
Account Automation
89
Activity Center
90
Applying search criteria
91
Saving search criteria
92
Generating an activity audit log report
93
Scheduling an activity audit log report
95
Editing or deleting a saved search or scheduled report
97
Viewing event details
97
Auditing request workflow
98
Filtering report results
99
Sorting report results
99
Reports
100
Running an entitlement report
101
Safeguard for Privileged Passwords 2.11.1 Administration Guide 4
�Converting time stamps Administrative Tools
Toolbar options
Privileged access requests Configuring alerts
Toast notifications Email notifications Password release request workflow Requesting a password release
Taking action on a password release request Approving a password release request Reviewing a completed password release request Session request workflow About sessions and recordings Requesting session access
Taking action on a session request Approving a session request Launching the SSH client Launching an RDP session Reviewing a session request Replaying a session Following and terminating a "live" session
Toolbox Viewing task status Stopping a task
Accounts General tab (account) Access Request Policies tab (account) Account Groups tab (account) Dependent Assets (account) Check and Change Log tab (account) History tab (account) Managing accounts
Adding an account
102 103 105
107 108 108 108 110 111 113 115 117 118 118 120 123 127 129 130 132 133 134
136 136 137
138 139 141 142 143 144 145 146 147
Safeguard for Privileged Passwords 2.11.1 Administration Guide 5
�Adding a cloud platform account Manually adding a tag to an account Adding an account to one or more account groups Modifying an account Deleting an account Importing objects
Creating an import file Checking, changing, or setting an account password Viewing password archive
Account Groups General tab (account group) Accounts tab (account group) Access Request Policies tab (account group) History tab (account group) Managing account groups
Adding an account group Adding a dynamic account group
General tab (add dynamic account group) Account Rules tab (add dynamic account group) Summary tab (add dynamic account group) Adding one or more accounts to an account group Adding accounts to an access request policy Modifying an account group Deleting an account group
Assets General tab (asset) Accounts tab (asset) Account Dependencies tab (asset) Access Request Policies tab (asset) Asset Groups tab (asset) Discovered Services tab (asset) History tab (asset) Managing assets
Adding an asset
148 150 151 152 152 152 155 156 157
159 160 160 161 162 164 164 164 165 166 168 168 169 169 169
171 174 178 180 180 181 182 183 184 185
Safeguard for Privileged Passwords 2.11.1 Administration Guide 6
�General tab (add asset) Management tab (add asset) Account Discovery tab (add asset) Connection tab (add asset) Attributes tab (add asset) Checking an asset's connectivity Assigning an asset to a partition Assigning a profile to an asset Manually adding a tag to an asset Adding an account to an asset Adding account dependencies Adding an asset to asset groups Modifying an asset Deleting an asset Importing objects Downloading a public SSH key
Asset Groups General tab (asset group) Assets tab (asset group) Access Request Policies tab (asset group) History tab (asset group) Managing asset groups
Adding an asset group Adding a dynamic asset group
General tab (add dynamic asset group) Asset Rules tab (add dynamic asset group) Summary tab (add dynamic asset group) Adding assets to an asset group Modifying an asset group Deleting an asset group
Discovery Asset Discovery
Asset Discovery job workflow Adding an Asset Discovery job
186 187 190 192 203 204 205 205 206 207 208 210 210 211 211 214
215 216 216 217 218 219 219 220 221 221 223 223 224 224
225 226 228 228
Safeguard for Privileged Passwords 2.11.1 Administration Guide 7
�General tab (asset discovery) Information tab (asset discovery) Rules tab (asset discovery) Schedule tab (asset discovery) Summary tab (asset discovery) Editing an Asset Discovery job Deleting an Asset Discovery job Asset Discovery Results Account Discovery Account Discovery job workflow Adding an Account Discovery job Adding an Account Discovery rule Editing an Account Discovery job Deleting an Account Discovery job Account Discovery Results Discovered Accounts Service Discovery Results Discovered Services
Entitlements General tab Users tab Access Request Policies tab History tab Managing entitlements
Adding an entitlement General tab Time Restrictions tab
Creating an access request policy General tab Scope tab Requester tab Approver tab Reviewer tab Access Config tab Session Settings tab
229 230 231 237 238 238 239 239 240 243 244 246 249 250 251 251 253 254
258 259 260 261 263 265 265 265 267 268 269 270 271 272 274 276 277
Safeguard for Privileged Passwords 2.11.1 Administration Guide 8
�Time Restrictions tab Emergency tab Adding users or user groups to an entitlement Deleting an access request policy Modifying an access request policy Copying an access request policy Viewing and editing policy details Modifying an entitlement Deleting an entitlement
Partitions About partition profiles General tab (partitions) Assets tab (partitions) Accounts tab (partitions) Profiles tab (partitions) History tab (partitions) Managing partitions
Adding a partition Adding assets to a partition Removing assets from a partition Creating a profile Modifying a partition profile Setting a default partition Setting a default partition profile Assigning assets or accounts to a partition profile Modifying a partition Deleting a partition
Settings Access Request settings
Enable or Disable Services (Access and management services) Reasons Appliance settings Appliance Diagnostics Appliance Information
279 279 280 281 282 282 282 283 283
285 286 287 288 289 290 291 292 292 293 294 294 295 296 297 297 298 299
300 301 301 303 304 306 307
Safeguard for Privileged Passwords 2.11.1 Administration Guide 9
�Setting the appliance name
309
Shutting down the appliance
309
Restarting the appliance
310
Enable or Disable Services
310
Factory Reset from the desktop client
311
Licensing
312
Lights Out Management (BMC)
313
Network Diagnostics
314
Ping
314
NS Lookup
315
Trace Route
316
Telnet
316
Show Routes
317
Networking
318
Operating system licensing
320
Support bundle
321
Time
321
Updates
322
Asset Management settings
324
Custom platforms
324
Creating a custom platform script
325
Adding a custom platform
326
Tags
327
Adding a tag for dynamic tagging of assets or asset accounts
328
Deleting an asset or asset account tag
332
Modifying an asset or asset account tag
333
Copying an asset or asset account tag to another partition
333
Viewing asset and asset account tag assignments
334
Backup and Retention settings
334
About backups
335
Archive servers
336
Adding an archive server
337
Audit Log Management
339
Backup and restore
341
Run Now
343
Safeguard for Privileged Passwords 2.11.1 Administration Guide 10
�Backup settings
343
Download
345
Upload
345
Restore
345
Archive backup
347
Backup retention
347
Certificate settings
348
About certificates
348
Audit Log Signing Certificate
349
Installing an audit log signing certificate
351
Creating a Certificate Signing Request for audit logs
351
Certificate Signing Request
352
Sessions Certificates
353
Installing a sessions certificate
355
Creating a Certificate Signing Request for Sessions
355
Resetting to use default certificate
356
SSL Certificates
357
Installing an SSL certificate
358
Creating a Certificate Signing Request
358
Assigning a certificate to appliances
359
Trusted Certificates
360
Adding a trusted certificate
360
Removing a trusted certificate
361
Cluster settings
361
Cluster Management
362
Cluster view pane
363
Appliance details and cluster health pane
363
Managed networks
366
Adding a managed network
369
Deleting a managed network
370
Resolving IP address
370
Offline Workflow (automatic)
370
Enable automatic Offline Workflow
372
Manually override automatic Offline Workflow
372
Session Appliances with SPS join
373
Safeguard for Privileged Passwords 2.11.1 Administration Guide 11
�Reversing the SPP to SPS join
377
External Integration settings
377
Application to Application
378
About Application to Application functionality
379
Setting up Application to Application
381
Adding an application registration
382
Deleting an application registration
384
Regenerating an API key
384
Making a request using the Application to Application service
385
Approval Anywhere
389
Adding authorized user for Approval Anywhere
390
Email
391
Enabling email notifications
393
Modifying an email template
393
Identity and Authentication
394
Authentication provider combinations
396
Adding identity and authentication providers
398
SNMP
406
Configuring SNMP subscriptions
407
Verifying SNMP configuration
408
Starling
408
Join Starling
409
Syslog
411
Configuring a syslog server
412
Ticketing systems
413
Messaging settings
416
Login Notification
416
Message of the Day
416
Profile settings
417
Account Password Rules
417
Adding an account password rule
418
Change Password
421
Adding change password settings
422
Check Password
425
Adding check password settings
425
Safeguard for Privileged Passwords 2.11.1 Administration Guide 12
�Password sync groups Adding a password sync group Modifying a password sync group
Safeguard Access settings Login Control Password Rule Modifying user password requirements Time Zone
Session settings Session Recordings Storage Management Assigning an archive server to an appliance Embedded sessions module SSH Banner SSH Host Key
Users General tab (user) User Groups tab (user) Partitions tab (user) Entitlements tab (user) Linked Accounts tab (user) History (user) Managing users
Adding a user Identity tab (add user) Authentication tab (add user) Location tab (add user) Permissions tab (add user)
Requiring secondary authentication log in Configuring user for Starling Two-Factor Authentication when logging in to Safeguard
Adding a user to user groups Assigning a user to partitions Adding a user to entitlements Linking a directory account to a user Modifying a user
427 429 430 431 431 434 434 437 437 438 439 440 441 442
443 444 446 446 447 448 450 451 451 452 453 455 456 457
458 459 459 459 460 461
Safeguard for Privileged Passwords 2.11.1 Administration Guide 13
�Enabling or disabling a user Deleting a user Importing objects Setting a local user's password Unlocking a user's account
User Groups General tab (user groups) Users tab (user groups) Entitlements tab (user groups) History tab (user groups) Managing user groups
Adding a user group Adding a directory user group Adding users to a user group Adding a user group to an entitlement Modifying a user group Deleting a user group
Disaster recovery and clusters Enrolling replicas into a cluster
Considerations to enroll cluster members Unjoining replicas from a cluster
Considerations to unjoin cluster members Maintaining and diagnosing cluster members
About Offline Workflow Mode Manually control Offline Workflow Mode
Failing over to a replica by promoting it to be the new primary Activating a read-only appliance Diagnosing a cluster member Patching cluster members
About cluster patching Using a backup to restore a clustered appliance Resetting a cluster that has lost consensus Performing a factory reset Unlocking a locked cluster
461 462 462 465 466
467 468 468 469 471 472 472 473 476 477 477 478
479 482 482 483 484 485 486 489 491 492 492 493 494 495 497 498 501
Safeguard for Privileged Passwords 2.11.1 Administration Guide 14
�Troubleshooting tips Appliance states
Administrator permissions Appliance Administrator permissions Asset Administrator permissions Auditor permissions Authorizer Administrator permissions Help Desk Administrator permissions Operations Administrator permissions Security Policy Administrator permissions User Administrator permissions
Preparing systems for management Preparing ACF - Mainframe systems Preparing Amazon Web Services platforms Preparing Cisco devices Preparing Dell iDRAC devices Preparing VMware ESXi hosts Preparing Facebook hosts Preparing Fortinet FortiOS devices Preparing F5 Big-IP devices Preparing HP iLO servers Preparing HP iLO MP (Management Processors) Preparing IBM i (AS/400) systems Preparing JunOS Juniper Networks systems Preparing MongoDB Preparing MySQL servers Preparing Oracle databases Preparing PAN-OS (Palo Alto) networks Preparing PostgreSQL Preparing RACF mainframe systems Preparing SAP HANA Preparing SAP Netweaver Application Servers Preparing Sybase (Adaptive Server Enterprise) servers Preparing SonicOS devices
501 502
507 507 509 511 512 514 514 515 517
519 520 521 521 522 522 523 523 524 524 525 525 526 526 527 527 528 528 528 529 530 531 531
Safeguard for Privileged Passwords 2.11.1 Administration Guide 15
�Preparing SonicWALL SMA or CMS appliances Preparing SQL Servers Preparing Top Secret mainframe systems Preparing Unix-based systems Preparing Windows systems
Minimum required permissions for Windows assets Preparing Windows SSH systems
Troubleshooting Anti-CSRF (cross-site request forgery) token error Connectivity failures
Change password fails Incorrect authentication credentials Missing or incorrect SSH host key No cipher supported error Service account has insufficient privileges Cannot connect to remote machine through SSH or RDP Cannot delete account Cannot play session message Domain user denied access to Safeguard for Privileged Passwords LCD status messages Appliance LCD and controls My Mac keychain password was lost Password fails for Unix host Password is pending a reset Profile did not run Recovery Kiosk (Serial Kiosk) Appliance information Power options
Rebooting the appliance Shutting down the appliance Admin password reset Factory reset from the Recovery Kiosk Support bundle Replica not adding System services did not update or restart after password change
532 532 534 534 535 536 538
539 540 540 540 541 541 542 542 543 543 544 544 544 545 547 547 548 548 549 550 551 551 552 552 553 554 554 554
Safeguard for Privileged Passwords 2.11.1 Administration Guide 16
�Test Connection failures
555
Test Connection failures on archive server
555
Certificate issue
556
Cipher support
556
Domain controller issue
557
Networking issue
557
Windows WMI connection
558
Timeout errors causing operations to fail
558
User locked out
558
User not notified
559
Frequently asked questions
560
How do I access the API
561
Access the SPP API
561
How do I customize the response using API query parameters
563
How do I audit transaction activity
565
How do I configure external federation authentication
565
How do I add an external federation provider trust
566
How do I create a relying party trust for the STS
567
How do I add an external federation user account
568
How do I manage accounts on unsupported platforms
569
How do I modify the appliance configuration settings
570
How do I prevent Safeguard for Privileged Passwords messages when making RDP
connections
571
Certificate chain of trust
573
How do I set up telnet and TN3270/TN5250 session access requests
576
How do I set the appliance system time
578
How do Safeguard for Privileged Passwords database servers use SSL
578
ODBC Transport
579
Microsoft SQL Server
579
MySQL Server
580
Sybase ASE Server
581
What are the access request states
582
What do I do when an appliance goes into quarantine
582
What is required for Safeguard for Privileged Passwords, embedded sessions
module
584
Safeguard for Privileged Passwords 2.11.1 Administration Guide 17
�Verifying syslog server configuration When does the rules engine run for dynamic grouping and tagging Why did the password change during an open request
Appendix: Safeguard ports
Appendix: SPP 2.7 or later migration guidance
Appendix: SPP and SPS sessions appliance join guidance
Appendix: Regular expressions
Appendix: Historical changes by release What's new in version 2.1.0.5687 What's new in version 2.2.0.6958 What's new in version 2.3.0.7426 What's new in version 2.4.0.7846 What's new in version 2.5.0.8356 What's new in version 2.6.0.8961 What's new in version 2.7.0.9662 What's new in version 2.8.0.10133 What's new in version 2.9.0.10658 What's new in version 2.10.0.10980 What's new in version 2.11.0.11444
Glossary
About us Contacting us Technical support resources
Index
585 586 586
587
595
600
605
607 607 609 611 612 613 614 617 622 625 629 630
633
650 650 650
651
Safeguard for Privileged Passwords 2.11.1 Administration Guide 18
�1
Introduction
The Safeguard for Privileged PasswordsAdministration Guide is intended for IT administrators, Unix Administrators, Security Administrators, System Auditors, and other IT professionals who are installing and configuring Safeguard for Privileged Passwords for the first time.
NOTE: The term "Unix" is used informally in the Safeguard for Privileged Passwords documentation to denote any operating system that closely resembles the trademarked system, Unix.
Introduction to Safeguard for Privileged Passwords
The Safeguard for Privileged Passwords Appliance is built specifically for use only with the Safeguard for Privileged Passwords privileged management software, which is preinstalled and ready for immediate use. The appliance is hardened to ensure the system is secured at the hardware, operating system, and software levels. The hardened appliance approach protects the privileged management software from attacks while simplifying deployment and ongoing management and shortening the time frame to value. A Safeguard for Privileged Passwords virtual appliance is also available. When setting up a virtual environment, carefully consider the configuration aspects such as CPU, memory availability, I/O subsystem, and network infrastructure to ensure the virtual layer has the necessary resources available. See One Identity's Product Support Policies for more information on environment virtualization.
Safeguard privileged management software suite
Safeguard privileged management software is used to control, monitor, and govern privileged user accounts and activities to identify possible malicious activities, detect entitlement risks, and provide tamper proof evidence. The Safeguard products also aid incident investigation, forensics work, and compliance efforts. The Safeguard products' unique strengths are:
Safeguard for Privileged Passwords 2.11.1 Administration Guide 19
Introduction
�l One-stop solution for all privileged access management needs l Easy to deploy and integrate l Unparalleled depth of recording l Comprehensive risk analysis of entitlements and activities l Thorough Governance for privileged account The suite includes the following modules: l Safeguard for Privileged Passwords automates, controls, and secures the
process of granting privileged credentials with role-based access management and automated workflows. Deployed on a hardened appliance, Safeguard for Privileged Passwords eliminates concerns about secured access to the solution itself, which helps to speed integration with your systems and IT strategies. Plus, its usercentered design means a small learning curve and the ability to manage passwords from anywhere and using nearly any device. The result is a solution that secures your enterprise and enables your privileged users with a new level of freedom and functionality. l One Identity for Privileged Sessions is part of One Identity's Privileged Access Management portfolio. Addressing large enterprise needs, Safeguard for Privileged Sessions is a privileged session management solution, which provides industryleading access control, as well as session monitoring and recording to prevent privileged account misuse, facilitate compliance, and accelerate forensics investigations. Safeguard for Privileged Sessions is a quickly deployable enterprise appliance, completely independent from clients and servers to integrate seamlessly into existing networks. It captures the activity data necessary for user profiling and enables full user session drill-down for forensics investigations. l One Identity Safeguard for Privileged Analytics integrates data from Safeguard for Privileged Sessions to use as the basis of privileged user behavior analysis. Safeguard for Privileged Analytics uses machine learning algorithms to scrutinize behavioral characteristics, and generates user behavior profiles for each individual privileged user. Safeguard for Privileged Analytics compares actual user activity to user profiles in real time, and profiles are continually adjusted using machine learning. Safeguard for Privileged Analytics detects anomalies and ranks them based on risk so you can prioritize and take appropriate action and ultimately prevent data breaches.
Safeguard for Privileged Passwords 2.11.1 Administration Guide 20
Introduction
�Figure 1: Privileged Sessions and Privileged Passwords
Overview of the entities
Safeguard for Privileged Passwords is a password, keys, and secrets vault to secure assets including computers, servers, network devices, directories, and applications. Two types of access may be granted to assets passwords (including secrets) and sessions. A high-level introduction to the Safeguard for Privileged Passwords entities and how they relate follows.
Assets, partitions, and partition profiles
Assets include computers, servers, network devices, directories, or applications for Safeguard to manage. Assets have associated users and service accounts. Assets and accounts may be imported (for example, from Active Directory). Assets may or may not be part of an asset group. The partition is a container for delegated management for account passwords (including check and change). Partitions are also useful to segregate assets to various owners to achieve Separation of Duties (SoD). Partitions allow you to set up multiple asset managers, each with the ability to define password guidelines for the managed systems in their own workspace. Typically you would partition assets by geographical location, owner, function, or by operating system. For example, you can group Unix assets in a partition and delegate the Unix administrator to manage it. Every partition should have a partition owner. An asset can be assigned to only one partition at a time. When you assign an asset to a partition, all accounts associated with that asset are automatically reassigned to that partition, as well. Then, any new accounts you add for that asset are automatically assigned to that partition.
Safeguard for Privileged Passwords 2.11.1 Administration Guide 21
Introduction
�The partition profile includes the schedules and rules governing the partition's assigned assets and the assets' accounts. For example, the partition profile defines how often a password check is required on an asset or account. A partition can have multiple partition profiles, each assigned to different assets, if desired. An account is governed by only one profile. If an account is not explicitly assigned to a profile, the account is governed by the one assigned to the parent asset. If that asset does not have an assigned profile, the partition's default profile is assigned. When you create a new partition, Safeguard for Privileged Passwords creates a corresponding default profile with default schedules and rules. You can create multiple profiles to govern the accounts assigned to a partition. Both assets and accounts are assigned to the scope of a profile. For example, suppose you have an asset with 12 accounts and you configure the partition profile to check and change passwords every 60 days. If you want the password managed for one of those accounts every seven days, you can create another profile and add the individual account to the new profile. Now, Safeguard for Privileged Passwords will check and change all the passwords on this asset every 60 days except for this account, which will change every seven days. Figure 2: Password control
In the example above, Partition A has three profiles (Profile A, B, and C) and a default profile. Profile A checks passwords every 30 days. Profile B checks passwords every three months, and Profile C has the highest level of security, checking passwords every seven days. Note that the asset Server has two partition profiles each governing different
Safeguard for Privileged Passwords 2.11.1 Administration Guide 22
Introduction
�accounts associated with the asset. Profiles A, B, and C are all explicitly assigned to the accounts and assets shown. Asset cloud service doesn't have an explicitly assigned profile so the default will be used to manage accounts on the asset. Details: Assets and asset groups
l An asset may be a computer, server, network device, directory, or application. l You can log in to an asset with more than one account, but an account can only be
associated with one asset. l If you select an asset for a profile, all accounts are included. l An asset must be assigned to only one partition. An asset typically has a profile, but
it is not mandatory. l You can create multiple assets for the same device or application then manage
different accounts on each asset. For example, a directory asset can manage a subset of the forest. l An asset group is a set of assets that can be added to the scope of an entitlement's access request policy.
Details: Partitions and partition profiles
l A partition is a group of assets (and the assets' associated accounts) governed by a partition profile and used to delegate asset management. An asset can only be in one partition at a time. All accounts associated with that asset are automatically added to the partition.
l Partition profiles are the schedules and rules that govern a partition's assets and the assets' accounts. You can set a default partition profile to assign or you can manually assign a partition profile to an asset or account.
l When a partition is created, a default profile is created for that partition. This profile is implicitly associated with all assets and accounts added to the partition. Later, a different profile can be manually assigned to assets and account which is referred to as an explicit association. Explicit associations (manual assignments) override implicit associations (auto-assignments).
Accounts, account groups, entitlements, and entitlement access request policies
Assets have associated accounts, like a user account or an account for a Windows service. An account can only be associated with one asset. Entitlements grant access to users, user groups, or both. An entitlement includes one or more access request policies and may be related to job functions like help desk support or Unix administrators. An entitlement access request policy defines what is managed by the policy and is referred to as the "scope of the policy." There are two types of access requests: password and sessions.
l To define an access request policy for a password request, the valid scope properties are accounts and account groups.
Safeguard for Privileged Passwords 2.11.1 Administration Guide 23
Introduction
�l To define an access request policy for a sessions request, the valid scope properties are accounts, account groups, assets, and asset groups. If only assets or asset groups are defined in the access request policy, the Asset Based Session Access must have an option other than None. For more information, see Access Config tab on page 276.
Entitlement access request policies may include: l The access type: Password or sessions which include SSH, RDP (remote desktop), or telnet l The scope: Accounts, account groups, assets, and asset groups as needed l Requester settings: For example, reason for the request, comment, ticket number, and access duration l Approver and Reviewer settings: If required, the approvers and reviewers along with notifications l Access configuration: Settings based on the type of access (Password, SSH, or RDP set earlier) l Session settings: If used, record sessions l Time restrictions: If used, days and hours of access l Emergency settings: If used, who to contact
Safeguard for Privileged Passwords 2.11.1 Administration Guide 24
Introduction
�Figure 3: Entitlements and accounts
In the example above, each account or account group is assigned to only one asset. The Server asset is associated with Account D and Account Group A which is made up of several accounts. Entitlement access request policy A is assigned to Account Group A so that group can check out passwords from 8 a.m. to 5 p.m. Monday through Friday with no approval required. Entitlement access request policy B, which is associated with Account D, allows for password checkout for the same time frame, but the checkouts require approvals. Entitlement access request policy C allows for password checkout from 12:59 a.m. to 11:01 p.m. to allow for the system maintenance window. Details: Accounts and account groups
l An account can only be associated with one asset. l An account group is a set of accounts that can be added to the scope of an
entitlement's access request policy. An account group can span multiple assets. l Directory accounts are associated with assets that are directories. l Both directory accounts and directory assets can can be visible or "shared" across
partition boundaries, for specific purpose. Directory assets can be shared for Asset Discovery jobs. Directory accounts can be used as a service account or dependent account to a Windows service or task. Details: Entitlements and access request policies
Safeguard for Privileged Passwords 2.11.1 Administration Guide 25
Introduction
�l An entitlement is a set of access request policies that restrict resources, typically by job role.
l Entitlements are used to authorized users or members of user groups to access accounts in the scope of the set of the entitlement's access request policies. One entitlement may have zero, one, or multiple access request policies. Users and user groups can be added to entitlements.
l Access request policies contain the details of the type of access as well as conditions. For example, the type of access may include password versus session (RDP, SSH, other protocols), time limits, individual accountability (change after check-in), and other settings. Conditions may include number of approvers, time of day, ticketing system, reason codes, and other conditions. An access request policy can only be associated with one entitlement.
l Access request policies are scoped to resources. Sometimes that scoping is done directly to accounts and the asset is implied. Or, the scoping is done to the asset and the access request policy identifies the account.
Users and user groups
Users are individuals. A user may be assigned administrative permissions to govern assets, partitions, accounts, and entitlement access request policies. A user may be assigned more than one set of permissions by the Authorizer Administrator. It is a best practice to follow the principles of separation of duties (SoD) in administration assignments. For example, the assignment of Asset Administrator, Policy Administrator, User Administrator, and Auditor should be different users. Standard users do not have administrative permissions. They can request access, approve access requests, or review completed access requests. Users can be configured for two-factor authentication. Details: Users and user groups
l A user is a person who can log into SPP. A user can be associated with an identity provider that is local or a user can be a directory user from an external identity store such as Microsoft Active Directory. A user may be associated with user groups, partitions, entitlements, and linked accounts.
l A user group is set of users that can be added to an entitlement, typically based on roles. The user group's access is governed by the entitlement's access request policies. Both local user groups and directory user groups can be added to SPP.
l A user can be assigned administrative permissions over assets, security, and so on. A standard user has no administrative permissions and performs other duties, for example, to approve access requests.
Discovery
You can discover assets and accounts that are not being managed so you can place them under management, if appropriate. Discovery jobs can be configured to discover assets and accounts.
Safeguard for Privileged Passwords 2.11.1 Administration Guide 26
Introduction
�Password request high-level workflow
1. A user or service requests the password of an account. (The password may come from Active Directory and is governed by the profile setting.)
2. Based on the entitlement access request policy, the password is automatically granted or the password request can be sent through an approval process. The workflow can also include a reviewer to review all access activities for legitimacy.
3. The session launches on a machine or via a graphical user interface such as Secure Shell (SSH) or Remote Desktop Protocol (RDP).
Passwords can be checked in or are otherwise valid for the duration of the request. Safeguard resets the password and passwords are constantly changing to monitor and audit access to assets.
Session access
Session access and activities are proxied through Safeguard and are captured in audit logs. Session activities at the screen and keystroke level can be captured, viewed, and used for forensic audits.
Key features
The One Identity portfolio includes the industry's most comprehensive set of privileged access management solutions. You can build on the capabilities of One Identity Safeguard with solutions for granular delegation of the Unix root account and the Active Directory administrator account; add-ons to make open source sudo enterprise-ready; and keystroke logging for Unix root activities all tightly integrated with the industry's leading Active Directory bridge solution.
The following key features are available in Safeguard for Privileged Passwords.
Feature information by release is available. For more information, see Historical changes by release on page 607.
Table 1: One Identity Safeguard for Privileged Passwords key features
Feature
Description
Auto-login
Auto-login and sessions access request launch enhances security and compliance by never exposing the account credentials to the user.
Activity Center
Using the Activity Center, you can quickly and easily view all actions executed by Safeguard for Privileged Passwords users and integrated processes. Activity Center reports can be searched, customized, and filtered to zero in on the actions of a single user or to audit a variety of actions across a subset of departments. In addition, you can schedule queries, and save or export the data.
Always online
Safeguard for Privileged Passwords Appliances can be clustered to
Safeguard for Privileged Passwords 2.11.1 Administration Guide 27
Introduction
�Feature
Description
ensure high availability. Passwords and sessions can be requested from any appliance in a Safeguard for Privileged Passwords cluster.
This distributed clustering design also enables the recovery or continuation of vital technology infrastructure and systems following a natural or human-induced disaster.
Approval Anywhere Leveraging One Identity Starling, you can approve or deny any access request anywhere without being on the VPN.
Directory integration
You can leverage your existing directory infrastructure (such as Microsoft Active Directory). You import directory users and directory groups. Directory users authenticate to Safeguard for Privileged Passwords with their directory credentials.
Active Directory and LDAP data is automatically synchronized by asset or identity and authentication providers schema as shown in the following lists.
Asset schema list
l Users l Username l Password (modifiable in LDAP and not modifiable in Active Directory) l Description
l Groups l Name l Member
l Computer l Name l Network Address l Operating System l Operating System Version l Description
Identity and Authentication Providers schema list
l Users l Username l First Name l Last Name
Safeguard for Privileged Passwords 2.11.1 Administration Guide 28
Introduction
�Feature
Discovery Event notification options Favorites One Identity Hybrid Subscription
Partitions and Profiles Release control RESTful API
Description
l Work Phone
l Mobile Phone
l Email
l Description
l External Federation Authentication
l Radius Authentication
l Managed Objects
l Groups
l Name
l Members
l Description
Quickly discover any privileged account or system on your network with host , directory, and network-discovery options.
Safeguard for Privileged Passwords allows you to configure the appliance to send event notifications to external systems such as Email, Syslog, and SNMP.
Quickly access the passwords that you use the most right from the Home screen. You can group several password requests into a single favorite so you can get access to all the accounts you need with a single click.
Expand the capabilities of Safeguard with the One Identity Hybrid Subscription, which offers immediate access to cloud delivered features and services. These include all-you-can-eat Starling TwoFactor Authentication (2FA) to protect Safeguard access and Starling Identity Analytics & Risk Intelligence for Safeguard so that you can preemptively detect risk users and entitlements. A single subscription enables all One Identity solution deployments.
Safeguard for Privileged Passwords allows you to group managed systems into secure work areas that can be designated for delegated management.
Manages password requests from authorized users for the accounts they are entitled to access via a secure web browser connection with support for mobile devices.
Safeguard for Privileged Passwords (SPP) is built with an API-first design and uses a modernized API based on a REST architecture that allows other applications and systems. Every function is exposed through the API to enable quick and easy integration
Safeguard for Privileged Passwords 2.11.1 Administration Guide 29
Introduction
�Feature
Description
regardless of what you want to do or which language your applications are written in. There are even a few things that can only only be done via the Safeguard SPP API. The Safeguard for Privileged Passwords API tutorial is available on GitHub at: https://github.com/oneidentity/safeguard-api-tutorial.
Role-based access control (RBAC)
Safeguard for Privileged Passwords uses a role-based access control hierarchy using administrator permissions sets. Numerous roles are available for administrating Safeguard for Privileged Passwords, enabling granular delegation and workflows along with least privileged access.
Secure access to legacy systems
Use smartcard, two-factor authentication, or other strong authentication methods to gain access to systems. Because Safeguard for Privileged Passwords acts as a gateway or proxy to the system, it enables strong authentication to targets that cannot or do not support those methods natively.
Smartcard support
Authentication of your privileged users can be integrated with Microsoft's Active Directory support for Smartcards or manually uploaded to the Safeguard for Privileged Passwords Appliance itself.
Two-factor authentication support
Protecting access to passwords with another password isn't enough. Enhanced security by requiring two-factor authentication to Safeguard for Privileged Passwords. Safeguard for Privileged Passwords supports any Radius-based 2FA solution and One Identity's Starling Two-Factor Authentication (2FA) service.
Workflow engine for policy-based release control
Using a secure web browser with support for mobile devices, you can request access and provide approval for privileged passwords and sessions. Requests can be approved automatically or require dual/multiple approvals based on your organization's policy. The workflow engine supports time restrictions, multiple approvers and reviewers, emergency access, and expiration of policy. It also includes the ability to input reason codes and/or integrate directly with ticketing systems or tickets used for internal tracking only.
Sessions key features
To record and playback sessions, you may use one of the following methods:
Safeguard for Privileged Passwords 2.11.1 Administration Guide 30
Introduction
�l The embedded sessions module that comes with Safeguard for Privileged Passwords.
CAUTION:The embedded sessions module in Safeguard for Privileged Passwords version 2.7 (and later) will be removed in a future release (to be determined). For uninterrupted service, organizations are advised to join to the more robust Safeguard for Privileged Sessions Appliance for sessions recording and playback.
l Use Safeguard for Privileged Sessions via a join to Safeguard for Privileged Passwords.
The join is initiated from Safeguard for Privileged Sessions. For details about the join steps and issue resolution, see the One Identity Safeguard for Privileged Sessions Administration Guide.
Table 2: Key features using sessions
Key Feature
Description
Command detection
During a privileged session, commands that are being run on the target host are detected. All actions are logged and can be sent out, if configured, to various logging mechanisms (syslog, email, SNMP).
NOTE: For an RDP session, Safeguard for Privileged Passwords can detect the title of any window that is opened on the desktop during a privileged session.
Full session audit, recording and replay
With sessions, every packet sent and action that takes place on the screen, including mouse movements, clicks and keystrokes, is captured, indexed, and stored in tamper-proof audit trails that can be viewed like a video and searched like a database. The time and content of the session are cryptographically signed for forensics and compliance purposes. Only actual activity is recorded, and recordings are compressed to a fraction of the size required by other solutions to minimize offline storage requirements.
Security teams can search for specific events across sessions and play the recording starting from the exact location the search criteria occurred. Audit trails are encrypted, time-stamped, and cryptographically signed for forensics and compliance purposes.
Indexing
With sessions, you can create a searchable list of commands and programs that were run during the recorded session. Auditors have a quick and easy view to session activities.
Protocol support
The embedded sessions module provides full support for the SSH and RDP protocols. In addition, administrators can decide what options within the protocols they want to enable/disable.
Proxy access
All sessions are proxied to target resources. Since users have no direct access to resources, the enterprise is protected against viruses, malware, and other dangerous items on the user's system. The embedded sessions module can proxy and record
Safeguard for Privileged Passwords 2.11.1 Administration Guide 31
Introduction
�Real-time alerting and blocking
Work the way you want
Unix/Linux, Windows, network devices, firewalls, routers, and more.
Monitor traffic in real time, and execute various actions if a certain pattern appears in the command line or on screen. Predefined patterns can be a risky command or text in a text-oriented protocol, or an suspicious window title in a graphical connection. In the case of detecting a suspicious user action, Safeguard can log the event, send an alert, or immediately terminate the session.
Sessions allows administrators to choose their access tools and tool preferences (for example, PuTTY) when gaining access to privileged sessions. This creates a frictionless solution that gives administrators the access they need while meeting compliance and security regulations.
Appliance specifications
The Safeguard for Privileged Passwords Appliance is built specifically for use only with the Safeguard for Privileged Passwords privileged management software that is already installed and ready for immediate use. It comes hardened to ensure the system is secure at the hardware, operating system, and software levels.
The Safeguard for Privileged Passwords 2000 Appliance specifications and power requirements are as follows.
Table 3: Safeguard 2000 Appliance: Feature specifications
Safeguard for Privileged Passwords 2000
Feature / Specification
Processor
Intel Xeon E3-1275v5 3.60 GHz
# of Processors
1
# of Cores per Processor 4
L2/L3 Cache
4 x 256KB L2, 8MB L3 SmartCache
Chipset
Intel C236 Chipset
DIMMs
DDR4-2400 ECC Unbuffered DIMMs
RAM
32GB
Internal HD Controller
LSI MegaRAID SAS 9391-4i 12Gbps SAS3
Disk
4 x Seagate EC2.5 1TB SAS 512e
Safeguard for Privileged Passwords 2.11.1 Administration Guide 32
Introduction
�Safeguard for Privileged Passwords 2000 Availability I/O Slots RAID NIC/LOM Power Supplies
Fans
Chassis Dimensions (HxWxD) Weight Miscellaneous
Feature / Specification
TPM 2.0, EEC Memory, Redundant PSU x16 PCIe 3.0, x8 PCIe 3.0 RAID10 3 x Intel i210-AT GbE Redundant, 700W, Auto Ranging (100v~240V), ACPI compatible 4 x 40mm Counter-rotating, Non-hotswappable 1U Rack 43 x 437.0 x 597.0 (mm) 1.7 x 17.2 x 23.5 (in) Max: 46 lbs (20.9 Kg) FIPS Compliant Chassis
Table 4: Safeguard 2000 Appliance: Power requirements
Input Voltage
100-240 Vac
Frequency
50-60Hz
Power Consumption (Watts)
170.9
BTU
583
Safeguard for Privileged Passwords 2.11.1 Administration Guide 33
Introduction
�2
System requirements
Safeguard for Privileged Passwords has several graphical user interfaces that allow you to manage access requests, approvals, and reviews for your managed accounts and systems:
l The Windows desktop client consists of an end-user view and administrator view. The fully featured desktop client exposes all of the functionality of Safeguard based on the role of the authenticated user.
l The web client is functionally similar to the desktop client end-user view and useful for requestors, reviewers, and approvers. Many administration functions are available as well.
l The web management console displays whenever you connect to the virtual appliance and is used for first time configuration. When setting up a virtual environment, carefully consider the configuration aspects such as CPU, memory availability, I/O subsystem, and network infrastructure to ensure the virtual layer has the necessary resources available. See One Identity's Product Support Policies for more information on environment virtualization.
Ensure that your system meets the minimum hardware and software requirements for these clients. If a Safeguard Sessions Appliance is joined to Safeguard for Privileged Passwords, session recording is handled via Safeguard for Privileged Session. The join is initiated from Safeguard for Privileged Sessions. For details about the join steps and issue resolution, see the One Identity Safeguard for Privileged Sessions Administration Guide.
Bandwidth
It is recommended that connection, including overhead, is faster than 10 megabits per second inter-site bandwidth with a one-way latency of less than 500 milliseconds. If you are using traffic shaping, you must allow sufficient bandwidth and priority to port 655 UDP/TCP in the shaping profile. These numbers are offered as a guideline only in that other factors could require additional network tuning. These factors include but are not limited to: jitter, packet loss, response time, usage, and network saturation. If there are any further questions, please check with your Network Administration team.
Safeguard for Privileged Passwords 2.11.1 Administration Guide 34
System requirements
�Desktop client system requirements
The desktop client is a native Windows application suitable for use on end-user machines. You install the desktop client by means of an MSI package that you can download from the appliance web client portal. You do not need administrator privileges to install Safeguard for Privileged Passwords.
NOTE: PuTTY is used to launch the SSH client for SSH session requests and is included in the install. The desktop client looks for any user-installed PuTTY in the following locations:
l Any reference to putty in the PATH environment variable
l c:/Program Files/Putty
l c:/Program Files(x86)/Putty
l c:/Putty
If PuTTY is not found, the desktop client uses the version of PuTTY that it installed at:
<user-home-dir>/AppData/Local/Safeguard/putty. If the user later installs PuTTY in any of the locations above, the desktop client uses that version which ensures the user has the latest version of PuTTY.
Table 5: Desktop client requirements
Component
Requirements
Technology
Microsoft .NET Framework 4.6 (or later)
Windows platforms 64-bit editions of:
l Windows 7 l Windows 8.1 l Windows 10 l Windows Server 2008 R2 l Windows Server 2012 l Windows Server 2012 R2 l Windows Server 2016
If the appliance setting, TLS 1.2 Only is enabled, (Administrative Tools | Settings | Appliance | Appliance Information), ensure the desktop client also has TLS 1.2 enabled. If the client has an earlier version of TLS enabled, you will be locked out of the client and will not be able to connect to Safeguard for Privileged Passwords.
Considerations:
l Internet Explorer security must be set to use TLS 1.0 or
Safeguard for Privileged Passwords 2.11.1 Administration Guide 35
System requirements
�Component Desktop Player
Requirements
higher. Ensure the proper "Use TLS" setting is enabled on the Advanced tab of the Internet Options dialog (In Internet Explorer, go to Tools | Internet Options | Advanced tab).
l To use FIDO2 two-factor authentication, you will need a web browser that supports the WebAuthn standard.
See One Identity Safeguard for Privileged Sessions [version] Safeguard Desktop Player User Guide available at: One Identity Safeguard for Privileged Sessions - Technical Documentation, User Guide.
Web client system requirements
Table 6: Web requirements
Component
Requirements
Web browsers
Desktop browsers:
l Google Chrome 77 (or later) l Microsoft Internet Explorer 11 and Edge l Mozilla Firefox 69 (or later)
NOTE: To use FIDO2 two-factor authentication, you will need a web browser that supports the WebAuthn standard.
Mobile device browsers:
l Apple iOS 13 (or later) l Google Chrome on Android version 77 (or later)
The web client is implemented for modern web browser technology, using:
l HTML5 l CSS l JavaScript
NOTE: If your browser lacks these required technologies, then use the desktop client.
Safeguard for Privileged Passwords 2.11.1 Administration Guide 36
System requirements
�Web management console system requirements
Table 7: Web kiosk requirements
Component
Requirements
Web management console
Desktop browsers: l Google Chrome 77 (or later) l Microsoft Internet Explorer 11 and Edge l Mozilla Firefox 69 (or later)
NOTE: To use FIDO2 two-factor authentication, you will need a web browser that supports the WebAuthn standard.
The web management console is implemented for modern web browser technology, using:
l HTML5 l CSS l JavaScript
Supported platforms
Safeguard for Privileged Passwords supports a variety of platforms, including custom platforms.
Safeguard for Privileged Passwords tested platforms
The following table lists the platforms and versions that have been tested for Safeguard for Privileged Passwords (SPP). Additional assets may be added to Safeguard for Privileged Passwords. If you do not see a particular platform listed when adding an asset, use the Other, Other Managed, or Other Linux selection on the Management tab of the Asset dialog. For more information, see Management tab (add asset) on page 187.
SPP joined to SPS: Sessions platforms
When Safeguard for Privileged Passwords (SPP) is joined with a Safeguard for Privileged Sessions (SPS) appliance, platforms are supported that use one of these protocols: · SPP 2.8 or lower: RDP, SSH · SPP 2.9 or higher: RDP, SSH, or Telnet
Safeguard for Privileged Passwords 2.11.1 Administration Guide 37
System requirements
�Some platforms may support more than one protocol. For example, a Linux (or Linux variation) platform supports both SSH and Telnet protocols.
For the embedded sessions module, platforms that support RDP and SSH protocols are generally supported.
Table 8: Supported platforms: Assets that can be managed
Platform
Version
Architecture (all versions unless noted)
SPP SPS
ACF2 Mainframe
r14, r15
zSeries
True True
ACF2 Mainframe LDAP
r14, r15
zSeries
True False
Active Directory
True False
AIX
6.1, 7.1, 7.2
PPC
True True
Amazon Linux 2
x86_64
True True
Amazon Web 1 Services (AWS)
True False
CentOS Linux 6 7
(ver 6) x86, x86_64 True True (ver 7) x86_64
Cisco ASA
7.x, 8.x
True True
Cisco IOS
12.X, 15.X
True True
Debian GNU/Linux
6, 7, 8, 9
x86, x86_64, MIPS, True True PPC, zSeries
Dell iDRAC
7, 8
True True
ESXi (VSphere) 5.5, 6.0, 6.5, 6.7
True False
F5 Big-IP
12.1.2, 13.0, 14.0
True True
Facebook (deprecated)
True False
Fedora
21, 22, 23, 24, 25, 26, 27, 28, 29, 30
x86, x86_64
True True
Fortinet FortiOS 5.2, 5.6
True True
FreeBSD
10.4, 11.1, 11.2
x86, x86_64
True True
HP iLO
2, 3, 4
x86
True True
Safeguard for Privileged Passwords 2.11.1 Administration Guide 38
System requirements
�Platform
Version
HP iLO MP
2, 3
HP-UX
11iv2 (B.11.23), 11iv3 (B.11.31)
IBM i
7.1, 7.2, 7.3
Junos - Juniper 12, 13, 14, 15 Networks
macOS
10.9, 10.10, 10.11, 10.12, 10.13
MongoDB
3.4, 3.6, 4.0
MySQL
5.6, 5.7
OpenLDAP
2.4
Oracle
11g Release 2, 12c Release 1
Oracle Linux
6
(OEL)
7
Other
Other Linux
Other Managed
PAN-OS
6.0, 7.0, 8.0, 8.1
PostgreSQL
9.6, 10.2, 10.3, 10.4, 10.5
RACF Mainframe
z/OS V2.1 Security Server, z/OS V2.2 Security Server
RACF Mainframe LDAP
z/OS V2.1 Security Server, z/OS V2.2 Security Server
Red Hat Enterprise Linux (RHEL)
6, 7, 8
SAP HANA
2.0
SAP Netweaver 7.3, 7.4, 7.5 Application
Architecture (all versions unless noted)
IA-64
PA-RISC, IA-64
SPP SPS
True True True True
PPC
True True
True True
x86_64
True True True False True False True False True False
(ver 6) x86, x86_64 True True (ver 7) x86_64
False False
True True
True False
True True
True False
zSeries
True True
zSeries
True False
(ver 6) x86, x86_ 64, PPC, zSeries
(ver 7 and 8) x86, x86_64, PPC, zSeries
Other
True True
True False True False
Safeguard for Privileged Passwords 2.11.1 Administration Guide 39
System requirements
�Platform
Version
Architecture (all versions unless noted)
Server
Solaris
10, 11
(ver 10) SPARC, x86, x86_64
(ver 11) SPARC, x86_64
SonicOS
5.9, 6.2
SonicWALL SMA 11.3.0 or CMS
SQL Server
2012, 2014, 2016
SUSE Linux
11
Enterprise
12
Server (SLES)
(ver 11) x86, x86_ 64, PPC, zSeries, IA-64
(ver 12) x86_64, PPC, zSeries
Sybase (Adaptive Server Enterprise)
15.7, 16
Top Secret Mainframe
r14, r15
zSeries
Top Secret Mainframe LDAP
r14, r15
zSeries
Twitter (deprecated)
Ubuntu
14.04 LTS, 15.04, 15.10, 16.04 LTS, x86, x86_64 16.10, 17.04, 17.10, 18.04 LTS, 18.10, 19.04
Windows
Vista, 7, 8, 8.1, 10 Enterprise (including LTSC and loT).
Windows Server
2008, 2008 R2, 2012, 2012 R2, 2016, 2019
Windows SSH
7, 8, 8.1, 10
Server 2008 R2, 2012, 2012 R2, 2016, 2019
Windows SSH Other
SPP SPS
True True
True False True False True False True True
True False
True True True False True False True True True True True True True True
Safeguard for Privileged Passwords 2.11.1 Administration Guide 40
System requirements
�Table 9: Supported platforms: Directories that can be searched
Platform
Version
Microsoft Active Directory
Windows 2008+ DFL/FFL
OpenLDAP
2.4
Custom platforms
The following example platform scripts are available:
l Custom HTTP l Linux SSH l Telnet l TN3270 transports are available
For more information, see the Safeguard for Privileged Passwords Administration Guide, Custom platforms and Creating a custom platform script.
CAUTION: Facebook and Twitter functionality has been deprecated. Refer to the custom platform open source script provided on GitHub. Facebook and Twitter platforms will be remove in a future release.
Sample custom platform scripts and command details are available at the following links available from the Safeguard Custom Platform Home wiki on GitHub:
l Command-Reference: https://github.com/OneIdentity/SafeguardCustomPlatform/wiki/CommandReference
l Writing a custom platform script: https://github.com/OneIdentity/SafeguardCustomPlatform/wiki/WritingACustomPlat formScript
l Example platform scripts are available at this location: https://github.com/OneIdentity/SafeguardCustomPlatform/tree/master/SampleScri pts
CAUTION: Example scripts are provided for information only. Updates, error checking, and testing are required before using them in production. Safeguard for Privileged Passwords checks to ensure the values match the type of the property that include a string, boolean, integer, or password (which is called secret in the API scripts). Safeguard for Privileged Passwords cannot check the validity or system impact of values entered for custom platforms.
Safeguard for Privileged Passwords 2.11.1 Administration Guide 41
System requirements
�Product licensing
Safeguard for Privileged Passwords is made up of a core set of features, such as the UI and Web Services layers, and a number of modules.
Hardware appliance
The Safeguard for Privileged Passwords 2000 Appliance ships with the following module which requires a valid license to enable functionality:
l Privileged Passwords l Privileged Sessions You must install a valid license for each Safeguard for Privileged Passwords module to operate. More specifically, if any module is installed, Safeguard for Privileged Passwords will show a license state of Licensed and is operational. However, depending on which models are licensed, you will see limited functionality. That is, even though you will be able to configure access requests: l If a Privileged Passwords module license is not installed, you will not be able to
request a password release. l If a Privileged Sessions module license is not installed, you will not be able to initiate
a session access request from the embedded sessions module.
Virtual appliance licensing
The Safeguard for Privileged Passwords virtual appliance requires a valid Microsoft Volume License Agreement that includes licensing for Windows 10 Enterprise. Privileged sessions is available via a join to Safeguard for Privileged Sessions. The virtual appliance will not function unless the operating system is properly licensed.
License expiration notice
As an Appliance Administrator: l If you receive a "license expiring" notification, apply a new license using that module's Update License link: l From the web client, click the Settings menu on the left to go to the Settings: Appliance page. Click Licensing . Click to upload a new license file. l From the desktop client, navigate to Administrative Tools | Settings | Appliance | Licensing. Click to upload a new license file.
Safeguard for Privileged Passwords 2.11.1 Administration Guide 42
System requirements
�l If all licensed modules have expired, you will be prompted to add a new license when logging in to the Safeguard for Privileged Passwords desktop client.
l If only one of the licensed modules have expired, apply a new module license by clicking in Administrative Tools | Settings | Appliance | Licensing.
As a Safeguard for Privileged Passwords user, if you get an "appliance is unlicensed" notification, contact your Appliance Administrator. For more information on adding or updating a Safeguard for Privileged Passwords license, see Licensing.
Safeguard for Privileged Passwords 2.11.1 Administration Guide 43
System requirements
�3
Using the virtual appliance and web management console
Before you start: platforms and resources
When setting up a virtual environment, carefully consider the configuration aspects such as CPU, memory availability, I/O subsystem, and network infrastructure to ensure the virtual layer has the necessary resources available. See One Identity's Product Support Policies for more information on environment virtualization. Platforms and versions that have been tested with the web management console follow.
l Operating system: Windows 10 Enterprise LTSC including dynamic disks. If you are using KMS, the KMS server needs to be able to validate Windows 10 Enterprise LTSC.
l Supported VMs: l Microsoft Hyper-V (VHDX) version 8 or higher l VMware vSphere with vSphere Hypervisor (ESXi) version 6.5 or higher l VMWare Workstation version 6.5 or higher
l Minimum resources recommended: 4 CPUs, 10GB RAM, and a 500GB disk
Available wizards
The Appliance Administrator responsible for racking and initial configuration of the appliance can create the virtual appliance, launch the Safeguard web management console, and select one of the following wizards.
l Initial Setup: Used to set up the virtual appliance for the first time including naming, OS licensing, and networking. For more information, see Setting up the virtual appliance on page 45.
l Setup: After the first setup, Safeguard for Privileged Passwords updates and networking changes can be made via the web management console by clicking Setup.
l Support Kiosk: The Support Kiosk is used to diagnose and resolve issues with Safeguard for Privileged Passwords. Any user able to access the kiosk can perform
Safeguard for Privileged Passwords 2.11.1 Administration Guide 44
Using the virtual appliance and web management console
�low-risk support operations including appliance restart or shutdown and support bundle creation. In order to reset the admin password, the user must obtain a challenge response token from One Identity support. For more information, see Support Kiosk on page 49.
Security
To maximize security in the absence of a hardened appliance, restrict the access to the Safeguard virtual disks, the web management console, and the MGMT interface to as few users as possible. Recommendations follow.
l X0 hosts the public API and is network adapter 1 in the virtual machine settings. Connect this to your internal network.
l MGMT hosts the web management console and is network adapter 2 in the virtual machine settings. This interface always has the IP address of 192.168.1.105. Connect this to a private, restricted network accessible to administrators only, or disconnect it from the network to restrict unauthenticated actions such as rebooting or shutting down the appliance. The web management console is also available via the VMware console.
Once setup is completed, you can verify which of your NICs is MGMT and X0 by referring to the MAC address information found in Support Kiosk | Appliance Information | Networking for X0 and MGMT. For more information, see Support Kiosk on page 49. (missing or bad snippet) For more information, see Virtual appliance backup and recovery.
Upload and download
There is a web management console running on 192.168.1.105. When you connect to the virtual appliance via the virtual display, the web management console is displayed automatically, however, upload and download functionality are disabled when connected this way. You may choose to configure the networking of your virtual machine infrastructure to enable you to proxy to https://192.168.1.105 from your desktop. Connecting in this way will enable you to upload and download from the web management console.
CAUTION: Cloning and snapshotting are not supported and should not be used. Instead of cloning, deploy a new VM and perform Initial Setup. Instead of snapshotting, take a backup of the virtual appliance.
Setting up the virtual appliance
The Appliance Administrator uses the initial setup wizard to give the virtual appliance a unique identity, license the underlying operating system, and configure the network. The initial setup wizard only needs to be run one time after the virtual appliance is first
Safeguard for Privileged Passwords 2.11.1 Administration Guide 45
Using the virtual appliance and web management console
�deployed, but you may run it again in the future. It will not modify the appliance identity if run in the future. Once set up, the Appliance Administrator can change the appliance name, license, and networking information, but not the appliance identity (ApplianceID). The appliance must have a unique identity. The steps for the Appliance Administrator to initially set up the virtual appliance follow.
Step 1: Deploy the VM
Deploy the virtual machine (VM) to your virtual infrastructure. The virtual appliance is in the InitialSetupRequired state.
Hyper-V zip file import and set up
If you are using Hyper-V, you will need the Safeguard Hyper-V zip file distributed by One Identity to setup the virtual appliance. Follow these steps to unzip the file and import:
1. Unzip the Safeguard-hyperv-prod... zip file. 2. From Hyper-V, click Options. 3. Select Action, Import Virtual Machine. 4. On the Locate Folder tab, navigate to specify the folder containing the virtual
machine to import then click Select Folder. 5. On the Locate Folder tab, click Next. 6. On the Select Virtual Machine tab, select Safeguard-hyperv-prod..., then
click Next. 7. On the Choose Import Type tab, select Copy the virtual machine (create a
new unique ID), then click Next. 8. On the Choose Destination tab, add the locations for the Virtual machine
configuration folder, Checkpoint store, and Smart Paging folder, then click Next. 9. On the Choose Storage Folders tab, identify Where do you want to store the imported virtual hard disks for this virtual machine? then click Next. 10. Review the Summary tab, then click Finish. 11. In the Settings, Add Hardware, connect to Safeguard's MGMT and X0 network adapter. 12. Right click on the Safeguard-hyperv-prod... and click Connect... to complete the configuration and connect.
Step 2: Initial access
Initiate access using one of these methods:
Safeguard for Privileged Passwords 2.11.1 Administration Guide 46
Using the virtual appliance and web management console
�l Via a virtual display: Connect to the virtual display of the virtual machine. You will not be offered the opportunity to apply a patch with this access method. Upload and download are not available from the virtual display. Continue to step 3. If you are using Hyper-V, make sure that Enhanced Session Mode is disabled for the display. See your Hyper-V documentation for details.
l Via a browser: Configure the networking of your virtual infrastructure to proxy https://192.168.1.105 on the virtual appliance to an address accessible from your workstation then open a browser to that address. For instructions on how to do this, consult the documentation of your virtual infrastructure (for example, VMWare). You will be offered the opportunity to apply a patch with this access method. Upload and download are available from the browser. Continue to step 3. IMPORTANT: After importing the OVA and before powering it on, check the VM to make sure it doesn't have a USB controller. If there is a USB controller, remove it.
Step 3: Complete initial setup
Click Begin Initial Setup. Once this step is complete, the appliance resumes in the Online state.
Step 4: Log in and configure Safeguard for Privileged Passwords
1. To log in, enter the following default credentials for the Bootstrap Administrator then click Log in. l User Name: admin l Password: Admin123
2. If you are using a browser connected via https://192.168.1.105, the Initial Setup pane identifies the current Safeguard version and offers the opportunity to apply a patch. Click Upload Patch to upload the patch to the current Safeguard version or click Skip. (This is not available when using the Safeguard Virtual Kiosk virtual display.)
3. In the web management console on the Initial Setup pane, enter the following. a. Appliance Name: Enter the name of the virtual appliance. b. Windows Licensing: Select one of the following options: l Use KMS Server: If you leave this field blank, Safeguard will use DNS to locate the KMS Server automatically. For the KMS Server to be found, you will need to have defined the domain name in the DNS Suffixes. If KMS is not registered with DNS, enter the network IP address of your KMS server. l Use Product Key: If selected, your appliance will need to be connected to the internet for the necessary verification to add your organization's
Safeguard for Privileged Passwords 2.11.1 Administration Guide 47
Using the virtual appliance and web management console
�Microsoft activation key. You can update this information in Administrative Tools | Settings | Appliance | Operating System Licensing. For more information, see Operating system licensing on page 320. c. NTP: Complete the Network Time Protocol (NTP) configuration. l Select Enable NTP to enable the protocol. l Identify the Primary NTP Server IP address and, optionally, the Secondary NTP Server IP address. d. Network (X0): For the X0 (public) interface, enter the IPv4 and/or IPv6 information, and DNS Servers information. 4. Click Save. The virtual appliance displays progress information as it configures Safeguard, the network adapter(s), and the operating system licensing. 5. When you see the message Maintenance is complete, click Continue.
Step 5: Access the desktop client or use the web client
You can go to the virtual appliance's IP address for the X0 (public) interface from your browser:
l Use the web client. For more information, see Using the web client on page 69. l Log in and download the desktop client. For more information, see Installing the
desktop client on page 76.
Step 6: Change the Bootstrap Administrator's password
For security reasons, change the password on the Bootstrap Administrator User. For more information, see Setting a local user's password on page 465.
View or change the virtual appliance setup
You can view or change the virtual appliance setup.
l From the web management console, click Home to see the virtual appliance name, licensing, and networking information.
l After the first setup, Safeguard for Privileged Passwords updates and networking changes can be made via the web management console by clicking Setup.
Safeguard for Privileged Passwords 2.11.1 Administration Guide 48
Using the virtual appliance and web management console
�Virtual appliance backup and recovery
Use the following information to back up and recover a Safeguard for Privileged Passwords virtual appliance. Factory reset is not an option for virtual appliances. To factory reset a virtual appliance, just redeploy the appliance.
Backing up the virtual appliance
To ensure security of the hardware appliance, backups taken from a hardware appliance cannot be restored on virtual appliances and backups taken from a virtual appliance cannot be restored on a hardware appliance. Backup is handled via Administrative Tools | Settings | Backup and Retention. For more information, see Backup and Retention settings on page 334.
Recovery of the virtual appliance
A Safeguard for Privileged Passwords virtual appliance is reset by using the following recovery steps. On-prem virtual appliance (for example, Hyper-V or VMware)
1. Redeploy the virtual appliance and run Initial Setup. For more information, see Setting up the virtual appliance on page 45.
2. Restore the backup. For more information, see Backup and Retention settings on page 334.
Cloud virtual appliance (for example, Azure) 1. Redeploy using the deployment steps: l Azure: For more information, see Using Azure on page 54.
Support Kiosk
An Appliance Administrator triaging a Hyper-V or VMware virtual appliance that has lost connectivity or is otherwise impaired can use the Support Kiosk even when the virtual appliance is in quarantine. For more information, see What do I do when an appliance goes into quarantine on page 582.
1. On the web management console, click Support Kiosk. 2. Select any of the following activities:
l Appliance Information This is read-only. You can re-run setup to change networking information.
Safeguard for Privileged Passwords 2.11.1 Administration Guide 49
Using the virtual appliance and web management console
�l Power Options You can reboot or shutdown the virtual appliance. a. Enter the reason you want to reboot or shutdown the virtual appliance. b. Click Reboot or Shutdown.
l Admin Password Reset The Bootstrap Administrator is a built-in account to get the appliance running for the first time. The default credentials (admin/Admin123) should be changed once Safeguard is configured. If you lose the password, you can reset it to the default using the challenge response process below. Challenge response process a. In Full Name or Email, enter your name or email to receive the challenge question. b. Click Get Challenge. c. To get the challenge response, perform one of the following (see the illustration that follows). l Click Copy Challenge. The challenge is copied to the clipboard. Send that challenge to Safeguard support. Support will send back a challenge response that is good for 48 hours. Do not refresh your screen. l Screenshot the QR code and send it to Support. Support will send back a challenge response that is good for 48 hours. Do not refresh your screen. l Use a QR code reader on your phone to get the challenge response.
d. After the response is accepted, click Reset Password. l Support Bundle
A support bundle includes system and configuration information sent to One
Safeguard for Privileged Passwords 2.11.1 Administration Guide 50
Using the virtual appliance and web management console
�Identity Support to analyze and diagnose issues. You can download a support bundle or save the bundle to a Windows share location which you have already set up. To generate a support bundle:
1. Select Include Event Logs if you want to include operating system events. Unless requested by support, it is recommended to leave this unchecked because it takes much longer to generate the support bundle.
2. Create the support bundle using one of these methods: l If you are connected via the browser not the display, you can click Download, navigate to the location for the download, and click OK. l To copy the bundle to the share: 1. Enter the UNC Path, Username, and Password. 2. Select Include Event Logs, if appropriate. 3. Click Copy To Share. A progress bar displays. The operation is complete when you see The bundle was successfully copied to the share.
l Diagnostic package
Appliance Administrators can execute a trusted, secure appliance diagnostics package to help solve issues with configuration, synchronization, and clustering, as well as other other internal challenges. The appliance diagnostics package is available from the web Support Kiosk, not the Serial Kiosk (Recovery Kiosk). The appliance diagnostics package can be used even when the appliance is in quarantine. To protect against external threats, Safeguard rejects illegitimate appliance diagnostics packages. The manifest file in the appliance diagnostics package lists criteria that may include the minimum Safeguard version, appliance ID, and expiration time-stamp UTC. New product code and database changes are not included in an appliance diagnostics package.
a. To load for the first time, click Upload, select the file that has an .sgd extension, then click Open. l If the upload criteria is not met, the appliance diagnostics package is not uploaded and a message like the following displays: The minimum Safeguard version needed to run this diagnostic package is <version>. l If the upload is successful, the Diagnostic Package Information displays with a Status of Staged. Select Execute and wait until the Status changes to Completed.
b. Once uploaded, you can: l Select Download Log to save the log file. Audit log entries are available through the Activity Center during and after execution and are part of the appliance history.
Safeguard for Privileged Passwords 2.11.1 Administration Guide 51
Using the virtual appliance and web management console
�l If the Expiration Date has not passed, you can select Execute to execute the appliance diagnostics package again.
l Select Delete to delete the appliance diagnostics package, the associated log file, and stop any appliance diagnostics package that is running. Before uploading a different appliance diagnostics package, you must delete the current one because there can be only one appliance diagnostics package per appliance.
l Factory Reset (hardware appliance) A virtual appliance is reset by the recovery steps to redeploy and not a factory reset. If you are attached to the console of a virtual machine, you will not have the Factory Reset option. The options are only available for hardware. Perform a factory reset to recover from major problems or to clear the data and configuration settings on a hardware appliance. All data and audit history is lost and the hardware appliance goes into maintenance mode. For more information, see Performing a factory reset on page 498.
l Lights Out Managment (BMC) (hardware appliance) The Lights Out Management feature allows you to remotely manage the power state and serial console to Safeguard for Privileged Passwords using the baseboard management controller (BMC). When a LAN interface is configured, this allows the Appliance Administrator to power on an appliance remotely or to interact with the Recovery Kiosk. For more information, see Lights Out Management (BMC) on page 313.
Safeguard for Privileged Passwords 2.11.1 Administration Guide 52
Using the virtual appliance and web management console
�Using the cloud
Safeguard for Privileged Passwords can be run from the cloud.
Before you start: platforms and resources
When setting up a virtual environment, carefully consider the configuration aspects such as CPU, memory availability, I/O subsystem, and network infrastructure to ensure the virtual layer has the necessary resources available. See One Identity's Product Support Policies for more information on environment virtualization. Platforms that have been tested with the cloud deployments follow.
l Azure Virtual Machine (VM): For more information, see Using Azure on page 54. For these deployments, the minimum resources used in test are 4 CPUs, 10GB RAM, and a 60GB disk. Choose the appropriate machine and configuration template. For example, when you click Create in the Azure Marketplace, default profiles display. You can click Change size to choose a different template.
Restricting access to the web management kiosk for cloud deployments
The web management kiosk runs on port 9337 in Azure and is intended for diagnostics and troubleshooting by Appliance Administrators.
CAUTION: The Management web kiosk is available via HTTPS port 9337 for cloud platforms (including Azure). The Management web kiosk gives access to functions without authentication, such as pulling a support bundle or rebooting the appliance.
Azure: Block port 9337 Use the following steps to block access to port 9337 in Azure.
1. Navigate to the virtual machine running Safeguard for Privileged Passwords. 2. In the left hand navigation menu select Networking. 3. Click Add inbound port rule. 4. Configure the inbound security rule as follows:
Source: Any Source port ranges: * Destination: Any Destination port ranges: 9337 Protocol: Any Action: Deny
Safeguard for Privileged Passwords 2.11.1 Administration Guide 53
Using the cloud
�Priority: 100 (use the lowest priority for this rule) Name: DenyPort9337 5. Click Add.
Using Azure
Safeguard for Privileged Passwords (SPP) can be run in the cloud using Azure. A version of Safeguard for Privileged Passwords is available in the Azure Marketplace and an Azure Virtual Machine (VM) is required. See Windows virtual machines in Azure for details of setting up your VM. When using Azure, Safeguard for Privileged Passwords is available on HTTPS X0. The Azure deployment does not use the MGMT service. The Recovery (Serial) Kiosk is used to view appliance information, Administrator password reset, power restart or shut down, and generating a support bundle.For more information, see Recovery Kiosk (Serial Kiosk) on page 549.
Disk size considerations
Safeguard for Privileged Passwords (SPP) deploys with a minimal OS disk size, typically 30GB. You should increase the size of the OS disk based on your estimated usage and budget. SPP on hardware comes with 1TB of disk. You can use more or less than this depending on how many assets, accounts, and daily users you expect to have. 500GB is a minimal production disk size and 2TB is the maximum. Currently, a minimum of 60GB is required for patching up.
1. Deploy SPP. 2. Verify you can log in. 3. Shut down the VM (stopped and deallocated). 4. Follow Microsoft's guidance for increasing the disk size: How to expand the OS drive
of a virtual machine. When you start up the VM, SPP automatically resizes the OS disk volume to use the available space.
Azure security considerations
Running Safeguard for Privileged Passwords (SPP) in Azure comes with some security considerations that do not apply to the hardware appliance. We recommend:
l Do not give Safeguard a public IP address. l Use the Azure key vault to encrypt the disk. l Limit access within Azure to the Safeguard virtual machine. SPP in Azure cannot
protect against rogue Administrators in the same way the hardware appliance can.
Safeguard for Privileged Passwords 2.11.1 Administration Guide 54
Using the cloud
�Static IP address recommended
Configure the SPP VM with a static IP address in Azure. In Azure, the IP address must not change after the VM is deployed. If you need to change the IP address, take a backup, deploy again, and restore the backup. You can script the VM deploy to pick up an existing virtual NIC with the IP address configuration. For details, see Microsoft's Virtual Network documentation.
Deployment steps
Safeguard for Privileged Passwords is deployed from the Azure Marketplace. Azure automatically licenses the operating system during the deployment with an Azure KMS. The Azure base image includes the required configuration necessary to deploy into Azure following Microsoft's guidance, Prepare a Windows VHD or VHDX to upload to Azure.
1. Log into the Azure portal. 2. Under Azure services, click Create a resource. 3. Search for "One Identity Safeguard for Privileged Passwords" and click the tile. 4. On the One Identity Safeguard for Privileged Passwords screen, click Create. 5. Advance through the resource creation screens. Considerations follow:
l For small deployments, it is recommended to choose at least VM size Standard D2s v3. Larger deployments warrant larger sizing choices. Safeguard hardware appliances have 32GB of RAM and 4 processors with at least 1 TB of disk space.
l You must set an administrator user name and password as part of the image creation, however, SPP will disable this account during initial setup.
l Set public inbound ports to None. l Choose your Windows licensing option. l Make sure to enable boot diagnostics and the serial kiosk. The Azure Serial
console will be used to provide access to the Safeguard Recovery Kiosk. 6. Once you are finished configuring the VM, click Create. Azure will deploy the SPP
virtual machine. 7. When the virtual machine deployment is finished, SPP will automatically start
initializing and configuring itself for the first use. This usually takes between 5-30 minutes, depending on the VM sizing. During initialization, Safeguard will enable the firewall and disable remote access to the VM. You can monitor the progress of initialization from the Azure Serial console. While the initialization is running, do not log in to the VM or power off or restart the VM. 8. When initialization is complete, you will see the Safeguard Recovery (Serial) Kiosk on the Azure Serial console screen. 9. Log in to the appliance via the web using the default username and password admin / Admin123. You should change the admin password immediately. For more information, see Setting a local user's password on page 465.
Safeguard for Privileged Passwords 2.11.1 Administration Guide 55
Using the cloud
�View or change the cloud virtual appliance setup
You can view or change the virtual appliance setup. The Administrator uses the Recovery Kiosk (Serial Kiosk) to perform the following.
l Get appliance information l Reset the Administrator password l Restart or shut down the virtual appliance l Generate a support bundle l Resolve a quarantine (For more information, see What do I do when an appliance
goes into quarantine on page 582. For more information, see Recovery Kiosk (Serial Kiosk). To patch to a new version, use the desktop client or API.
Virtual appliance backup and recovery
Use the following information to back up and recover a Safeguard for Privileged Passwords virtual appliance. Factory reset is not an option for virtual appliances. To factory reset a virtual appliance, just redeploy the appliance.
Backing up the virtual appliance
To ensure security of the hardware appliance, backups taken from a hardware appliance cannot be restored on virtual appliances and backups taken from a virtual appliance cannot be restored on a hardware appliance. Backup is handled via Administrative Tools | Settings | Backup and Retention. For more information, see Backup and Retention settings on page 334.
Recovery of the virtual appliance
A Safeguard for Privileged Passwords virtual appliance is reset by using the following recovery steps. On-prem virtual appliance (for example, Hyper-V or VMware)
1. Redeploy the virtual appliance and run Initial Setup. For more information, see Setting up the virtual appliance on page 45.
2. Restore the backup. For more information, see Backup and Retention settings on page 334.
Cloud virtual appliance (for example, Azure)
Safeguard for Privileged Passwords 2.11.1 Administration Guide 56
Using the cloud
�1. Redeploy using the deployment steps: l Azure: For more information, see Using Azure on page 54.
Safeguard for Privileged Passwords 2.11.1 Administration Guide 57
Using the cloud
�4
Setting up Safeguard for Privileged Passwords for the first time
Before Safeguard for Privileged Passwords can manage your privileged account passwords and privileged sessions, you must first add all the objects you need to write access request policies, such as users, accounts, and assets. By following these procedures, you will set up a hierarchy of administrators that ensures your company follows role-based access control. For more information, see Administrator permissions on page 507. The setup steps in this section assume you have a completed the appliance initial installation and configuration steps in the Safeguard for Privileged Passwords Appliance Setup Guide. In addition:
l Before Safeguard for Privileged Passwords can reset local account passwords on Windows systems, you must change the local security policy to disable User Account Control: Run all administrators in Admin Approval Mode. For more information, see Change password fails on page 540.
l Embedded sessions module: For some systems (SUSE and some Debian systems) that use SSH, you must enable password authentication in the package generated configuration file (sshd_config). For example, in the debian sshd_config file, set the following parameter: PasswordAuthentication yes.
Step 1: Create the Authorizer Administrator Step 2: Authorizer Administrator creates administrators Step 3: Appliance Administrator configures the appliance Step 4: User Administrator adds users Step 5: Asset Administrator adds managed systems Step 6: Security Policy Administrator adds access request policies
Safeguard for Privileged Passwords 2.11.1 Administration Guide 58
Setting up Safeguard for Privileged Passwords for the first time
�Step 1: Create the Authorizer Administrator
1. Log in to the desktop client using the Bootstrap Administrator account. (The password was changed from the default when you created the appliance using the instructions in the Safeguard for Privileged Passwords Appliance Setup Guide.)
2. Create the Authorizer Administrator, which is a user who can authorize other administrators. Give the user For more information, see Adding a user on page 451.
3. Log out as the Bootstrap Administrator. 4. Log in as the Authorizer Administrator. 5. Disable the Bootstrap Administrator.
Step 2: Authorizer Administrator creates administrators
1. Make sure you have logged into the desktop client using the Authorizer Administrator account.
2. Customize the Password Rule. (Navigate to Settings | Safeguard for Privileged Passwords Access | Password Rules.)
3. Add users for the following administrator permissions (Adding a user): a. User Administrator b. Help Desk Administrator c. Appliance Administrator d. Operations Administrator e. Auditor f. Asset Administrator g. Security Policy Administrator
NOTE: A user can have more than one set of permissions. For a list of permissions granted to the different Safeguard for Privileged Passwords administrators, see Administrator permissions.
Safeguard for Privileged Passwords 2.11.1 Administration Guide 59
Setting up Safeguard for Privileged Passwords for the first time
�Step 3: Appliance Administrator configures the appliance
Table Section Outside Table: NOTE: If one or more Safeguard Sessions Appliances are joined to Safeguard for Privileged Passwords, X1 is not available in Safeguard for Privileged Passwords.
1. Log in to the desktop client using the Appliance Administrator account. 2. If you are using both the Privileged Passwords and embedded sessions module,
ensure the Network Interface X0 (primary interface) and Network Interface X1 (sessions interface) information is configured. (Navigate to Settings | Appliance | Networking.) After one or more Safeguard Sessions Appliances have been joined, only the Network Interface X0 is used. Navigate to Settings | Appliance | Networking and set the following:
a. IP address b. Netmask c. Default gateway d. DNS servers e. DNS suffixes For more information, see Networking on page 318. 3. Ensure the access request and password management features are enabled (Settings | Access Request | Enable or Disable Services). For more information, see Enable or Disable Services (Access and management services) on page 301. 4. (Optional) Enable or disable Application to Application (A2) and audit data sharing with Safeguard for Privileged Sessions (SPS) via Settings | Appliance | Enable or Disable Services. For more information, see Enable or Disable Services on page 310. 5. Configure the External Integration settings that apply (Settings | External Integration): a. Email: Configure the SMTP server to be used for email notifications. Safeguard
for Privileged Passwords provides default email templates for most events, which can be customized. b. Identity and Authentication: Configure directory services such as Active Directory and LDAP servers to be used as identity and authentication providers for Safeguard for Privileged Passwords users. Configure Safeguard for Privileged Passwords as a relying party that uses SAML 2.0 to integrate with external federation services to authenticate users. Create a RADIUS server to be used as a primary or secondary authentication provider. c. SNMP: Configure SNMP subscriptions for sending SNMP traps to your SNMP console when certain events occur.
Safeguard for Privileged Passwords 2.11.1 Administration Guide 60
Setting up Safeguard for Privileged Passwords for the first time
�d. Starling: Join Safeguard for Privileged Passwords to Starling to take advantage of other Starling services, such as Starling Two-Factor Authentication.
e. Syslog: Configure the syslog servers where event notifications are to be sent. f. Ticketing: Add external ticketing tracking system or track tickets not tied to an
external ticketing system. 6. If you are using the embedded sessions module, Safeguard ships with default
certificates and default SSH algorithms for the Unix and Linux platforms. However, you can replace the certificates to use or add new algorithms.
a. To specify different certificates to be used, see Certificate settings. b. To add new SSH algorithms, use the API endpoint:
https://<Appliance IP>/service/core/swagger/SessionSshAlgorithms
Step 4: User Administrator adds users
1. Log in to the desktop client using the User Administrator account. 2. Add users who can log in to Safeguard for Privileged Passwords (Adding a user). 3. Grant Help Desk Administrator permissions to one or more users.
Step 5: Asset Administrator adds managed systems
1. Log in to the desktop client using the Asset Administrator account. 2. Add partitions and, optionally, delegate partition ownership to other users (Adding a
partition). 3. (Optional) Set the following Profile settings (or edit the default rules and settings
defined when the partition was added): a. Account Password Rules b. Change Password c. Check Password d. Password sync groups
4. (Optional) Create partition profiles or edit the default profiles created (Creating a profile).
5. Add assets to the appropriate partitions and profiles (Adding an asset). 6. Add accounts to control access to the assets (Adding an account). TIP: Create asset and account discovery jobs to discover and, optionally, automatically
Safeguard for Privileged Passwords 2.11.1 Administration Guide 61
Setting up Safeguard for Privileged Passwords for the first time
�add assets and accounts to Safeguard for Privileged Passwords. For more information, see Discovery on page 225.
Step 6: Security Policy Administrator adds access request policies
1. Log in to the desktop client using the Security Policy Administrator account. 2. Set Reasons. (Settings | Access Request | Reasons) 3. Configure Approval Anywhere. (Settings | External Integration | Approval
Anywhere). 4. Add user groups (Adding a user group). 5. Add local or directory users to local user groups (Adding users to a user group). 6. Add account groups (Adding an account group). 7. Add accounts to account groups (Adding one or more accounts to an account group). 8. Add entitlements (Adding an entitlement). 9. Add users or user groups to entitlements (Adding users or user groups to an
entitlement). 10. Create access request policies (Creating an access request policy).
Safeguard for Privileged Passwords 2.11.1 Administration Guide 62
Setting up Safeguard for Privileged Passwords for the first time
�5
Search box
Whether you are using the desktop client or web client, the search box can be used to filter the data being displayed. When you enter a text string into the search box, the results include items that have a string attribute that contains the text that was entered. This same basic search functionality is also available for many of the detail panes and selection dialogs, allowing you to filter the data displayed in the associated pane or dialog. When searching for objects in the object lists, an attribute search functionality is also available where you can filter the results, based on a specific attribute. That is, the search term matches if the specified attribute contains the text. To perform an attribute search, click the icon to select the attribute to be searched. Rules for using the search functionality:
l Search strings are not case-sensitive. Exception: in the web client, the Approvals and Reviews searches are case sensitive.
l Wild cards are not allowed. l Try using quotes and omitting quotes. As you use the product, you will become
familiar with the search requirements for the search fields you frequent. Safeguard may perform a general search (for example, omits quotes) or a literal search (for example, includes quotes). Example scenarios follow:
l On the Settings pane, search strings must be an exact match because a literal search is performed. Do not add quotes or underlines. For example, from the Settings pane, enter password rules to return Safeguard Access | Password Rules. If you enter "password rules" or password_rules, the following message is returned: No matches found.
l On the Users pane search box: l A general search does not return anything if you use quotes because it uses a literal search (searches for the quotes). For example: searching for "ab_misc2" returns the message: There is nothing to show here. l You can use quotes in an attribute search if there are spaces in the search name. For example, entering the following in the search box Username: "ab_misc2" returns: AB_misc2.
l When multiple search strings are included, all search criteria must be met in order for an object to be included in the results list.
Safeguard for Privileged Passwords 2.11.1 Administration Guide 63
Search box
�l When you combine a basic search and an attribute search, the order they are entered into the search box matters. The attribute searches can be in any order, but the basic search must come after the attribute searches.
l In large environments, you will see a result number to tell you how many objects match the criteria; however, only the first 200 objects will be retrieved from the server. When you scroll down the list, more objects will be retrieved (paged) as needed.
To search for objects or object details 1. Enter a text string in the Search box. As you type, the list displays items whose string attributes contain the text that was entered. Examples: l Enter T in the search box to search for items that contain the letter "T". l Enter sse to list all items that contain the string "sse," (such as "Asset") NOTE:The status bar along the bottom of the console shows the number of items returned. 2. To clear the search criteria, click Clear. When you clear the search criteria, the original list of objects are displayed.
You can also Search by attributeSelect a drop-down to sort
Search by attribute
The attributes available for searching are dependent on the type of object being searched. The search drop-down menu lists the attributes that can be selected.
API attributes can be searched
The drop-down menu lists a limited number of attributes that can be searched; however, you can perform an attribute search using the English name of any attribute as it appears in the API. Nested attributes can be chained together using a period (.). To see a list of all the attributes, see the API documentation. For information about the API, see How do I access the API.
Entering the search string 1. Click the icon and select the attribute to be searched. The selected attribute is added to the search box. For example, if you select Last Name then LastName: is added to the search box. 2. In the search box, enter the text string after the colon in the attribute label. You can specify multiple attributes, repeating these steps to add an additional attribute to the search box. Do not add punctuation marks, such as commas or
Safeguard for Privileged Passwords 2.11.1 Administration Guide 64
Search box
�colons, to separate the different attributes. When multiple attributes are included, all search criteria must be met in order for an object to be included in the results list.
As you type, the list displays items whose selected attributes contain the text that was entered.
NOTE:The status bar along the bottom of the console shows the number of items returned.
3. To clear the search criteria, click Clear.
When you clear the search criteria, the original list of objects are displayed.
Attributes in each Search box
The following attributes are available when you click the can be searched in the search box. Accounts
l Name l Description l Asset l Domain Name l Profile l Partition l Tag Account Groups l Name l Description l Dynamic Assets l Name l Description l Platform l Forest Root Domain l Network Address l Partition l Is Directory l Tag Asset Groups l Name l Description
icon. In addition, API attributes
Safeguard for Privileged Passwords 2.11.1 Administration Guide 65
Search box
�l Dynamic Entitlements
l Priority l Name l Description l Users Display Name l Users Name Partitions l Name l Description Users
l User Name l Description l First Name l Last Name l Email Address l Domain Name User Groups
l Name l Description
Select a drop-down to sort
By default, the desktop client lists the objects in alphabetical order; however, you can use the controls located above the list to sort the object list.
To sort the desktop client object lists 1. Select Ascending or Descending under the Search box to sort the list in either alphabetical or reverse-alphabetical order. 2. To sort the list of Accounts, open the drop-down menu under the Search box and choose one of the following options before sorting the list in either Ascending or Descending order: l Name (Default) l Description
Safeguard for Privileged Passwords 2.11.1 Administration Guide 66
Search box
�l Asset l Domain Name l Profile l Partition 3. To sort the list of Account Groups, open the drop-down menu under the Search box and choose one of the following options before sorting the list in either Ascending or Descending order: l Name (Default) l Description l Dynamic 4. To sort the list of Assets, open the drop-down menu under the Search box and choose one of the following options before sorting the list in either Ascending or Descending order: l Name (Default) l Description l Platform l Network Address l Partition 5. To sort the list of Asset Groups, open the drop-down menu under the Search box and choose one of the following options before sorting the list in either Ascending or Descending order: l Name (Default) l Description l Dynamic 6. To sort the list of Entitlements, open the drop-down menu under the Search box and choose one of the following options before sorting the list in either Ascending or Descending order: l Priority (Default) l Name l Description 7. To sort the list of Partitions, open the drop-down menu under the Search box and choose one of the following options before sorting the list in either Ascending or Descending order: l Name (Default) l Description 8. To sort the list of Users, open the drop-down menu under the Search box and choose one of the following options before sorting the list in either Ascending or Descending order:
Safeguard for Privileged Passwords 2.11.1 Administration Guide 67
Search box
�l User Name (Default) l Description l First Name l Last Name l Email Address l Domain Name 9. To sort the list of User Groups, open the drop-down menu under the Search box and choose one of the following options before sorting the list in either Ascending or Descending order: l Name (Default) l Description l Type (Sorts by local and directory groups.)
Safeguard for Privileged Passwords 2.11.1 Administration Guide 68
Search box
�6
Using the web client
The web client is functionally similar to the desktop client end-user view and useful for requestors, reviewers, and approvers. Many administration functions are available as well. The web client uses a responsive UI design to adapt to the user's device, from desktops to tablets or mobile phones.
NOTE: In this documentation, you will see the following icons which denote the interface:
(web client)
(desktop client)
In the web client, to add or change your photo in the upper right, click the Select the image file, then click Open.
user avatar.
The pages available to you display on the left. You will see
role, you may also see My Requests, Approvals, combination of those.
Home and, based on your Reviews, Settings, or a
You can show less of the left menu. In the upper left of the page, click expand the menu.
to collapse or
You can customize the information you see on the pages. From the Home page, click
Settings. For more information, see Settings, version, and Windows client (web client) on page 73.
Home page
Click Home to go to the home page. Based on your role, the dashboard displays My Requests, Approvals, and Reviews, the number tasks in each queue, and the status of each task (for example, Available, Denied, Pending) as well as whether the task is Due Today. You can perform the following from the Home page:
Safeguard for Privileged Passwords 2.11.1 Administration Guide 69
Using the web client
�l If you are a requester, click My Requests to create a new request.
l Click Settings to customize the information that is displayed on each page. For more information, see Settings, version, and Windows client (web client) on page 73.
l Read the Message of the Day from an Administrator. l Create favorites for requests you make often. For more information, see Favorites
(web client) on page 72.
My Requests (web client)
If you are a requester, click about requests.
My Requests to make a request or see information
To make a request
You must be an authorized user of an entitlement to create a request for the assets and accounts you need.
1. Click My Requests to go to the My Request page. 2. Follow the workflow steps. For more information, see Requesting a password release
on page 111.
To create a favorite You can create favorites for requests you make often. For more information, see Favorites (web client) on page 72.
To view and manage requests
On the My Requests page, you can view the requests. Control the display using the following approaches:
l Click Sort By then select to sort by Account Name, Asset Name, Due Next, Expiring Next, Most Recent, or Status.
l Click sort up or sort down to sort in ascending or descending order.
l Click Filters to filter by the status. l All: Requests in all states. l Available: Approved requests that are ready to view or copy. l Pending Approval: Requests that are waiting for approval l Approved: Requests that have been approved, but the checkout time has not arrived. Or, for pending accounts restored when using the Safeguard for Privileged Passwords suspend feature.
Safeguard for Privileged Passwords 2.11.1 Administration Guide 70
Using the web client
�l Revoked: Approved requests retracted by the approver. The approver can revoke a request after the request has become available.
l Expired: Requests for which the checkout duration has elapsed. l Denied: Requests denied by the approver. l For more information, see Search box on page 63.
Approvals (web client)
If you are an approver, click Approvals on the left of the page to manage approvals. On the Approvals page, you can:
l View details: Select the request and the details display on the right of the page.
l Approve one or more request: Select the requests. Then, click selected requests. Optionally, enter a comment.
to approve all the
l Deny one or more request: Select the requests. Then, click selected requests. Optionally, enter a comment.
to deny all the
l Change the columns that display: Click and select the columns you want to see. l Search: For more information, see Search box on page 63. For more information, see Approving a password release request on page 115.
Reviews (web client)
Select Reviews on the left of the page to manage reviews. On the Reviews page, you can:
l View details: Select the request and the details display on the right of the page.
l Mark one or more request as reviewed: Select the requests. Then, click to mark all the selected requests as reviewed. A comment may be required or, if not required, added.
l Change the columns that display: Click and select the columns you want to see. l Search: For more information, see Search box on page 63.
Safeguard for Privileged Passwords 2.11.1 Administration Guide 71
Using the web client
�Favorites (web client)
On your Home or My Requests page, you will see My Favorites (number of favorites). You can quickly make requests by creating a favorite of requests you make often, then just click the favorite.
You must be authorized to create requests for the assets and accounts you choose to
include in a favorite. To change the look of the favorite tiles, click for small icons.
for large icons or
Add a favorite
1. To the right of My Favorite Requests, click Add. 2. On the Asset Selection page, select the assets to access. Use the following
approaches to quickly find the assets you want:
l Click to search the Asset, Network Address, or Platform. For more information, see Search box on page 63.
l Once you've selected assets, the number of Assets selected displays in the lower left. You can toggle between Show only selected and Show all.
l In the lower right, select the number of Items per page that display. Click the arrows to move through the pages.
3. Click Next to select the accounts. 4. On the Account & Access Type Selection , select the account for the asset. If
there are several accounts associated with an asset: a. Click the Select Account(s) link. b. Select the account(s) for that asset. c. Click OK. d. Continue to select accounts for each asset.
5. Click Next to provide favorite details: a. Enter a Name for the favorite. b. Enter a Brief Description. c. Select the color of the favorites tile.
6. Click Add.
Manage a favorite Once a favorite has been created, you can use and manage the favorite.
Safeguard for Privileged Passwords 2.11.1 Administration Guide 72
Using the web client
�1. Click the menu on the right of the favorite and perform a task: l Click Submit Request to submit the request and launch the request workflow. l Click Change Color to change the color of the favorite. This is useful to color code types of requests. l Click Remove to delete the favorite.
Settings, version, and Windows client (web client)
You can control page displays, check the version, or download the Safeguard for Privileged Passwords Windows client.
1. In the upper right corner, next to your user name, click then Application Settings to proceed. Or, from the Home page, click Settings.
2. Click the General tab, then complete one of the following actions, as desired:
l In Pages, toggle the pages which are available on or changes, you can change the display in the future.
off. If your role
l In Homepage, select the page you want to see first when you log on.
l Under About, the Appliance Version displays.
l Click Download Windows Client to download the Windows desktop client.
3. Click the Home tab.
a. On the Home Page Widgets page, toggle what you want to display on or off.
b. Under any Tile Set, select the request statuses you want to display.
4. Click the Approvals tab, if available. On the Approvals Widgets page, control available widgets, if any.
5. Click the Requests tab, if available. On the My Request Widgets page, toggle what you want to display on on or off.
6. Click the Reviews tab, if available. On the Review Widgets page, control available widgets, if any.
Change password (web client)
You can change your password.
Safeguard for Privileged Passwords 2.11.1 Administration Guide 73
Using the web client
�To change the password
1. In the upper right corner, next to your user name, click . 2. Click Change Password. The password requirements are listed. 3. Enter your Current Password and the New Password as directed. (Click or
to view or hide the password as it is entered.) 4. Click Save to save your new password.
FIDO2 keys (web client)
If the FIDO2 feature is enabled, at least one FIDO2 key must be registered. When a key is added, the placeholder name is Unnamed Key. You can enter a meaningful name or later edit the name. It is recommended that all users have more than one key registered in case a key is lost or damaged.
1. In the upper right corner, next to your user name, click . 2. Click Manage FIDO2 Keys. The name and date each existing key was registered
and last used displays. 3. Perform an action:
l To change a name, enter the new name, then click Save. l To remove a key, click Remove by the key. One key must remain
registered. If a physical security key is lost, always delete the associated key from Safeguard for Privileged Passwords. l To add a key, click Register New FIDO2 Key.
a. You will be asked to insert or connect to the new key. b. You will be prompted to reenter your primary credentials for verification. c. Tap or activate your new FIDO2 key that is being registered. d. You may then go back to the Manage FIDO2 Key page and give your
newly registered key a name, then click Save. For more information, see Requiring secondary authentication log in on page 457.
Log out (web client)
Always securely log out of the web client.
Safeguard for Privileged Passwords 2.11.1 Administration Guide 74
Using the web client
�To log out 1. In the upper right corner, next to your user name, click . 2. Click Log out to securely exit the Safeguard for Privileged Passwords web client.
Safeguard for Privileged Passwords 2.11.1 Administration Guide 75
Using the web client
�7
Installing the desktop client
To define and enforce security policy for your enterprise, you must first install the desktop client application which gives you access to the Administrative Tools. Or, you can use the web client instead of the desktop client, if you Administrator has provided the url location. For more information, see Using the web client on page 69. These topics explain how to install, start, and uninstall the Safeguard for Privileged Passwords desktop client application:
Installing the desktop client Starting the desktop client Uninstalling the desktop client
Installing the desktop client
NOTE: PuTTY is used to launch the SSH client for SSH session requests and is included in the install. The desktop client looks for any user-installed PuTTY in the following locations:
l Any reference to putty in the PATH environment variable l c:/Program Files/Putty l c:/Program Files(x86)/Putty l c:/Putty If PuTTY is not found, the desktop client uses the version of PuTTY that it installed at: <user-home-dir>/AppData/Local/Safeguard/putty. If the user later installs PuTTY in any of the locations above, the desktop client uses that version which ensures the user has the latest version of PuTTY.
Safeguard for Privileged Passwords 2.11.1 Administration Guide 76
Installing the desktop client
�Installing the Safeguard for Privileged Passwords desktop client application 1. To download the Safeguard for Privileged Passwords desktop client Windows installer .msi file, open a browser and navigate to: https://<Appliance IP>/Safeguard.msi Save the Safeguard.msi file in a location of your choice. 2. Run the MSI package. 3. Select Next in the Welcome dialog. 4. Accept the End-User License Agreement and select Next. 5. Select Install to begin the installation. 6. Select Finish to exit the desktop client setup wizard.
Installing the Desktop Player
CAUTION: If the Desktop Player is not installed and a user tries to play back a session from the Activity Center, a message like the following will display: No Desktop Player. The Safeguard Desktop Player is not installed. Would you like to install it now? The user will need to click Yes to go to the download page to install the player following step 2 below.
1. Once the Safeguard for Privileged Passwords installation is complete, go to the Windows Start menu, Safeguard folder, and click Download Safeguard Player to be taken to the One Identity Safeguard for Privileged Sessions - Download Software web page.
2. Follow the Install Safeguard Desktop Player section of the player user guide found here: a. Go to One Identity Safeguard for Privileged Sessions - Technical Documentation. b. Scroll to User Guide and click One Identity Safeguard for Privileged Sessions [version] Safeguard Desktop Player User Guide.
3. For Safeguard Desktop player version 1.8.6 and later, ensure your signed web certificate has a Subject Alternative Name (SAN) that includes each IP address of each of your cluster members. If the settings are not correct, the Safeguard Desktop Player will generate a certificate warning like the following when replaying sessions: Unable to verify SSL certificate. To resolve this issue, import the appropriate certificates including the root CA.
New Desktop Player versions When you have installed a version of the Safeguard Desktop Player application, you will need to uninstall the previous version to upgrade to a newer player version.
Safeguard for Privileged Passwords 2.11.1 Administration Guide 77
Installing the desktop client
�Starting the desktop client
The following steps assume the Safeguard for Privileged Passwords 2000 Appliance has been configured and licensed. As a Safeguard for Privileged Passwords user, if you get an appliance is unlicensed notification, contact your Appliance Administrator.
To start the desktop client application
1. From the Windows Start menu, choose Safeguard. 2. On the server selection screen, enter or select the server's network DNS name or IP
address to connect to the appliance over the network and click Connect. NOTE: When entering an IPv6 address, enclose the IPv6 address in square brackets.
3. You will see a message like: You'll now be redirected to your web browser to complete the login process. You can select: Don't show this message again. Then, click OK.
4. On the user login screen, enter your credentials and click Log in. l User Name: Enter your user or display name. Do not include spaces in the User Name. NOTE: When using directory account credentials, you have the option to enter your domain\name. l Password: Enter the password associated with the user entered above.
5. If your Safeguard for Privileged Passwords user account requires you to log in with secondary authentication, enter the secure password token code, or other authentication for your authentication service provider account and click Submit. NOTE:The type and configuration of the secondary authentication provider (for example, RSA SecureID, FIDO2, One Identity Starling Two-Factor Authentication, and so on) determines what you must provide for secondary authentication. Check with your system administrator for more information about how to log in to Safeguard for Privileged Passwords with secondary authentication.
6. When login is successful, you can close the web browser and return to the Safeguard application.
To remove server DSN names or IP addresses no longer used The DSN name or IP address on the server selection screen may be no longer used. If you want to remove one or more selections, you can edit the user.config file using a text editor like Notepad.
1. Go to: C:\Users\<YourSafeguardUserName>\AppData\Local\One_Identity_ LLC\Client.Desktop.UI.exe_Url_<UniqueGUID\<ClientVersion>\user.config
2. Make a backup copy of user.config in case you want to return to the file. 3. Open the file and edit the following section to list only the addresses you want:
Safeguard for Privileged Passwords 2.11.1 Administration Guide 78
Installing the desktop client
�<setting name="ClusterHistory" serializeAs="Xml"> <value> <ArrayOfString xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <string>10.5.33.57</string> </ArrayOfString> </value> </setting> 4. Save the updated file. 5. Log on to verify the correct selections display.
Uninstalling the desktop client
You can uninstall a desktop client. To uninstall the desktop client
1. In the Windows Control Panel, open Programs and Features. 2. Right-click the Safeguard for Privileged Passwords application and choose Uninstall.
Safeguard for Privileged Passwords 2.11.1 Administration Guide 79
Installing the desktop client
�8
Using the desktop client
Safeguard for Privileged Passwords has two graphical user interfaces that allow you to manage password and session requests, approvals, and reviews for your managed accounts and systems:
l Windows desktop client: The desktop client consists of an end-user view and an administrator view. The administrative functionality is dynamically enabled based on the user's permissions. The desktop client user interface information follows.
l Web client: The web client is functionally similar to the desktop client end-user view. For more information, see Using the web client on page 69.
NOTE: In this documentation, you will see the following icons which denote the interface:
(web client)
(desktop client)
Desktop client toolbar
The toolbar along the top-right corner of the Safeguard for Privileged Passwords console, has these controls:
l
User avatar: Modify personal information, view notifications, or log out of the
Safeguard client. For more information, see User information and log out (desktop
client) on page 82.
l
Settings: Configure the desktop client application, including notifications and
Home page widgets, or view product information, including contact information. For
more information, see Settings (desktop client) on page 80.
Settings (desktop client)
The desktop client console Settings ( ) allows you to configure the desktop client application.
Safeguard for Privileged Passwords 2.11.1 Administration Guide 80
Using the desktop client
�Notifications
Use the following options to control notifications within Safeguard for Privileged Passwords:
l Run in the System Tray when you close the application.
When you enable the Run in the System Tray option, you cannot modify the toast notifications option. However, when you disable the Run in the System Tray option, you can enable or disable toast notifications.
NOTE: When you enable the Run in the System Tray option, you cannot modify the toast notifications option because in that mode, you always get notifications.
l Enable Toast Notifications to display event alerts on your console.
Toast notifications are alerts that appear when the desktop client application is not the active foreground application: for example, when you are in another application or when you have minimized the desktop client.
Reset Notifications: Click Reset Notifications to reenable any notifications pop ups that have been preciously suppressed.
Widgets
Click the toggles to enable (toggle on page widgets:
) or disable (toggle off
) the Home
l Requests l Approvals l Reviews
All widgets are enabled by default, indicating that the corresponding controls display on your Home page. The toggles appear blue with the switch to the right when a widget is enabled, and gray with the switch to the left when a widget is disabled.
About dialog tab
Click About Safeguard for Privileged Passwords to display the following information.
l About: The trademark and copyright information l Contact: Information about how to get in touch with One Identity l Components: A list of third-party components used in Safeguard for
Privileged Passwords l Third Party License Text: The license text for third-party components that require
this text to be included in the product documentation
Safeguard for Privileged Passwords 2.11.1 Administration Guide 81
Using the desktop client
�User information and log out (desktop client)
On the desktop client, click the user avatar (or the Welcome link with your user name) to modify your personal information, manage email notifications, view current notifications, or log out of Safeguard for Privileged Passwords.
My Account
Click My Account to modify your personal information and manage your email notifications.
NOTE:Safeguard for Privileged Passwords Active Directory users cannot use My Account to modify their email address, phone number, or change their password. They must do these actions in Active Directory
To update your personal information
1. From the toolbar, select your of the following:
user avatar and choose My Account. Perform any
l To change your image, select Change Photo.
l To change your email address or Contact Information, type into the appropriate box.
2. Click Done to close the My Accounts pane.
To change your user password
1. From the toolbar, select your user avatar and choose My Account. 2. To change your user password, click Change Password and complete the
information.
3. Click Done to close the My Accounts pane.
To manage your FIDO2 keys
At least one key must be registered. When a key is added, the placeholder name is Unnamed Key. You can enter a meaningful name or later edit the name. It is recommended that all users have more than one key registered in case a key is lost or damaged.
1. From the toolbar, select your user avatar and choose My Account. 2. Click Manage FIDO2 Keys. The name and date each key was registered and last
used displays.
l Click Edit to change the name then click Save. Click Cancel to leave the editing operation.
Safeguard for Privileged Passwords 2.11.1 Administration Guide 82
Using the desktop client
�l Click Delete to delete a key. One key must remain registered. If a physical security key is lost, always delete the associated key from Safeguard for Privileged Passwords.
l Click Register New FIDO2 Key to add a key. a. You will be asked to insert or connect to the new key. b. You will be prompted to reenter your primary credentials for verification. c. Tap or activate your new FIDO2 key that is being registered. d. You may then go back to the Manage FIDO2 Key page and give your newly registered key a name.
3. Click Done to close the My Accounts pane. For more information, see Requiring secondary authentication log in on page 457.
To manage the notifications you receive
1. From the toolbar, select your user avatar and choose My Account. 2. Click Manage Email Notifications.
The Manage Email Notifications dialog displays the type of events for which you are receiving email notifications.
NOTE: When there are no delegated owners assigned to a partition, email notifications related to partitions are sent to the Asset Administrator. However, when a delegated owner is specified to manage the assets and accounts in a partition, email notifications related to partitions are sent to the delegated owner, not to the Asset Administrator. 3. From this dialog, you can define the types of events for which you want to receive notifications. By default, all events are selected. Clear the check box for any events for which you do not want to receive an email notification. TIP: Select the check box next to the Events heading to select all of the events in the list. Similarly, clear the check box next to the Events heading to clear all of the event check boxes. 4. Click OK to save your selections and close the dialog. 5. Click Done to close the My Accounts pane.
Log Out
Click Log Out to log out of the Safeguard for Privileged Passwords desktop client.
Safeguard for Privileged Passwords 2.11.1 Administration Guide 83
Using the desktop client
�Desktop client favorite request
If you are designated as a requester, the desktop client allows you to add an access request as a Favorite to your Home page. Favorites are unique for the user; they are available when you log in to the desktop client or the web client. You can create a favorite request from your Favorites pane on your Home page or from the New Access Request dialog when creating or editing an access request.
To create a favorite request from your Home page
1. In the Favorites pane, click New Favorite. 2. In the New Access Request dialog, specify the assets, accounts, and type of asset
to be included in the access request. a. On the Asset Selection tab, select the assets to be included in the access request. b. On the Account & Access Type tab, select the accounts to be included in the access request and the type of access being requested for each selected account. The accounts include linked accounts, if any. For more information, see Linked Accounts tab (user) on page 448. l Account: The available account appears in the Account column. When an asset has multiple accounts available, click Select Account(s) to select an account from the displayed list. l Access Type: The type of access request appears in the Access Type column. When multiple access request types are available, this value appears as a hyperlink. Click this hyperlink to select the access type.
3. Click the Add to Favorites button. 4. In the Add to Favorites dialog, specify the following:
a. Name: Enter a name for the request. b. Description: Enter descriptive text about the request. c. Color: Select the icon color to be used to display the request in your
Favorites pane. Click Add. The dialogs closes and the new favorite are added to the Favorites pane on your Home page.
To create a favorite request from the New Access Request dialog
1. At the bottom of the New Access Request dialog, click the Add to Favorites button when you are creating a new request. The Add to Favorites button is enabled when you select the minimum required information (that is, at least one asset, account, and an access type) for the access request.
2. In the Add to Favorites dialog, specify the following:
Safeguard for Privileged Passwords 2.11.1 Administration Guide 84
Using the desktop client
�a. Name: Enter a name for the request. b. Description: Enter descriptive text about the request. c. Color: Select the icon color to be used to display the request in your
Favorites list. 3. Click Add.
To change a favorite request's icon color
1. At the top of the Favorites pane, click the button to display the Color Selected button.
2. Select the check box to the left of the favorite request to be changed. Selecting a favorite request, instead of the check box, displays the New Access Request dialog to edit and submit the access request.
3. Click Color Selected. 4. In the Settings dialog, choose a color and select OK.
The icon for the favorite now appears in the color you selected.
To remove a favorite request
1. At the top of the Favorites pane, click the button to display the Remove Selected button.
2. Select the check box to the left of the favorite request to be removed. Selecting a favorite request, instead of the check box, displays the New Access Request dialog to edit and submit the access request.
3. Click the Remove Selected button. 4. Select Yes to confirm.
Desktop client navigation pane
In the desktop client, the Home page left navigation pane has these links.
l
Home: Where you view and take action on the access request tasks that need
your immediate attention. As a requester, it also provides access to your list of
Favorite access request queries.
l Dashboard: Where Security Policy Administrators can audit access requests. Where Asset Administrators can view information regarding accounts that are failing different types of tasks.
l
Activity Center: Where you can search for and review activity for a
specific time frame.
l
Reports: Where you can view and export entitlement reports that show you which
assets and accounts a selected user is authorized to access.
Safeguard for Privileged Passwords 2.11.1 Administration Guide 85
Using the desktop client
�l Administrative Tools: Where you add all the objects you need to write access request policies, such as users, accounts, and assets. Where you define and management all of the administrative Safeguard for Privileged Passwords settings.
Home
When you log in to Safeguard for Privileged Passwords, you begin on the Home page. The Message of the Day displays on the right side. The rest of the Home page is tailored to your user rights and permissions. If you are authorized by an entitlement to request, approve, or review access requests, then your Home page gives you a quick view to the access request tasks that need your immediate attention. You can turn Requests, Approvals, and Reviews widgets on or off in Settings (desktop client). The Appliance Administrator sets the Message of the Day. For more information, see Message of the Day on page 416.
Requester's Home page view
Click the New Request tile to open the New Access Request dialog, which lists the assets and accounts you are authorized to access. From this dialog you specify the assets, accounts and the type of access you are requesting, and additional details about the request. For more information, see:
l Requesting a password release l Requesting session access Expand Requests to view the requests awaiting action. For more information, see: l Taking action on a password release request l Taking action on a session request The Favorites pane (right pane) displays a list of requests you have marked as a favorite, providing a quick way to request access.
Favorites pane: Action bar buttons
Use the toolbar buttons at the top of the Favorites pane to manage your favorite requests:
l New Favorite: Select this button to create a new favorite request. Clicking this button displays the New Access Request dialog, allowing you to select the assets,
Safeguard for Privileged Passwords 2.11.1 Administration Guide 86
Using the desktop client
�accounts, type of access, and additional details about the request.
l
Select this button to display additional options for managing your favorite
requests:
l Request Selected l Color Selected l Remove Selected
TIP: Select the check box to the left of a favorite request to use these additional buttons. Selecting the request itself will launch the New Access Request dialog, allowing you to edit and submit the request.
Submit a favorite request
To submit a favorite request, click the request or select the check box to the left of a request and select Request Selected. The New Access Request dialog displays allowing you to edit your selections or enter a required reason or comment before submitting it.
For more information, see:
l Desktop client favorite request
Approver's Home page view
Your job is to approve or deny the access requests listed on your Home page. Expand Approvals to view the requests awaiting your approval. As an approver user, unless you are also designated as a requester, you will see no favorites listed. For more information, refer to these topics:
l Approving a password release request l Approving a session request
Reviewer's Home page view
Your job is to review completed access requests listed on your Home page. Expand Reviews to view the completed requests requiring your review. As a reviewer user, unless you are also designated as a requester, you will see no favorites listed. For more information, refer to these topics:
l Reviewing a completed password release request l Reviewing a session request
Safeguard for Privileged Passwords 2.11.1 Administration Guide 87
Using the desktop client
�Dashboard
The Dashboard contains operational information that allows administrators with the proper permissions to view and manage access requests and accounts failing tasks from a single location.
l Access Requests: Displays information about access requests in different stages of the workflow.
l Account Automation: Displays information about accounts that are failing different types of tasks.
Access Requests
The Access Requests tab on the Dashboard allows Security Policy Administrators to review and manage access requests from a single location. Clicking one of the access request tiles across the top of the view displays additional information about the access requests belonging to that category. In addition, you can review the request workflow, launch a live session, terminate a session, or revoke a specific request.
This dashboard is available to Safeguard for Privileged Passwords users assigned the following administrative permissions:
l Auditor: Read-only view.
l Security Policy: Full control.
Access requests: Tiles
l Open Sessions: Displays a list of all currently opened sessions. l Passwords Out: Displays a list of all password release requests that are currently
checked out. l Pending Approval: Displays a list of access requests to be approved. l Pending Review: Displays a list of access requests to be reviewed. l Open Requests: Displays a list of all currently opened access requests, including
session requests and password release requests.
Access requests: Toolbars
Use the toolbar at the top of the details grid to perform the following tasks.
l
Workflow: Select to review the transactions that took place in the selected
request. Clicking this button displays the Request Workflow dialog allowing you to
audit the transactions that occurred during the request's workflow from request to
approval to review.
l
View Live Session: Select to view a live session for the selected session
Safeguard for Privileged Passwords 2.11.1 Administration Guide 88
Using the desktop client
�request. Clicking this button launches the Desktop Player allowing you to follow an active session.
If the Desktop Player is not installed, see Installing the desktop client, Installing the Desktop Player section.
For details on using the Desktop Player, go to One Identity Safeguard for Privileged Sessions - Technical Documentation. Scroll to User Guide and click One Identity Safeguard for Privileged Sessions [version] Safeguard Desktop Player User Guide.
l
Terminate Session: Select to terminate the live session for the selected
session request.
l
Revoke Request: Select to retract the selected access request.
l
Export: Select to create a .csv or .json file of the currently displayed access
request grid and save it to a location of your choice.
You can convert timestamps to local time, if necessary. For more information, see Converting time stamps on page 102.
l
Columns: Select to display a list of columns that can be displayed in the grid.
Select the check box for data to be included in the grid. Clear the check box for data
to be excluded from the grid.
Viewing details
Additional detailed information is available for access requests listed in the request grids on the Access Requests view.
To see the details of an access request 1. Double-click a request to view additional details. 2. Double-click to close the request details. NOTE: Clicking Refresh at the top of the view also closes the details in addition to retrieving the latest access requests.
Account Automation
The Account Automation tab on the Dashboard allows Asset Administrators to view information regarding accounts that are failing different types of tasks. This dashboard includes both automated and manual tasks in the failure results. Clicking one of the failure task tiles across the top of the view displays additional information about the accounts belonging to that category.
This dashboard is available to Safeguard for Privileged Passwords users assigned the following administrative permissions:
Safeguard for Privileged Passwords 2.11.1 Administration Guide 89
Using the desktop client
�l Asset Administrator: Full control for accounts related to all Safeguard for Privileged Passwords assets
l Auditor: Read-only view l Delegated Partition Owner: Control for accounts related to the accounts and assets
managed through delegation
Account Automation: Tiles
l Password Check Failures: Displays a list of accounts where password check tasks failed.
l Password Change Failures: Displays a list of accounts where password change tasks failed.
l SSH Key Change Failures: Displays a list of accounts where SSH key change tasks failed.
l Suspend Account Failures: Displays a list of accounts where suspend tasks failed. l Restore Account Failures: Displays a list of accounts where restore tasks failed.
Account Automation: Toolbar
Use the toolbar at the top of the details grid to perform the following tasks.
l Rerun task: Select to rerun the selected task.
l Export: Select to create a .csv or .json file of the currently displayed account automation grid and save it to a location of your choice.
l You can convert timestamps to local time, if necessary. For more information, see Converting time stamps on page 102.
l Columns: Select to display a list of columns that can be displayed in the grid. Select the check box for data to be included in the grid. Clear the check box for data to be excluded from the grid.
Activity Center
The Activity Center is the place to go to view the details of specific events or user activity. The appliance records all activities performed within Safeguard for Privileged Passwords. Any administrator has access to the audit log information; however, your administrator permission set determines what audit data you can access. For more information, see Administrator permissions on page 507.
Activity Center: Main page toolbar
The toolbar at the top of the main Activity Center page contains these options.
Safeguard for Privileged Passwords 2.11.1 Administration Guide 90
Using the desktop client
�l
Clear: Resets the current search criteria back to the default settings (all activity
occurring within the last 24 hours.)
l
Schedule: Allows you to define when the activity audit log report is to be
generated and sent via email as well as the format of the report (.csv or .json). For
more information, see Scheduling an activity audit log report on page 95.
l
Open: Allows you to access previously saved search and scheduled reports.
l
Save: Saves the current search criteria which can be used later to generate the
report. For more information, see Saving search criteria on page 92.
l Run button: Generates an activity audit log report based on the search criteria specified.
In addition, query tiles display the criteria you have applied to search the activity data. By default, only the Activity category and Time frame tiles display. Use the Add button to specify additional query criteria to retrieve the information you are looking for. For more information, see Applying search criteria on page 91.
Activity Center: Results page toolbar
Once an activity audit log report is generated, the results page contains the search results grid and these toolbar options.
l
Back: Takes you back to the query page where you can modify the
search criteria.
l
Refresh: Closes the details and updates the search results page.
Applying search criteria
Use the query builder in the Activity Center to add and remove data from your activity audit log report to get the information you need. By default, an activity audit log report includes all activity occurring within the last 24 hours. However, using the query tiles provided you can specify search criteria to retrieve specific information from the activity audit log. The search criteria available includes:
l Activity category (to narrow parameters and event details) l Time frame l User l Asset l Account l Search keyword or value: For sessions, you can search by keyword or value.
Safeguard for Privileged Passwords 2.11.1 Administration Guide 91
Using the desktop client
�To apply search criteria to the audit log Activity Category and Time frame are required to generate a report. Other search criteria is optional and allows you to narrow the report to the exact parameters provided.
1. From the Safeguard for Privileged Passwords desktop Home page, select Activity Center.
2. I would like to see defaults to All Activity. Click the tile to limit the report to a particular type of activity and select the activity category to be included in the report.
3. Occurring within the defaults to Last 24 Hours. To specify a different time frame, click the tile and select the time frame to be included in the report. If using the Custom option, specify the custom date and time range.
4. Click the Add button to further filter results. The options to add are based on the selections you made and may include user, asset, or account. When you add filters, additional tiles display such as: involving the asset. l If you select Add User, you can specify one user. A tile with the user displays. l If you select Add Asset, you can select an asset. A new tile with the asset displays. When an account is specified, the Add Asset option is not available. l If you select select Add Account, you can select the account. When an asset is specified, the Add Account option is not available.
5. To search session activity for a specific keyword or value. a. Change the activity category (I would like to see) to Session Specific Activity (or In-Session Activity). b. Click the Add button and select Add Search value. c. In the Enter a Search Value dialog, enter the keyword or value (e.g., regedit) and click OK.
An additional tile appears listing the keyword or value specified. If you later change the activity category, the keyword tile will be dimmed indicating it will not be included in the query. 6. To remove or edit your selections, use the icons in the upper-right corner of a query tile:
l Clear: Resets the value back to the default. Clear is only available for Activity category and Time frame.
l Delete: Removes search criteria tiles you added. l Edit: Displays the corresponding dialog allowing you to modify your
selection. You can also click a query tile to edit your selection.
Saving search criteria
You can save the current search criteria defined to be used at a later time to generate an activity audit log report. You can save the current search criteria from the main Activity Center view (query builder page) or from the results view.
Safeguard for Privileged Passwords 2.11.1 Administration Guide 92
Using the desktop client
�To save the current search criteria 1. From the Safeguard for Privileged Passwords desktop Home page, select Activity Center. 2. Specify the search criteria to be used to generate the desired report. For more information, see Applying search criteria on page 91. 3. Click Save. 4. In the Save Search dialog, enter the following information: a. Name: Enter a name for the search. b. Description: Optionally, enter descriptive text to describe the search. 5. Click OK. 6. To run a previously saved search, click Open. a. Select a search from the list. (The criteria for the selected search is displayed in the right pane.) b. Click Open. The query tiles for the selected search appear in the Activity Center page, where you can then select Run to generate the report.
Generating an activity audit log report
To generate an activity audit log report 1. From the Safeguard for Privileged Passwords desktop Home page, select Activity Center. 2. Use the query tiles to specify the content of the report. By default the audit log returns all activity occurring within the last 24 hours. For more information, see Applying search criteria on page 91. 3. Click Run. The information displayed by default depends on the type of activity report generated. (You can change the columns displayed by selecting the Columns in the upper right of the window.) For example, the "All Activity" report displays the following information for each event. l State: The left-most column displays one of the following regarding the availability of a recorded session: l Blank: Indicates that there is no recorded session available. l (green dot): Indicates that a live session is taking place. A Security Policy Administrator can click this button to launch the Desktop Player to follow what is happening in the current session.
Safeguard for Privileged Passwords 2.11.1 Administration Guide 93
Using the desktop client
�l Play: Indicates that there is a recorded session available locally on the appliance. Clicking this button launches the Desktop Player to play back the selected recording.
l Download: Indicates that there is a recorded session available on the archive server. Clicking this button downloads the recording for play back.
NOTE: These icons only appear on an "All Activity" or "Session Specific Activity" report. l User: The name of the user who triggered the event. l Date: The date and time the event occurred. l Activity Category: The category that defines the type of activity that occurred. l Event: The event that occurred. Double-click an event to view or hide event details.
Actions once a report is generated Once a report is generated, you can use the buttons above the grid as described below.
l Time frames: To rerun the report using a different time frame, select one of the following links, specify the time range, then click Run. l Last 24 Hours (default) l Last 7 Days l Last 30 Days l Last 60 Days l Last 90 Days l Custom
l Workflow: Select an access request event and click Workflow to audit the transactions that occurred during the request's workflow from request to approval to review. For session requests, you can also replay a recorded session or live session from the Request Workflow dialog. For more information, see Replaying a session on page 133.
l Run: Select to generate the report using the specified time frame.
l Export: Right-click to select Export as CSV or Export as JSON to the location of your choice. Different information may be returned based on whether you select CSV or JSON. For example, JSON includes details of accounts discovered and CSV includes only the count of accounts. Once the report is exported, you can convert timestamps to local time, if necessary. For more information, see Converting time stamps on page 102.
l Schedule: Select to schedule the generation of the activity audit log report. For more information, see Scheduling an activity audit log report on page 95.
Safeguard for Privileged Passwords 2.11.1 Administration Guide 94
Using the desktop client
�l
Save: Select to save the current search criteria to reuse the search later. For
more information, see Saving search criteria on page 92.
l
Column: Select to display a list of columns that can be displayed in the grid.
Select the check box for data to be included in the report. Clear the check box for
data to be excluded from the report. The additional columns available depend on the
type of activity included in the report.
Scheduling an activity audit log report
Safeguard for Privileged Passwords allows you to schedule the generation of an activity audit log report, which will then be sent via email. The emailed report will be an attachment in the selected .csv or .json format.
To schedule an activity audit log report
1. From the Safeguard for Privileged Passwords desktop Home page, select Activity Center.
2. Specify the search criteria to be used to generate the desired report. For more information, see Applying search criteria on page 91.
3. Click Schedule.
4. If the Configure Email dialog displays, click Configure Email to add your email in the My Account dialog. (The email server must be configured in Safeguard for emails to be sent.)
5. In the Schedule Report dialog, enter the following information:
a. Name: Enter a name for the report.
b. Description: Optionally, enter descriptive text for the report.
c. Send To: Read-only field displaying the email address of the user currently logged into the Safeguard for Privileged Passwords client. This field is required. If this field is blank, you must set your email address in My Account. For more information, see User information and log out (desktop client) on page 82.
d. Select a Report Format, which can be CSV or JSON. Different information may be returned based on whether you select CSV or JSON. For example, JSON includes details of accounts discovered and CSV includes only the count of accounts.
e. To set the schedule, select Run Every to run the job per the run details you enter. (If you deselect Run Every, the schedule details are lost.)
l Configure the following:
To specify the frequency without start and end times, select from the following controls. If you want to specify start and end times, go to the Use Time Window selection in this section.
Safeguard for Privileged Passwords 2.11.1 Administration Guide 95
Using the desktop client
�l Minutes: The job runs per the frequency of minutes you specify. For example, Every 30 Minutes runs the job every half hour over a 24-hour period. It is recommended you do not use the frequency of minutes except in unusual situations, such as testing.
l Hours: The job runs per the minute setting you specify. For example, if it is 9 a.m. and you want to run the job every two hours at 15 minutes past the hour starting at 9:15 a.m., select Runs Every 2 Hours @ 15 minutes after the hour.
l Days: The job runs on the frequency of days and the time you enter. For example, Every 2 Days @ 11:59:00 PM runs the job every other evening just before midnight.
l Weeks The job runs per the frequency of weeks at the time and on the days you specify. For example, Every 2 Weeks @ 5:00:00 AM and Repeat on these days with MON, WED, FRI selected runs the job every other week at 5 a.m. on Monday, Wednesday, and Friday.
l Months: The job runs on the frequency of months at the time and on the day you specify. For example, If you select Every 2 Months @ 1:00:00 AM along with First Saturday of the month, the job will run at 1 a.m. on the first Saturday of every other month.
l Select Use Time Windows if you want to enter the Start and End time.
You can click add or - delete to control multiple time restrictions. Each time window must be at least one minute apart and not overlap. For example, for a job to run every ten minutes every day from 10 p.m. to 2 a.m., enter these values: Enter Every 10 Minutes and Use Time Windows:
l Start 10:00:00 PM and End 11:59:00 AM l Start 12:00:00 AM and End 2:00:00 AM
An entry of Start 10:00:00 PM and End 2:00:00 AM will result in an error that the end time must be after the start time. If you have selected Days, Weeks, or Months, you will be able to select the number of times for the job to Repeat in the time window you enter. For a job to run two times every other day at 10:30 am between the hours of 4 a.m. and 8 p.m., enter these values: For days, enter Every 2 Days and set the Use Time Windows as Start 4:00:00 AM and End 20:00:00 PM and Repeat 2. l Time Zone: Select the time zone. 6. Click Schedule Report.
Safeguard for Privileged Passwords 2.11.1 Administration Guide 96
Using the desktop client
�Editing or deleting a saved search or scheduled report
Click the Open toolbar button to display a list of saved searches and scheduled reports. From this dialog, you can delete or edit a saved search or scheduled report.
1. From the Safeguard for Privileged Passwords desktop Home page, select Activity Center.
2. From the Activity Center dialog, click Open. The Select a Saved Search dialog displays, which contains a list of all saved searches and scheduled reports including the Name, Description, Schedule, and saved Format (.csv or .json).
3. Select a saved search or scheduled report from the list. The search criteria defined for the search or report appear in the right pane.
4. Click one of the toolbar buttons or right-click commands. l Delete l Edit l Edit Schedule
5. If you selected Delete, click Yes in the confirmation dialog. The selected search or schedule will be removed from the list.
6. Depending on the type of search selected (saved search or scheduled report), the following editing capabilities are available: l Edit displays the Save Search dialog, allowing you to modify the name and description for a saved search or schedule. The Edit button is available for a saved search or a scheduled reports with an interval of Never. l Edit Schedule displays the Schedule Report dialog, allowing you to modify the schedule settings for a scheduled report. The Edit Schedule button is available for a saved search or a scheduled report. Using the command for a saved search allows you to convert it to a scheduled report.
NOTE: Clicking the Open button at the bottom of the Select a Saved Search dialog closes the dialog and returns you to the Activity Center view, where the query tiles for the selected search or report appear. You can then select Run to generate the report.
Viewing event details
Additional detailed information is available for some activity events.
Safeguard for Privileged Passwords 2.11.1 Administration Guide 97
Using the desktop client
�To see the details of a specific event 1. Double-click an event to view additional details. 2. On Password management events, select Details to see the details of the password change or check tasks. 3. Double-click to close the event details.
Auditing request workflow
In addition to reviewing activity, you can use the Activity Center to audit the transactions that occurred during the request workflow process, from request to approval to review. For session requests, you can also play back a recorded or live session if Record Sessions is enabled in the entitlement's policy. If you are an authorized reviewer, you can audit an access request's workflow of a completed request awaiting review from the Home page as well.
To audit request workflow 1. Open the Activity Center, use the query tiles to specify the content of the report, and click Run. TIP: You can change the activity category tile to specify that you want to see Access Request Activity, Session Specific Activity events, or both. 2. Select an access request event and click Workflow to audit the transactions that occurred during the request's workflow from request to approval to review. TIP: If you ran an all activity report, use the filter in the Events column to locate the access request activities. 3. For session requests that have Record Session enabled in the policy, you can play back a recorded or active session: a. Locate an access request session event and click Play to launch the Safeguard for Privileged Passwords Desktop Player. The following activities may be available to you: l A (green dot) indicates the session is "live". A user with Security Policy Administrator permissions can click this icon to follow an active session. l If the session recording has been archived and removed from the local Safeguard for Privileged Passwords file system, you will see a Download button instead of a Play button. Click Download to download the recording and then click Play. b. Accept the certificate to continue. c. Use one of the following methods to play back the session recording: l Click Play Channel from the toolbar at the top of the player.
Safeguard for Privileged Passwords 2.11.1 Administration Guide 98
Using the desktop client
�l Click the thumbnail in the upper right corner of the Information page. l Click Play Channel next to a channel in the Channels pane. 4. For SSH session requests that have the Enable Command Detection option selected in the policy, you can review a list of the commands and programs run during the session. For RDP session requests that have the Enable Windows Title Detection option selected in the policy, you can review a list of all the windows opened on the desktop during the privileged session. a. Click the Sessions Events link above the transaction grid to view a list of all the session events and recordings available for the selected session. b. To see the individual events that occurred during a particular Initialize Session transaction: l Click Show Details to display additional information about the Initialize
Session event, including Session Events. l Click the events link to view the commands and programs run during
that particular Initialize Session event The Session Events dialog displays listing the events with a time stamp showing when the event occurred as well as in which recording if multiple recordings were created.
Filtering report results
To find information in an activity audit log report or entitlement report, use the controls in the grid heading row to filter the data. When a column has selected filter criteria, Safeguard for Privileged Passwords highlights the filter symbol.
To filter columns 1. Click Filter to open the filter list. 2. Select individual objects in the filter list to display specific information. NOTE: You can also choose the Select All check box at the top of the filter list and clear individual objects.
Sorting report results
Use the controls in the grid heading row to sort report results or rearrange the columns of data. An arrow in the column heading identifies the sort criteria and order, ascending or descending, being used to display information.
Safeguard for Privileged Passwords 2.11.1 Administration Guide 99
Using the desktop client
�To sort columns 1. Click the column heading to be used for the sort criteria. 2. The sort order is in ascending order. To change it to descending order, click the heading a second time. 3. To specify a secondary sort order, press the SHIFT key and then click the heading of the column to be used for the secondary sort order.
To move columns To change the order of the columns, click the heading of the column to be moved. Drag and drop the column to a new location within the grid.
To change the columns that display
In the upper right corner, click Column to see a list of columns that can be displayed in the grid. Select the check box for data to be included in the report. Clear the check box for data to be excluded from the report. The additional columns available depend on the type of activity included in the report.
Reports
Reports allows the Auditor and Security Policy Administrators to view and export entitlement reports that show which assets and accounts a selected user is authorized to access. Reports may be exported in .csv or .json format.
Reports toolbar
The toolbar at the top of Reports contains these options.
l Refresh: Updates the entitlement report.
l Export: Used to create a .csv or a .json file of the report. Different information may be returned based on whether you select CSV or JSON. For example, JSON includes details of accounts discovered and CSV includes only the count of accounts.
Once the report is exported, you can convert timestamps to local time, if necessary. For more information, see Converting time stamps on page 102.
Entitlement reports
Safeguard for Privileged Passwords provides these entitlement reports. l User: Lists information about the accounts a selected user is authorized to request. l Asset: Lists information about the accounts associated with a selected asset and the users who have authorization to request those accounts. l Account: Lists detailed information about the users who have authorization to request a selected account including: Entitlement, Policy, Access Type, Password
Safeguard for Privileged Passwords 2.11.1 Administration Guide Using the desktop client
100
�Included, Password Change, Time Restrictions, Expiration Date, Group, From Linked Account, and Last Accessed.
Running an entitlement report
You can run an entitlement report.
To run an entitlement report
1. From the Safeguard for Privileged Passwords desktop Home page, select Reports.
2. In the first drop-down, choose a type of report: User, Asset, or Account. 3. In the second drop-down, you can select All or you can select Browse to select one
or more objects for the report. If you select multiple objects, the selected objects display in the center of the page. Click a selected object to display the object's information at the bottom of the page. 4. The top of the report displays the following information. User:
l Name: The name of the user. l Username: The user name used for authentication. l Domain name: The name of the domain of the user. l Accounts: Number of accounts each user is allowed to access.
NOTE: If an access request policy allows password access to linked accounts, an account may display twice: once based on the policy scope and a second time because it is a linked account. In the bottom grid, see the From Linked Account column. For more information, see Access Config tab on page 276. Asset: l Name: The name of the asset. l Accounts: Number of accounts on this asset that can be accessed. l Requesters: Number of users allowed to request access to the asset's accounts. l Partition: The name of the partition to which the asset belongs. l Users: The name of the requesters allowed to request access. Account: l Name: Name of the account. l Asset: Name of the asset associated with the account. l Domain Name: If applicable, the domain of the account. l Requesters: Number of requesters allowed to access an account.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Using the desktop client
101
�5. Select an item from the top pane to view additional detail in the lower pane. NOTE: For entitlements by assets, you can continue to drill down into the details of an item. For example, you can view both the Total Accounts tab and the People tab to see more details about the users that can request the accounts on an asset. Select an item from the results to drill down further into the details about the users and the accounts.
6. To filter the results, use the filter control in the column heading. For more information, see Filtering report results on page 99.
To export the report
1. To export, select Export and then select Export as CSV or Export as JSON. Save the file to the location desired. Different information may be returned based on whether you select CSV or JSON. For example, JSON includes details of accounts discovered and CSV includes only the count of accounts.
2. Once the report is exported, you can convert time stamps to local time, if necessary. For more information, see Converting time stamps on page 102.
To run the report Click the Run button to generate the report.
Converting time stamps
When you export .csv or .json files, the time stamp will be in UTC/GMT time. You can convert the time to your local time. .csv opened in Excel
1. Identify how many hours different your local time is from the UTC or GMT exported by googling "UTC to my time." The value will be within the -12 to 12 range.
2. In the column to the right of the time stamp, enter one of the following formulas. These examples assume the exported time is in cell J1 and the exported time is -7 hours after the current local time. l =J1-TIME(7,0,0) l =J1+(-7 / 24) Below, the exported time stamp is 17:55:59 GMT (5:55:59 p.m.).
Safeguard for Privileged Passwords 2.11.1 Administration Guide Using the desktop client
102
�The formula converts the time to the local time stamp of 10:55:59 p.m.
.json You can find code to convert JSON UTC time to local time. One possible source: https://stackoverflow.com/questions/42376914/json-utc-time-to-local-time
Administrative Tools
The Administrative Tools allow you to add all the objects you need to write access request policies, such as users, accounts, and assets. From this view, you can also configure all of the Safeguard for Privileged Passwords settings.
NOTE: You must have administrator permissions to use the Administrative Tools and the administrator permissions you have determine what you can view and modify.
The navigation pane along the left side of the console gives you access to these administrative tools.
Table 10: Administrative Tools
Administrative Tools
Description
Administrator permissions
Toolbox
Where you can gain quick access to all Users with any
the tasks you can perform from a single Safeguard administrator
portal
privileges
Accounts
Where you associate account identities Asset Administrator or
with managed systems
Auditor
Account Groups
Where you define sets of accounts that you can add to the scope of an access request policy
Auditor or Security Policy Administrator
Assets
Where you add computers, servers, network devices, or applications to be managed by a Safeguard for Privileged Passwords Appliance
Asset Administrator or Auditor
Asset Groups
Where you define sets of assets that you can add to the scope of an access request policy
Auditor or Security Policy Administrator
Safeguard for Privileged Passwords 2.11.1 Administration Guide Using the desktop client
103
�Administrative Tools Discovery Entitlements Partitions Settings
Users
User Groups
Description
Administrator permissions
Where you configure asset and account discovery jobs which apply a set of rules to discover and automatically add assets and accounts to Safeguard for Privileged Passwords
Auditor or Asset Administrator
Where you specify the access request policies that restrict system access to authorized users
Auditor or Security Policy Administrator
Where you define collections of assets Asset Administrator,
that can be used to segregate assets for Auditor, or delegated
delegation
partition owner
Where you configure Safeguard for Privileged Passwords to run backups, install updates, manage clusters, manage certificates, enable event notifications, configure external integration, define profile configurations settings, define user password rules, define discovery rules, and run troubleshooting tools.
Users with any Safeguard administrator privileges; however, the settings available depend on the administrative permissions assigned.
Where you set up users who can log in to Safeguard for Privileged Passwords.
Bootstrap, Asset Administrator, Auditor, Authorizer Administrator, Help Desk Administrator, Security Policy Administrator, or User Administrator
Where you define sets of Safeguard for Privileged Passwords users that you can add to an entitlement.
Bootstrap, Auditor, Authorizer Administrator, Security Policy Administrator, or User Administrator
All of the Administrative Tools views have the following components, except for the Toolbox and Settings:
l Toolbar options across the top of the view. l Object list (left pane) l Search box at the top of the object list. l Details pane (right pane)
Safeguard for Privileged Passwords 2.11.1 Administration Guide Using the desktop client
104
�Toolbar options
The toolbar at the top of the views (except for the Toolbox and Settings), contain these options, depending on your Administrator permissions and the administrative tool you are in. These buttons are available:
l Apply to apply the changes and keep the dialog open l OK to apply the changes and close the dialog. l Cancel to ignore any changes made, if any, and close the dialog.
Toolbar options include the following.
l Add: Add objects to the Safeguard for Privileged Passwords appliance.
l Delete: Remove objects from the appliance.
l Refresh the screen.
NOTE: Whenever you add, modify, or delete an object in Administrative Tools, the changes you make cannot be seen by other administrators running Safeguard for Privileged Passwords on other clients unless they click Refresh.
l Import : Only available for Accounts, Assets, and Users. Add a set of objects from a .csv file. For more information, see Importing objects on page 462.
l User Security: Only available for Users. Menu options include Set Password and Unlock accounts. For more information about these options, refer to Setting a local user's password and Unlocking a user's account.
l Account Security: Only available for Accounts. Menu options include: Set Password, Check Password, and Change Password. For more information, see Checking, changing, or setting an account password on page 156.
l Permissions: Only available for Users. Set administrator permissions for users. For more information, see Administrator permissions on page 507.
l Set as Default: Only available for Partitions. Set a partition as the default. For more information, see Setting a default partition and Setting a default partition profile.
l
Download SSH Key: Only available for Assets. Add the SSH Key to the selected
asset. For more information, see Downloading a public SSH key on page 214.
l
Password Archive: Only available for Accounts. Display the password
history for the selected account. For more information, see Viewing password
archive on page 157.
l
Access Requests: Only available for Accounts and Assets. Enable or disable
access request services for the selected account or asset.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Using the desktop client
105
�l
Show Disabled: Display the accounts or assets marked as disabled.
l
Hide Disabled: Hide the accounts or assets marked as disabled.
l
Sync Now: Only available for Assets. Run the directory addition and deletion
synchronization process on demand. In addition, it runs through the discovery, if
there are discovery rules and configurations set up.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Using the desktop client
106
�9
Privileged access requests
Safeguard for Privileged Passwords provides a workflow engine that supports time restrictions, multiple approvers, reviewers, emergency access, and expiration of policy. It also includes the ability to input reason codes and integrate directly with ticketing systems.
In order for a request to progress through the workflow process, authorized users perform assigned tasks. These tasks are performed from the user's Home page in the desktop client or web client.
As a Safeguard for Privileged Passwords user, your Home page provides a quick view to the access request tasks that need your immediate attention. In addition, an Administrator can set up alerts to be sent to users when there are pending tasks needing attention. For more information, see Configuring alerts on page 108.
The access request tasks you see on your Home page depend on the rights and permissions you have been assigned by an entitlement's access request policies. For example:
l Requesters see tasks related to submitting new access requests, as well as actions to be taken once a request has been approved (for example, viewing passwords, copying passwords, launching sessions, and checking in completed requests).
Requesters can also define favorite requests, which then appear on their Home page for subsequent use. This can be done from either the desktop client or web client:
l
Desktop client: For more information, see Desktop client favorite request
on page 84.
l
Web client: For more information, see Favorites (web client) on page 72.
l Approvers see tasks related to approving (or denying) and revoking access requests.
l Designated reviewers see tasks related to reviewing completed (checked in) access requests, including playing back a session if session recording is enabled.
Password release and session requests use a workflow engine; however, the actions taken on a session request are slightly different than those taken on a password release request. Therefore, we will cover each of these access request workflows separately:
l Password release request workflow l Session request workflow
Safeguard for Privileged Passwords 2.11.1 Administration Guide Privileged access requests
107
�Configuring alerts
All users are subscribed to the following email notifications; however, users will not receive email notifications unless they have been included in a policy as a requester (user), approver, or reviewer.
l Access Request Approved l Access Request Denied l Access Request Expired l Access Request Pending Approval l Access Request Revoked l Password was Changed l Review Needed Toast notifications may also appear on your console when the desktop client application is not the active foreground application. Using the desktop client, there are two ways to configure Safeguard for Privileged Passwords to send event alerts to Safeguard for Privileged Passwords users: l Toast notifications l Email notifications
Toast notifications
Toast notifications are alerts that appear on your console when the desktop client application is not the active foreground application. For example, a toast notification may display when you are in another application or when you have minimized the Safeguard for Privileged Passwords desktop client.
(desktop client) To enable toast notifications 1. In the desktop client, open Settings (desktop client). 2. Select the Enable Toast Notifications check box. NOTE: When you select the Run in the System Tray check box, you cannot modify the toast notifications option because in that mode, you always get notifications.
Email notifications
You must configure Safeguard for Privileged Passwords properly for users to receive email notifications:
Safeguard for Privileged Passwords 2.11.1 Administration Guide Privileged access requests
108
�l You must set your email address correctly in the desktop client, My Account. For more information, see User information and log out (desktop client) on page 82.
l The Security Policy Administrator must configure the access request policies to notify people of pending access workflow events (that is, pending approvals and pending reviews). For more information, see Creating an access request policy on page 268.
l The Appliance Administrator must configure the SMTP server. For more information, see Enabling email notifications on page 393.
Role-based email notifications generated by default
Safeguard for Privileged Passwords can be configured to send email notifications warning you of operations that may require investigation or action. Your administrative permissions determine which email notifications you will receive by default.
Table 11: Email notifications based on administrative permissions
Administrative permission
Event/Warning
Appliance Administrator Operations Administrator
Appliance Healthy Appliance Restarted Appliance Sick Appliance Task Failed Archive Task Failed Cluster Failover Started Cluster Replica Enrollment Completed Cluster Replica Removal Started Cluster Reset Started Disk Usage Warning Factory Reset Appliance License Expired License Expiring Soon NTP Error Detected Operational Mode Appliance Raid Error Detected Reboot Appliance Shutdown Appliance
Partition Owner (if none, sent to the Asset Administrator)
NOTE: If Asset Administrators want to be notified
Account Discovery Failed Dependent Asset Update Failed Password Change Failed
Safeguard for Privileged Passwords 2.11.1 Administration Guide Privileged access requests
109
�Administrative permission along with the Partition Owners, they can set themselves up as an explicit owners or create an email subscription for the event (for example, IsSystemOwned=false). The API /service/core/v3/EventSubscribers endpoint can be used to create event subscribers for events, including events on specific assets or accounts.
Security Policy Administrator
Event/Warning Password Check Failed Password Check Mismatch Password Reset Needed Restore Account Failed Ssh Host Key Mismatch Ssh Key Change Failed Ssh Key Install Failed Suspend Account Failed Test Connection Failed Policy Expiration Warning Policy Expired Entitlement Expiration Warning Entitlement Expired
NOTE:Safeguard for Privileged Passwords administrators can use the following API to turn off these built-in email notifications:
POST /service/core/v2/Me/Subscribers/{id}/Disable In addition, Safeguard for Privileged Passwords administrators can subscribe to additional events based on their administrative permissions using the following API:
POST /service/core/v2/Events
Password release request workflow
Safeguard for Privileged Passwords provides secure control of administrative accounts by storing account passwords until they are needed, and releases them only to authorized persons. Then, Safeguard for Privileged Passwords automatically updates the account passwords based on configurable parameters.
Typically, a password release request follows this workflow.
1. Request: Users that are designated as an authorized user of an entitlement can request passwords for any account in the scope of that entitlement's policies.
2. Approve: Depending on how the Security Policy Administrator configured the policy, a password release request will either require approval by one or more Safeguard for Privileged Passwords users, or be auto-approved. This process ensures the security of account passwords, provides accountability, and provides dual control over the system accounts.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Privileged access requests
110
�3. Review: The Security Policy Administrator can optionally configure an access request policy to require a review of completed password release requests for accounts in the scope of the policy.
The following topics explain the entire end-to-end password release process from request to approval to review.
Requesting a password release
If you are designated as an authorized user of an entitlement, you can request passwords for any account in the scope of the entitlement's policies. You can configure Safeguard for Privileged Passwords to notify you of pending password release workflow events, such as when a password release request is pending, denied, or revoked, and so forth. For more information, see Configuring alerts on page 108.
To request a password release
1. Go to the new access request page:
l From the web client, click Home or Request.
My Requests, then click
New
l From the desktop client, go to the Home page, then click New Request.
NOTE: You can also submit an access request from your Favorites pane, if you previously saved it as a favorite.
2. On Asset Selection, select the assets to be included in the access request. The assets available for selection are based on the scope defined in the entitlement's access request policies. There is a limit of 50 assets.
3. On Account & Access Type Selection, select the accounts to be included in the access request and the type of access being requested for each selected account. The accounts include linked accounts, if any. For more information, see Linked Accounts tab (user) on page 448.
l Asset: The display name of the managed system.
l Account: The available account appears in the Account column. When an asset has multiple accounts available, either Select Account(s) or the account name appears as a hyperlink in the Account column. Click the hyperlink in the Account column to display a list of accounts available and select the accounts to be included in the access request.
l Access Type: The type of access request appears in the Access Type column. If the type is a hyperlink, multiple access request types are available. Select the hyperlink and select the access type.
You can remove an asset or account from the list. Select the entry in the grid and click Delete.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Privileged access requests
111
�4. On Request Details, configure the following settings, which will apply to all of the selected assets and accounts:
a. Normal Access: If the policy has emergency access enabled, select this option to gain normal access to this password. Normal access ensures the access request goes through the entire end-to-end access release process from request to approval to review as defined in the policy by the Security Policy Administrator.
b. Emergency Access: If the policy has emergency access enabled, select this option to gain immediate emergency access to this password. When you use Emergency Access, the request requires no approval. For more information, see Creating an access request policy on page 268.
c. Request Immediately: If selected, the request is immediately created. You can clear this option to enter a specific date and time for the request in the user's local time.
d. Checkout Duration: Based on the policy, do one of the following:
l View the checkout duration.
l If the Allow Requester to Change Duration option is enabled in the policy, you can set the days, hours, and minutes that you want to use the password. This overrides the checkout duration set in the access request policy. For more information, see Creating an access request policy on page 268.
e. Ticket Number: If the policy requires a ticket number, enter a ticket number. If multiple accounts are in the request and one or more require a ticket number, the ticket number is applied to all of the requests associated with this access request. This feature is set up through the desktop client.For more information, see Ticketing systems on page 413.
f. Reason: If the policy requires a reason, enter a reason. If multiple accounts are in the request and one or more require a reason. The reason is applied to all of the requests associated with this access request. For more information, see Reasons on page 303.
Select the Description down arrow to view the description defined for the selected reason.
g. Comment: If required, enter information about this request. When multiple accounts are specified in the request, if any of the selected accounts require a comment, you must enter a comment. The comment will be applied to all of the requests associated with this access request. The limit is 255 characters.
5. To save the access request as a favorite, click the Add to Favorites button.
Add to Favorites displays, allowing you to specify a name and description for the access request. It also allows you to assign a color to the request's icon.
This access request is then added to your Favorites. How you manage favorites depends on your interface:
Safeguard for Privileged Passwords 2.11.1 Administration Guide Privileged access requests
112
�l In the web client, favorites are displayed on the Home page and the My Requests page. For more information, see Favorites (web client) on page 72.
l In the desktop client, select the favorite request from the Favorites pane. In the New Access Request dialog, you can edit the request details or enter a required reason or comment before submitting the request. For more information, see Desktop client favorite request on page 84.
6. After entering the required information, click Submit Request. The Results dialog displays the access requests submitted and whether a request was successful.
When the request has been approved, you can use the password. For more information, see Taking action on a password release request on page 113.
Taking action on a password release request
The actions that can be taken on a password release request depends on the state of the request and the client interface you are using.
(web client) To take action on a password release request
1. From the web client, click My Requests. Use any of the following methods to control the request displayed:
l Click Sort By then select to sort by Account Name, Asset Name, Due Next, Expiring Next, Most Recent, or Status.
l Click sort up or sort down to sort in ascending or descending order.
l Click Filters to filter by the status. l All: Requests in all states. l Available: Approved requests that are ready to view or copy. l Pending Approval: Requests that are waiting for approval l Approved: Requests that have been approved, but the checkout time has not arrived. Or, for pending accounts restored when using the Safeguard for Privileged Passwords suspend feature. l Revoked: Approved requests retracted by the approver. The approver can revoke a request after the request has become available. l Expired: Requests for which the checkout duration has elapsed. l Denied: Requests denied by the approver.
l For more information, see Search box on page 63. 2. You can take any of the following actions on the password release request:
Safeguard for Privileged Passwords 2.11.1 Administration Guide Privileged access requests
113
�l Available request: Make selections on the request based on your user interface.
l Click on to expand the box to see the options.
l If your browser allows, click Copy to check out the password. This puts the password into your copy buffer, ready for you to use. Or, click
Show to check out the password and view the password. A password displays on your screen for 20 seconds. If the password changes while you have it checked out, and your current request is still valid, select
either Copy or Show again to obtain the new password.
l Select Hide to conceal the information from view.
l Once you are done working, click password checkout process.
Check-In to complete the
l Approved request: Select Cancel to remove the request.
A password release request changes from Approved to Available when the requested time is reached. It stays available until you either cancel the request or it reaches the end of the duration period.
l Pending request: Select Cancel to remove the request.
l Revoked request: Select again.
Resubmit Request to request the password
Select Remove to delete the request from the list.
l Expired request: Select Remove to delete the request from the list. l Denied request: Select Resubmit Request to request the password again.
Select Remove to delete the request from the list.
(desktop client) To take action on a password release request
1. From your Home page, the Requests widget has these controls: l Select (expand down) to open the list of active requests. l Select Popout to float the Requests pane. You can then select and drag the pane to any location on the console and re-size the window.Open the list of requests. NOTE: You enable or disable the Home page widgets in the Settings (desktop client) menu.
2. Open the list of requests and select one of the following view filters. The number indicates how many requests are in that state.
l All: Requests in all states. l Available: Approved requests that are ready to view or copy.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Privileged access requests
114
�l Approved: Requests that have been approved, but the checkout time has not arrived.
l Pending: Requests that are waiting for approval or for pending accounts restored when using the Safeguard for Privileged Passwords suspend feature.
l Revoked: Approved requests retracted by the approver. The approver can revoke a request between the time the requester views the password and checks it in.
l Expired: Requests for which the checkout duration has elapsed. l Denied: Requests denied by the approver. 3. Select an account to see the details of the password release request. 4. Take the following actions on password release requests: l Available: Make selections on the request based on your user interface.
l Click Copy to check out the password. This puts the password into your copy buffer, ready for you to use. Or, click Show to check out the password and view the password. A password displays on your screen for 20 seconds. If the password changes while you have it checked out, and your current request is still valid, select either Copy or Show again to obtain the new password.
l Select Hide to conceal the information from view. l Once you are done working, click Check-In to complete the password
checkout process. l Approved: Select Cancel to remove the request.
A password release request changes from Approved to Available when the requested time is reached. It stays available until you either cancel the request or it reaches the end of the duration period. l Pending: Select Cancel to remove the request. l Revoked: Select Resubmit Request to request the password again. Select Remove to delete the request from the list. l Expired: Select Remove to delete the request from the list. l Denied: Select Resubmit Request to request the password again. Select Remove to delete the request from the list.
Approving a password release request
Depending on how the Security Policy Administrator configured the policy, a password release request will either require approval by one or more Safeguard for Privileged Passwords users, or be auto-approved. This process ensures the security of account passwords, provides accountability, and provides dual control over the system accounts. You can revoke a request between the time the requester views it and checks it in.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Privileged access requests
115
�Any eligible approver can deny a password release request after it has already been approved or auto-approved. Once disallowed, the requester will no longer have access to the password, but they are given another opportunity to request that password again. The requester receives an email notifying them that the request was denied.
Safeguard for Privileged Passwords can be configured to notify you of a password release request that requires your approval. For more information, see Configuring alerts on page 108.
(web client) To approve or deny a password release request
If you are an approver, click Approvals on the left of the page to manage approvals. On the Approvals page, you can:
l View details: Select the request and the details display on the right of the page.
l Approve one or more request: Select the requests. Then, click selected requests. Optionally, enter a comment.
to approve all the
l Deny one or more request: Select the requests. Then, click selected requests. Optionally, enter a comment.
to deny all the
l Change the columns that display: Click and select the columns you want to see. l Search: For more information, see Search box on page 63.
(desktop client) To approve or deny a password release request
1. From your Home page, the Approvals widget has these controls: a. Select (expand down) to open the list of approvals. b. Select Popout to float the Approvals pane. You can then select and drag the pane to any location on the console and resize the window.
NOTE: You enable or disable the Home page widgets in the Settings (desktop client) menu. 2. Open the list of approvals and select one of the following view filters. The number indicates how many requests are in that state.
l All: Password release requests in all states. l Pending: Requests that are waiting for approval. l Approved: Requests that have been approved, but not yet available to
the requester. 3. Once you open the list, select the requester's name to see the details of the password
release request. 4. Take the following actions on password release requests:
l Pending: Select to Approve or Deny a password release request. Optionally, enter a comment of up to 255 characters.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Privileged access requests
116
�l Pending Additional Approvers: Select to Deny a password release request. Optionally, enter a comment of up to 255 characters.
l Approved: Select to Deny or Revoke an approved request.
Reviewing a completed password release request
The Security Policy Administrator can configure an access request policy to require a review of completed password release requests for accounts in the scope of the policy. You can configure Safeguard for Privileged Passwords to notify you of a password release request that requires your review. For more information, see Configuring alerts on page 108.
(web client) To review a completed password release request
Select Reviews on the left of the page to manage reviews. On the Reviews page, you can:
l View details: Select the request and the details display on the right of the page.
l Mark one or more request as reviewed: Select the requests. Then, click to mark all the selected requests as reviewed. A comment may be required or, if not required, added.
l Change the columns that display: Click and select the columns you want to see. l Search: For more information, see Search box on page 63.
(desktop client) To review a completed password release request 1. From your Home page, the Reviews widget has these controls:
a. Click (expand down) to open the list of pending reviews. b. Click Popout to float the Reviews pane.
You can then select and drag the pane to any location on the console and resize the window. NOTE: You enable or disable the Home page widgets in the Settings (desktop client) menu. 2. Open the list of pending reviews and select an account name to see the details of the password release request. 3. Take the following action on password release requests: l Select Workflow to review the transactions that took place in the selected request.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Privileged access requests
117
�l Select Review to complete the review process. Optionally, enter a comment of up to 255 characters.
Once the review is complete, it no longer appears on the Reviews pane.
TIP: If one requester checks in the request and another requester wants to use it, the second requester is unable to check out the password until the original request has been reviewed. However, the Security Policy Administrator can Close a request that has not yet been reviewed. This will bypass the reviewer in the workflow and allow the account to be accessed by another requester.
Session request workflow
Authorized users can authorize connections, view active connections, limit access to specific resources, be alerted if connections exceed pre-set time limits, and even terminate connections. Typically a session request follows the workflow below:
1. Request: Users that are designated as an authorized user of an entitlement can request a session for any asset in the scope of that entitlement's policies.
2. Approve: Depending on how the Security Policy Administrator configured the policy, a session request will either require approval by one or more Safeguard for Privileged Passwords users, or be auto-approved.
3. Review: The Security Policy Administrator can optionally configure an access request policy to require a review of completed requests for assets in the scope of the policy. In addition, if session recording is enabled in the policy, reviewers can audit the workflow transactions and launch the Desktop Player to replay the session as part of the review process.
The following topics explain the entire end-to-end session access process from request to approval to review (and play back if sessions recording is enabled).
About sessions and recordings
Safeguard for Privileged Passwords proxies all sessions to target resources. Users do not have direct access to resources, therefore, the enterprise is protected against viruses, malware or other dangerous items on the user's system. Safeguard can proxy and record Unix/Linux, Windows, network devices, firewalls, routers and more.
NOTE: PuTTY is used to launch the SSH client for SSH session requests and is included in the install. The desktop client looks for any user-installed PuTTY in the following locations:
Safeguard for Privileged Passwords 2.11.1 Administration Guide Privileged access requests
118
�l Any reference to putty in the PATH environment variable
l c:/Program Files/Putty
l c:/Program Files(x86)/Putty
l c:/Putty
If PuTTY is not found, the desktop client uses the version of PuTTY that it installed at: <user-home-dir>/AppData/Local/Safeguard/putty. If the user later installs PuTTY in any of the locations above, the desktop client uses that version which ensures the user has the latest version of PuTTY.
Important notes
l Sessions requests are enabled by default. However, if authorized users cannot request sessions, check the Session Requests Enabled setting in the desktop client (Administrative Tools | Settings | Access Request | Enable or Disable Services). NOTE: You must have Appliance Administrator permissions to manage the service settings.
l All session activity (every packet sent and action that takes place on the screen, including mouse movements, clicks, and keystrokes) is recorded and available for play back.
l If Safeguard for Privileged Passwords detects no activity for 10 minutes during a privileged session, the session is terminated.
l It is highly recommended to assign an archive server for each Safeguard Appliance's session recording to avoid filling up the appliance's disk space. For more information, see Session Recordings Storage Management on page 438.
Embedded session related notes
CAUTION:The embedded sessions module in Safeguard for Privileged Passwords version 2.7 (and later) will be removed in a future release (to be determined). For uninterrupted service, organizations are advised to join to the more robust Safeguard for Privileged Sessions Appliance for sessions recording and playback.
l For some systems (SUSE and some Debian systems) that use SSH, you must enable password authentication in the package generated configuration file (sshd_config). For example, in the debian sshd_config file, set the following parameter: PasswordAuthentication yes.
l Both SSH and RDP session recordings use the Time Stamping Certificate Authority. For more information, see Sessions Certificates on page 353. Recordings are signed and time stamped every 30 seconds so that partial recordings may be verified as authentic.
l During an RDP session, Safeguard proxies the connection to the target asset.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Privileged access requests
119
�When an RDP connection is established, the embedded sessions module will generate a certificate on the fly and sign it using the RDP Connection Signing Certificate. Therefore, the RDP client trusts the RDP Connection Signing Certificate and the generated certificate that is signed by the RDP Connection Signing Certificate. This allows the client to verify that the connection is trusted.
l During an SSH session, Safeguard proxies the connection to the target asset. Therefore, Safeguard for Privileged Passwords's SSH host key (Settings | Sessions | SSH Host Key) must be trusted by the client. This SSH host key is unique and produced during manufacturing. This key can be trusted by the client or replaced with a different key if desired.
Requesting session access
If you are designated as an authorized user of an entitlement, you can request access for a specific period (or session) to any account or asset in the scope of the entitlement's policies.
You can configure Safeguard for Privileged Passwords to notify you of pending access request workflow events, such as when a session request is pending, denied, or revoked, and so on. For more information, see Configuring alerts on page 108.
To request session access 1. Go to the new access request page:
l From the web client, click Home or New Request.
My Requests, then click
l From the desktop client, go to the Home page, then click New Request.
NOTE: You can also submit an access request from your Favorites pane, if you previously saved it as a favorite.
2. On Asset Selection, select the assets to be included in the access request. The assets available for selection are based on the scope defined in the entitlement's access request policies. The limit is 50 assets.
3. On Account & Access Type Selection, select the accounts to be included in the access request and the type of access being requested for each selected account. The accounts include linked accounts, if any. For more information, see Linked Accounts tab (user) on page 448.
l Asset: The display name of the managed system.
l Network Address: The network host name or IP address of the managed system.
l Account: The accounts available appear in the Account column. When an asset has multiple accounts available, either Select Account(s) or the account name appears as a hyperlink in the Account column. Click the
Safeguard for Privileged Passwords 2.11.1 Administration Guide Privileged access requests
120
�hyperlink in the Account column to display a list of accounts available and select the accounts to be included in the access request.
The accounts available for selection are based on the Asset-Based Session Access setting. For more information, see Access Config tab on page 276. Or, the accounts available for selection may have been added in the Scope tab when editing the entitlement access policy. For more information, see Scope tab on page 270.
The settings are:
l If None is selected in the access request policy, the accounts Safeguard for Privileged Passwords retrieved from the vault will be available for selection. The selected account will then be used when the session is requested.
l If User Supplied is selected in the access request policy, you will be required to enter the user credentials as part of the request workflow, prior to launching the SSH, RDP, or telnet session.
l If Linked Account is selected in the access request policy, linked directory accounts will be available for selection. The selected account will then be used when the session is requested.
l If Directory Account is selected in the access request policy, only the specified directory accounts will be available for selection. The selected directory account will then be used when the session is requested.
l Domain: The name of the domain for the request.
l Access Type: The type of access request appears in the Access Type column. When multiple access request types are available, this value appears as a hyperlink, which when selected displays an additional dialog allowing you to select the access type. Select one of the following for a session request: RDP, SSH, or Telnet.
The access type options available depend on the type of asset selected on Asset Selection. For example, RDP is only available for Windows sessions.
You can remove an asset or account from the list, select the entry and click Delete.
4. On the Request Details tab, configure the following settings, which will apply to all of the selected assets and accounts:
a. Normal Access: If the policy has emergency access enabled, select this option to gain normal access to this password. Normal access ensures the access request goes through the entire end-to-end access release process from request to approval to review as defined in the policy by the Security Policy Administrator.
b. Emergency Access: If the policy has emergency access enabled, select this option to gain immediate emergency access to this password. When you use Emergency Access, the request requires no approval. For more information, see Creating an access request policy on page 268.
c. Request Immediately: Clear this option to enter a specific date and time for
Safeguard for Privileged Passwords 2.11.1 Administration Guide Privileged access requests
121
�the request. Enter the time in the user's local time.
d. Checkout Duration: This either displays the checkout duration; or, if the Allow Requester to Change Duration option is enabled in the policy, it allows you to set the days, hours, and minutes that you want the password and overrides the checkout duration set in the access request policy. For more information, see Creating an access request policy on page 268.
e. Ticket Number: If the policy requires a ticket number, enter a valid ticket number for this request. When multiple accounts are specified in the request, if any of the selected accounts require a ticket number, you must specify a valid ticket number. The specified ticket number will be applied to all of the requests associated with this access request. This feature is set up through the desktop client. For more information, see Ticketing systems on page 413.
f. Reason: If the policy requires reason, select an access request reason code for this request. Select the Description down arrow to view the description defined for the selected reason. When multiple accounts are specified in the request, if any of the selected accounts require a reason, you must specify a reason. The specified reason will be applied to all of the requests associated with this access request. For more information, see Reasons on page 303.
g. Comment: Enter information about this request. When multiple accounts are specified in the request, if any of the selected accounts require a comment, you must enter a comment. The comment will be applied to all of the requests associated with this access request. The limit is 255 characters.
5. To save the access request as a favorite, click the Add to Favorites button.
Add to Favorites displays, allowing you to specify a name and description for the access request. It also allows you to assign a color to the request's icon.
This access request is then added to your Favorites. How you manage favorites depends on your interface:
l In the web client, favorites are displayed on the Home page and the My Requests page. For more information, see Favorites (web client) on page 72.
l In the desktop client, select the favorite request from the Favorites pane. In the New Access Request dialog, you can edit the request details or enter a required reason or comment before submitting the request. For more information, see Desktop client favorite request on page 84.
6. After entering the required information, click Submit Request. Access Request Result displays showing you the access requests submitted and whether a request was successful.
7. To copy or view information, click the active request.
(expand down) arrow on the left of an
l If the access request is for sessions:
l Click Copy to copy the connection string to the clipboard. Paste the string into a client application to launch the session.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Privileged access requests
122
�l Click Show to view the connection string. l Click Help to copy the value into the appropriate field of the
configuration dialog. l If the access request is for passwords:
l Click Copy to copy credential to the clipboard. The credential can then be pasted into the dialog that needs the credential to grant access.
l Click Show to view the credential. l Click Help to copy the value into the appropriate field of the
configuration dialog.
If the session does not launch In a rare event that the access request does not result in a launchable session request, the following notifications display:
l Please try again. The linked sessions module state is currently down or may be in a locked state. This message may mean one of the following: l SPP could not contact SPS. Try again so the request can be redirected to another managed host in the SPS cluster. l The SPS configuration is locked. Try again because this condition is typically because the SPS administrator is making configuration changes to the SPS appliance at the same time that a new access request is being created or a session is being launched.
l Missing the session connection policy. or The selected Access Request Policy cannot be used to initiate a session from SPP. The highest priority policy must be associated with a valid SPS connection policy. Check the connection policy configuration. In the desktop client, go to Entitlements | Access Request Policy | Sessions Settings to add a valid connection policy. Save the policy and recreate the access request. For more information, see Session Settings tab on page 277.
Taking action on a session request
The actions a user authorized to request access to a privileged session can take depends on the state of the request and the client interface you are using.
(web client) To take action on a session request
1. From the web client, click My Requests. 2. Search to find what you need. For more information, see Search box on page 63.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Privileged access requests
123
�3. Click Filters to filter by the status. l All: Requests in all states.
l Available: Approved requests that are ready (that is, a session that can be launched).
l Pending Approval: Requests that are waiting for approval.
l Approved: Requests that have been approved, but the checkout time has not arrived.
l Revoked: Approved requests retracted by the approver.
l The approver can revoke a request after it is available.
l When a user with Security Policy Administrator permissions revokes a live session, the active session is terminated.
l Expired: Requests for which the checkout duration has elapsed.
l Denied: Requests denied by the approver.
4. Click or to see more or less information on the request. 5. You can take the following actions on session requests, depending on the state.
l Available: If the password changes while you have it checked out, and your
current request is still valid, select either Copy or Show again to obtain the new password, if enabled by your Administrator. Seconds Remaining shows you how long you have to copy information to use to log in.
l For SSH and RDP accounts:
l Click Launch to launch the SSH client or RDP connection. For more information, see Launching the SSH client or Launching an RDP session.
l Click Check-In to complete the checkout process once you have ended your session.
l In addition, you can use the following buttons to view or copy information into the dialog that contains the credentials needed to launch the session.
l Click Copy to check out and copy the credential.
l Click Show to check out the credential and view the credential.
l For telnet or TN3270/TN5250 over telnet accounts, the fields needed are based on the terminal service application in use:
l For a terminal service application that uses an inband connection string (like telnet), click Copy to copy the Hostname Connection string and check out the password. Then, paste the information in the log in screen.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Privileged access requests
124
�l If the terminal service application requires more information for log in (for example, TN3270/TN5250 over telnet):
l Click Show to display values that may include Vault Address (the SPP address), a one-time Token, Username, Asset, and Sessions Module (the SPS address).
l Click Copy by any of the values to copy a single value. Or, you can click Copy at the right of all values to copy the entire the connection string, if that is required by your terminal service application.
l Paste the necessary information into your terminal service application.
l Click Check-In to complete the password checkout process. This makes the session request available to reviewers.
l Click Hide to conceal the information from view. l Approved: Select Cancel to remove the request. A session request
changes from Approved to Available when the requested time is reached. It stays available until you either cancel the request or it reaches the end of the duration period. l Pending: Click Cancel to remove the request. l Revoked:
l Click Resubmit Request to request the password again. l Click Remove to delete the request from the list. l Expired: Click Remove to delete the request from the list. l Denied: l Click Resubmit Request to request the password again. l Click Remove to delete the request from the list.
(desktop client) To take action on a session request
1. From your Home page, use any of these controls on the Requests widget, as needed. You can enable or disable the Home page widgets in the Settings (desktop client) menu. l Select (expand down) to open the list of active requests. l Select Popout. You can then select and drag the pane to any location on the console and re-size the window to float the Requests pane.
2. Open the list of requests and select one of these view filters. The number indicates how many requests are in that state. l All: Requests in all states l Available: Approved requests that are ready (that is, a session that can be launched)
Safeguard for Privileged Passwords 2.11.1 Administration Guide Privileged access requests
125
�l Approved: Requests that have been approved, but the checkout time has not arrived
l Pending Approval: Requests that are waiting for approval
l Revoked: Approved requests retracted by the approver
l The approver can revoke a request between the time the requester launches the session and checks it back in.
l When a user with Security Policy Administrator permissions revokes a live session, the active session is terminated.
l Expired: Requests for which the checkout duration has elapsed.
l Denied: Requests denied by the approver.
3. Select an account to see the details of the session request.
4. You can take the following actions on session requests, depending on the state.
l Available: If the password changes while you have it checked out, and your
current request is still valid, select either Copy or Show again to obtain the new password, if enabled by your Administrator. Seconds Remaining shows you how long you have to copy information to use to log in.
l For SSH and RDP accounts:
l Click Launch to launch the SSH client or RDP connection. For more information, see Launching the SSH client or Launching an RDP session.
l Click Check-In to complete the checkout process once you have ended your session.
l In addition, you can use the following buttons to view or copy information into the dialog that contains the credentials needed to launch the session.
l Click Copy to check out and copy the credential.
l Click Show to check out the credential and view the credential.
l Click Help to copy the value into the appropriate field of the configuration dialog.
l For telnet or TN3270/TN5250 over telnet accounts, the fields needed are based on the terminal service application in use:
l For a terminal service application that uses an inband connection string (like telnet), click Copy to copy the Hostname Connection string and check out the password. Then, paste the information in the log in screen.
l If the terminal service application requires more information for log in (for example, TN3270/TN5250 over telnet):
Safeguard for Privileged Passwords 2.11.1 Administration Guide Privileged access requests
126
�l Click Show to display values that may include Vault Address (the SPP address), a one-time Token, Username, Asset, and Sessions Module (the SPS address).
l Click Copy by any of the values to copy a single value. Or, you can click Copy at the right of all values to copy the entire the connection string, if that is required by your terminal service application.
l Paste the necessary information into your terminal service application.
l Click Check-In to complete the password checkout process. This makes the session request available to reviewers.
l Click Hide to conceal the information from view. l Approved: Select Cancel to remove the request. A session request
changes from Approved to Available when the requested time is reached. It stays available until you either cancel the request or it reaches the end of the duration period. l Pending Approval: Click Cancel to remove the request. l Revoked:
l Click Resubmit Request to request the password again. l Click Remove to delete the request from the list. l Expired: Click Remove to delete the request from the list. l Denied: l Click Resubmit Request to request the password again. l Click Remove to delete the request from the list.
Approving a session request
Depending on how the Security Policy Administrator configured the policy, a sessions request will either require approval by one or more Safeguard for Privileged Passwords users, or be auto-approved. You can configure Safeguard for Privileged Passwords to notify you of an access request that requires your approval. For more information, see Configuring alerts on page 108.
(web client) To approve or deny a session request
If you are an approver, click Approvals on the left of the page to manage approvals. On the Approvals page, you can:
Safeguard for Privileged Passwords 2.11.1 Administration Guide Privileged access requests
127
�l View details: Select the request and the details display on the right of the page.
l Approve one or more request: Select the requests. Then, click selected requests. Optionally, enter a comment.
to approve all the
l Deny one or more request: Select the requests. Then, click selected requests. Optionally, enter a comment.
to deny all the
l Change the columns that display: Click and select the columns you want to see. l Search: For more information, see Search box on page 63.
(desktop client) To approve or deny a sessions request
1. From your Home page, the Approvals widget has these controls: a. Select (expand down) to open the list of approvals. b. Select Popout to float the Approvals pane. You can then select and drag the pane to any location on the console and resize the window.
NOTE: You enable or disable the Home page widgets in the Settings (desktop client) menu. 2. Open the list of approvals and select one of these view filters:
State All Pending Approved
Description Requests in all states Requests that are waiting for approval Requests that have been approved, but not yet available to the requester
NOTE: The number indicates how many requests are in that state.
3. Once you open the list, select the requester's name to see the details of the sessions request.
4. Take the following actions on sessions requests:
State
Actions
Pending
Select to Approve or Deny a sessions request. Optionally, enter a comment of up to 255 characters.
Pending Additional Select to Deny a sessions request.
Approvers
Optionally, enter a comment of up to 255 characters.
Approved
Select to Deny or Revoke an approved request.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Privileged access requests
128
�State
Actions
You can revoke a request between the time the requester views it and checks it in.
Any eligible approver can deny an access request after it has already been approved or auto-approved. Once disallowed, the requester will no longer be able to access the requested session, but they are given another opportunity to request that session again. The requester receives an email notifying them that the request was denied. For more information, see Configuring alerts on page 108.
Launching the SSH client
Once an SSH session request becomes available, the requester can launch the SSH client to start the session. This is applicable for both the web client and desktop client user interfaces.
To launch the SSH client to begin your session then close your session
1. If the User Supplied option is selected in the policy, you will be prompted to enter your user credentials. After entering the requested credentials, click Apply. This will retrieve the information (for example, Hostname Connection String) required to launch the SSH client.
2. Click the Launch button to the right of the asset name.
l In the web client, a session will launch if you have an application registered (ssh:// for SSH protocol).
l In the desktop client, clicking Launch displays the PuTTY Configuration dialog. The required information is populated, click Open to launch the SSH client. If the required information is not populated in the PuTTY Configuration dialog, use the following buttons to copy and paste the information into the dialog:
l Use the buttons to the right of the Hostname Connection String to perform the following tasks:
l View: To view the hostname connection string
l Copy: To copy the value to your copy buffer, which can then be pasted into the Hostname field of the PuTTY Configuration dialog
l Help: To copy the value into the Hostname field of the PuTTY Configuration dialog
l Use the buttons to the right of the Password to perform the following tasks.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Privileged access requests
129
�l View: To view the password
l Copy: To copy the password to your copy buffer, which can then be pasted into the Password field of the PuTTY Configuration dialog
l Help: To copy the value into the Password field of the PuTTY Configuration dialog
NOTE: The Password field only appears if the Include password release with session requests option (Access Config tab) is selected in the entitlement's access request policy.
3. In the SSH client, run the commands or programs on the target host.
If there is no activity in an open session for about 10 minutes, the session will be terminated. However, as long as the request is in an Available state, you can launch the session again to resume your tasks.
4. Once you are completed, log out of the target host and select Check in to complete the session request process.
This makes the session request available to reviewers. If the Record Sessions option is enabled in the policy, the reviewer can play back the recording as part of the review process. In addition, if the Enable Command Detection option is selected in the policy, the reviewer can view a list of the commands and programs run during the session.
Launching an RDP session
Once an RDP session request becomes available, the requester can launch the remote desktop connection to start the session. This is applicable for both the web client and desktop client user interfaces.
To launch a remote desktop connection
1. If the User Supplied option is selected in the policy, you will be prompted to enter your user credentials. After entering the requested credentials, click Apply. This will retrieve the information (for example, Username Connection String) required to launch the remote desktop session.
2. Depending on your interface:
l
(desktop client) Click the Launch button to the right of the asset name.
Clicking this button displays the Remote Desktop Connection dialog. Click
Connect to launch the remote desktop session.
l
(web client) In the web client:
l If you have an application registered (rdp:// for RDP sessions), you can click the Launch button to the right of the asset name then click Connect . See KB 313918 for details on application registration. A password must be entered and we recommend sg. A blank password will
Safeguard for Privileged Passwords 2.11.1 Administration Guide Privileged access requests
130
�cause the session to fail.
l If you do not have an application registered, download the RDP launch file instead of using the Launch button. A password must be entered and we recommend sg. A blank password will cause the session to fail.
NOTE: If the required information is not populated in the Remote Desktop Connection dialog, use the following buttons to copy and paste the information into the dialog:
1. Use the buttons to the right of the Username Connection String to perform the following tasks:
l View: To view the username connection string.
l Copy: To copy the value to your copy buffer, which can then be pasted into the Username field of the Remote Desktop Connection dialog.
l Help: To copy the value into the Username field of the Remote Desktop Connection dialog.
2. Use the buttons to the right of the Password to perform the following tasks:
l View: To view the password.
l Copy: To copy the password to your copy buffer, which can then be pasted into the Password field of the Remote Desktop Connection dialog.
l Help: To copy the value into the Password field of the Remote Desktop Connection dialog.
NOTE: The Password field only appears if the Include password release with session requests option (Access Config tab) is selected in the entitlement's access request policy.
Begin your RDP session and close the session
1. In the remote desktop session, run the commands or programs on the target host. If there is no activity in an open session for about 10 minutes, the session will be terminated. However, as long as the request is in an Available state, you can launch the session again to resume your tasks.
2. Once you are completed, log out of the target host and select Check in to complete the session request process.
This makes the session request available to reviewers. If the Record Sessions option is enabled in the policy, the reviewer can play back the recording as part of the review process. In addition, if the Enable Window Title Detection option is selected in the policy, the reviewer can view a list of the windows opened on the desktop during the session.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Privileged access requests
131
�Reviewing a session request
The Security Policy Administrator can configure an access request policy to require a review of completed session requests for assets or accounts in the scope of the policy.
NOTE: You can configure Safeguard for Privileged Passwords to notify you of an access request that requires your review. For more information, see Configuring alerts on page 108. Desktop Player User Guide To download the player user guide, go to One Identity Safeguard for Privileged Sessions Technical Documentation. Scroll to User Guide and click One Identity Safeguard for Privileged Sessions [version] Safeguard Desktop Player User Guide.
(web client) To review a completed sessions request
Select Reviews on the left of the page to manage reviews. On the Reviews page, you can:
l View details: Select the request and the details display on the right of the page.
l Mark one or more request as reviewed: Select the requests. Then, click to mark all the selected requests as reviewed. A comment may be required or, if not required, added.
l Change the columns that display: Click and select the columns you want to see. l Search: For more information, see Search box on page 63.
(desktop client) To review a completed sessions request
1. From your Home page, the Reviews widget has these controls: a. Click (expand down) to open the list of pending reviews. b. Click Popout to float the Reviews pane. You can then select and drag the pane to any location on the console and resize the window.
NOTE: You enable or disable the Home page widgets in the Settings (desktop client) menu. 2. Open the list of pending reviews and select an account name to see the details of the sessions request. 3. Take the following action on sessions requests:
a. Select Workflow to review the transactions that took place in the selected request. l If Record Sessions is enabled in the policy, click Play on the Initialize Session event to play back the session.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Privileged access requests
132
�A (green dot) indicates the session is live. A user with Security Policy Administrator permissions can click this icon to follow an active session. If the session recording has been archived from the local Safeguard file system or was recorded prior to joining a Sessions Appliance, you will see a Download button instead of a Play button. Click Download to download the recording and then click Play.
CAUTION: If you receive a message like: No Desktop Player. The Safeguard Desktop Player is not installed. Would you like to install it now?, click Yes. See Installing the desktop client, Installing the Desktop Player, step 2.
l If Enable Command Detection is enabled in the policy, expand to show the details and click the events link on the Initialize Session event to view a list of the commands and programs run during the session. For an RDP session, the setting is Enable Windows Title Detection. When enabled, you can view a list of windows that were opened during the privileged session.
b. Select Review to complete the review process. Optionally, enter a comment of up to 255 characters.
Once the review is complete, it no longer appears on the Reviews pane.
Replaying a session
You can play back a recorded session from the Request Workflow dialog, which can be accessed by clicking the Workflow button that appears to reviewers for completed session requests and in the Activity Center view when an access request event is selected in an activity audit log report. In addition, you can play back a recorded session by clicking the icon displayed to the left of an access request session event on the activity audit log report in the Activity Center view.
NOTE: This feature is only available for session requests that have Record Session enabled in the access request policy (Access Config tab).
(desktop client only) To play back a session (Request Workflow dialog)
1. Open the Request Workflow dialog using the Workflow button. NOTE: If accessing the Request Workflow dialog from the Activity Center, select an Access Request Session event from the activity audit log report.
2. Locate an Initialize Session event and click Play to launch the Desktop Player. A (green dot) indicates the session is live. A user with Security Policy Administrator permissions can click this icon to follow an active session. If the session recording has been archived from the local Safeguard file system or was recorded from the embedded session module prior to joining a Sessions
Safeguard for Privileged Passwords 2.11.1 Administration Guide Privileged access requests
133
�Appliance, you will see a Download button instead of a Play button. Click Download to download the recording and then click Play.
CAUTION: If you receive a message like: No Desktop Player. The Safeguard Desktop Player is not installed. would you like to install it now?, click Yes. See Installing the desktop client, Installing the Desktop Player, step 2.
3. Accept the certificate to continue.
In the Certificate error message, click Continue to use the default Session Recording Signing certificate shipped with Safeguard for Privileged Passwords. To use a different SSL certificate, click Abort and then import the appropriate certificates including the root CA.
4. Use one of the following methods to play back the session recording:
l Click l Click l Click
Play Channel from the toolbar at the top of the player. in the thumbnail in the upper right corner of the Information page. Play Channel next to a channel in the Channels pane.
Desktop Player User Guide
To download the player user guide, go to One Identity Safeguard for Privileged Sessions Technical Documentation. Scroll to User Guide and click One Identity Safeguard for Privileged Sessions [version] Safeguard Desktop Player User Guide.
Archiving session recordings
For more information on archiving session recordings, see Session Recordings Storage Management.
Following and terminating a "live" session
An access request session event with a (green dot) in the left-most column of the activity audit log report or Request Workflow dialog indicates that the session is "live". Clicking this button launches the Desktop Player allowing you to follow what is happening in the active session. Safeguard for Privileged Passwords also allows you to terminate an active session directly from the desktop player.
NOTE: You must have Security Policy Administrator permissions to follow an active session.
(desktop client only) To watch or terminate a "live" session
1. From the Request Workflow dialog or Activity Center activity audit log report click the (green dot) next to an access request session event. NOTE:Security Policy Administrators can also launch the Safeguard Desktop Player from the Access Requests view. Select an access request session in the request
Safeguard for Privileged Passwords 2.11.1 Administration Guide Privileged access requests
134
�grid and click the View Live Session toolbar button. The Safeguard Desktop Player launches allowing you to watch the active session. On the Information page, the thumbnail (upper right) displays a blinking red recording button when a session is "live". 2. Use one of the following methods to follow the session:
l Click Play Channel from the toolbar at the top of the player. l Click in the thumbnail in the upper right corner of the Information page. l Click Play Channel next to a channel in the Channels pane. 3. In the play back window, you will see a Terminate button and a Live indicator in the lower right corner. 4. Click Terminate to stop the active session.
NOTE: You can also terminate an active session by revoking the session through the Windows desktop client.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Privileged access requests
135
�10
Toolbox
When you select the Administrative Tools link from the Home page navigation pane, the Toolbox view appears. This view gives you quick-start links to the tasks you can perform.
NOTE: The display is tailored to your Administrator permissions. Each numbered tile gives you quick access to its Administrative Tool. Clicking displays the dialog allowing you to add an object. In addition, the Toolbox allows you to view the status of running tasks.
l Viewing task status l Stopping a task
Viewing task status
Safeguard for Privileged Passwords displays a number on your Toolbox navigation link to notify you when you have any tasks running. To view task status
1. Navigate to the Toolbox. 2. Click Popout to float the Tasks pane.
You can then select and drag the pane to any location on the console and resize the window. 3. Click Remove to delete a task from the pane. 4. Click Cancel next to a running task to stop a task. 5. Click Clear to remove all items from the Tasks pane.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Toolbox
136
�Stopping a task
To stop a task 1. In the Toolbox, open the Tasks pane. 2. Click Cancel next to a running task.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Toolbox
137
�11
Accounts
A Safeguard for Privileged Passwords account is a unique identifier that Safeguard for Privileged Passwords uses to control access to assets. Managed accounts (including directory accounts and service accounts ) and groups of accounts can be associated with an asset. Each account has an associated asset; if you delete an asset, Safeguard for Privileged Passwords permanently deletes all the accounts associated with it. The Auditor and the Asset Administrator have permission to access Accounts. On Unix assets, the accounts are stored in etc/passwd; however, each platform implements this concept differently. Service accounts are designated with a Service Account icon. For more information, see About service accounts on page 193. The Accounts view displays the following information about the selected account.
l General tab (account): Displays general information about the selected account. l Access Request Policies tab (account): Displays the entitlements and access request
policies associated with the selected account. l Account Groups tab (account): Displays the account groups that contain the
selected account. l Dependent Assets (account): Displays the assets that have dependency on the
selected directory account. l Check and Change Log tab (account): Displays the password validation and reset
history for the selected account. l History tab (account): Displays the details of each operation that has affected the
selected account.
For information about configuring Account Discovery in Safeguard for Privileged Passwords, see Account Discovery job workflow. Use these toolbar buttons to manage accounts.
l Add Account: Add accounts to Safeguard for Privileged Passwords. For more information, see Adding an account on page 147.
l Delete Selected: Remove the selected account. For more information, see Deleting an account on page 152.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Accounts
138
�l Refresh: Update the list of accounts.
l Import Accounts: Add accounts to Safeguard for Privileged Passwords. For more information, see Importing objects on page 462.
l Account Security: Menu options include Check Password, Change Password, and Set Password. For more information, see Checking, changing, or setting an account password on page 156.
l Password Archive: Display the password history for the selected account. For more information, see Viewing password archive on page 157.
l Access Requests: Allows you to enable or disable access request services for the selected account. Menu options include: l Enable Password Request l Disable Password Request l Enable Session Request l Disable Session Request
l
Show Disabled: Display the accounts that are not managed and are
disabled and have no associated assets. Account management can be
controlled by right clicking on an asset and selecting Enable-Disable.
l
Hide Disabled: Hide the accounts that are not managed and are disabled
and have no associated assets. Asset management can be controlled by right
clicking on an account and selecting Enable-Disable.
l Search: You can search by a character string or by a selected attribute with
conditions you enter. To search by a selected attribute click Search and select an attribute to search. For more information, see Search box on page 63.
General tab (account)
The General tab lists information about the selected account. Large tiles at the top of the tab display the number of Access Request Policies, Account Groups, and Dependent Assets associated with the selected account. Clicking a tile heading opens the corresponding tab. The time stamps for the password and SSH Key check and change transactions are based on the user's local time. Navigate to Administrative Tools | Accounts | General. Information for the account displays. Not all the information listed below is applicable for every account.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Accounts
139
�Table 12: Accounts General tab: General properties
Property
Description
Name
The name of the selected account.
Distinguished Name For LDAP platforms, the fully qualified distinguished name (FQDN) for the service account
Domain Name (for directories)
The name of the domain where the account was discovered
SID (for directories) Security IDentifer for a Windows account.
Asset
The display name of the managed system associated with this account. Accounts are only associated with one asset.
Partition
The name of the partition where the selected account resides.
Profile
The name of the profile that governs the accounts assigned to a partition.
Password Sync Group
If assigned, the password sync group to control password validation and reset across all associated accounts.
Account Discovery Job
The account discovery job with rule-based settings to discover all accounts that are assigned to the assets in a selected partition, that are made available globally, or that meet the rules criteria.
Date/Time Discovered
The date and time when the account was discovered.
Discovered User ID The User ID of the discovered account.
Discovered Groups (for directories)
The groups in which the account is a member. Click the link to go to the Discovered groups dialog to view the groups.
Enable Password Request
True or False, indicating whether password release requests are enabled for this account.
Enable Session Request
True or False, indicating whether session access requests are enabled for this account.
Available for use across all partitions (Global Access for directories)
When selected, any partition is able to use this account and the password is given to other administrators. For more information, see Adding an Account Discovery rule on page 246.
Last Successful Password Check
The date and time of the last successful password validation.
Password Check Failures
Displays the number of password check tasks that failed.
Next Password
The date and time of the next automated password check as set in
Safeguard for Privileged Passwords 2.11.1 Administration Guide Accounts
140
�Property
Description
Check
the Check Password schedule of the partition profile. For more information, see Adding check password settings on page 425.
Last Successful Password Change
The date and time of the last successful password change.
Next Password Change
The date and time of the next automated password change as set in the Change Password schedule of the partition profile. For more information, see Adding change password settings on page 422.
Password Change Failures
Displays the number of password change tasks that failed.
Last Successful SSH The date and time of the last successful SSH Key change. Key Change
SSH Key Change Failures
Displays the number of SSH key change tasks that failed.
Next SSH Key Change
The date and time of the next SSH Key change.
Tags: Tag assignments for the selected account.
The tiles displayed in the Tags pane include both the dynamic tags added through tagging rules and static tags that were added manually. In addition to viewing tag assignments, Asset Administrators can add and remove statically assigned tags.
NOTE: Dynamically assigned tags contain a lightening bolt icon and cannot be deleted. Static tags which can be removed contain an X icon.
Description: Information about selected account.
Related Topics
Modifying an account
Access Request Policies tab (account)
The Access Request Policies tab displays the entitlements and access request policies, including password release policies and session request policies, associated with the selected account. Navigate to Administrative Tools | Accounts | Access Request Policies.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Accounts
141
�Table 13: Accounts: Access Request Policies tab properties
Property
Description
Entitlement
The name of the access request policy's entitlement.
Access Request Policy
The name of the access request policy that governs the selected account.
Accounts
The number of unique accounts in the account groups that are associated with the access request policy.
# Account Groups The number of unique account groups in the access request policy.
Account Groups
The names of the account groups that associate the selected account with the policy.
Use these buttons on the details toolbar to manage your access request policies associated with the selected account.
Table 14: Accounts: Access Request Policies tab toolbar
Option
Description
Add to Policy Add the selected account to the scope of an access request policy.
Remove Selected
Remove the selected policy.
Refresh
Update the list of access request policies.
Details
View and edit details about the selected access request policy. For more information, see Creating an access request policy.
Search
To locate a specific policy or set of policies in this list, enter the character string to be used to search for a match. For more information, see Search box on page 63.
Account Groups tab (account)
The Account Groups tab displays the account groups that contain the selected account. The Account Groups tab is only available to a user with Auditor permissions. Navigate to Administrative Tools | Accounts | Access Request Policies. Click Add Account Group from the details toolbar to add the selected account to one or more account groups.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Accounts
142
�Table 15: Accounts: Account Groups tab properties
Property
Description
Name
The account group name.
Dynamic
A check mark in this column indicates that the group is a dynamic account group.
Description
Information about the account group.
Use these buttons on the details toolbar to manage the account groups.
Table 16: Accounts: Access Request Policies tab toolbar
Option
Description
Add Account Group
Add the selected account an account group.
Remove Selected
Remove the selected account group from the account.
Refresh
Update the list of account groups assigned to the selected account.
Search
To locate a specific account group in this list, enter the character string to be used to search for a match. For more information, see Search box on page 63.
Related Topics
Adding an account to one or more account groups
Dependent Assets (account)
The Dependent Assets tab only displays for a directory asset and displays the assets that have dependency on the selected directory account. Dependencies are created via Administrative Tools | Assets, Account Dependencies tab, then Add Account. Additional configuration is required. For more information, see Adding account dependencies.
Navigate to Administrative Tools | Accounts | Dependent Assets.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Accounts
143
�Table 17: Accounts: Dependent Assets tab properties
Property
Description
Name
The Windows asset name
Network Address
The network DNS name or IP address of the managed system
Platform
The platform of the selected managed system
Asset Partition
The partition where the Windows asset is assigned
Use these buttons on the details toolbar to manage the dependent assets.
Table 18: Accounts: Access Request Policies tab toolbar
Option
Description
Refresh
Update the list of dependent assets assigned to the selected account.
Search
To locate a specific dependent asset in this list, enter the character string to be used to search for a match. For more information, see Search box on page 63.
Check and Change Log tab (account)
The Check and Change Log tab displays the password validation and reset history for the selected account.
Time Frame: By default, the check and change log entries displayed are for the last 24 hours. Click one of the time intervals at the top of the grid to display log entries for a different time frame. If the display does not refresh after selecting a different time interval, click the Refresh.
Click Add Account Group from the details toolbar to add the selected account to one or more account groups.
Navigate to Administrative Tools | Accounts | Check and Change Log.
Table 19: Accounts: Check and Change Log tab properties
Property
Description
User
The display name of the user that triggered the event
Status
The status of the transaction:
l Failure l Success l Queued
Safeguard for Privileged Passwords 2.11.1 Administration Guide Accounts
144
�Property Reason Type
Date Duration
Description
A system message pertaining to the password validation and reset activity, such as the password matches the asset, was changed successfully, or does not match the asset.
The type of transaction:
l Check Password l Change Password
NOTE:Check and Change Log only displays events that the appliance performs; that is, it only displays Check Password and Change Password transactions. It does not display Set Password transactions. For more information, see Checking, changing, or setting an account password on page 156.
The date of the transaction. The time stamps for transactions are based on the user's local time.
The amount of time the transaction took to complete.
History tab (account)
The History tab allows you to view or export the details of each operation that has affected the selected account. The top of the History tab contains the following information:
l Items: Total number of entries in the history log.
l
Refresh: Update the list displayed.
l
Export: Export the data to a .csv file.
l Search: For more information, see Search box on page 63.
l Time Frame: By default, the history details are displayed for the last 24 hours. Click one of the time intervals at the top of the grid to display history details for a different time frame. If the display does not refresh after selecting a different time interval, click Refresh.
Navigate to Administrative Tools | Accounts | History.
Table 20: Accounts: History tab properties
Property
Description
Date/Time
The date and time of the event
User
The display name of the user that triggered the event
Safeguard for Privileged Passwords 2.11.1 Administration Guide Accounts
145
�Property
Description
Source IP
The network DNS name or IP address of the managed system that triggered the event
Object Name
The name of the selected account
Event
The type of operation made to the selected account:
l Create l Delete l Update l Add Membership l Remove Membership
NOTE:A membership operation indicates a relationship change with a related or parent object such as the selected account was added or removed from the membership of an account group.
Related Object
The name of the related object
Related Object Type The type of the related object
Parent
The name of the object to which the selected account is a child
Parent Object Type The parent object type
Select an event to display this additional information for some types of events (for example, create and update events).
Table 21: Additional History tab properties
Property
Description
Property
The property that was updated
Old Value
The value of the property before it was updated
New Value
The new value of the property
Managing accounts
Use the controls and tabbed pages on the Accounts page to perform the following tasks to manage Safeguard for Privileged Passwords accounts:
l Adding an account l Adding a cloud platform account l Manually adding a tag to an account
Safeguard for Privileged Passwords 2.11.1 Administration Guide Accounts
146
�l Adding an account to one or more account groups l Modifying an account l Deleting an account l Importing objects l Checking, changing, or setting an account password l Viewing password archive
Adding an account
It is the responsibility of the Asset Administrator to add assets and accounts to Safeguard for Privileged Passwords. While an asset can have multiple accounts, you can only associate an account with one asset. The new account displays on the Accounts list.
NOTE: Safeguard for Privileged Passwords allows you to set up account discovery jobs that run automatically. For more information, see Account Discovery job workflow on page 243.
To add an account
1. Navigate to Administrative Tools | Accounts. 2. Click Add Account from the toolbar. 3. In the Assets dialog, for Asset Name, select an asset to associate with this
account. 4. In the Account dialog, enter the following information:
l Name: l Local account: Enter the login user name for this account. Limit: 100 characters. l Directory Account: Browse to find the account.
l Description: (Optional) Enter information about this managed account. Limit: 255 characters.
l Profile: Browse to select a partition profile to govern this account. By default an account inherits the partition profile of its associated asset, but you can assign it to a different profile for this partition. For more information, see Assigning assets or accounts to a partition profile on page 297.
l Enable Password Request: This check box is selected by default, indicating that password release requests are enabled for this account. Clear this option to prevent someone from requesting the password for this account. By default, a user can request the password for any account in the scope of the entitlements in which they are an authorized user.
l Enable Session Request: This check box is selected by default, indicating
Safeguard for Privileged Passwords 2.11.1 Administration Guide Accounts
147
�that session access requests are enabled for this account. Clear this option to prevent someone from requesting session access using this account. By default, a user can make an access request for any account in the scope of the entitlements in which he or she is an authorized user. l (For directory accounts only) Available for use across all partitions: When selected, any partition can use this account and the password is given to other administrators. For example, this account can be used as a dependent account or a service account for other assets. Potentially, you may have assets that are running services as the account, and you can update those assets when the service account changes. If not selected, partition owners and other partitions will not know the account exists. Although archive servers are not bound by partitions, this option must be selected for the directory account for the archive server to be configured with the directory account.
Related Topics
Checking, changing, or setting an account password Assigning assets or accounts to a partition profile Account Discovery job workflow Adding a cloud platform account
Adding a cloud platform account
Safeguard for Privileged Passwords can manage cloud platform accounts such as Amazon Web Services (AWS), Facebook (deprecated), and Twitter (deprecated).
CAUTION: Facebook and Twitter functionality has been deprecated. Refer to the custom platform open source script provided on GitHub. Facebook and Twitter platforms will be remove in a future release.
Before you add cloud platform accounts to Safeguard for Privileged Passwords, you must first add an asset with which to associate the accounts. For more information, see Prepare Amazon Web Services platforms.
To add a cloud platform to Safeguard for Privileged Passwords
1. log in to Safeguard for Privileged Passwords and navigate to Administrative Tools. 2. In Assets, click Add Asset from the toolbar. 3. In the General tab:
a. Name: Enter an asset name that is meaningful to you, such as "Cloud Account Server" which you can use to manage all cloud platform accounts. (You might add separate assets for Facebook accounts and Twitter accounts.)
b. (Optional) Description: Enter a description for the asset.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Accounts
148
�c. Partition: Select the partition you want Safeguard for Privileged Passwords to use to manage the cloud platform account passwords.
d. Profile: Select the profile you want Safeguard for Privileged Passwords to use to manage the cloud platform account passwords.
4. In the Management tab: a. Product: Select the appropriate product, such as Amazon Web Services. b. Version: For Amazon Web Services, select the version. c. Network Address: For Amazon Web Services, enter the AWS Account ID or Alias which can be found on the AWS IAM User's view.
5. For Amazon Web Services, in the Connection tab, select: a. Access Key to authenticate to the asset using an access key. Enter the following information: l Service Account Name: Enter the configured IAM service account. l Access Key ID: Enter the Access Key ID created for the IAM service account. l Secret Key: Enter the Secret Key created for the IAM service account. -ORb. None to not authenticate to the asset and manually manage the asset.
6. For Facebook and Twitter, in the Connection tab, select Account Password to authenticate using the current account password.
Once you add the cloud platform asset, you can associate accounts with it.
To add an account to the cloud platform
1. In Assets, select the cloud platform asset and switch to the Accounts tab. 2. Click Add Account from the details toolbar. 3. In the User Name field, enter the cloud platform account username, email
address, or phone number. For example, for a Twitter account, enter the "@User" account name. 4. In the Password field, enter the account password for the user name you provided. 5. Click Test Connection to verify that Safeguard for Privileged Passwords can communicate with this cloud platform using the credentials that you have provided. 6. (Optional) Enter a Description. 7. Browse to select a profile to govern this account 8. Ensure the Enable Password Request option is checked and click Add Account.
Now you can manually check, change, or set the cloud platform account password; and, Safeguard for Privileged Passwords can automatically manage the password according to the Check and Change settings in the profile governing the account.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Accounts
149
�To resolve a Twitter requirement for additional verification Twitter may prompt for additional verification on the next login if suspicious activity is detected (for example, the login originated from a new device or there were too many failed logins from a device). The additional verification may require entry of the email address associated with the Twitter account or entry of a temporary password sent via email. Safeguard for Privileged Passwords detects the Twitter prompt and displays the login requirement in a status message when the password change fails. The Activity Center Event may display Password Change Failed with the following Checking detail: Additional account verification requested:'RetypeEmail'. To resolve the request for verification so that Twitter trusts the Safeguard for Privileged Passwords Appliance:
1. Open a browser on the same network as the Safeguard for Privileged Passwords Appliance.
2. log in to Twitter as the account. 3. Enter the additional verification requested.
To checkout the cloud platform account
1. Add a cloud platform Account Group and add the accounts to the group. 2. Add an entitlement for the cloud platform accounts. 3. Add users to the entitlements. 4. Add a password release policy to the entitlement. 5. Add the cloud platform Account Group to the scope of the policy.
Manually adding a tag to an account
Asset Administrators can manually add and remove static tags to an account. You cannot manually remove dynamically assigned tags which are defined by rules and indicated by a lightening bolt icon. You must modify the rule associated with the dynamic tag if you want to remove it. For more information, see Modifying an asset or asset account tag on page 333.
To manually add a tag to an account
1. Navigate to Administrative Tools | Accounts. 2. Select an account from the object list (left-pane). 3. Open the General tab and scroll down to view the Tags pane. 4. Click next to the Tags title. Existing tags are displayed. 5. Place your cursor in the edit box and use one method:
Safeguard for Privileged Passwords 2.11.1 Administration Guide Accounts
150
�l Enter the name of a tag.
l Start entering the name of the tag. As you type, existing tags that start with the letters entered appear. Select from the list.
l To add additional tags, press Enter before entering the next tag.
6. Click OK. If you do not see the new tag, click the Refresh toolbar button.
7. To remove a manually assigned tag, click inside the tag box to be removed.
next to the Tags title and click the X
Adding an account to one or more account groups
From the Accounts view you can add an account to one or more account groups.
Select an account group to add to an account 1. Navigate to Administrative Tools | Accounts. 2. In Accounts, select an account from the object list and open the Account Groups tab. 3. Click Add Account Group from the details toolbar. 4. Select one or more account groups from the list in the Account Groups dialog and click OK.
Create an account group to add to an account If you do not see the account group you are looking for and you have Security Policy Administrator permissions, you can create an account group from the Account Groups dialog.
1. Click Create New and enter the following information: l Name: Enter a unique name for the account group. Limit: 50 characters l Description: (Optional) Enter information about this account group. Limit: 255 characters
2. Click Add Account Group. 3. Create additional account groups, as required. 4. Click OK in the Account Groups selection dialog to add the new account groups to
the selected account.
Related Topics
Adding one or more accounts to an account group
Safeguard for Privileged Passwords 2.11.1 Administration Guide Accounts
151
�Modifying an account
Once you add an account, you cannot modify an account's associated asset or its name, but you can modify other information.
To modify an account's information Navigate to Administrative Tools | Accounts.
l To change the description, profile, or request settings, double-click the account from the object list.
l To view the selected account's password validation and reset history, switch to the Check and Change Log tab.
l To view or export the details of each operation that has affected the selected account, switch to the History tab. To export, select the time frame, then
click
Export.
l To reset an account's password, right-click the account name and navigate to Account Security and select to check, change, or set the password. For more information, see Checking, changing, or setting an account password on page 156.
Deleting an account
When you delete an account, Safeguard for Privileged Passwords does not delete it from its associated asset; it simply removes it from Safeguard for Privileged Passwords. If you delete a service account, Safeguard for Privileged Passwords changes the asset's authentication type to None, which disables automatic password management for all accounts that are associated with this asset. All assets must have a service account in order to check and change the passwords for the accounts associated with it. For more information, see About service accounts on page 193.
To delete an account
1. Navigate to Administrative Tools | Accounts. 2. In Accounts, select an account from the object list 3. Click Delete Selected. 4. Confirm your request.
Importing objects
Safeguard for Privileged Passwords allows you to import a .csv file containing a set of accounts, assets, or users. A .csv template for import can be downloaded when you click Import from the toolbar. For more information, see Creating an import file on page 155.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Accounts
152
�Once an import is completed, you can navigate to the Tasks pane in the Toolbox for details about the import process and invalid data messages. For more information, see Viewing task status on page 136.
To import objects
1. In Administrative Tools, click Assets, Accounts, or Users based on what data you are importing.
2. Click Import from the toolbar.
3. In the Import dialog, Browse to select an existing .csv file containing a list of objects to import.
4. When importing assets, the Discover SSH Host Keys option is selected by default indicating that Safeguard will retrieve the required SSH host key for the assets specified in the .csv file.
5. Click OK.
Safeguard for Privileged Passwords imports the objects into its database.
NOTE:Safeguard for Privileged Passwords does not add an object if any column contains invalid data in the .csv file, with the following exceptions:
l Assets PlatformDisplayName property:
1. If Safeguard for Privileged Passwords does not find an exact match, it looks for a partial match. If it finds a partial match, it supplies the <platform> Other platform, such as Other Linux.
2. If it does not find a partial match, it supplies the Other platform type.
l Users TimeZoneId property:
1. If Safeguard for Privileged Passwords does not find a valid TimeZoneId property (that is, does not find an exact match or no time zone was provided), it uses the local workstation's current time zone.
NOTE: Do not enter numbers or abbreviations for the TimeZoneId.
l Users Password property:
1. Safeguard for Privileged Passwords adds a user without validating the password you provide.
Details for importing directory assets, service accounts, users, and user groups
You can use the steps like those above to import your existing directory infrastructure (such as Microsoft Active Directory). Additional information specific to directory import follows.
1. Import the directory (and service account) via Administrative Tools | Assets |
Import Asset and browse to select the .csv file. Safeguard for Privileged Passwords imports the directory as an asset.
The directory's service account is automatically added to the list of accounts you can viewed via the Assets | Accounts tab.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Accounts
153
�l By default, the service account password is automatically managed according to the check and change settings in the profile that governs the partition. For more information, see Creating a profile on page 294. If you do not want Safeguard for Privileged Passwords to manage the service account password, assign the account to a profile that is set to never change passwords. For more information, see Assigning assets or accounts to a partition profile on page 297.
l The service account is added to the asset's Accounts tab and is disabled for password request and session request. For more information, see Accounts tab (asset) on page 178.
l To change either setting, navigate to Administrative Tools | Accounts and double-click the account. Then select the following check boxes, as desired: Enable Password Request and Enable Session Request. For more information, see General tab (account) on page 139.
2. Import users and user groups.
a. Import directory users via Administrative Tools | Users | Import Users and browse to select the .csv file.
b. Assign to user groups via Administrative Tools | Users Groups | Users (select one or multiple users).
c. Automatic synchronization: Once you import directory users and directory groups, Safeguard for Privileged Passwords automatically synchronizes the objects in its database with the directory schema attributes. User and group membership changes in the directory are reflected in Safeguard for Privileged Passwords. Directory users authenticate to Safeguard for Privileged Passwords with their directory credentials.
Active Directory and LDAP synchronization
Active Directory and LDAP data is automatically synchronized by asset or identity and authentication providers schema as shown in the following lists.
Asset schema list
l Users
l Username
l Password (modifiable in LDAP and not modifiable in Active Directory)
l Description
l Groups
l Name
l Member
l Computer
l Name
l Network Address
l Operating System
Safeguard for Privileged Passwords 2.11.1 Administration Guide Accounts
154
�l Operating System Version l Description
Identity and Authentication Providers schema list
l Users l Username l First Name l Last Name l Work Phone l Mobile Phone l Email l Description l External Federation Authentication l Radius Authentication l Managed Objects
l Groups l Name l Members l Description
Creating an import file
When importing objects, such as accounts, assets, or users, Safeguard for Privileged Passwords expects the import file to be a Comma Separated Values (CSV) file. A CSV file is a text file used to store database entries where each line is a unique record and each record consists of fields of data separated by commas. You must not add any trailing spaces in the properties you define in the CSV file. The easiest way to create a CSV file is by using a spreadsheet program such as Microsoft Excel; however, you can use any text editor, such as Notepad, to create a comma-delineated file, as long as you save the file with a .csv file type extension. The order of the columns is not important, but the title of the column must match the property name.
To create a customized .csv file template
1. In the Import dialog, click CSV Template Assistant. 2. Select specific template properties from the template properties table, or select the
select all check box in the heading. Safeguard for Privileged Passwords preselects the required properties; you can select any additional properties you desire. 3. Select Download Template to save a copy of the template properties table to a
Safeguard for Privileged Passwords 2.11.1 Administration Guide Accounts
155
�location of your choice. l Click the View icon in the Values column to display a list of allowable values. Click Copy to copy the selected value to your copy buffer which can then be pasted into your CSV file. l Click Export Full Table, in upper the right corner above the properties table, to save a copy of the properties table.
4. Locate the downloaded template and add your specific information to the template. l Users AdminRoles property: The value for the Authorizer Administrator is "GlobalAdmin". l Safeguard for Privileged Passwords does not add an object if any column contains invalid data in the .csv file with the follow exceptions:
NOTE:Safeguard for Privileged Passwords does not add an object if any column contains invalid data in the .csv file with the follow exceptions:
l Assets PlatformDisplayName property. 1. If Safeguard for Privileged Passwords does not find an exact match, it looks for a partial match. If it finds a partial match it supplies the <platform> Other platform, such as "Other Linux". 2. If it does not find a partial match, it supplies the Other platform type.
l Users TimeZoneId property. 1. If Safeguard for Privileged Passwords does not find a valid TimeZoneId property (that is, does not find an exact match or no timezone was provided), it uses the local workstation's current timezone. Do not enter numbers or abbreviations for TimeZoneId.
l Users Password property. 1. Safeguard for Privileged Passwords adds a user without validating the password you provide.
5. Use the customized .csv file to import the objects.
Checking, changing, or setting an account password
The Asset Administrator can manually check, change, or set an account password from the Account Security menu.
To manually check, change, or set an account password
1. Navigate to Administrative Tools | Accounts. 2. In Accounts, select an account from the object list. 3. Click Account Security from the toolbar. You can also right-click the account
name to open the context menu.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Accounts
156
�Select one of these options: l Check Passwordto verify the account password is in sync with the Safeguard for Privileged Passwords database. If the password verification fails, you can change it. l Change Passwordto reset and synchronize the account password with the Safeguard for Privileged Passwords database. l Set Passwordto set the account password in the Safeguard for Privileged Passwords database. The Set option does not change the account password on the asset.
NOTE: You can view the progress and results of the Check and Change options in the Toolbox | Tasks pane. For more information, see Viewing task status on page 136. 4. The Set Password option provides the following two options.
a. Generate Password: Select this option to have Safeguard for Privileged Passwords generate a new random password, that complies with the password rule that is set in the account's profile. l Click Generate Password to display the Generate Password dialog. l Click Show Password to reveal the new password. l Click Copy to put it into your copy buffer. l log in to your device, using the old password, and change it to the password in your copy buffer. l Click OK to change the password in the Safeguard for Privileged Passwords database or click Cancel to close the dialog without changing the current password in Safeguard for Privileged Passwords.
b. Manual Password: Select this option to manually set the account password in the Safeguard for Privileged Passwords database. l Click Manual Password to display the Set Password dialog. l In the Set Password dialog, enter and confirm the password. Click OK to update the Safeguard for Privileged Passwords database. l Set the account password on the physical device to synchronize it with the Safeguard for Privileged Passwords database.
Viewing password archive
The Asset Administrator can access a previous password for an account for a specific date. The Password Archive dialog only displays previously assigned passwords for the selected asset based on the date specified. This dialog does not display the current password for the asset. The password archive is never purged. You view an account's password validation and reset history on the Check and Change Log tab.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Accounts
157
�To access an account's previous password
1. Navigate to Administrative Tools | Accounts. 2. In Accounts, right-click an account name and choose Password Archive.
Or, click Password Archive from the toolbar. 3. In the Password Archive dialog, select a date.
TIP: If you select today's date (or a previous date) and no entries are returned, this indicates that the asset is still using the current password. 4. In the View column, click to display the password that was assigned to the asset at that given date and time. 5. In the details dialog, click Copy to copy the password to your copy buffer, or click OK to close the dialog.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Accounts
158
�12
Account Groups
A Safeguard for Privileged Passwords account group is a set of accounts which you can add to the scope of an access request policy. For more information, see Creating an access request policy on page 268. The Auditor and the Security Policy Administrator have permission to access Account Groups. The Account Groups view displays the following information about the selected account group.
l General tab (account group): Displays general information about the selected account group.
l Accounts tab (account group): Displays the accounts associated with the selected account group.
l Access Request Policies tab (account group): Displays the entitlements and access request policies associated with the selected account group.
l History tab (account group): Displays the details of each operation that has affected the selected account group.
Use these toolbar buttons to manage account groups.
l Add | Account Group: Add account groups to Safeguard for Privileged Passwords. For more information, see Adding an account group on page 164.
l Add | Dynamic Account Group: Add dynamic account groups to Safeguard for Privileged Passwords. For more information, see Adding a dynamic account group on page 164.
l Delete Selected: Remove the selected account group from Safeguard for Privileged Passwords. For more information, see Deleting an account group on page 169.
l Refresh: Update the list of account groups.
Add | Account Group: Add account groups to Safeguard for Privileged Passwords. For more information, see Adding an account group on page 164.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Account Groups
159
�General tab (account group)
The General tab lists information about the selected Account Group.
Large tiles at the top of the tab display the number of Accounts and Access Request Policies associated with the selected account group.
Table 22: Account Groups General tab: General properties
Property
Description
Name
The selected account group's name
Account Rules
For dynamic account groups, a summary of the asset account rules defined
Description
Information about the selected account group
Related Topics
Modifying an account group
Accounts tab (account group)
The Accounts tab displays the accounts associated with the selected account group.
Click Add Account from the details toolbar to add one or more accounts to the selected account group.
Search: For more information, see Search box on page 63.
Table 23: Account Groups: Accounts tab properties
Property
Description
Name
Name of the account belonging to the selected account group.
Parent
The asset to which the account belongs.
Domain
For directory accounts, the name of the domain the account is associated with.
Ignored
A check in this column indicates that the account is not managed.
Service Account
A check in this column indicates that the account is a service account.
Password Request
A check in this column indicates that password release requests are enabled for this account.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Account Groups
160
�Property Session Request Needs a Password
Description
Description
A check in this column indicates that session access requests are enabled for this account.
Displays if a password is not set for the selected account. For more information, see Checking, changing, or setting an account password on page 156.
Information about the account.
Use these buttons on the details toolbar.
Table 24: Account Groups: Access Request Policies tab toolbar
Option
Description
Add Account
To add one or more accounts to the account group you selected.
Remove Selected
Remove the selected account.
Refresh
Update the list of accounts.
Search
To locate a specific account in this list, enter the character string to be used to search for a match. For more information, see Search box on page 63.
Related Topics
Adding one or more accounts to an account group Modifying an account group
Access Request Policies tab (account group)
The Access Request Policies tab displays the entitlements and policies, including password release and session request policies, associated with the selected account group.
Table 25: Account Groups: Access Request Policies tab properties
Property
Description
Entitlement
The name of the access request policy's entitlement
Access Request
The name of the policy that governs the accounts in the selected
Safeguard for Privileged Passwords 2.11.1 Administration Guide Account Groups
161
�Property Policy Account Groups Accounts
Description account group. The number of unique account groups in the access request policy The number of unique accounts in the account groups that are associated with the access request policy
Use these buttons on the details toolbar to manage your access request policies associated with the selected account group.
Table 26: Account Groups: Access Request Policies tab toolbar
Option
Description
Add to Policy
Add the selected account group to the scope of one or more access request policy. Clicking this button displays the Access Request Policy selection dialog, allowing you to select a policy.
Remove Selected
Remove the selected account group from the scope of the selected access policy.
Refresh
Update the list of access request policies.
Details
View and edit details about the selected access request policy. For more information, see Creating an access request policy.
Search
To locate a specific policy or set of policies in this list, enter the character string to be used to search for a match. For more information, see Search box on page 63.
Related Topics
Adding accounts to an access request policy Modifying an account group
History tab (account group)
The History tab allows you to view or export the details of each operation that has affected the selected account group. The top of the History tab contains the following information:
l Items: Total number of entries in the history log.
l
Refresh: Update the list displayed.
l
Export: Export the data to a .csv file.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Account Groups
162
�l Search: For more information, see Search box on page 63.
l Time Frame: By default, the history details are displayed for the last 24 hours. Click one of the time intervals at the top of the grid to display history details for a different time frame. If the display does not refresh after selecting a different time interval, click Refresh.
Table 27: Account Groups: History tab properties
Property
Description
Date/Time
The date and time of the event
User
The display name of the user that triggered the event
Source IP
The network DNS name or IP address of the managed system that triggered the event
Object Name
The name of the selected account group
Event
The type of operation made to the selected account group:
l Create l Delete l Update l Add Membership l Remove Membership
NOTE:A membership operation indicates a relationship change with a related or parent object such as the selected account group was added or removed from the membership of a policy, or an account was added or removed from the membership of the selected account group.
Related Object
The name of the related object
Related Object Type The type of the related object
Parent
The name of the object to which the selected account group is a child
Parent Object Type The parent object type
Display event details
Select an event to display this additional information for some types of events (for example, create and update events).
Table 28: Additional History tab properties
Property
Description
Property
The property that was updated
Safeguard for Privileged Passwords 2.11.1 Administration Guide Account Groups
163
�Property Old Value New Value
Description The value of the property before it was updated The new value of the property
Managing account groups
Use the controls and tabbed pages in the Account Groups view to perform the following tasks to manage Safeguard for Privileged Passwords account groups:
l Adding an account group l Adding a dynamic account group l Adding one or more accounts to an account group l Adding accounts to an access request policy l Modifying an account group l Deleting an account group
Adding an account group
It is the responsibility of the Security Policy Administrator to add account groups to Safeguard for Privileged Passwords. To add an account group
1. Navigate to Administrative Tools | Account Groups. 2. Click Add | Account Group from the toolbar. 3. In the Account Group dialog, enter the following information:
l Name: Enter a unique name for the account group. Limit: 50 characters
l Description: (Optional) Enter information about this account group. Limit: 255 characters
4. Click Add Account Group.
Adding a dynamic account group
It is the responsibility of the Security Policy Administrator to add dynamic account groups to Safeguard for Privileged Passwords.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Account Groups
164
�Dynamic account groups are associated with rules engines that run when pertinent objects are created or changed. For example:
l Whenever you add or change an asset account, all applicable rules are reevaluated against that asset account.
l Whenever you change an asset account rule, the rule is reevaluated against all asset accounts within the scope of that rule. In other words, the rule is reevaluated against all asset accounts for grouping and the asset accounts within the designated partitions for tagging.
You can create a dynamic account group without any rules; however, no accounts will be added to this dynamic account group until you have added a rule.
In large environments, there is a possibility that the user interface may return before all of the rules have been reevaluated and you may not see the results you were expecting. If this happens, wait a few minutes and Refresh the screen to view the results.
To add a dynamic account group
1. Navigate to Administrative Tools | Account Groups.
2. Click Add | Add Dynamic Account Group from the toolbar.
3. In the Dynamic Account Group dialog, provide information in each of the tabs:
General tab (add dynamic account group)
Where you add general information about the dynamic account group
Account Rules tab (add dynamic account group)
Where you define the rules to be used to identify the accounts to be included in a dynamic account group
Summary tab (add Where you review the rules defined for adding accounts to a
dynamic account dynamic account group, and where you save your selections,
group)
and add the dynamic account group
General tab (add dynamic account group)
On the General tab of the Dynamic Account Group dialog, supply general information about the dynamic account group.
Table 29: Dynamic Account Group: General tab
Property
Description
Name
Enter a unique name for the dynamic account group. Limit: 50 characters
Description
Enter information about this dynamic account group. Limit: 255 characters
Safeguard for Privileged Passwords 2.11.1 Administration Guide Account Groups
165
�Account Rules tab (add dynamic account group)
Use the rule editor controls on the Account Rules tab of the Dynamic Account Group dialog to define the accounts that are to be included in the dynamic account group.
Table 30: Dynamic Account Group: Asset Account Rules tab
Property
Description
Enable rule for this group
Select this check box to include an asset account rule for this dynamic account group. Selecting this check box enables the rule editor controls.
NOTE: You can create a dynamic account group without any rules; however, no accounts will to added to this dynamic account group until you have added a rule.
AND | OR
Click AND to group multiple search criteria together where all criteria must be met in order to be included.
Click OR to group multiple search criteria together where at least one of the criteria must be met in order to be included.
Attribute
In the first query clause box, select the attribute to be searched. Valid attributes include:
l Name (Default) l Description l Platform l Disabled l Tag l Service Account l Partition Name l Asset Name l Asset Tag l Domain Name l NETBIOS Name l Distinguished Name (You cannot do a one-level search
with this attribute.) l SID l Discovered Group Name (Use this selection to not specify
the domain in the search. To specify the domain, select Discovered Group Distinguished Name.) l Discovered Group Distinguished Name (Use this selection to specify the search is for the domain to which the
Safeguard for Privileged Passwords 2.11.1 Administration Guide Account Groups
166
�Property Operator
Search string
| Add Grouping | Remove
Description
group belongs.) l Directory Container (If you use the operator Equal, one
level is found.)
In the middle clause query box, select the operator to be used in the search. The operators available depend upon the data type of the attribute selected. For string attributes, the operators may include:
l Contains (Default) l Does not contain l Starts with l Ends with l Equals l Not equal
For boolean attributes (such as Service Account), the operators may include:
l Is True l Is False
In the last clause query box, enter the search string or value to be used to find a match. If you selected an attribute of Discovered Group Name, Discovered Group Distinguished Name, or Directory Container:
1. Click Browse to go to the Select Directory Asset to Search dialog to locate the search string. The Name, Asset Partition, and Description for each directory display.
2. Choose a directory and click OK. 3. On the Location dialog, select the location and click OK.
Click to the left of a search clause to add an additional clause to the search criteria. Click to remove the search clause from the search criteria.
Click the Add Grouping button to add an additional set of conditions to be met. A new grouping is added under the last query clause in a group and appears in a bordered pane, showing that it is subordinate to the higher-level query conditions.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Account Groups
167
�Property Preview
Description
Click the Remove button to remove a grouping from the search criteria.
Click Preview to run the query in order to review the results of the query before adding the dynamic group.
Summary tab (add dynamic account group)
On the Summary tab of the Dynamic Account Group dialog, review the rules defined and add the dynamic account group.
1. Review the rules defined for this dynamic account group. 2. Return to the Account Rules tab to modify any of the rules if necessary. 3. Click Add Account Group to create the dynamic account group.
Adding one or more accounts to an account group
From the Account Groups view, you can add one or more accounts to an account group.
To add accounts to an account group 1. Navigate to Administrative Tools | Account Groups. 2. Select an account group from the object list and click the Accounts tab. 3. Click Add Account from the details toolbar. 4. Select one or more accounts from the list in the Accounts selection dialog and click OK.
Create an account to add to an account group If you do not see the account you are looking for and you have Asset Administrator permissions, you can click Create New. For more information the information to provide, see Adding an account. Click OK in the Accounts selection dialog to add the accounts to the selected account group.
Related Topics
Adding an account to one or more account groups
Safeguard for Privileged Passwords 2.11.1 Administration Guide Account Groups
168
�Adding accounts to an access request policy
To add accounts to an access request policy 1. Navigate to Administrative Tools | Account Groups. 2. In Account Groups, select an account group from the object list and open the Access Request Policies tab. 3. Click Add to Policy from the details toolbar. 4. Select a policy from the list in the Access Request Policy selection dialog and click OK.
Modifying an account group
To modify an account group's information 1. Navigate to Administrative Tools | Account Groups. 2. In Account Groups, select an account group from the object list. 3. Select the view of the account group's information you want to modify (General, Accounts, or Access Request Policies). For example: l To change the selected account group's name or description, click the General tab then click the Edit icon. You can also double-click an account group name to open the General settings edit window. l To add (or remove) accounts associated with the selected account group, click the Accounts tab. You can multi-select members to add or remove more than one from an account group. l To add (or remove) accounts in a dynamic account group, double-click the dynamic account group and change the selections on the Account Rules tab. l To add (or remove) the selected account group to the scope of a policy, switch to the Access Request Policies tab. For more information, see Access Request Policies tab (account group) on page 161. 4. To view or export the details of each operation that has affected the selected account group, switch to the History tab. To export, select the time frame then click Export.
Deleting an account group
When you delete an account group, Safeguard for Privileged Passwords does not delete the associated accounts.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Account Groups
169
�To delete an account group 1. Navigate to Administrative Tools | Account Groups. 2. In Account Groups, select an account group. 3. Click Delete Selected. 4. Confirm your request.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Account Groups
170
�13
Assets
A Safeguard for Privileged Passwords asset is a computer, server, network device, or application managed by a Safeguard for Privileged Passwords Appliance. It is the responsibility of the Asset Administrator to add assets and accounts to Safeguard for Privileged Passwords.The Auditor has permission to access Assets. Before adding assets to Safeguard for Privileged Passwords, you must ensure they are properly configured. For more information, see Preparing systems for management on page 519. Each asset can have associated accounts (user, group, and service) identified on the Accounts tab (asset). If an asset is deleted, associated accounts are deleted. All assets must be governed by a profile identified on the General tab (asset group). All new assets are automatically governed by the default profile unless otherwise specified. An asset can only be in one partition at a time identified on the General tab (asset group). When you add an asset to a partition, all accounts associated with that asset are automatically added to that partition. You can identify a default partition and default partition profile so that when you add assets, the assets are added to the default partition and default partition profile. For more information, see Setting a default partition on page 296. Asset Discovery jobs run automatically against the directories you have added. For information about configuring asset discovery in Safeguard for Privileged Passwords, see Asset Discovery job workflow.
Assets view
The Assets view displays the following information about the selected system. Not all selections will be available for all assets.
l General tab (asset): Displays general, management and connection settings for the selected asset.
l Accounts tab (asset): Displays the accounts associated with this asset. l Account Dependencies tab (asset): Windows only: Displays the directory accounts
that the selected Windows server depends on to perform services and tasks.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Assets
171
�l Access Request Policies tab (asset): Displays the entitlements and access request policies associated with the selected asset.
l Asset Groups tab (asset): Displays the asset groups that contain the selected asset.
l Discovered Services tab (asset): Displays the details of each discovered service associated with the selected asset.
l History tab (asset): Displays the details of each operation that has affected the selected asset.
Toolbar
Use these toolbar buttons to manage assets:
l
Add Asset: Add assets to Safeguard for Privileged Passwords. For more
information, see Adding an asset on page 185.
l Delete Selected: Remove the selected asset. For more information, see Deleting an asset on page 211.
l IMPORTANT: When you delete an asset, you also permanently delete all the Safeguard for Privileged Passwords accounts associated with the asset.
l Refresh: Update the list of assets.
l
Import Assets: Add assets to Safeguard for Privileged Passwords. For more
information, see Importing objects on page 462.
l
Download SSH Key: Add the SSH key to the selected asset. For more
information, see Downloading a public SSH key on page 214.
l
Access Requests: Allows you to enable or disable access request services for
the selected asset. Menu options include Enable Session Request and Disable
Session Request.
l
Syncronize Now: Run the directory addition and deletion synchronization
process on demand.
l
Show Disabled: Display the assets that are not managed and are disabled and
have no associated accounts. Asset management can be controlled by right-clicking
on an asset and selecting Enable-Disable.
l
Hide Disabled: Hide the assets that are not managed and are disabled and have
no associated accounts. Asset management can be controlled by right-clicking an
asset and selecting Enable-Disable.
Add Asset: Add assets to Safeguard for Privileged Passwords. For more information, see Adding an asset on page 185.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Assets
172
�Asset menu options
Right click on an asset to use these context menu options.
l Discover SSH Host Key: This option only applies to assets that exchange SSH host keys, such as Unix-based assets and Linux-based assets. Retrieves the latest SSH host key for the selected asset. The Discover SSH Host Key dialog also tells you when the SSH host key is up-to-date. If the SSH host key is not discovered on the asset (either via a discovery or import), certain tasks will not be available for accounts associated with the asset, such as Check System, Check Password, and Change Password.
l
Check Connection: Select to verify that Safeguard for Privileged Passwords
can log in to the asset using the current service account credentials. For more
information, see Checking an asset's connectivity on page 204.
l
Syncronize Now: Run the directory addition and deletion synchronization
process on demand. In addition, it runs through the discovery, if there are discovery
rules and configurations set up.
l Download SSH Key: Add the SSH key to the selected asset. For more information, see Downloading a public SSH key on page 214.
l
Enable-Disable: Select Enable to have Safeguard for Privileged Passwords
manage a disabled asset. This option is only available for assets that have been
disabled. Account Discovery jobs find all accounts that match the discovery rule's
criteria regardless of whether it has been marked Enabled or Disabled in the past.
Select Disable to prevent Safeguard for Privileged Passwords from managing the selected asset. When you disable an asset, Safeguard for Privileged Passwords disables it and removes all associated accounts. If you choose to manage the asset later, Safeguard for Privileged Passwords re-enables all the associated accounts.
l
Access Requests: Select Enable Session Request to allow session requests
for the selected asset. Select Disable Session Request to disallow session
requests for the selected asset.
l
Discovery Accounts: Run the associated Account Discovery job. For more
information, see Account Discovery on page 240.
l
Discover Services: Run the associated Account Discovery job that has
Discovery Services selected. For more information, see Adding an Account
Discovery job on page 244.
l
Delete Selected: Remove the selected asset from Safeguard for Privileged
Passwords. When you delete an asset, you also permanently delete all the Safeguard
for Privileged Passwords accounts associated with the asset.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Assets
173
�General tab (asset)
The General tab lists information about the selected asset.
Large tiles at the top of the tab display the number of Accounts, Account Dependencies (when applicable), Access Request Policies, and Asset Groups associated with the selected asset. Clicking a tile heading opens the corresponding tab.
Navigate to Administrative Tools | Assets | General. The following fields display based on the type of asset (for example, Windows, Linux, OpenLDAP, or Active Directory).
Table 31: General tab: General properties
Property
Description
Name
The asset name.
Description
Descriptive text to further identify the asset.
Partition
The name of the partition where the selected asset resides.
Profile
The name of the profile that manages the asset's accounts.
NOTE: All assets must be governed by a profile. All new assets are automatically governed by the default profile unless otherwise specified.
License Type
If applicable (for example, for a Windows asset), indicates your license model, such as System or Desktop.
Last Successful Account Discovery
If applicable, the date and time of the last successful Account Discovery job.
Next Account Discovery
If applicable, the date and time of the next automated Account Discovery job as set in the Account Discovery job of the partition profile. (For more information, see Creating a profile on page 294.)
Directory (directory) The name of the directory where the asset was discovered.
Domain Name (directory)
The name of the domain where the asset was discovered.
NetBios Name (directory)
The NetBios name of the asset that was discovered.
Distinguished Name The distinguished name of the asset that was discovered. (directory)
The following fields display based on the type of asset (for example, Windows, Linux, OpenLDAP, or Active Directory).
Safeguard for Privileged Passwords 2.11.1 Administration Guide Assets
174
�Table 32: General tab: Management properties
Property Description
Product
The platform of the selected managed system.
Version
If applicable, the system version.
Architecture if applicable, the operating system architecture.
Network Address
If applicable, the network DNS name or IP address of the managed system.
Manage Forest (directory)
If True, the whole forest is managed.
Forest Root Domain Name (directory)
The forest root domain for the asset (Name on the General tab). A domain can be identified for more than one directory asset so that multiple directory assets can be governed the same domain.
Managed Domains
The managed domains.
Available for discovery across all partitions
If True, this asset is read-access available for Asset Discovery jobs beyond partition boundaries.
Managed Network
The managed network that is assigned for work load balancing. For more information, see Managed networks on page 366.
Enable Session Request
The check box is selected if session access requests are enabled for the asset.
RDP Session Port
If applicable, the access port on the target server used for RDP session access requests.
SSH Session Port
If applicable, the access port on the target sever used for SSH session access requests.
Telnet Session Port
If connecting to TN3270 or TN5250, the port for connection.
Sync additions every [number]
If applicable, the frequency that Safeguard for Privileged Passwords synchronizes the additions or modifications to objects. The date and time of the last sync, last failed, and last successful sync display. The intervals are directory specific.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Assets
175
�Property
minutes
Sync deletions every [number] minutes
Description
If applicable, the frequency that Safeguard for Privileged Passwords synchronizes the deletion of objects. The date and time of the last sync, last failed, and last successful sync display. The intervals are directoryspecific.
Table 33: General tab: Account Discovery properties
Account Discovery
Account discovery identifier
Last Successful Account Discovery
The date and time of the last successful account discovery
Last Failed Account Discovery The date and time of the last failed account discovery
Next Account Discovery
The date and time for the next account discovery
Table 34: Assets General tab properties: Connection properties
Property
Description
Authentication Type How the console connects with the managed system. For more information, see Connection tab (add asset) on page 192.
Service Account Name
The account used by Safeguard for Privileged Passwords to securely manage accounts and passwords on the asset.
Service Account Domain Name
The domain used to manage accounts and passwords on the asset.
Service Account
The distinguished name of the service account.
Distinguished Name
Connection Timeout The session timeout period.
Privilege Elevation Command
Displays the elevation command (such as sudo) if it is populated on the Connection tab.
Port
The port used by SSH to log in to the managed system.
SSH Host Key Finger- The fingerprint of the SSH key that Safeguard for Privileged
print
Passwords uses to authenticate to the asset.
SSH Key Comment Human-readable information about the SSH key.
SSH Host Key Finger- The managed system's public host key fingerprint.
print
When an asset requiring an SSH host key does not have one,
Check Password will fail. For more information, see
Connectivity failures on page 540.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Assets
176
�Property
CheckSystem (custom platform script)
CheckPassword (custom platform script)
ChangePassword (custom platform script)
Description True if the service account has access to the remote host. See the wiki Writing a custom platform script.
True if the given account user and password are valid on the remote host. See the wiki Writing a custom platform script.
True if the password for the given user on the remote host. See the wiki Writing a custom platform script.
Table 35: Assets General tab properties: Attributes properties (for example, for directories and LDAP)
Property
Description
User Attributes
User attributes include: Object Class User Name Password Description
Group Attributes
Group attributes include: Object Class Name Member
Computer Attributes
Computer attributes include: Object Class Name Network Address Operating System Operating System Version Description
Tags: Tag assignments for the selected asset. The tiles listed under in the Tags pane display both the dynamic tags assigned to the asset through tagging rules and static tags that were added manually. In addition to viewing tag assignments, Asset Administrators can add and remove statically assigned tags using this pane.
Description: Information about the selected asset.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Assets
177
�Related Topics
Assigning an asset to a partition Assigning a profile to an asset Modifying an asset
Accounts tab (asset)
An asset's Accounts tab displays the accounts associated with this asset.
Click Add Account from the details toolbar to associate an account with the selected asset.
Navigation: Administrative Tools | Assets | Accounts.
Table 36: Assets: Accounts tab properties
Property
Description
Name
Name of an account associated with the selected asset.
NOTE: While you can associate an account with only one asset, you can log in to an asset with more than one account.
Domain Name
The domain name for the account and helps to determine the uniqueness of accounts.
Profile
The name of the profile that manages the account.
Service Account
A check in this column indicates that the account is a service account.
Password Request
A check in this column indicates that password release requests are enabled for the account.
NOTE: Click Access Requests from the details toolbar to enable or disable a user's ability to request access to the selected account.
Session Request
A check in this column indicates that session access requests are enabled for the account.
NOTE: Click Access Requests from the details toolbar to enable or disable a user's ability to request access to the selected account.
Needs a Password
Displays if a password is not set for the account. For more information, see Checking, changing, or setting an account password on page 156.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Assets
178
�Property Description Global Access
Description Descriptive information entered when the account was added.
A check in this column indicates that the asset is available for discovery across all partitions. For more information, see Available for discovery across all partitions on page 188.
Use these buttons on the details toolbar to manage your asset accounts.
Table 37: Assets: Accounts tab toolbar
Option
Description
Add Account
Add accounts to the selected asset. For more information, see Adding an account to an asset on page 207.
Delete Selected
Remove the selected account from the asset.
Refresh
Update the list of asset accounts.
Account Security
Menu options include Check Password, Change Password, and Set Password. For more information, see Checking, changing, or setting an account password on page 156.
Password Archive
Display the password history for the selected asset account. For more information, see Viewing password archive on page 157.
Access Requests
Select an option to enable or disable access request services for the selected account. Values are derived from whether the platform of the asset indicates it supports Password Request, Session Request, or both. Menu options include:
l Enable Password Request l Disable Password Request l Enable Session Request l Disable Session Request
Service Accounts are created when the Asset is created and by default are not enabled for session or password access.
Discovered Accounts are controlled by the Account Discovery template that is used in discovering the accounts. They are a property of the rule template of the Account Discovery job. For more information, see Adding an Account Discovery rule on page 246.
Set Profile
Select a profile to manage the selected asset account.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Assets
179
�Option Search
Description
To locate a specific asset account or set of accounts in this list, enter the character string to be used to search for a match. For more information, see Search box on page 63.
Account Dependencies tab (asset)
The Account Dependencies tab displays the directory accounts that the selected Windows server depends on to perform services and tasks. The Account Dependencies tab is only applicable for a Windows platform when one or more directories have been added to Safeguard for Privileged Passwords.
Click Add Account from the details toolbar to associate account dependencies with the selected asset. For more information, see Adding account dependencies on page 208.
Navigate to Administrative Tools | Assets | Account Dependencies.
Table 38: Assets: Account Dependencies tab properties
Property
Description
Name
Name of a directory account
Directory
The directory in which the account resides
Domain Name
The forest root domain name for the directory
Distinguished Name The distinguished name for a directory account
Description
Description of the dependent account
Access Request Policies tab (asset)
The Access Request Policies tab displays the entitlements and access request policies associated with the selected asset.
Navigate to Administrative Tools | Assets | Access Request Policies.
Table 39: Assets: Access Request Policies tab properties
Property
Description
Entitlement
The name of the access request policy's entitlement
Access Request Policy
The name of the policy that governs the selected asset
Safeguard for Privileged Passwords 2.11.1 Administration Guide Assets
180
�Property Assets
# Asset Groups Asset Groups
Description
The number of unique assets that are associated with the access request policy
The number of unique asset groups in the access request policy
The names of the asset groups that associate the selected asset with the policy
Use these buttons on the details toolbar to manage your access request policies associated with the selected asset.
Table 40: Assets: Access Request Policies tab toolbar
Option
Description
Add to Policy
Add the selected asset to the scope of a session access request policy.
Remove Selected
Remove the selected policy. For more information, see Deleting an access request policy on page 281.
Refresh
Update the list of access request policies.
Details
View and edit details about the selected access request policy. For more information, see Creating an access request policy.
Search
To locate a specific policy or set of policies in this list, enter the character string to be used to search for a match. For more information, see Search box on page 63.
Asset Groups tab (asset)
The Asset Groups tab displays the asset groups that contain the selected asset. Only the assets that support session management can be added to asset groups and dynamic asset groups. Assets that do not support session management include but may not be limited to Directory assets. When you create the asset, the Management tab has an Enable Session Request check box if sessions is supported. For more information, see Supported platforms on page 37.. This section lists SPP and SPS support by platform. The Auditor and Security Policy Administrator have permission to access Asset Groups. Click Add Asset Groups from the details toolbar to add the selected asset to one or more asset groups. Navigate to Administrative Tools | Assets | Asset Groups.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Assets
181
�Table 41: Assets: Asset Groups tab properties
Property
Description
Name
The asset group name.
Dynamic
A check mark in this column indicates that the group is a dynamic asset group.
Description
Information about the asset group.
Related Topics
Adding an asset to asset groups
Discovered Services tab (asset)
The Discovered Services tab displays information specific to the selected asset and is applicable only to Windows assets.
l For more information, see Discovered Services on page 254. l For more information about the workflow, see Account and Service Discovery
job workflow.
Navigate to Administrative Tools | Assets | Discovered Services. Use these buttons to manage the discovered services.
Table 42: Discovered Services: Toolbar
Option
Description
Discover Services Run the selected service discovery job.
Search
To locate one or more assets, enter the character string to be used to search for a match. For more information, see Search box on page 63.
The following displays for each discovered service.
Table 43: Assets: Discovered Services tab properties
Property
Description
Account
The account in Safeguard that maps to the discovered account associated with the discovered service or task on the asset. This can be a local account or an Active Directory account.
Domain Name
The domain name of the account if the account is an
Safeguard for Privileged Passwords 2.11.1 Administration Guide Assets
182
�Property System Name Account Status
Dependent Account
Service Type Service Name Service Enabled Discovered Account Date/Time Discovered
Description
Active Directory account.
The asset to which the account is associated.
The status of the Safeguard account. If Safeguard manages the account, the value is Managed. If the account is disabled, the value is blank.
A check displays if the account is associated as an account dependency on the asset. The value is blank if the account is not associated as an account dependency of the asset. This automatic dependency mapping only happens if you select the following options. Select the Automatically Manage Found Accounts option on the account discovery job associated with the partition profile that is associated to the asset. For more information, see Adding an Account Discovery rule on page 246.
Type of service discovered. Values may be Service or Task.
The name of the discovered service or task.
A check displays if the service or task on the asset is enabled. If there is no check mark, the service or task is disabled.
The discovered service account name configured.
The date and time when the service or task was discovered.
History tab (asset)
The History tab allows you to view or export the details of each operation that has affected the selected asset. The top of the History tab contains the following information:
l Items: Total number of entries in the history log.
l
Refresh: Update the list displayed.
l
Export: Export the data to a .csv file.
l Search: For more information, see Search box on page 63.
l Time Frame: By default, the history details are displayed for the last 24 hours. Click one of the time intervals at the top of the grid to display history details for a different time frame. If the display does not refresh after selecting a different time interval, click Refresh.
Navigate to Administrative Tools | Assets | History.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Assets
183
�Table 44: Assets History tab properties
Property
Description
Date/Time
The date and time of the event
User
The display name of the user that triggered the event
Source IP
The network DNS name or IP address of the managed system that triggered the event
Object Name
The name of the selected asset
Event
The type of operation made to the selected asset:
l Create l Delete l Update l Add Membership l Remove Membership
NOTE: A membership operation indicates a relationship change with a related or parent object such as an account dependency was added or deleted from the selected asset.
Related Object
The name of the related object
Related Object Type The type of the related object
Parent
The name of the object to which the selected asset is a child
Parent Object Type The parent object type
Select an event to display this additional information for some types of events (for example, create and update events).
Table 45: Additional History tab properties
Property
Description
Property
The property that was updated
Old Value
The value of the property before it was updated
New Value
The new value of the property
Managing assets
Use the controls and tabbed pages on the Assets page to perform the following tasks to manage Safeguard for Privileged Passwords assets:
Safeguard for Privileged Passwords 2.11.1 Administration Guide Assets
184
�l Adding an asset l Checking an asset's connectivity l Assigning an asset to a partition l Assigning a profile to an asset l Manually adding a tag to an asset l Adding an account to an asset l Adding account dependencies l Adding an asset to asset groups l Modifying an asset l Deleting an asset l Importing objects l Downloading a public SSH key
Adding an asset
It is the responsibility of the Asset Administrator to add assets and accounts to Safeguard for Privileged Passwords. Safeguard for Privileged Passwords allows you to set up Asset Discovery jobs that run automatically. For more information, see Asset Discovery job workflow on page 228. Before you add systems to Safeguard for Privileged Passwords, make sure they are properly configured. For more information, see Preparing systems for management on page 519.
NOTE: There are special considerations for adding an MS SQL asset to Safeguard. See KB 261806 for details.
To add an asset
1. Navigate to Administrative Tools | Assets. 2. Click Add Asset from the toolbar. 3. In the Asset dialog, provide information in each of the tabs:
General tab (add asset)
Management tab (add asset)
Account Discovery tab (add asset)
Where you add general information about the asset
Where you add the network address, operating system, and version information Where you add the Account Discovery job
Safeguard for Privileged Passwords 2.11.1 Administration Guide Assets
185
�Connection tab (add asset)
Where you add the authentication type information or custom platform properties
Attributes tab (add Where you add attributes to directory assets asset)
Related Topics
Adding an account to an asset Assigning an asset to a partition Assigning a profile to an asset Assigning assets or accounts to a partition profile
General tab (add asset)
Use the General tab to specify general information about the asset, including the partition and profile to which the asset is assigned. An asset can only be in one partition at a time. When you add an asset to a partition, all accounts associated with that asset are automatically added to that partition. All assets must be governed by a profile and new assets are automatically governed by the default profile unless otherwise specified.
Table 46: Asset: General properties
Property
Description
Name
Enter a unique display name for the asset. Limit: 100 characters Required
Description
(Optional) Enter information about this managed system. Limit: 255 characters
Partition
Browse to select a partition for this asset. You can set a specific partition as the default, see Setting a default partition.
Profile
Browse to select a profile to manage this asset's accounts.
You must assign all assets to a profile. Safeguard for Privileged Passwords assigns all new assets to the default profile unless you specify another. You can set a specific profile as the default. For more information, see Setting a default partition profile on page 297.
Click Reset to set the profile to the current default.
The Reset button only becomes active when the asset has been explicitly assigned to the profile. If the asset is only implicitly assigned to the profile, Safeguard for Privileged Passwords does
Safeguard for Privileged Passwords 2.11.1 Administration Guide Assets
186
�Property
Description
not activate the Reset button. If you do not explicitly assign an asset to a profile, it is always assigned to the current default profile.
Management tab (add asset)
Use the Administrative Tools | Assets | Management tab to add the network address, operating system or directory service, and version information for an asset.
When you create a directory asset, accounts created display as discovered accounts in the Discovered Accounts properties grid. For more information, see Discovered Accounts on page 251.
The settings for an asset are shown below.
Table 47: Asset: Management tab properties (for example, Windows, Linux, OpenLDAP, or Active Directory)
Property
Description
Product
Select an operating system or directory service, for this asset.
A custom platform can be selected. For more information, see Custom platforms on page 324.
NOTE:Safeguard for Privileged Passwords allows you to select a generic operating system of Other, Other Managed, or Other Linux. This allows you to add an asset to Safeguard for Privileged Passwords without designating a specific platform.
l Other: An asset with an Other operating system cannot be managed. You can manually change passwords on accounts associated with an asset with an Other operating system. Safeguard for Privileged Passwords cannot connect to the asset so there is no automatic password check and change, test connection, or other activity requiring a connection.
l Other Managed: Safeguard for Privileged Passwords stores the password and can automatically check and change it per the profile configuration. There is no active connection or service account. The passwords are rotated internally and event notifications are sent when the rotation is complete. Another component or piece of automation can change the password or make use of the password in configuration files. For example, a listener can pick up the change event via the Safeguard for Privileged Passwords Application to Application (A2A) service and perform actions, as required.
l Other Linux: Safeguard for Privileged Passwords manages
Safeguard for Privileged Passwords 2.11.1 Administration Guide Assets
187
�Property
Description
an asset with "Other Linux" on a best effort basis.
Other platform details: Any Other platform type can be changed to different platform type. Conversely, any platform type can be changed to Other, however, any property values specific to the current platform type will be lost. For example, you may want to change an Other Linux operating system to any type of Linux, such as AIX, HP-UX, or Solaris. Then, the specific platform type can be changed back to Other, if needed. For more information, see Modifying an asset on page 210.
Version
If applicable, select the operating system version. When adding a Linux or Macintosh OS X system, Safeguard for Privileged Passwords allows you to choose an Other version.
NOTE:Safeguard for Privileged Passwords does not manage passwords for accounts on domain controllers. Manage accounts on domain controllers through the directory asset that hosts the domain controller. For more information, see Adding an account to an asset on page 207.
Architecture
If applicable, the product's system architecture.
Network Address If applicable, enter a network DNS name or the IP address used to connect to the managed system over the network.
For Amazon Web Services assets, enter the Amazon AWS Account ID or Alias.
Domain Name (directory)
The domain for the asset (Name on the General tab). A domain can be identified for more than one directory asset so that multiple directory assets can be governed the same domain.
Manage Forest (directory)
Select if you want to manage the whole forest. Do not select if you want to manage just one domain.
Available for discovery across all partitions
If applicable, select to make this asset read-access available for Asset Discovery jobs beyond partition boundaries. Any partition that exists is able to use this directory asset. Other partition owners do not have read password access. If not selected, partition owners and other partitions will not know the directory asset exists.
In setting up the Asset Discovery job, use the Directory asset discovery Method so that directory assets that are shared can be discovered into any partition. For more information, see General tab (asset discovery) on page 229.
Enable Session Request
If applicable, this check box is selected by default, indicating that authorized users can request session access for this asset.
Clear this check box if you do not want to allow session requests for
Safeguard for Privileged Passwords 2.11.1 Administration Guide Assets
188
�Property
Description
this asset. If an asset is disabled for sessions and an account on the asset is enabled for sessions, sessions are not available because the asset does not allow sessions.
Advanced
Managed Network
The managed network that is assigned for work load balancing. For more information, see Managed networks on page 366.
RDP Session Port If applicable, specify the access port on the target server to be used for RDP session requests.
Default: Port 3389
SSH Session Port If applicable, specify the access port on the target server to be used for SSH session requests.
Default: Port 22
Telnet Session Port
If connecting to TN3270 or TN5250, the port for connection. By default, a telnet server typically listens on port 23.
Sync additions every [number] minutes
For directory assets, enter or select how often you want Safeguard for Privileged Passwords to synchronize additions (in minutes). This updates Safeguard for Privileged Passwords with any additions, or modifications that have been made to the objects, including group membership and user account attributes mapped to Safeguard for Privileged Passwords.
Default: 15 minutes
Range: Between 1 and 2147483647
Directory Sync is enabled by default and can be disabled. For more information, see Enable or Disable Services (Access and management services) on page 301.
Sync deletions every [number] minutes
For directory assets, enter or select how often you want Safeguard for Privileged Passwords to synchronize deletions (in minutes).
This updates Safeguard for Privileged Passwords with any deletions that have been made to the objects, including group membership and user account attributes mapped to Safeguard for Privileged Passwords.
Default: 15 minutes
Range: Between 1 and 2147483647
Directory Sync is enabled by default and can be disabled. For more information, see Enable or Disable Services (Access and management services) on page 301.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Assets
189
�Account Discovery tab (add asset)
The Account Discovery tab is only available after Active Directory Asset has been created. On the Account Discovery tab, the default is Do not perform account discovery.
Table 48: Account Discovery tab properties
Property
Description
Description
Select the description of the Account Discovery job desired and the details of the configuration display.
Partition Discovery Type Directory Schedule
Click Add to add a job or Edit to edit the job. You can click the drop-down and select Do not perform account discovery.
The partition in which to manage the discovered assets or accounts.
The type platform, for example, Windows, Unix, or Directory.
The directory for account discovery.
Click Schedule to control the job schedule.
Select Run Every to run the job along per the run details you enter. (If you clear Run Every, the schedule details are lost.)
l Configure the following:
To specify the frequency without start and end times, select from the following controls. If you want to specify start and end times, go to the Use Time Window selection in this section.
l Minutes: The job runs per the frequency of minutes you specify. For example, Every 30 Minutes runs the job every half hour over a 24-hour period. It is recommended you do not use the frequency of minutes except in unusual situations, such as testing.
l Hours: The job runs per the minute setting you specify. For example, if it is 9 a.m. and you want to run the job every two hours at 15 minutes past the hour starting at 9:15 a.m., select Runs Every 2 Hours @ 15 minutes after the hour.
l Days: The job runs on the frequency of days and the time you enter.
For example, Every 2 Days @ 11:59:00 PM runs the job every other evening just before midnight.
l Weeks The job runs per the frequency of weeks at the time and on the days you specify.
For example, Every 2 Weeks @ 5:00:00 AM and
Safeguard for Privileged Passwords 2.11.1 Administration Guide Assets
190
�Property Rules
Description
Repeat on these days with MON, WED, FRI selected runs the job every other week at 5 a.m. on Monday, Wednesday, and Friday.
l Months: The job runs on the frequency of months at the time and on the day you specify.
For example, If you select Every 2 Months @ 1:00:00 AM along with First Saturday of the month, the job will run at 1 a.m. on the first Saturday of every other month.
l Select Use Time Windows if you want to enter the Start and
End time. You can click add or - delete to control multiple time restrictions. Each time window must be at least one minute apart and not overlap.
For example, for a job to run every ten minutes every day from 10 p.m. to 2 a.m., enter these values:
Enter Every 10 Minutes and Use Time Windows:
l Start 10:00:00 PM and End 11:59:00 AM
l Start 12:00:00 AM and End 2:00:00 AM
An entry of Start 10:00:00 PM and End 2:00:00 AM will result in an error that the end time must be after the start time.
If you have selected Days, Weeks, or Months, you will be able to select the number of times for the job to Repeat in the time window you enter.
For a job to run two times every other day at 10:30 am between the hours of 4 a.m. and 8 p.m., enter these values:
For days, enter Every 2 Days and set the Use Time Windows as Start 4:00:00 AM and End 20:00:00 PM and Repeat 2.
l Time Zone: Select the time zone.
You may click Add, the Rules grid.
Delete,
Edit, or
Copy to update
Details about the selected account discovery setting rules may include the following based on the type of asset.
l Name: Name of the discovery job
l Rule Type: What the search is based on. For example, the rule may be Name based or Property Constraint based if the search is based on account properties. For more inform-
Safeguard for Privileged Passwords 2.11.1 Administration Guide Assets
191
�Property
Description
ation, see Adding an Account Discovery rule on page 246.
l Filter Search Location: If a directory is searched, this is the container within the directory that was searched.
l Auto Manage: A check mark displays if discovered accounts are automatically added to Safeguard for Privileged Passwords.
l Set default password: A check mark displays if the rule causes default passwords to be set automatically.
l Assign to Profile: The partition profile assigned
l Assign to Sync Group: A check mark displays if the rule automatically associated the accounts with a password sync group.
l Enable Password Request: A check mark displays if the passwords is available for release.
l Enable Session Request: A check mark displays if session access is enabled.
Connection tab (add asset)
On the Connection tab, choose an Authentication Type (see the table that follows) and specify the service account credentials. The type of asset specified in the Product field on the Management tab determines the authentication types available for the asset. If the asset has a custom platform, the Custom Properties elements are displayed. For more information, see Custom platforms on page 324.
Table 49: Connection tab: Asset authentication types
Authentication Type
Description
SSH Key
To authenticate to the asset using an SSH authentication key.
Directory Account
To authenticate to the asset using a directory account from an external identity store such as Microsoft Active Directory.
NOTE: In order to use this authentication type, you must first add a directory asset and add domain user accounts. For more information, see Accounts on page 138.
Local System Account
For SQL Server assets, to authenticate to the asset using a local system account, which is a Windows user account on the server that is hosting the SQL database.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Assets
192
�Authentication Type Password (local service account) Account Password
Access Key
Custom
None Test Connection Timeout
Description
To authenticate to the asset using a local service account and password.
When the function account credentials are not in the custom script, for example, Amazon Web Services. For more information, see Adding a cloud platform account on page 148.
For Amazon Web Services assets, to authenticate to the asset using an access key. For more information, see Adding a cloud platform account on page 148.
No authentication information is taken because the custom parameters or parameters in a customer platform script are used. No accounts associated with the asset are stored. For more information, see Custom platforms on page 324.
No authentication information is taken and check/change functions are disabled. No accounts associated with the asset are stored.
Verify that Safeguard can log in to the asset using the service account credentials that you have provided.
Enter the connection timeout period.
Client ID: For SAP assets, enter the client ID.
Custom platform properties
If the Product field on the Management tab identified a custom platform, complete the dialog based on the custom properties of the custom platform script. Safeguard for Privileged Passwords checks to ensure the values match the type of the property that include a string, boolean, integer, or password (which is called secret in the API scripts). Safeguard for Privileged Passwords cannot check the validity or system impact of values entered for custom platforms. For more information, see Creating a custom platform script on page 325.
About service accounts
Safeguard for Privileged Passwords uses a service account to connect to an asset to securely manage accounts and passwords on that asset. Therefore, a service account needs sufficient permissions to edit the passwords of other accounts.
When you add an asset, Safeguard for Privileged Passwords adds its service account to the list of Accounts and designates it with a Service Account icon. By default, Safeguard for Privileged Passwords automatically manages the service account password according to the check and change schedules in the profile that governs its asset. For more information, see Creating a profile on page 294.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Assets
193
�When adding a service account, Safeguard for Privileged Passwords automatically disables it from access requests. If you want the password to be available for release, click Access Requests and select Enable Password Request. If you want to enable session access, select Enable Session Request.
TIP:As a best practice, if you do not want Safeguard for Privileged Passwords to manage a service account password, add the account to a profile that is set to never change passwords. If you delete a service account, Safeguard for Privileged Passwords changes the asset's authentication type to None, which disables automatic password management for all accounts that are associated with this asset. A user can continue to check out the passwords, however, if the policy that governs the account requires that it change the password after release, the password can get stuck in a pending password reset state. For more information, see Password is pending a reset on page 548.
Test connectivity
The most common causes of failure in Safeguard for Privileged Passwords are either connectivity issues between the appliance and the managed system, or problems with service accounts. If you experience issues, first verify that you can access the managed system from another system (independent of Safeguard for Privileged Passwords), using the service account. For more information about troubleshooting connectivity issues, see Test Connection failures and Connectivity failures.
About Test Connection
When adding an asset, Test Connection verifies that Safeguard for Privileged Passwords can log in to the asset using the service account credentials that you have provided. When adding an asset that requires an SSH host key, Test Connection first discovers the key and presents it to you for acceptance. When you accept it, Test Connection then verifies that Safeguard for Privileged Passwords can log in to the asset using the service account credentials that you have provided. Once you save the new asset, Safeguard for Privileged Passwords saves the service account credentials. Safeguard for Privileged Passwords uses these credentials to connect to an asset to securely manage accounts and passwords on that asset. For more information, see About service accounts on page 193. If you want to verify an existing asset's connectivity, use the Check Connection rightclick command. For more information, see Checking an asset's connectivity on page 204.
Related Topics
Test Connection failures
SSH Key
You can configure Safeguard for Privileged Passwords to authenticate to a managed system using an SSH authentication key. Safeguard for Privileged Passwords will not rotate SSH
Safeguard for Privileged Passwords 2.11.1 Administration Guide Assets
194
�Keys unless you select the Manage SSH Key option in the asset's profile change schedule. For more information, see Adding change password settings on page 422.
NOTE: This option is not available for all operating systems. But if a Safeguard for Privileged Passwords asset requires an SSH host key and does not have one, Check Password, Change Password, and Test Connection will fail. For more information, see Connectivity failures on page 540.
Table 50: SSH Key authentication type properties
Property
Description
Automatically Generate the SSH Key
Select this option to have Safeguard for Privileged Passwords generate the SSH authentication key.
Manually Deploy the SSH Key
When you select Automatically Generate the SSH Key, Safeguard for Privileged Passwords allows you to select this option so that you can manually append this public key to the authorized keys file on the managed system for the service account. For more information, see Downloading a public SSH key on page 214.
The SSH authentication key becomes available after Safeguard for Privileged Passwords creates the asset.
IMPORTANT: If you do not select this option, Safeguard for Privileged Passwords automatically installs the SSH authentication key. If you do select this option, Safeguard for Privileged Passwords creates the key and associates it with the Safeguard for Privileged Passwords asset you are creating, but it does not install it on the managed system for you.
Import and Manually Select this option, then Browse to import an SSH authentication Deploy the SSH Key key. For more information, see Importing an SSH key on page
196.
Key Comment
(Optional) Enter a description of this SSH key.
Service Account Name
Enter the service account name that Safeguard for Privileged Passwords is to use for management tasks. This is the account Safeguard for Privileged Passwords uses to install the SSH authentication key on the asset. For more information, see About service accounts on page 193.
Service Account Password
If not importing the SSH authentication key, then you must enter the service account password Safeguard for Privileged Passwords needs to authenticate to this managed system.
Limit: 255 characters
Privilege Elevation Command
If required, enter a privilege elevation command (such as sudo). This is used as a prefix for commands that require privileged access on the system and to manage accounts on Unix-based systems; that is, to check and change passwords and to discover
Safeguard for Privileged Passwords 2.11.1 Administration Guide Assets
195
�Property
Test Connection Service Account Profile Auto Accept SSH Host Key
Port Connection Timeout
Description
accounts.
When adding an asset, Safeguard for Privileged Passwords uses this command to perform Test Connection. For more information, see About Test Connection on page 194.
To enable Safeguard for Privileged Passwords to elevate the privileges of the service account, assign the asset to the scope of a partition profile that has the privilege elevation command defined. For more information, see Creating a profile on page 294.
The privilege elevation command must run non-interactively, that is, without prompting for a password. For more information, see Preparing Unix-based systems on page 534.
Limit: 255 characters
Click this button to verify that Safeguard for Privileged Passwords can log in to this asset using the service account credentials you have provided. For more information, see About Test Connection on page 194.
Click
Edit to add the profile or -- Remove to delete the
assigned profile. Available profiles are based on the partition
selected on the General tab (asset discovery). To update the
profile later, go to the service account and update the Profile. For
more information, see General tab (account) on page 139.
Select this option to have Safeguard for Privileged Passwords automatically accept the SSH host key when it creates the Safeguard for Privileged Passwords asset.
When this option is selected, Safeguard for Privileged Passwords displays the thumbprint of the SSH host key that was discovered. When a managed system requiring an SSH host key does not have one, Check Password will fail. For more information, see Connectivity failures on page 540.
Enter the port number used by SSH to log in to the managed system.
Required
Enter the command timeout period. This option applies only to platforms that use telnet or SSH.
Default: 20 seconds
Importing an SSH key
When you add an asset using the SSH Key authentication type, Safeguard for Privileged Passwords gives you the option to Use an Imported SSH Key.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Assets
196
�To import an SSH Key
1. Click Add Asset from the toolbar to add an asset. 2. In the Connection tab:
a. In Authentication type, select SSH Key. b. In SSH Key Generation and Deployment Settings, select Import and
Manually Deploy SSH Key. c. Browse to select an SSH key. 3. In the SSH Key dialog, click Import an SSH Key. 4. In the Import an SSH Key dialog, specify the following information: a. In Private Key File, Browse to select a private key file. b. In Key Comment, enter a comment regarding the key. c. Click Import.
Directory Account
You can configure Safeguard for Privileged Passwords to authenticate to a managed system using an account from an external identity store such as Microsoft Active Directory. In order to use this authentication type, you must first add a directory asset to Safeguard for Privileged Passwords and add domain user accounts. For more information, see Accounts on page 138.
Table 51: Directory Account authentication type properties
Property
Description
Service Account Name
Click Select Account. Choose the service account name used for management tasks. The accounts available for selection are domain user accounts that are linked to a directory that was previously added to Safeguard for Privileged Passwords.
Service Account Password
If required, enter the password used to authenticate.
Privilege Elevation Command
If required, enter a privilege elevation command (such as sudo). This is used as a prefix for commands that require privileged access on the system and to manage accounts on Unix-based systems; that is, to check and change passwords and to discover accounts.
When adding an asset, Safeguard for Privileged Passwords uses this command to perform Test Connection. For more information, see About Test Connection on page 194.
To enable Safeguard for Privileged Passwords to elevate the privileges of the service account, assign the asset to the
Safeguard for Privileged Passwords 2.11.1 Administration Guide Assets
197
�Property
Description
scope of a partition profile that has the privilege elevation command defined. For more information, see Creating a profile on page 294.
The privilege elevation command must run non-interactively, that is, without prompting for a password. For more information, see Preparing Unix-based systems on page 534.
Limit: 255 characters
Test Connection
Click this button to verify that Safeguard for Privileged Passwords can log in to this asset using the service account credentials you have provided. For more information, see About Test Connection on page 194.
Service Account Profile
Click Edit to add the profile or -- Remove to delete the assigned profile. Available profiles are based on the partition selected on the General tab (asset discovery). To update the profile later, go to the service account and update the Profile. For more information, see General tab (account) on page 139.
Use Named Pipe for service account connection
Select to use the Named Pipe when connecting to the asset. Clear this check box to use TCP/IP when connecting to the asset.
Use SSL Encryption
Select this option to enable Safeguard to encrypt communication with this asset. If you do not select this option for a MicrosoftSQL Server that is configured to force encryption, Test Connection will use untrusted encryption and succeed with valid credentials. For more information about how Safeguard database servers use SSL, see How do Safeguard for Privileged Passwords database servers use SSL.
Verify SSL Certificate
Use this option to enable or disable SSL Certificate verification on the asset. When enabled, Safeguard for Privileged Passwords compares the signing authority of the certificate presented by the asset to the certificates in the Trusted Certificates store every time Safeguard for Privileged Passwords connects to the asset. Trust must be established for Safeguard for Privileged Passwords to manage the asset. For Safeguard for Privileged Passwords to verify an SSL certificate, you must add the asset's signing authority certificate to the Trusted Certificates store. Only clear the Verify SSL Certificate option if you do not want to establish trust with the asset's
Privilege Level Password If required, enter the system enable password to allow
Safeguard for Privileged Passwords 2.11.1 Administration Guide Assets
198
�Property Auto Accept SSH Host Key
Instance
Port Connection Timeout
Description
access to the Cisco configuration.
Select this option to have Safeguard for Privileged Passwords automatically accept an SSH host key. When an asset requiring an SSH host key does not have one, Check Password will fail. For more information, see Connectivity failures on page 540.
Specify the Instance name if you have configured multiple instances of a SQL Server on this asset. If you have configured a default (unnamed) instance of the SQL Server on the host, you need to provide the IP address and port number.
Enter the port number to log in to the asset. This option is not available for all operating systems.
Enter the directory connection timeout period. Default: 20 seconds.
Local System Account
You can configure Safeguard for Privileged Passwords to authenticate to a managed SQL Server using a local system account and password. The local system account is a Windows user account on the server that is hosting the SQL database.
NOTE: In order to use this authentication type, you must add both a Windows asset and a SQL Server asset to Safeguard for Privileged Passwords.
Table 52: Local System Account authentication type properties
Property
Description
Service Account
Click Select Account to choose the local system account associated with the SQL Server for Safeguard for Privileged Passwords to use for management tasks.
Test Connection
Click this button to verify that Safeguard for Privileged Passwords can log in to this asset using the local system account credentials you have provided. For more information, see About Test Connection on page 194.
Use Named Pipe for service account connection
Select to use the Named Pipe when connecting to the asset. Clear this check box to use TCP/IP when connecting to the asset.
Advanced
Open to reveal the following settings:
As Privilege
Specify the Oracle privilege level to use when connecting with the selected Oracle service account, if required. The Oracle
Safeguard for Privileged Passwords 2.11.1 Administration Guide Assets
199
�Property
Description
SYS account requires the privilege level SYSDBA or SYSOPER. For details, see the Oracle document, About Administrative Accounts and Privileges and SYSDBA and SYSOPER System Privileges.
Instance (Service Name)
Specify the Instance name if you have configured multiple instances of a SQL Server on this asset. If you have configured a default (unnamed) instance of the SQL Server on the host, you need to provide the IP address and port number.
Specify the Service Name if you are configuring an Oracle asset.
Port
Enter the port number to log in to the asset.
Connection Timeout
Enter the SQL server connection timeout period. Default: 20 seconds
Password (local service account)
You can configure Safeguard for Privileged Passwords to authenticate to a managed system using a local service account and password.
NOTE: Some options are not available for all operating systems.
Table 53: Password authentication type properties
Property
Description
Distinguished Name
For LDAP platforms, enter the fully qualified distinguished name (FQDN) for the service account.
For example: cn=dev-sa,ou=people,dc=example,dc=com
Service Account Name
Browse to select the service account for Safeguard for Privileged Passwords to use for management tasks. When you add the asset, Safeguard for Privileged Passwords automatically adds the service account to Accounts. For more information, see About service accounts on page 193.
Required except for LDAP platforms, which use the Distinguished Name.
Service Account Password Enter the service account password used to authenticate to this asset.
Limit: 255 character
Privilege Elevation Command
If required, enter a privilege elevation command (such as sudo). This is used as a prefix for commands that require
Safeguard for Privileged Passwords 2.11.1 Administration Guide Assets
200
�Property
Description
privileged access on the system and to manage accounts on Unix-based systems; that is, to check and change passwords and to discover accounts.
When adding an asset, Safeguard for Privileged Passwords uses this command to perform Test Connection. For more information, see About Test Connection on page 194.
To enable Safeguard for Privileged Passwords to elevate the privileges of the service account, assign the asset to the scope of a partition profile that has the privilege elevation command defined. For more information, see Creating a profile on page 294.
The privilege elevation command must run non-interactively, that is, without prompting for a password. For more information, see Preparing Unix-based systems on page 534.
Limit: 255 characters
Privilege Level Password Enter the Enable password to allow access to the Cisco configuration.
Test Connection
Click this button to verify that Safeguard for Privileged Passwords can log in to this asset using the service account credentials you have provided. For more information, see About Test Connection on page 194.
Service Account Profile
Click Edit to add the profile or -- Remove to delete the assigned profile. Available profiles are based on the partition selected on the General tab (asset discovery). To update the profile later, go to the service account and update the Profile. For more information, see General tab (account) on page 139.
Auto Accept SSH Host Key This check box is selected by default indicating that Safeguard for Privileged Passwords automatically accepts an SSH host key. This option is not available for all platforms.
Once the SSH host key is discovered, the SSH host key fingerprint is displayed.
When an asset requiring an SSH host key does not have one, Check Password will fail. For more information, see Connectivity failures on page 540.
Use SSL Encryption
Select this option to enable Safeguard to encrypt communication with this asset. If you do not select this option for a MicrosoftSQL Server that is configured to force encryption, Test Connection will use untrusted encryption and succeed with valid credentials. For more information
Safeguard for Privileged Passwords 2.11.1 Administration Guide Assets
201
�Property Verify SSL Certificate
As Privilege Instance (Service Name) Workstation ID Port Connection Timeout
Description
about how Safeguard database servers use SSL, see How do Safeguard for Privileged Passwords database servers use SSL
Use this option to enable or disable SSL Certificate verification on the asset. When enabled, Safeguard for Privileged Passwords compares the signing authority of the certificate presented by the asset to the certificates in the Trusted Certificates store every time Safeguard for Privileged Passwords connects to the asset. Trust must be established for Safeguard for Privileged Passwords to manage the asset. For Safeguard for Privileged Passwords to verify an SSL certificate, you must add the asset's signing authority certificate to the Trusted Certificates store. Only clear the Verify SSL Certificate option if you do not want to establish trust with the asset's
Specify the Oracle privilege level to use when connecting with the selected Oracle service account, if required. The Oracle SYS account requires the privilege level SYSDBA or SYSOPER. For details, see the Oracle document, About Administrative Accounts and Privileges and SYSDBA and SYSOPER System Privileges.
Specify the Instance name if you have configured multiple instances of a SQL Server on this asset. If you have configured a default (unnamed) instance of the SQL Server on the host, you need to provide the IP address and port number.
Specify the Service Name if you are configuring an Oracle asset.
Specify the configured workstation ID, if applicable. This option is for IBM i systems.
Enter the port number on which the asset will be listening for connections.
Default: port 22; port 1433 for SQL server; port 8443 for SonicWALL SMA or CMS appliance.
Enter the connection timeout period.
Default: 20 seconds
Access Key
You can configure Safeguard for Privileged Passwords to authenticate to a managed system using an access key.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Assets
202
�Table 54: Access Key authentication type properties
Property
Description
Service Account
Enter an account for Safeguard for Privileged Passwords to use for management tasks. For more information, see About service accounts on page 193.
Access Key ID
Enter the unique identifier that is associated with the secret key. The access key ID and secret key are used together to sign programmatic AWS requests cryptographically.
Limit: 32 alphanumeric characters
Secret Key
Enter a secret access key used to cryptographically sign programmatic Amazon Web Services (AWS) requests.
Limit: 40 alphanumeric characters; the + and the / characters are also allowed.
Test Connection
Click this button to verify that Safeguard for Privileged Passwords can log in to this asset using the service account credentials you have provided. For more information, see About Test Connection on page 194.
Port
Enter the port number to log in to the asset.
Connection Timeout
Enter the connection timeout period. Default: 20 seconds
None
When the asset's Authentication Type on the Connection tab is set to None, Safeguard for Privileged Passwords does not manage any accounts associated with the asset and does not store asset related credentials.
All assets must have a service account in order to check and change the passwords for the accounts associated with it.
Select the Auto Accept SSH Host Key to have Safeguard for Privileged Passwords automatically accept the SSH host key when it creates the archive server.
Attributes tab (add asset)
The Attributes tab is used to add attributes to directory assets, including Active Directory and LDAP. For more information, see Adding identity and authentication providers on page 398.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Assets
203
�Table 55: Active Directory and LDAP: Attributes tab
Safeguard for Privileged Passwords Attribute
Directory Attribute
Users
Object Class
Browse to select a class definition that defines the valid attributes for the user object class.
Default: user for Active Directory, inetOrgPerson for LDAP
User Name
sAMAccountName for Active Directory, cn for LDAP
Password
userPassword for LDAP
Description
description
Groups
Object Class
Browse to select a class definition that defines the valid attributes for the computer object class.
Default: group for Active Directory, groupOfNames for LDAP
Name
sAMAccountName for Active Directory, cn for LDAP
Member
member
Computer Attributes
Object Class
Browse to select a class definition that defines the valid attributes for the computer object class.
Default: computer for Active Directory, ipHost for LDAP
Name
cn
Network Address
dNSHostName for Active Directory, ipHostNumber for LDAP
Operating System operatingSystem for Active Directory
Operating System Version
operatingSystemVersion for Active Directory
Description
description
Checking an asset's connectivity
After you add an asset you can verify that Safeguard for Privileged Passwords can log in to it using the Check Connection option.
NOTE: When you run Test Connection from the asset's Connection tab (such as when
Safeguard for Privileged Passwords 2.11.1 Administration Guide Assets
204
�you add the asset initially), you must enter the service account credentials. Once you add the asset to Safeguard for Privileged Passwords it saves these credentials. The Check Connection option does not require that you enter the service account credentials because it uses the saved credentials to verify that it can log in to that asset.
To check an asset's connectivity 1. Navigate to Administrative Tools | Assets. 2. From Assets, right-click an asset in the object list to open the asset's context menu. 3. Choose the Check Connection option. Safeguard for Privileged Passwords displays a Toolbox task pane that shows the results.
Related Topics
About Test Connection About service accounts
Assigning an asset to a partition
Use the Assets view to assign an asset to a partition. An asset can only be in one partition at a time. When you add an asset to a partition, all accounts associated with that asset are automatically added to that partition, as well.
You cannot remove an asset from a partition. However, you can add the asset to another partition either from the scope of the other partition or from an asset's General properties.
To assign an asset to a partition
1. Navigate to Administrative Tools | Assets. 2. In Assets, double-click an asset to open the general properties, or click the
icon next to the General title on the General tab. 3. On the Asset dialog, Browse to select a partition. 4. Click OK.
Edit
Related Topics
Adding assets to a partition
Assigning a profile to an asset
Use the Assets view to assign a profile to an asset.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Assets
205
�To assign a profile to an asset 1. Navigate to Administrative Tools | Assets. 2. In Assets, double-click an asset to open the general properties, or click the Edit icon next to the General title on the General tab. 3. Browse to select a profile, and click OK. You can only choose profiles that are in the selected asset's partition. 4. Click Reset to set the profile to the current default.
Related Topics
Assigning assets or accounts to a partition profile
Manually adding a tag to an asset
Asset Administrators can manually add and remove static tags to an asset using the Tags pane, which is located at the bottom of the General tab when an asset is selected on the Assets view. You cannot manually remove dynamically assigned tags which are defined by rules and indicated by a lightening bolt icon. You must modify the rule associated with the dynamic tag if you want to remove it. For more information, see Modifying an asset or asset account tag on page 333.
To manually add a tag to an asset 1. Navigate to Administrative Tools | Assets. 2. Select an asset from the object list (left-pane). 3. Open the General tab and scroll down to view the Tags pane. 4. Click next to the Tags title. 5. Place your cursor in the edit box and enter the tag to be assigned to the selected asset. As you type, existing tags that start with the letters entered will appear, allowing you to select a tag from the list. To add additional tags, press Enter before entering the next tag. 6. Click OK.
If you do not see the new tag, click Refresh. 7. To remove a manually assigned tag, click the X inside the tag box.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Assets
206
�Adding an account to an asset
Use the Accounts tab on the Assets view to add an account to an asset. You can acc an account to an asset or add a directory account to a directory asset. Steps for both follow.
To add an account to an asset
1. Navigate to Administrative Tools | Assets.
2. In Assets, select an asset from the object list and open the Accounts tab.
3. Click Add Account from the details toolbar.
4. Enter the account information and click Add Account.
5. In the Account dialog, enter the following information:
l Name:
l Local account: Enter the login user name for this account. Limit: 100 characters.
l Directory Account: Browse to find the account.
l Description: (Optional) Enter information about this managed account. Limit: 255 characters.
l Profile: Browse to select a profile to govern this account.
By default an account inherits the profile of its associated asset, but you can assign it to a different profile for this partition. For more information, see Assigning assets or accounts to a partition profile on page 297.
l Enable Password Request: This check box is selected by default, indicating that password release requests are enabled for this account. Clear this option to prevent someone from requesting the password for this account. By default, a user can request the password for any account in the scope of the entitlements in which they are an authorized user.
l Enable Session Request: This check box is selected by default, indicating that session access requests are enabled for this account. Clear this option to prevent someone from requesting session access using this account. By default, a user can make an access request for any account in the scope of the entitlements in which he or she is an authorized user.
l (For directory accounts only) Available for use across all partitions: When selected, any partition can use this account and the password is given to other administrators. For example, this account can be used as a dependent account or a service account for other assets. Potentially, you may have assets that are running services as the account, and you can update those assets when the service account changes. If not selected, partition owners and other partitions will not know the account exists. Although archive servers are not bound by partitions, this option must be selected for the directory account for the archive server to be configured with the directory account.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Assets
207
�Directory assets
If you add directory user accounts to a directory asset, Safeguard for Privileged Passwords will automatically change the user passwords according to the profile schedule you set, which could prevent a directory user from logging into Safeguard for Privileged Passwords. For information about how to set up directory users as Safeguard for Privileged Passwords users, see Adding a user.
Table Section Outside Table: IMPORTANT: For Active Directory, the standard global catalog port, 3268 (LDAP), must be open on the firewall for every Windows global catalog server in the environment and SPP Appliance to communicate for directory management tasks (for example, adding a directory account, a directory user account, or a directory user group). LDAP uses port 389 for unencrypted connections. For more information, see the Microsoft publication How the Global Catalog Works.
To add a directory account to a directory asset
1. Navigate to Administrative Tools | Assets. 2. In Assets, select a directory asset from the object list and open the Accounts tab. 3. Click Add Account from the details toolbar. 4. In the Find Accounts dialog, click Browse to select a container within the directory
as the Filter Search Location. a. The Include objects from sub containers check box is selected by default, indicating that child objects will be included in your search. Clear this check box to exclude child objects from your search. b. In the Name field, enter a full or partial account name and click Search. To search for a directory account, you must enter text into the search box. Safeguard for Privileged Passwords searches each domain of a forest. You can search on partial strings. For example, if you enter "ad," it will find any user Name or Distinguished Name that contains "ad." The text search is not case-sensitive and does not allow wild cards.
5. The results of the search displays in the Select the Account(s) to Add grid. Select one or more accounts to add to Safeguard for Privileged Passwords.
Related Topics
Adding account dependencies Setting a default partition profile
Adding account dependencies
One or more Windows servers can use a directory account (such as an Active Directory account) to run hosted services and/or tasks. The Asset Administrator can configure a
Safeguard for Privileged Passwords 2.11.1 Administration Guide Assets
208
�dependency relationship between the directory account and the Windows servers. Safeguard for Privileged Passwords performs dependent system updates to maintain the passwords for dependent accounts on all the systems that use the dependent accounts. For example, when Safeguard for Privileged Passwords changes the directory account password, it updates the credentials on all the Windows server's dependent accounts so that the services or tasks using this account are not interrupted. Also see KB article 312212.
Configuring account dependencies on an asset
1. Directory accounts:
a. You must add directory accounts before you can set up account dependency relationships. For more information, see Adding an account on page 147.
b. From the directory account, select the Available for use across all partitions option so it can be used outside its domain partition. For more information, see Adding an account on page 147.
2. Assets: You must add the target directory account as a dependent account for the asset. The service account can be a domain account (to look up domain information) or a local account. The service account must be a domain account if the asset is Windows SSH platform, but does not have to be a domain account if the asset is a Windows Server platform. Follow these steps:
a. Navigate to Administrative Tools | Assets.
b. Select a the asset (such as a Windows server) from the object list and open the Account Dependencies tab.
c. Click Add Account from the details toolbar and select one or more directory accounts. Safeguard for Privileged Passwords only allows you to select directory accounts.
3. Discovery: To update the asset, you must configure the Account Discovery job for the dependent asset. Navigate to Administrative Tools | Discovery | Account Discovery and select these check boxes:
l Discover Services
l Automatically Configure Dependent System.
For more information, see Adding an Account Discovery job on page 244.
4. Partition profiles:
a. The target directory account must be in the same partition profile as the dependent asset.
b. You must configure the dependent asset's partition profile in the Change Password tab to perform the required updates on the asset. For example, select the Update Service on Password Change check box and so on. For more information, see Creating a profile on page 294.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Assets
209
�Adding an asset to asset groups
Use the Asset Groups tab on the Assets view to add an asset to one or more asset groups. Only the assets that support session management can be added to asset groups and dynamic asset groups. Assets that do not support session management include but may not be limited to Directory assets. When you create the asset, the Management tab has an Enable Session Request check box if sessions is supported. For more information, see Supported platforms on page 37.. This section lists SPP and SPS support by platform.
To add an asset to asset groups
1. Navigate to Administrative Tools | Assets. 2. In Assets, select an asset from the object list and open the Asset Groups tab. 3. Click Add Asset Group from the details toolbar. 4. Select one or more asset groups from the list in the Asset Groups selection dialog
and click OK.
If you do not see the asset group you are looking for and have Security Policy Administrator permissions, you can click Create New and add the new asset group. Enter the information and click Add Asset Group. For more information on creating asset groups, see Adding an asset group.
Modifying an asset
You can modify an asset.
To modify an asset
1. Navigate to Administrative Tools | Assets. 2. In Assets, select an asset from the object list. 3. Select the view of the asset's information you want to modify ( such as General,
Accounts, or Account Dependencies, Access Request Policies, Asset Groups, Discovered Services, or History). For example:
l To change an asset's connection information, for example, connection timeout, double-click the Connection information in the General tab or click the Edit icon. You can also double-click an asset name to open the General settings edit window. NOTES: The following notes apply to attempting to change information on the General tab.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Assets
210
�l Profile: You can only edit or remove a Service Account Profile when adding an asset. To update or remove the asset's service account profile, go to Accounts, select the service account, and edit it to update the profile. For more information, see General tab (account) on page 139.
l Management tab, Product: Other platform details: Any Other platform type can be changed to different platform type. Conversely, any platform type can be changed to Other, however, any property values specific to the current platform type will be lost. For example, you may want to change an Other Linux operating system to any type of Linux, such as AIX, HP-UX, or Solaris. Then, the specific platform type can be changed back to Other, if needed.
l To add (or remove) an account to this asset, switch to the Accounts tab. l To add (or remove) a directory account to a Windows server as an account
dependency, switch to the Account Dependencies tab. For more information, see Adding account dependencies on page 208. 4. To view or export the details of each operation that has affected the selected asset, switch to the History tab. To export, select the time frame then click Export.
Deleting an asset
The Asset Administrator can delete an asset even if there are active access requests. IMPORTANT:When you delete an asset, you also permanently delete all the Safeguard for Privileged Passwords accounts associated with the asset.
To delete an asset
1. Navigate to Administrative Tools | Assets. 2. In Assets, select an asset from the object list. 3. Click Delete Selected. 4. Confirm your request.
Importing objects
Safeguard for Privileged Passwords allows you to import a .csv file containing a set of accounts, assets, or users. A .csv template for import can be downloaded when you click Import from the toolbar. For more information, see Creating an import file on page 155. Once an import is completed, you can navigate to the Tasks pane in the Toolbox for details about the import process and invalid data messages. For more information, see Viewing task status on page 136.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Assets
211
�To import objects
1. In Administrative Tools, click Assets, Accounts, or Users based on what data you are importing.
2. Click Import from the toolbar.
3. In the Import dialog, Browse to select an existing .csv file containing a list of objects to import.
4. When importing assets, the Discover SSH Host Keys option is selected by default indicating that Safeguard will retrieve the required SSH host key for the assets specified in the .csv file.
5. Click OK.
Safeguard for Privileged Passwords imports the objects into its database.
NOTE:Safeguard for Privileged Passwords does not add an object if any column contains invalid data in the .csv file, with the following exceptions:
l Assets PlatformDisplayName property:
1. If Safeguard for Privileged Passwords does not find an exact match, it looks for a partial match. If it finds a partial match, it supplies the <platform> Other platform, such as Other Linux.
2. If it does not find a partial match, it supplies the Other platform type.
l Users TimeZoneId property:
1. If Safeguard for Privileged Passwords does not find a valid TimeZoneId property (that is, does not find an exact match or no time zone was provided), it uses the local workstation's current time zone.
NOTE: Do not enter numbers or abbreviations for the TimeZoneId.
l Users Password property:
1. Safeguard for Privileged Passwords adds a user without validating the password you provide.
Details for importing directory assets, service accounts, users, and user groups
You can use the steps like those above to import your existing directory infrastructure (such as Microsoft Active Directory). Additional information specific to directory import follows.
1. Import the directory (and service account) via Administrative Tools | Assets |
Import Asset and browse to select the .csv file. Safeguard for Privileged Passwords imports the directory as an asset.
The directory's service account is automatically added to the list of accounts you can viewed via the Assets | Accounts tab.
l By default, the service account password is automatically managed according to the check and change settings in the profile that governs the partition. For more information, see Creating a profile on page 294. If you do not want
Safeguard for Privileged Passwords 2.11.1 Administration Guide Assets
212
�Safeguard for Privileged Passwords to manage the service account password, assign the account to a profile that is set to never change passwords. For more information, see Assigning assets or accounts to a partition profile on page 297.
l The service account is added to the asset's Accounts tab and is disabled for password request and session request. For more information, see Accounts tab (asset) on page 178.
l To change either setting, navigate to Administrative Tools | Accounts and double-click the account. Then select the following check boxes, as desired: Enable Password Request and Enable Session Request. For more information, see General tab (account) on page 139.
2. Import users and user groups.
a. Import directory users via Administrative Tools | Users | Import Users and browse to select the .csv file.
b. Assign to user groups via Administrative Tools | Users Groups | Users (select one or multiple users).
c. Automatic synchronization: Once you import directory users and directory groups, Safeguard for Privileged Passwords automatically synchronizes the objects in its database with the directory schema attributes. User and group membership changes in the directory are reflected in Safeguard for Privileged Passwords. Directory users authenticate to Safeguard for Privileged Passwords with their directory credentials.
Active Directory and LDAP synchronization
Active Directory and LDAP data is automatically synchronized by asset or identity and authentication providers schema as shown in the following lists.
Asset schema list
l Users
l Username
l Password (modifiable in LDAP and not modifiable in Active Directory)
l Description
l Groups
l Name
l Member
l Computer
l Name
l Network Address
l Operating System
l Operating System Version
l Description
Identity and Authentication Providers schema list
Safeguard for Privileged Passwords 2.11.1 Administration Guide Assets
213
�l Users l Username l First Name l Last Name l Work Phone l Mobile Phone l Email l Description l External Federation Authentication l Radius Authentication l Managed Objects
l Groups l Name l Members l Description
Downloading a public SSH key
When you add an asset and select the Automatically Generate the SSH Key (SSH Key Generation and Deployment setting on the Connection page in the Asset dialog), Safeguard for Privileged Passwords allows you to download the SSH key so that you can manually install it on the asset.
To download a public SSH key 1. Navigate to Administrative Tools | Assets. 2. In Assets, select an asset that has an SSH key authentication type. 3. Click the Download SSH Key from the toolbar or the context menu. -OROpen the asset's Connection settings and select Download SSH Key. 4. In the Save As dialog, specify the drive, directory, and name of the file to save.
You can manually install this public key to an asset.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Assets
214
�14
Asset Groups
A Safeguard for Privileged Passwords asset group is a set of assets that you can add to the scope of an access request policy. For more information, see Creating an access request policy on page 268.
Only the assets that support session management can be added to asset groups and dynamic asset groups. Assets that do not support session management include but may not be limited to Directory assets. When you create the asset, the Management tab has an Enable Session Request check box if sessions is supported. For more information, see Supported platforms on page 37.. This section lists SPP and SPS support by platform.
The Auditor and the Security Policy Administrator have permission to access Asset Groups.
The Asset Groups view displays the following information about the selected asset group.
l General tab (asset group): Displays general information about the selected asset group.
l Assets tab (asset group): Displays the assets associated with the selected asset group.
l Access Request Policies tab (account group): Displays the entitlements and access request policies associated with the selected asset group.
l History tab (asset group): Displays the details of each operation that has affected the selected asset group.
Use these toolbar buttons to manage asset groups.
l
Add | Asset Group: Add asset groups to Safeguard for Privileged Passwords.
For more information, see Adding an asset group on page 219.
l
Add | Dynamic Asset Group: Add dynamic asset groups to Safeguard for
Privileged Passwords. For more information, see Adding a dynamic asset group
on page 220.
l
Delete Selected: Remove the selected asset group from Safeguard for
Privileged Passwords. For more information, see Deleting an asset group on
page 224.
l
Refresh: Update the list of asset groups.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Asset Groups
215
�l
Search: You can search by a character string or by a selected attribute with
conditions you enter. To search by a selected attribute click Search and select an attribute to search. For more information, see Search box on page 63.
General tab (asset group)
The General tab lists information about the selected asset group.
The large tile at the top of the tab displays the number of Assets and Access Request Policies associated with the selected asset group. Clicking a tile heading opens the corresponding tab.
Table 56: Asset Groups General tab: General properties
Property
Description
Name
The selected asset group's name
Description
Information about the selected asset group
Asset Rules
For dynamic asset groups, a summary of the asset rules defined.
Related Topics
Modifying an asset group
Assets tab (asset group)
The Assets tab displays the assets associated with the selected asset group.
Click Add Asset from the details toolbar to add one or more assets to the selected asset group.
Search: For more information, see Search box on page 63.
Table 57: Asset Groups: Assets tab properties
Property
Description
Name
The asset name assigned to the managed system.
Platform Type
The platform of the managed system.
Session Request
A check in this column indicates that session access requests are enabled for the asset.
Description
Information about the asset.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Asset Groups
216
�Related Topics
Adding assets to an asset group Modifying an asset group
Access Request Policies tab (asset group)
The Access Request Policies tab displays the entitlements and access request policies associated with the selected asset group.
Click Add to Policy from the details toolbar to add the selected asset group to the scope of one or more access request policies.
Table 58: Asset Groups: Access Request Policies tab properties
Property
Description
Entitlement
The name of the access request policy's entitlement
Access Request Policy
The name of the policy that governs the assets in the selected asset group
Asset Groups
The number of unique asset groups in the access request policy
Assets
The number of unique assets in the asset groups that are associated with the access request policy
Use these buttons on the details toolbar to manage your access request policies associated with the selected asset group.
Table 59: Asset Groups: Access Request Policies tab toolbar
Option
Description
Add to Policy
Add the selected asset group to the scope of an access request policy.
Remove Selected
Remove the selected policy. For more information, see Deleting an access request policy on page 281.
Refresh
Update the list of access request policies.
Details
View and edit details about the selected access request policy. For more information, see Creating an access request policy on page 268.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Asset Groups
217
�Option Search
Description
To locate a specific policy or set of policies in this list, enter the character string to be used to search for a match. For more information, see Search box on page 63.
History tab (asset group)
The History tab allows you to view or export the details of each operation that has affected the selected asset group. The top of the History tab contains the following information:
l Items: Total number of entries in the history log.
l
Refresh: Update the list displayed.
l
Export: Export the data to a .csv file.
l Search: For more information, see Search box on page 63.
l Time Frame: By default, the history details are displayed for the last 24 hours. Click one of the time intervals at the top of the grid to display history details for a different time frame. If the display does not refresh after selecting a different time interval, click Refresh.
Table 60: Asset Groups: History tab properties
Property
Description
Date/Time
The date and time of the event
User
The display name of the user that triggered the event
Source IP
The network DNS name or IP address of the managed system that triggered the event
Object Name
The name of the selected asset group.
Event
The type of operation made to the selected account group:
l Create l Delete l Update l Add Membership l Remove Membership
NOTE: A membership operation indicates a "relationship" change with a related or parent object such as the selected asset group
Safeguard for Privileged Passwords 2.11.1 Administration Guide Asset Groups
218
�Property
Description
was added or removed from the membership of a policy, or an asset was added or removed from the membership of the selected asset group.
Related Object
The name of the related object
Related Object Type The type of the related object
Parent
The name of the object to which the selected asset group is a child
Parent Object Type The parent object type
Select an event to display this additional information for some types of events (for example, create and update events).
Table 61: Additional History tab properties
Property
Description
Property
The property that was updated
Old Value
The value of the property before it was updated
New Value
The new value of the property
Managing asset groups
Use the controls and tabbed pages in the Asset Groups view to perform the following tasks to manage Safeguard for Privileged Passwords asset groups:
l Adding an asset group l Adding a dynamic asset group l Adding assets to an asset group l Modifying an asset group l Deleting an asset group
Adding an asset group
It is the responsibility of the Security Policy Administrator to add asset groups to Safeguard for Privileged Passwords. Use the Asset Groups view to add new asset groups to Safeguard for Privileged Passwords.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Asset Groups
219
�Only the assets that support session management can be added to asset groups and dynamic asset groups. Assets that do not support session management include but may not be limited to Directory assets. When you create the asset, the Management tab has an Enable Session Request check box if sessions is supported. For more information, see Supported platforms on page 37.. This section lists SPP and SPS support by platform.
To add an asset group
1. Navigate to Administrative Tools | Asset Groups. 2. Click Add Asset Group from the toolbar. 3. In the Asset Group dialog, enter the following information:
a. Name: Enter a unique name for the asset group. Limit: 50 characters
b. Description: (Optional) Enter descriptive text about this asset group. Limit: 255 characters
4. Click Add Asset Group.
Adding a dynamic asset group
It is the responsibility of the Security Policy Administrator to add asset groups to Safeguard for Privileged Passwords.
Only the assets that support session management can be added to asset groups and dynamic asset groups. Assets that do not support session management include but may not be limited to Directory assets. When you create the asset, the Management tab has an Enable Session Request check box if sessions is supported. For more information, see Supported platforms on page 37.. This section lists SPP and SPS support by platform.
To add a dynamic asset group
1. Navigate to Administrative Tools | Asset Groups.
2. From Asset Groups, click Add | Add Dynamic Asset Group from the toolbar.
3. In the Dynamic Asset Group dialog, provide information in each of the tabs.
General tab (add dynamic account group)
Where you add general information about the dynamic asset group
Account Rules tab (add dynamic account group)
Where you define the rules to be used to identify what assets are to be included in the dynamic asset group
Summary tab (add Where you review the rules defined for adding assets to this
dynamic account dynamic asset group, and where you save your selections and
group)
create the dynamic asset group
Safeguard for Privileged Passwords 2.11.1 Administration Guide Asset Groups
220
�Related Topics
When does the rules engine run for dynamic grouping and tagging
General tab (add dynamic asset group)
On the General tab of the Dynamic Asset Group dialog, supply general information about the dynamic asset group.
Table 62: Dynamic Asset Group: General tab
Property
Description
Name
Enter a unique name for the dynamic asset group. Limit: 50 characters
Description
Enter information about this dynamic asset group. Limit: 255 characters
Asset Rules tab (add dynamic asset group)
Use the rule editor controls on the Asset Rules tab of the Dynamic Asset Group dialog to define what assets are to be included in the dynamic asset group.
Table 63: Dynamic Asset Group: Asset Rules tab
Property
Description
AND | OR
Click AND to group multiple search criteria together; where all criteria must be met in order to be included.
Click OR to group multiple search criteria together; where at least one of the criteria must be met in order to be included.
Attribute
In the first query clause box, select the attribute to be searched. Valid attributes include:
l Name (default) l Description l Platform l Disabled l Tag l Discovery Job Name l Partition Name
Safeguard for Privileged Passwords 2.11.1 Administration Guide Asset Groups
221
�Property
Operator
Search string |
Add Grouping | Remove
Description
l Profile l Network Address l Discovered Group Name (Use this selection to not
specify the domain in the search. To specify the domain, select Discovered Group Distinguished Name.) l Discovered Group Distinguished Name (Use this selection to specify the search is for the domain to which the group belongs.) l Directory Container (If you use the operator Equal, one level is found.)
In the middle clause query box, select the operator to be used in the search. The operators available depend on the data type of the attribute selected. For string attributes, the operators may include:
l Contains (Default) l Does not contain l Starts with l Ends with l Equals l Not equal
For boolean attributes, the operators may include:
l Is True l Is False
In the last clause query box, enter the search string or value to be used to find a match.
Click to the left of a search clause to add an additional clause to the search criteria. Click to remove the search clause from the search criteria.
Click the Add Grouping button to add an additional set of conditions to be met. A new grouping is added under the last query clause in a group and appears in a bordered pane, showing that it is subordinate to the higher level query conditions. Click the Remove button to remove a grouping from the
Safeguard for Privileged Passwords 2.11.1 Administration Guide Asset Groups
222
�Property Preview
Description
search criteria.
Click Preview to run the query in order to review the results of the query before adding the dynamic group.
Summary tab (add dynamic asset group)
On the Summary tab of the Dynamic Asset Group dialog, review the rules defined for adding assets to the dynamic asset group, save your selections, and add the dynamic asset group to Safeguard for Privileged Passwords.
1. Review the rules defined for this dynamic asset group. 2. Return to the Asset Rules tab to modify any of the rules if necessary. 3. Click Add Asset Group to create the dynamic asset group.
Adding assets to an asset group
From the Assets tab on the Asset Groups view, you can add one or more assets to an asset group.
To add assets to an asset group 1. Navigate to Administrative Tools | Assets Groups. 2. In Asset Groups, select an asset group from the object list and open the Assets tab. 3. Click Add Asset from the details toolbar. 4. Select one or more assets from the list in the Assets selection dialog and click OK. NOTE: You can also double-click an asset name to add it.
If you do not see the asset you are looking for, depending on your Administrator permissions, you can create it in the Assets selection dialog. (You must have Asset Administrator permissions to create assets.)
To create a new asset from the Assets selection dialog 1. Click Create New. For more information on creating assets, see Adding an asset. 2. Create additional assets, as required. 3. Click OK in the Assets selection dialog to add the assets to the selected asset group.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Asset Groups
223
�Modifying an asset group
To modify an asset group's information 1. Navigate to Administrative Tools | Asset Groups. 2. In Asset Groups, select an asset group from the object list. 3. Select the view of the asset group's information you want to modify (General or Assets). For example: l To change an asset group's name or description, double-click the General information in the General tab or click the Edit icon. You can also doubleclick an asset group name to open the General settings edit window. l To add (or remove) assets to the selected asset group, open the Assets tab. 4. To view or export the details of each operation that has affected the selected asset group, open the History tab.
Deleting an asset group
You can delete an asset group. When you delete an asset group, Safeguard for Privileged Passwords does not delete the associated assets.
To delete an asset group 1. Navigate to Administrative Tools | Asset Groups. 2. In Asset Groups, select an asset group from the object list. 3. Click Delete Selected. 4. Confirm your request.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Asset Groups
224
�15
Discovery
Safeguard for Privileged Passwords discovery jobs can find assets, accounts, and services in your network environment. This can simplify initial deployment and ongoing maintenance of the privileged accounts in your network environment.
Details on the jobs follow.
l Asset Discovery jobs find assets by searching directory assets, such as Active Directory, or by scanning network IP ranges. Rules control which assets are found. Asset Discovery jobs can be scheduled to run on regular intervals. The discovery job can be configured with templates to set default settings on newly created assets including connection details. The assets created by discovery jobs are considered to be managed by Safeguard, but this has no effect on the network asset. An asset with valid connection information can be used for account discovery.
If you use asset discovery Method of Directory, directory assets that are shared can be discovered into any partition. To share a directory asset, select Available for discovery across all partitions for the asset; see Management tab (add asset).
l Account Discovery jobs find accounts by searching directory assets such as Active Directory or by scanning local account databases on Windows and Unix assets (/etc/passwd) that are associated with the account discovery job. Rules control which accounts are found. Account discovery jobs can be scheduled to run on regular intervals. The discovery job can be configured to set default settings on newly created accounts. Accounts found by account discovery are neither managed nor disabled until you decide to manage them or disable them. If an account is managed by Safeguard, this means the password can be managed according to the partition profile settings associated with the discovery job. Safeguard can make the account available for password and/or session requests according to configured entitlements and policy.
The accounts in the scope of the discovery job may include accounts that were previously added (manually) to the Safeguard partition. For more information, see Adding an account on page 147.
l Service Discovery jobs find Windows services that run as accounts managed by Safeguard. If Safeguard is managing the service account password, Safeguard can update the Windows service configuration to match the password when the password changes and restart the service automatically.
Discovery tiles include the following:
Safeguard for Privileged Passwords 2.11.1 Administration Guide Discovery
225
�l Asset Discovery: The number of Asset Discovery jobs available to run against the directories or networks to discover assets for potential management. Click the tile for details.
l Asset Discovery Results: The number of Asset Discovery Results in the time frame indicated. Click the tile for details.
l Account Discovery: The number of Account Discovery jobs available to run against the in scope assets to discover accounts for potential management. Click the tile for details.
l Account Discovery Results: The number of Account Discovery Results in the time frame indicated. Click the tile for details.
l Discovered Accounts: The number of Discovered Accounts in the specified partition. Click the tile for details.
l Discovered Services: The number of Discovered Services in the specified partition. You can launch discover service account jobs from Administrative Tools | Assets | Discovered Services. For more information, see Discovered Services tab (asset) on page 182.
Asset Discovery
You can schedule one or more Asset Discovery jobs to run automatically against the directories or network (IP range) you have added to Safeguard for Privileged Passwords. The assets in the scope of the discovery job may include assets that were previously added (manually) to the Safeguard partition. For more information, see Adding an asset on page 185. If you use asset discovery Method of Directory, directory assets that are shared can be discovered into any partition. To share a directory asset, select Available for discovery across all partitions for the asset; see Management tab (add asset). When an Asset Discovery job runs, the found asset is added to Assets. If the operating system cannot be detected in the Network Scan or Directory method of asset discovery, the Other Linux operating system is applied which you can modify later. For more information, see Modifying an asset on page 210. For more information, see Asset Discovery job workflow on page 228.
Properties and toolbar
Navigate to Administrative Tools | Discovery | Asset Discovery. Use these toolbar buttons to manage the discovery job settings.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Discovery
226
�Table 64: Asset Discovery: Toolbar
Option
Description
Add
Add an Asset Discovery job. For more information, see Adding an Asset Discovery job on page 228.
Delete Selected Delete the selected Asset Discovery job.
Refresh
Update the list of Asset Discovery jobs that have run.
Edit
Modify the selected Asset Discovery job. You can also doubleclick a row to open the edit dialog.
Run Now
Run the selected Asset Discovery job. A Task pop-up display which shows the progress and completion.
Details
View additional details about the selected Asset Discovery job including schedule frequency and rules.
Search
Enter the character string to be used to search for a match. For more information, see Search box on page 63.
Asset Discovery jobs display in the grid.
Table 65: Asset Discovery: Asset Discovery job grid
Name
Name of the discovery job
Creator
Indicates how the job was launched, for example, Automated System or Admin
Method
The type of job, for example, Windows, Unix, or Directory
Directory
The directory on which the discovery job runs
Partition
The partition in which to manage the discovered assets or assets
Schedule
Designates when the Asset Discovery job runs
Last Run Date
The date the selected Asset Discovery job ran
Next Run Date
The date when the Asset Discovery job is scheduled to run next
Last Success Run Date
The most recent date the selected Asset Discovery job successfully ran
Last Failure Run Date
The most recent date the selected Asset Discovery job failed
Safeguard for Privileged Passwords 2.11.1 Administration Guide Discovery
227
�Asset Discovery job workflow
You can configure, schedule, test, and run Asset Discovery jobs. After the job has run, you can select whether to manage the asset. You can also view information about the Asset Discovery jobs that have run.
1. Create an Asset Discovery job. For more information, see Adding an Asset Discovery job on page 228.
2. After you save the Asset Discovery job, you can test it by selecting For more information, see Asset Discovery on page 226.
Run Now.
3. After the Asset Discovery job runs, click Asset Discovery Results to view the assets found. For more information, see Asset Discovery Results on page 239.
4. To control management of an asset, navigate to Administrative Tools | Assets,
right-click the asset, click menu options.
Enable-Disable, and choose one of these context
Enable Disable
Select Enable to have Safeguard for Privileged Passwords manage a disabled asset. This option is only available for assets that have been disabled.
Select Disable to prevent Safeguard for Privileged Passwords from managing the selected asset. When you disable an asset, Safeguard for Privileged Passwords disables it and removes all associated accounts. If you choose to manage the asset later, Safeguard for Privileged Passwords reenables all the associated accounts.
5. On Administrative Tools | Assets, you can show or hide assets marked as disabled, use the following buttons. For more information, see Assets on page 171.
Show Disabled Hide Disabled
Display the disabled assets. Hide assets marked as disabled.
6. Search the Activity Center for information about discovery jobs that have run. Safeguard for Privileged Passwords lists the Asset Discovery events in the Asset Discovery Activity category.
Adding an Asset Discovery job
You can add a new Asset Discovery job.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Discovery
228
�1. Navigate to Administrative Tools | Discovery. 2. Click the Asset Discovery tile. 3. Click Add to create a new Asset Discovery job. 4. In the Asset Discovery dialog, provide information for the discovery job on the
following tabs:
General tab (asset discovery)
Where you add general information about the discovery job and identify which partition you want Safeguard for Privileged Passwords to add the assets it discovers. You will also specify the discovery method (Directory or Network Scan).
Information tab (asset discovery)
Where you select the directory and set the search location.
Rules tab (asset discovery)
Where you define the search constraints and conditions and choose the profile you want to govern the discovered assets.
Schedule tab (asset discovery)
Where you configure the schedule for the discovery job.
Summary tab (asset discovery)
Where you review the Asset Discovery job parameters and save it.
After you save the discovery job, you can modify or run it using the Asset Discovery toolbar. For more information, see Asset Discovery.
General tab (asset discovery)
Navigate to Administrative Tools | Discovery | Asset Discovery | (add or edit a Asset Discovery job).
On the Asset Discovery dialog, General tab, supply general information about the Asset Discovery job and identify the partition where you want Safeguard for Privileged Passwords to add the assets it discovers.
Table 66: Discovery: General properties
Property
Description
Name
Enter a name for the Asset Discovery job. Limit: 50 characters
Description
Enter information about this Asset Discovery job. Limit: 255 characters
Partition
Browse to select the partition in which to manage the discovered assets.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Discovery
229
�Property Method
Description
IMPORTANT: You cannot change the partition after you save this discovery job.
Choose a type of discovery:
l Network Scan
l Directory
If you select Directory, directory assets that are shared can be discovered into any partition. To share a directory asset, select Available for discovery across all partitions for the asset; see Management tab (add asset). If the check box is not selected, the asset is not shared and the asset will only be discovered into the partitions to which the directory asset is assigned.
Information tab (asset discovery)
Navigate to Administrative Tools | Discovery | Asset Discovery | (add or edit a Asset Discovery job).
On the Asset Discovery dialog, Information tab, define the directory or network information for the discovery job.
Table 67: Discovery: Information properties for Directory scans
Property
Description
Directory
Select the Directory on which to run the Asset Discovery job.
Table 68: Discovery: Information properties for Network scans
Property
Description
Enable OS Detection
This check box is selected by default, indicating that OS fingerprinting is to be used to detect the operation system being used. Clear this check box if you do not want to use the OS fingerprinting process.
IPv4 Range
Enter a range of IPv4 addresses to scan:
l Starting IP Address l Ending IP Address
Click Add or Delete to add or remove IPv4 address range sets.
Advanced
Exclude IP
Safeguard for Privileged Passwords allows you to exclude an IP
Safeguard for Privileged Passwords 2.11.1 Administration Guide Discovery
230
�Property
Description
address within a specified IPv4 range from the scan. Click Add to exclude an IP address from the scan. Click Delete to remove the corresponding excluded IPv4 address and include that IP address in the scan.
Rules tab (asset discovery)
Navigate to Administrative Tools | Discovery | Asset Discovery | (add or edit a Asset Discovery job)
Use the Rules tab on the Asset Discovery dialog to govern the discovered assets.
Discovery details
l Once Safeguard for Privileged Passwords creates an asset, it will not attempt to recreate it or modify the asset if the asset is rediscovered by a different job.
l Any SSH host keys encountered in discovery will be automatically accepted.
l You can configure multiple rules for an Asset Discovery job. When Safeguard for Privileged Passwords runs the Asset Discovery job, if it finds an asset with more than one rule, it applies the connection and profile settings of the first rule that discovers the asset.
To add a new Asset Discovery rule
1. On the Rules tab, click Add.
2. In the Asset Discovery Rule dialog, enter a Name up to 50 characters.
3. You must specify at least one condition, the connection, and a profile for each rule:
a. Under Settings, click Add Condition (asset discovery) to add one or more Group, Constraints, LDAP Filter (for LDAP or Active Directory), or Find All.
Once one or more conditions have been added, you can existing conditions.
Edit or
Delete
b. A Connection Template is required and defaults to None (no credentials are
associated). To change this, select Edit to configure the authentication parameters. For more information, see Edit Connection Template (asset discovery) on page 234.
c. For Asset Profile, you can Edit or Delete the profile to govern the discovered assets. The asset profile defaults to the partition default profile and is based on the partition selected on the General tab (asset discovery).
d. Select Add Account Discovery Job to select a schedule.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Discovery
231
�e. For Managed Network, you can assigned for workload balancing.
Edit or
4. Click OK to save the Asset Discovery rule.
Delete the managed network
Add Condition (asset discovery)
An Asset Discovery rule can have more than one condition, and each condition can have one or more constraints. When Safeguard for Privileged Passwords runs the discovery job, it finds all assets that meet all of the search conditions. Navigate to Administrative Tools | Discovery | Asset Discovery | (add or edit a Asset Discovery job) | Asset Discovery dialog | Rules tab | Asset Discovery Rule dialog | Add Condition.
Add Find All condition
1. In the Condition dialog, in Find By, choose Find All. 2. If you are setting up an Asset Discovery job for a directory, Browse the Filter
Search Location to select a container within the directory to search for assets. Select Include objects from sub containers to include objects from sub containers or clear the check box to exclude child objects from discovery. 3. Click Preview to test the conditions you have configured and display a list of assets Safeguard for Privileged Passwords will find in the directory or network you specified based on the conditions entered. 4. Click OK.
Add Constraints condition
1. In the Condition dialog, in Find By, choose Constraints. 2. To change the Filter Search Location, click Browse and select the search location
that is the scope of the search. Network Scan Asset Discovery jobs don't support the search bases settings. 3. (Optional) Select Include objects from sub containers to discover assets in subcontainers. 4. To apply constraints (search criteria):
a. Select a property: l Name l Description l Network Address l Operating System l Operating System Version
NOTE: For Network Scan, you can only apply constraints on the information the network finds, which is Name and Operating System.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Discovery
232
�b. Select an operation: l Equals l Not Equals l Starts With l Ends With l Contains
c. In the text box, type a value of up to 255 characters. The search is casesensitive and does not allow wild cards.
5. Click Preview to test the conditions you have configured and display a list of assets Safeguard for Privileged Passwords will find in the directory or network you specified based on the conditions entered.
6. You can add or delete search constraints: a. Click Add to additional constraints to your search criteria. b. Click Delete to remove the corresponding constraint from your search criteria.
7. Click OK to save your selections.
Add LDAP Filter (for LDAP or Active Directory) condition Search base limits the search to the defined branch of the specified directory, including sub containers if that option is selected. This condition is only available for a Directory discovery job (LDAP or Active Directory directories).
1. In the Condition dialog, a. Find By: Choose LDAP Filter and enter the search criteria to be used. b. Filter Search Location: Browse to select a container within the directory to search for assets. TIP: Do not select the Directory Root for Asset Discovery jobs. c. Include objects from sub containers: Optionally, select this check box to search for assets in sub-containers.
2. Click Preview to test the conditions you have configured. 3. Click OK to save your selections.
Add Group for a Directory condition This condition is only available for a Directory discovery job.
1. In the Condition dialog: a. Find By: Choose Group. b. Click Add to launch the Group dialog. c. Contains: Enter a full or partial group name and click Search. You can only enter a single string (full or partial group name) at a time.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Discovery
233
�d. Filter Search Location: Browse to select a container to search within the directory.
e. Include objects from sub containers: Select this check box to include child objects.
f. Select the group to add: The results of the search displays in this grid. Select one or more groups to add to the discovery job.
2. Click Preview to test the conditions you have configured and display a list of assets Safeguard for Privileged Passwords will find in the directory or network you specified based on the conditions entered.
3. Click OK to save your selections.
Edit Connection Template (asset discovery)
You can change how you want Safeguard for Privileged Passwords to connect to and communicate with the discovered assets. The default Connection Template is None so assets are authenticated manually.
Navigate to Administrative Tools | Discovery | Asset Discovery | (add or edit a Asset Discovery job) | Asset Discovery dialog | Rules tab | Asset Discovery Rule dialog | Connection Template.
Discovery details
l Once Safeguard for Privileged Passwords creates an asset, it will not attempt to recreate it or modify the asset if the asset is rediscovered by a different job.
l Any SSH host keys encountered in discovery will be automatically accepted.
l You can configure multiple rules for an Asset Discovery job. When Safeguard for Privileged Passwords runs the Asset Discovery job, if it finds an asset with more than one rule, it applies the connection and profile settings of the first rule that discovers the asset.
To edit connection template information
1. Navigate to the Asset Discovery Rule dialog, click Connection Template.
Edit next to
2. In the Connection Template dialog, Product defaults to Use Discovered Platform. You can select a different product and may need to completed additional information based on the product selected.
3. Select an Authentication Type:
l SSH Key: To authenticate to the asset using an SSH authentication key.
l Browse to select an SSH Key and provide the service Service Account Name.
l You can edit or remove the Service Account Profile. Available profiles are based on the partition selected on the General tab (asset discovery).
Safeguard for Privileged Passwords 2.11.1 Administration Guide Discovery
234
�l Directory Account: To authenticate to the assets using the service account from an external identity store such as Microsoft Active Directory, select the service account.
l Under Service Account Name, click Select Account to choose the directory account. The Service Account Profile for the directory account displays for reference.
l You can edit or remove the Service Account Profile. Available profiles are based on the partition selected on the General tab (asset discovery).
l Password: To authenticate to the assets using a local service account and password.
l Enter the Service Account Name and Password.
l You can edit or remove the Service Account Profile. Available profiles are based on the partition selected on the General tab (asset discovery).
l None: The accounts associated with the asset are not managed and no asset related credentials are stored.
4. Click Advanced to enter settings if you selected one of these authentication types: SSH Key, Directory Account, or Password. If you selected None, the Advanced settings are not needed and are ignored, if entered.
l Privilege Elevation Command:
If required, enter a privilege elevation command (such as sudo). This is used as a prefix for commands that require privileged access on the system and to manage accounts on Unix-based systems; that is, to check and change passwords and to discover accounts.
l Port: Enter the port number for the connection.
l Allow Session Requests: This check box is selected by default indicating that authorized users can request session access for the discovered assets. Clear the check box if you do not want to allow session requests for the asset.
l RDP Port: Specify the access port on the target server to be used for RDP session requests.
l SSH Port: Specify the access port on the target server to be used for SSH session requests.
l Connection Timeout: The session timeout period.
l Privilege Level Password: Enter the system enable password to allow access to the configuration.
l Client ID: Enter the application Client ID (for example, for ServiceNow or SAP).
l Use SSL Encryption: Select this option to enable Safeguard to encrypt communication with this asset. If you do not select this option for a MicrosoftSQL Server that is configured to force encryption, Test Connection will use untrusted encryption and succeed with valid credentials. For more
Safeguard for Privileged Passwords 2.11.1 Administration Guide Discovery
235
�information about how Safeguard database servers use SSL, see How do Safeguard for Privileged Passwords database servers use SSL
l Verify SSL Certificate: Use this option to enable or disable SSL Certificate verification on the asset. When enabled, Safeguard for Privileged Passwords compares the signing authority of the certificate presented by the asset to the certificates in the Trusted Certificates store every time Safeguard for Privileged Passwords connects to the asset. Trust must be established for Safeguard for Privileged Passwords to manage the asset. For Safeguard for Privileged Passwords to verify an SSL certificate, you must add the asset's signing authority certificate to the Trusted Certificates store. Only clear the Verify SSL Certificate option if you do not want to establish trust with the asset's certificate in Safeguard for Privileged Passwords's Trusted Certificates store. One Identity does not recommend disabling this option in production environments.
l Workstation ID: Specify the configured workstation ID, if applicable. This option is for IBM i systems.
l Instance: Specify the Instance name if you have configured multiple instances of a SQL Server on this asset. If you have configured a default (unnamed) instance of the SQL Server on the host, you need to provide the IP address and port number.
5. Click OK.
6. If asked to Verify Host Authenticity, click Yes to accept the SSH Key for the host.
Add Asset Profile (asset discovery)
During Asset Discovery, Safeguard for Privileged Passwords automatically adds the assets that it finds and begins to manage them according to the settings in the asset profile you set on the Rules tab.
Discovery details
l Once Safeguard for Privileged Passwords creates an asset, it will not attempt to recreate it or modify the asset if the asset is rediscovered by a different job.
l Any SSH host keys encountered in discovery will be automatically accepted.
l You can configure multiple rules for an Asset Discovery job. When Safeguard for Privileged Passwords runs the Asset Discovery job, if it finds an asset with more than one rule, it applies the connection and profile settings of the first rule that discovers the asset.
Navigate to Administrative Tools | Discovery | Asset Discovery | (add or edit a Asset Discovery job) | Asset Discovery dialog | Rules tab | Asset Discovery Rule dialog | Asset Profile.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Discovery
236
�To edit the asset profile information
1. Click Edit next to Asset Profile. 2. Browse to select a profile to govern the discovered assets.
NOTE: You can only choose a profile that is associated with the partition selected in the General tab (asset discovery). 3. Click OK to save your selection.
Schedule tab (asset discovery)
From the Asset Discovery dialog, Schedule tab, configure when you want to run the Asset Discovery job. Select Run Every to run the job along per the run details you enter. (If you clear Run Every, the schedule details are lost.)
l Configure the following: To specify the frequency without start and end times, select from the following controls. If you want to specify start and end times, go to the Use Time Window selection in this section. l Minutes: The job runs per the frequency of minutes you specify. For example, Every 30 Minutes runs the job every half hour over a 24-hour period. It is recommended you do not use the frequency of minutes except in unusual situations, such as testing. l Hours: The job runs per the minute setting you specify. For example, if it is 9 a.m. and you want to run the job every two hours at 15 minutes past the hour starting at 9:15 a.m., select Runs Every 2 Hours @ 15 minutes after the hour. l Days: The job runs on the frequency of days and the time you enter. For example, Every 2 Days @ 11:59:00 PM runs the job every other evening just before midnight. l Weeks The job runs per the frequency of weeks at the time and on the days you specify. For example, Every 2 Weeks @ 5:00:00 AM and Repeat on these days with MON, WED, FRI selected runs the job every other week at 5 a.m. on Monday, Wednesday, and Friday. l Months: The job runs on the frequency of months at the time and on the day you specify. For example, If you select Every 2 Months @ 1:00:00 AM along with First Saturday of the month, the job will run at 1 a.m. on the first Saturday of every other month.
l Select Use Time Windows if you want to enter the Start and End time. You can click
Safeguard for Privileged Passwords 2.11.1 Administration Guide Discovery
237
�add or - delete to control multiple time restrictions. Each time window must be at least one minute apart and not overlap. For example, for a job to run every ten minutes every day from 10 p.m. to 2 a.m., enter these values: Enter Every 10 Minutes and Use Time Windows:
l Start 10:00:00 PM and End 11:59:00 AM l Start 12:00:00 AM and End 2:00:00 AM
An entry of Start 10:00:00 PM and End 2:00:00 AM will result in an error that the end time must be after the start time. If you have selected Days, Weeks, or Months, you will be able to select the number of times for the job to Repeat in the time window you enter. For a job to run two times every other day at 10:30 am between the hours of 4 a.m. and 8 p.m., enter these values: For days, enter Every 2 Days and set the Use Time Windows as Start 4:00:00 AM and End 20:00:00 PM and Repeat 2. l Time Zone: Select the time zone.
Summary tab (asset discovery)
From the Asset Discovery dialog, Summary tab, review the Asset Discovery job parameters and save it.
1. Review the following settings: l Method l Information l Rules l Schedule
2. Modify the Asset Discovery job settings, if necessary. 3. Click OK to save the discovery job.
Editing an Asset Discovery job
You can change the settings for an Asset Discovery job. 1. Navigate to Administrative Tools | Discovery. 2. Click the Asset Discovery tile. 3. Select an Asset Discovery job.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Discovery
238
�4. Click Edit to update the selected Asset Discovery job. For more information, see Adding an Asset Discovery job on page 228.
5. Make the updates. 6. Click OK.
Deleting an Asset Discovery job
You can delete an Asset Discovery job. 1. Navigate to Administrative Tools | Discovery. 2. Click the Asset Discovery tile and select the Asset Discovery job to delete.
3. Click Delete. 4. Click OK.
Asset Discovery Results
You can view the results of running one or more Asset Discovery jobs. 1. Navigate to Administrative Tools | Discovery and click the Asset Discovery Results tile. 2. On the Asset Discovery Results grid:
l Click Refresh to refresh the results. l Select the time frame of the completed jobs you want to display which ranges
from the last 24 hours to the last 7, 30, 60, or 90 days. Or, click Custom to create a custom time frame.
3. Click Search and enter the character string to be used to search for a match. For more information, see Search box on page 63.
4. Click a column to sort the column information displayed for each job: l User: The user who ran the job or Automated System, if the job is run on an automated schedule l Date: The most recent date the Asset Discovery job successfully ran l Job Name: The name of the Asset Discovery job l Type: The type of Asset Discovery job (for example, Network Scan or Directory Scan) l Event: The outcome of running the Asset Discovery job event, which may be Asset Discovery Succeeded, Asset Discovery Failed, or Asset Discovery Started.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Discovery
239
�l Partition: The partition in which the discovered assets will be managed l Appliance: The name of the Safeguard for Privileged Passwords Appliance l Directory: If applicable, the name of the directory on which the Asset
Discovery job ran l # Assets Found: The number of asset found during the discovery job 5. For additional detail on an Asset Discovery job result, double-click the result row to view the Asset Discovery Results pop-up window. On this window, click # of Assets Found to see a list of the assets.
Account Discovery
Account Discovery jobs include the rules Safeguard for Privileged Passwords uses to perform account discovery against assets. When you add an Account Discovery job, you can identify whether or not to automatically manage found accounts, whether to discover services, and whether to automatically configure dependent systems. The accounts in the scope of the discovery job may include accounts that were previously added (manually) to the Safeguard partition. For more information, see Adding an account on page 147. To configure and schedule account discovery jobs, perform one of the following:
l You can create or edit an Account Discovery job from Administrative Tools | Discovery | Account Discovery. Then, associate assets to the Account Discovery job via the Occurrences button.
IMPORTANT: You must click Occurrences to associate assets to the Account Discovery job. If you do not associate the assets to the Account Discovery job, the accounts will not be found. l You can create or edit an asset and, in the process, assign or create an Account Discovery job. For more information, see Adding an asset on page 185.
Supported platforms
Safeguard for Privileged Passwords supports account discovery on the following platforms: l AIX l HP-UX l Linux / Unix (based) l MAC OS X l Solaris l Windows (services and tasks)
Safeguard for Privileged Passwords 2.11.1 Administration Guide Discovery
240
�Properties and toolbar
Navigate to Administrative Tools | Discovery | Account Discovery. Use these toolbar buttons to manage the Account Discovery jobs.
Table 69: Account Discovery: Toolbar
Option
Description
Add
Add an Account Discovery job. For more information, see Adding an Account Discovery job on page 244.
Delete Selected Delete the selected Account Discovery job.
Refresh
Update the list of Account Discovery jobs.
Edit
Modify the selected Account Discovery job. You can also doubleclick a row to open the edit dialog.
Discover Accounts
Discover the accounts on the selected Account Discovery job. Select the asset on the Asset dialog. A Task pop-up displays which shows the progress and completion.
Discover Services
Discover the services on the selected Account Discovery job. Select the asset on the Asset dialog. A Task pop-up displays
which shows the progress and completion.
Details
View additional details about the selected Account Discovery job.
Occurrences
Add, delete, or refresh the assets associated with the Account Discovery job.
IMPORTANT: You must associate the assets to the Account Discovery job for the accounts to be found.
Search
Enter the character string to be used to search for a match. For more information, see Search box on page 63.
Account Discovery jobs display in the grid.
Table 70: Account Discovery: Account Discovery job grid
Name
Name of the discovery job
Creator
Indicates the source of the job, for example, Automated System or a specific administrator.
Discovery The type of discovery performed, for example, Windows, Unix, or Directory. Type
Directory The directory on which the discovery job runs.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Discovery
241
�Partition The partition in which to manage the discovered assets or accounts.
Schedule Designates when the discovery job runs.
Discover A check mark displays if the job will discover service accounts. Services
Auto
A check mark displays if the accounts that are discovered in the Service
Configure Discovery job are automatically configured as dependent accounts on the
asset.
Asset Count
Total number of assets assigned to the Account Discovery job. A Caution displays if no accounts are assigned to the Account Discovery job therefore no data will be discovered.
Double-click on an Account Discovery job to view the details.
Table 71: Account Discovery tab properties
Partition The partition on which the Account Discovery job runs
Name
The name of the Account Discovery job
Description The description of the Account Discovery job
Discovery The type platform, for example, Windows, Unix, or Directory Type
Directory If applicable, the directory on which the selected Account Discovery job runs
Schedule The interval for the Account Discovery job to run
Rules
l Name: Name of the discovery job
l Rule Type: What the search is based on. For example, the rule may be Name based or Property Constraint based if the search is based on account properties. For more information, see Adding an Account Discovery rule on page 246.
l Filter Search Location: If a directory is searched, this is the container within the directory that was searched.
l Auto Manage: A check mark displays if discovered accounts are automatically added to Safeguard for Privileged Passwords.
l Set default password: A check mark displays if the rule causes default passwords to be set automatically.
l Assign to Profile: The partition profile assigned
l Assign to Sync Group: A check mark displays if the rule automatically associated the accounts with a password sync group.
l Enable Password Request: A check mark displays if the passwords is available for release.
l Enable Session Request: A check mark displays if session access is enabled.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Discovery
242
�Related Topics
Account Discovery job workflow
Account Discovery job workflow
Safeguard for Privileged Passwords's Account Discovery jobs discover accounts of the assets that are in the scope of a partition profile. For more information, see About partition profiles on page 286. Account Discovery jobs can include service discovery. You can configure, schedule, test, and run Account Discovery jobs. After the job has run, you can select whether to manage the account, if it was not identified to be automatically managed.
1. Create an Account Discovery job and associate assets or create an asset and associate the Account Discovery job. l To create an Account Discovery job then add assets. For more information, see Adding an Account Discovery job on page 244. l To create an asset and associate an Account Discovery job. For more information, see Adding an asset on page 185.
2. Account Discovery jobs can be scheduled to run automatically. In addition you can manually launch these jobs in any of the following ways: l From Assets, right-click the asset and choose to run the account or service discovery.
l From Discovery | Account Discovery click Discover Accounts or Discover Services.
l From Assets | Discovered Services click Discover Services. For more information, see Discovered Services tab (asset) on page 182.
3. After the Account Discovery job runs, you can mark the managed accounts from Administrative Tools | Discovery | Discovered Accounts.
l Click Disable to prevent Safeguard for Privileged Passwords from managing the selected account.
l Click Enable to manage the selected account and assign it to the scope of the default profile.
NOTE: The discovery job finds all accounts that match the discovery rule's criteria regardless of the state and reports only the accounts discovered that do not currently exist. Account Discovery does not update existing accounts.
Search the Activity Center for information about discovery jobs that have run. Safeguard for Privileged Passwords lists the account discovery events in the Account Discovery Activity category.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Discovery
243
�Adding an Account Discovery job
It is the responsibility of the Asset Administrator or the partition's delegated administrator to configure the rules that govern how Safeguard for Privileged Passwords performs account discovery. For more information, see Account Discovery job workflow on page 243.
To add an account discovery job
1. Navigate to Administrative Tools | Discovery | Account Discovery.
2. Click Add to open the Account Discovery dialog.
3. Provide the following:
a. Partition: Browse to select a partition.
b. Name: Enter a name for the account discovery job. Limit: 50 characters.
c. Description: Enter descriptive text about the account discovery job. Limit: 255 characters
d. Discovery Type: The platform, for example, Windows, Unix, or Directory. Make sure the Discovery Type is valid for the assets associated with the Partition selected earlier on this dialog.
e. Directory: If the Discovery Type is Directory, select the directory on which the Account Discovery job runs.
f. Click the Schedule button and choose an interval for to run the Account Discovery job.
In the Schedule dialog, select Run Every to run the job along per the run details you enter. (If you deselect Run Every, the schedule details are lost.)
l Configure the following:
To specify the frequency without start and end times, select from the following controls. If you want to specify start and end times, go to the Use Time Window selection in this section.
l Minutes: The job runs per the frequency of minutes you specify. For example, Every 30 Minutes runs the job every half hour over a 24-hour period. It is recommended you do not use the frequency of minutes except in unusual situations, such as testing.
l Hours: The job runs per the minute setting you specify. For example, if it is 9 a.m. and you want to run the job every two hours at 15 minutes past the hour starting at 9:15 a.m., select Runs Every 2 Hours @ 15 minutes after the hour.
l Days: The job runs on the frequency of days and the time you enter.
For example, Every 2 Days @ 11:59:00 PM runs the job every other evening just before midnight.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Discovery
244
�l Weeks The job runs per the frequency of weeks at the time and on the days you specify.
For example, Every 2 Weeks @ 5:00:00 AM and Repeat on these days with MON, WED, FRI selected runs the job every other week at 5 a.m. on Monday, Wednesday, and Friday.
l Months: The job runs on the frequency of months at the time and on the day you specify.
For example, If you select Every 2 Months @ 1:00:00 AM along with First Saturday of the month, the job will run at 1 a.m. on the first Saturday of every other month.
l Select Use Time Windows if you want to enter the Start and End time.
You can click add or - delete to control multiple time restrictions. Each time window must be at least one minute apart and not overlap.
For example, for a job to run every ten minutes every day from 10 p.m. to 2 a.m., enter these values:
Enter Every 10 Minutes and Use Time Windows:
l Start 10:00:00 PM and End 11:59:00 AM
l Start 12:00:00 AM and End 2:00:00 AM
An entry of Start 10:00:00 PM and End 2:00:00 AM will result in an error that the end time must be after the start time.
If you have selected Days, Weeks, or Months, you will be able to select the number of times for the job to Repeat in the time window you enter.
For a job to run two times every other day at 10:30 am between the hours of 4 a.m. and 8 p.m., enter these values:
For days, enter Every 2 Days and set the Use Time Windows as Start 4:00:00 AM and End 20:00:00 PM and Repeat 2.
l Time Zone: Select the time zone.
g. Rules: You can add, delete, edit or copy rules. For more information, see Adding an Account Discovery rule on page 246.
h. Discover Services: (For Windows accounts only and deselected by default.) Select this check box so that when the discovery job is run, services are discovered and can be viewed in by clicking the Discovered Services tile. For more information, see Discovered Services on page 254.
For more information, see Adding an Account Discovery job on page 244.
Automatically Configure Dependent Systems: (For Windows accounts only and deselected by default.) Select this check box so that any directory accounts that are discovered in the Service Discovery job are automatically configured as dependent accounts on the asset where the service or task was discovered. The dependencies are listed on Administrative Tools | Assets | Account Dependencies. If you clear the check box and run the account
Safeguard for Privileged Passwords 2.11.1 Administration Guide Discovery
245
�discovery job again, the dependencies are not removed. Dependencies can be manually removed from Administrative Tools | Assets | Account Dependencies. For more information, see Account Dependencies tab (asset) on page 180.
4. Click OK.
5. Select the assets to which the account discovery rule applies using one of these approaches:
l Go to the asset and configure the account discovery rules. For more information, see Account Discovery tab (add asset) on page 190.
l From the Account Discovery job grid, click the link in the Asset Count column to select assets. For more information, see Account Discovery on page 240.
Adding an Account Discovery rule
Use the Account Discovery Rule dialog to define the search criteria to be used to discover directory accounts.
You can dynamically tag an account from Active Directory. In addition, you can add a dynamic account group based on membership in an Active Directory group or if the account is in a organizational unit (OU) in Active Directory.
NOTE: For Unix, all search terms return exact matches. A user name search for ADM only returns ADM, not AADMM or 1ADM2. To find all names that contain ADM, you must include ".*" in the search term; like this: .*ADM.*.
For Windows and Directory, the search terms is contained in the result. A user name search for ADM returns ADM, AADMM, and 1ADM2.
All search terms are case sensitive. On Windows platforms (which are case insensitive), to find all accounts that start with adm, regardless of case, you must enter [Aa][Dd][Mm].*.
To add an Account Discovery rule
1. On the Account Discovery dialog, click Add Discovery Rule to open the Account Discovery Rule dialog.
2. Name: Enter a unique name for the account discovery rule. Limit: 50 characters.
3. Find By: Select one of the types of search below. If the Discovery Type on the previous Account Discovery dialog is Windows or Unix, you can search by Property Constraint or Find All. The search options Name, Group, and LDAP Filter are only available if the Discovery Type is Directory.
l Name: Select this option to search by account name.
l For a regular search (not directory), in Contains enter the characters to search.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Discovery
246
�l If you are searching a directory:
l Select Start With or Contains and enter the characters used to search subset within the forest. When using Active Directory for a search, you can use a full ambiguous name resolution (ANR) search. Type a full or partial account name. You can only enter a single string (full or partial account name) at a time. For example, entering "t" will return all account names that begin with the letter "t": Timothy, Tom, Ted, and so on. But entering "Tim, Tom, Ted" will return no results.
l Click Browse to select the container to search within the directory. The location displays in Filter Search Location.
l Select Include objects from sub containers to include sub containers in the search.
l Click Preview then verify the search result in the Accounts dialog including Name and Domain Name.
l Group: Select this option to search by group name.
l Click Add to launch the Group dialog.
l Starts withor Contains: Enter a full or partial group name and click Search. You can only enter a single string (full or partial group name) at a time.
l Filter Search Location. Click Browse to select a container to search within the directory.
l Include objects from sub containers: Select this check box to include child objects.
l Select the group to add: The results of the search displays in this grid. Select one or more groups to add to the discovery job.
l Click Preview then verify the search result in the Accounts dialog including Name and Domain Name.
l Property Constraint: Select this option to search for accounts based on an account's property. Available Unix properties are GID, UID, Name, and Group. Available Windows and Directory properties are RID, GID, UID, Name, and Group. All are limited to 255 numeric characters.
IMPORTANT: Some Property Constraint selections may give slow results. Using Group is especially discouraged.
l Selections:
l RID (ranges): RID property only applies to Windows and Microsoft Active Directory. Enter one or more Relative Identifier numbers. To enter multiple IDs or ID ranges, you must enter each element of the list separately. For example, type in 1000 and press Enter. Then type in 5000-7000 and
Safeguard for Privileged Passwords 2.11.1 Administration Guide Discovery
247
�press Enter. The selections display and can be deleted. Spaces and commas are not allowed.
l GID (ranges): Enter one or more Group Identifier numbers. To enter multiple IDs or ID ranges, you must enter each element of the list separately. For example, type in 8 and press Enter. Type in 10-12 and press Enter. The selections display and can be deleted. Spaces and commas are not allowed.
l UID (ranges): Enter one or more User Identifier numbers. To enter multiple IDs or ID ranges, you must enter each element of the list separately. For example, type in 1 and press Enter. Then type in 5-7 and press Enter. The selections display and can be deleted. Spaces and commas are not allowed.
l Name (ranges): Using Name (ranges) is discouraged as it may slow your results. It is recommended you use Name (described earlier) to search by account name. To use, enter a single regular expression pattern. For more information, see Regular expressions on page 605.
l Group (ranges): Using Group (ranges) is discouraged as it may slow your results. It is recommended you use Group (described earlier) to search by group name. To use, enter a single regular expression pattern. For more information, see Regular expressions on page 605.
l If you are searching a directory:
l Click Browse to select the container to search within the directory. The location displays in Filter Search Location.
l To include sub containers in your search, select Include objects from sub containers.
l Click Preview then verify the search result in the Accounts dialog including Name and Domain Name.
l LDAP Filter: Select this option to search for accounts using an LDAP query. Type an LDAP query into the field.
l Find All: This option is selected by default and will find all accounts based on the rules.
l If you are searching a directory:
l Click Browse to select the container to search within the directory. The location displays in Filter Search Location.
l To include sub containers in your search, select Include objects from sub containers.
l Click Preview then verify the search result in the Accounts dialog including Name and Domain Name.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Discovery
248
�4. Automatically Manage Found Accounts: Select to automatically add the discovered accounts to Safeguard for Privileged Passwords. When selected, you can select Set default password then enter the password.
5. Assign to Sync Group: Click Browse to select a password sync group to control password validation and reset across all associated accounts. For more information, see Password sync groups on page 427.
6. Assign to Profile: If a profile was not automatically assigned for a sync group (previous step), click Browse to select a profile to identify the configuration settings for the discovered accounts. About partition profiles.
7. Enable Password Request: This check box is selected by default, indicating that password release requests are enabled for this account. Clear this option to prevent someone from requesting the password for this account. By default, a user can request the password for any account in the scope of the entitlements in which they are an authorized user.
8. Enable Session Request:This check box is selected by default, indicating that session access requests are enabled for this account. Clear this option to prevent someone from requesting session access using this account. By default, a user can make an access request for any account in the scope of the entitlements in which he or she is an authorized user.
9. (For directory accounts only) Available for use across all partitions: When selected, any partition can use this account and the password is given to other administrators. For example, this account can be used as a dependent account or a service account for other assets. Potentially, you may have assets that are running services as the account, and you can update those assets when the service account changes. If not selected, partition owners and other partitions will not know the account exists. Although archive servers are not bound by partitions, this option must be selected for the directory account for the archive server to be configured with the directory account.
10. Click OK. The Accounts Discovery dialog displays a list of the rules for this Account Discovery job.
11. Click OK to save the Account Discovery job.
Editing an Account Discovery job
Changing the assets associated with an Account Discovery job
To change the assets associated with an Account Discovery job, perform on of the following:
l From Account Discovery:
1. Go to Administrative Tools | Discovery | Account Discovery.
2. Select the Account Discovery job.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Discovery
249
�3. Click Occurrences. 4. Add the asset to the job. l From Assets: 1. Go to Administrative Tools | Assets. 2. Click the the asset.
3. On the General tab, go to Account Discovery and click Edit. 4. In the Description drop-down, select the Account Discovery job. For more
information, see Account Discovery tab (add asset) on page 190. l From Partitions:
1. Go to Administrative Tools | Partitions. 2. Select the partition. 3. Click the Assets tab. 4. From the list of assets in the partition, double-click the asset.
5. Scroll to Account Discovery and click Edit. 6. In the Description drop-down, select the Account Discovery job. For more
information, see Account Discovery tab (add asset) on page 190.
Changing the settings for an Account Discovery job You can change the settings for an Account Discovery job
1. Navigate to Administrative Tools |Discovery. 2. Click the Account Discovery tile. 3. Select an Account Discovery job.
4. Click Edit to update the selected Account Discovery job. For more information, see Adding an Account Discovery job on page 244.
5. Make the updates. 6. Click OK.
Deleting an Account Discovery job
You can delete an Asset Discovery job. 1. Navigate to Administrative Tools |Discovery. 2. Click the Asset Discovery tile.
3. Click Delete to delete the selected Asset Discovery job. 4. Click OK.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Discovery
250
�Account Discovery Results
You can view the results of running one or more Account Discovery jobs. To see the results of discoveries, see Discovered Accounts
1. Navigate to Administrative Tools | Discovery and click the Account Discovery Results tile.
2. On the Account Discovery Results grid:
l Click Refresh to refresh the results. l Select the time frame of the completed jobs you want to display which ranges
from the last 24 hours to the last 7, 30, 60, or 90 days. Or, click Custom to create a custom time frame.
3. Click Search and enter the character string to be used to search for a match. For more information, see Search box on page 63.
4. View the following information displays for each job: l User: The user who ran the job or Automated System, if the job is run on an automated schedule. l Date: The most recent date the Account Discovery job successfully ran. l Asset: The asset which is associated with the Account Discovery job. l Event: The outcome of running the Account Discovery job event, which may be Account Discovery Succeeded, Account Discovery Failed, or Account Discovery Started. l Partition: The partition in which the discovered accounts will be managed. l Profile: The partition profile which will govern the discovered accounts. l Account Discovery Job: Name of the discovery schedule. l Appliance: The name of the Safeguard for Privileged Passwords Appliance. l # Accounts Found: The number of accounts found during the discovery job.
5. For additional detail on an Account Discovery job result, double-click the result row to view the Account Discovery Results pop-up window. On this window, click # of Accounts Found to see a list of the accounts.
Discovered Accounts
You can view the results of all Account Discovery jobs that have ever run in a partition (in other words, all accounts ever discovered) and choose to enable or disable the accounts. Accounts created display as managed accounts in the Discovered Accounts properties grid (see below). For more information, see Management tab (add asset) on page 187. Navigate to Administrative Tools | Discovery | Discovered Accounts tile.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Discovery
251
�Use these toolbar buttons to manage the discovered accounts.
Table 72: Discovery: Discovered Accounts toolbar
Option
Description
Partition
Select the partition associated with the discovered accounts you want to view.
Manage
Select Manage to have Safeguard for Privileged Passwords manage an account with no (blank) status or accounts with a status of Disabled. The Disabled status is displayed when a discovered account was set to Managed then Ignored.
Ignore
Select Ignore to set the Status to Ignore to prevent Safeguard for Privileged Passwords from managing the selected account.
An ignored account is not unconfigured as a dependent account. If you choose to Manage the asset later, Safeguard for Privileged Passwords reenables recognition of all the associated accounts.
Show Ignored
Display the accounts with a Status of Ignored (disabled).
Hide Ignored
Hide the accounts with a Status of Ignored (disabled).
Refresh
Retrieve and display an updated list of discovered accounts. Ignored accounts are not displayed if Hide Ignored is selected.
Search
Enter the character string to be used to search for a match. For more information, see Search box on page 63.
The following information displays.
Table 73: Discovery: Discovered Accounts properties grid
Property
Description
Status
The discovered account may be:
l Managed: A discovered account that is managed
l Blank (no value): A discovered account that was not auto managed when discovered
l Ignored: A discovered account that was not auto managed and was ignored from discovery
l Disabled: A discovered account that previously had the status of Managed and then was marked Ignored
Name
The name of the account in Safeguard that maps to the discovered account associated with the asset. This can be a local account or
Safeguard for Privileged Passwords 2.11.1 Administration Guide Discovery
252
�Property
Domain Name
Account Name Account Discovery Job
Description an Active Directory account The domain name of the account if the account is an Active Directory account. The account to which the account is associated. Name of the discovery schedule.
Asset Discovery Rule The name of the Asset Discovery rule applied to discover the account.
Date/Time Discovered
The date and time when the service or task was discovered.
Service Discovery Results
Setting up Service Discovery To discover Windows services, you must first create an Account Discovery job, including an Account Discovery Rule, and select Discovery Services. When the discovery job is run, services are discovered. The discovery of services is not dependent on the discovery rules. For more information, see Adding an Account Discovery job on page 244.
Viewing Service Discovery Results Service Discovery is configured on an Account Discovery job but runs separately. You can view the results of service discovery by time frame.
1. Navigate to Administrative Tools | Discovery and click the Service Discovery Results tile.
2. On the Service Discovery Results grid:
l Click Refresh to refresh the results. l Select the time frame of the completed jobs you want to display which ranges
from the last 24 hours to the last 7, 30, 60, or 90 days. Or, click Custom to create a custom time frame.
3. Click Search and enter the character string to be used to search for a match. For more information, see Search box on page 63.
4. View the following information displays for each job: l User: The user who ran the job or Automated System, if the job is run on an automated schedule. l Date: The most recent date the Account Discovery job successfully ran.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Discovery
253
�l Asset: The asset that is associated with the discovery job.
l Event: The outcome of running the discovery job event, which may be Service Discovery Started, Service Discovery Succeeded, or Service Discovery Failed. Succeeded and failed appear in Event on the Service Discovery Results dialog. All three events display in the Activity Center.
l Partition: The partition in which the discovered service accounts will be managed.
l Profile: The partition profile that will govern the discovered service accounts.
l Account Discovery Job: Name of the discovery schedule.
l Appliance: The name of the Safeguard for Privileged Passwords Appliance.
l # Accounts Found: The number of service accounts found during the discovery job.
5. For additional detail on a Service Account Discovery job result, double-click the result row to view the Service Account Discovery Results pop-up window. On this window, click # of Accounts Found to see a list of the accounts.
Discovered Services
The Discovery | Discovered Services tile displays the following for the selected partition on which the services were discovered. If desired, dependencies must be manually removed.
The Asset Administrator or delegated administrator can configure service discovery jobs to scan Windows assets and discover Windows services and tasks that may require authorization credentials. If the Windows asset is joined to a Windows domain, the authorization credentials can be local on the Windows asset or be Active Directory credentials.
Running Service Discovery jobs automatically and manually
l Service discovery jobs run automatically in the background if Discover Services check box is selected. If the Automatically Configure Dependent Systems check box is selected, any directory accounts that are discovered in the Service Discovery job are automatically configured as dependent accounts on the asset where the service or task was discovered. For more information, see Adding an Account Discovery job on page 244.
l You can manually run a Service Discovery job from Administrative Tools | Assets | Discovered Services. For more information, see Discovered Services tab (asset) on page 182.
Discovered services and tasks association to known Safeguard accounts
Service discovery jobs associate Windows services and tasks with accounts that are already managed by Safeguard for Privileged Passwords. The accounts put under management display with an Account Status of Managed. When the account's password
Safeguard for Privileged Passwords 2.11.1 Administration Guide Discovery
254
�is changed by Safeguard, Safeguard updates the password corresponding to the services or tasks on the asset according to the asset's profile change settings.
Service Discovery with Active Directory
A discovered service or task configured to use Active Directory authentication can be automatically associated to the asset with the account managed by Safeguard. Effectively, the asset will have an account dependency on the account.
To automatically associate, the Account Discovery job (which runs when Safeguard synchronizes the directory) must have the Automatically Manage Found Accounts check box selected. For more information, see Adding an Account Discovery rule on page 246.
View Service Discovery job status
From the Activity Center, you can select the Activity Category named Service Discovery Activity, which shows the Event outcomes: Service Discovery Succeeded, Service Discovery Failed, or Service Discovery Started.
Discovered Services toolbar and properties
Navigate to Administrative Tools | Discovery | Discovered Services tile. Use these toolbar buttons to manage the discovered services.
Table 74: Discovery: Discovered Services toolbar
Option
Description
Partition
Select the partition for the discovered services.
Show |
Ignore
The Show and Ignore buttons control the Service Ignored column on this window so the administrator can either display or ignore the rows.
The Account Status column is controlled by the Manage and Ignore buttons on the Discovered Accounts grid. For more information, see Discovered Accounts on page 251.
Show Ignored
Display the accounts with a Status of Ignored.
Hide Ignored
Hide the accounts with a Status of Ignored.
Refresh
Retrieve and display an updated list of discovered accounts. Ignored accounts are not displayed if Hide Ignored is selected.
Search
Enter the character string to be used to search for a match. For more information, see Search box on page 63.
The grid shows the Asset Name, Account, Domain Name, System Name, and Account Status for the Discovered Account that Safeguard found that is matched up with the service discovered. The service is identified by a Service Name (with a Service Type of Service or Task).
Safeguard for Privileged Passwords 2.11.1 Administration Guide Discovery
255
�Table 75: Discovery: Discovered Services properties
Property
Description
Asset Name
The name of the asset where the service or task was discovered.
Account
The name of the account that maps to the Discovered Account column.
Domain Name
The domain name of the account if the account is an Active Directory account. Used to help determine uniqueness.
System Name
The system or asset that hosts the discovered mapped account.
Account Status
The Account Status column is controlled by the Manage and Ignore buttons on the Discovered Accounts grid. For more information, see Discovered Accounts on page 251.
The discovered account may be:
l Managed: A discovered account that is managed
l Blank (no value): A discovered account that was not auto managed when discovered
l Ignored: A discovered account that was not auto managed and was ignored from discovery
l Disabled: A discovered account that previously had the status of Managed and then was marked Ignored
Dependent Account
A check displays if the account is associated as an account dependency on the asset. The value is blank if the account is not associated as an account dependency of the asset. This automatic dependency mapping only happens if the Automatically Manage Found Accounts option is selected on the Account Discovery job associated with the partition profile that is associated to the asset. For more information, see Adding an Account Discovery job on page 244.
Service Type
Type of service discovered. Values may be Service or Task.
Service Name
The name of the discovered service or task.
Service Enabled
A check displays if the service or task on the asset is enabled on the target machine. If there is no check mark, the service or task is disabled on the target machine.
Service Ignored
Ignored means the service or task will not show up in the grid. In other words, the service or task is hidden. This is controlled by the
Show | Ignore actions on this grid.
Discovered Account The discovered account name. If the account has an Account Status of Managed, then the Account, Domain Name, and
Safeguard for Privileged Passwords 2.11.1 Administration Guide Discovery
256
�Property
Date/Time Discovered
Description System Name display. The date and time when the service or task was discovered.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Discovery
257
�16
Entitlements
A Safeguard for Privileged Passwords entitlement is a set of access request policies that restrict system access to authorized users. Typically, you create entitlements for various job functions; that is, you assign permissions to perform certain operations to specific roles such as Help Desk Administrator, Unix Administrator, or Oracle Administrator. Password release entitlements consist of users, user groups, and access request policies. Session access request entitlements consist of users, user groups, assets, asset groups, and access request policies.
The Auditor and the Security Policy Administrator have permission to access Entitlements. An administrator creates an entitlement then creates one or more access request policies associated with the entitlement, and finally add users or user groups.
Go to Administrative Tools and click Entitlements. The Entitlements view displays.
If there are one or more invalid or expired policies, a Warning and message like Entitlement contains at least one invalid policy. displays. Go to the Access Request Policy tab to identify the invalid policy. For more information, see Access Request Policies tab on page 261.
The following information displays about the selected entitlement:
l General tab: Displays the general and time restriction settings information for the selected entitlement.
l Users tab: Displays the user groups or users who are authorized to request access to the accounts or assets in the scope of the selected entitlement's policies. Certificate users are included in the display if the user was created during a Safeguard for Privileged Sessions join and was assigned and used by a Sessions Appliance. The certificate users created during the join can be added to the Users tab but are not there by default.
l Access Request Policies tab: Displays the access request policies that govern the accounts or assets in the selected entitlement, including session access policies.
l History tab: Displays the details of each operation that has affected the selected entitlement.
Use these toolbar buttons to manage entitlements.
l
Add Entitlement: add entitlements to Safeguard for Privileged Passwords. For
more information, see Adding an entitlement on page 265.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Entitlements
258
�l
Delete Selected: Remove the selected entitlement. For more information, see
Deleting an entitlement on page 283.
l
Refresh: Update the list of entitlements.
l
Search: You can search by a character string or by a selected attribute with
conditions you enter. To search by a selected attribute click Search and select an attribute to search. For more information, see Search box on page 63.
Related Topics
Adding an entitlement Modifying an entitlement Creating an access request policy Modifying an access request policy Deleting an access request policy
General tab
The Administrative Tools | Entitlements | General tab lists information about the selected entitlement.
Large tiles at the top of the tab display the number of Users, Accounts, and Assets associated with the selected entitlement. Clicking a tile heading opens the corresponding tab.
Table 76: Entitlements General tab: General properties
Property
Description
Name
The entitlement name.
Priority
A unique number that determines the processing order of the entitlement in relation to other entitlements. For more information, see About priority precedence on page 266.
Table 77: Entitlements General tab: Time restrictions properties
Property
Description
Time Restrictions
The days and times this entitlement is in effect. For more information, see About time restrictions on page 268.
Expires
The day and time this entitlement expires.
Description: Information about the selected entitlement.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Entitlements
259
�Related Topics
Modifying an entitlement
Users tab
The Administrative Tools | Entitlements | Users tab displays the users and user groups who are authorized to request access for the accounts and assets in the scope of the selected entitlement's policies. Certificate users are included in the display if the user was created during a Safeguard for Privileged Sessions join and was assigned and used by a Sessions Appliance. The certificate users created during the join can be added to the Users tab but are not there by default.
Click Add User or User Group from the details toolbar to add one or more requester users or user groups to the selected entitlement.
Table 78: Entitlements: User tab properties
Property
Description
Type
Type of member:
l Group l User
Name
Name of the user or user group included in the selected entitlement.
Provider
The name of the authentication provider:
l Local
l Certificate
l The name of an external provider such as a Microsoft Active Directory domain name.
Domain Name
If applicable, the name of the domain of the user group or user
Use these buttons on the details toolbar to manage the requester users associated with the selected entitlement.
Table 79: Entitlements: Users tab toolbar
Option
Description
Add User or User Group
Add a requester user group or requester user to the entitlement. For more information, see Adding users or user groups to an entitlement on page 280.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Entitlements
260
�Option
Remove Selected
Refresh
Details
Search (case sensitive)
Description Remove the selected user or user group from the entitlement.
Update the list of requester users or user groups. View additional details about the selected user or user group.
To locate a specific user (or user group) or set of users (or user groups) in this list, enter the character string to be used to search for a match. For more information, see Search box on page 63.
Related Topics
Adding users or user groups to an entitlement
Access Request Policies tab
The Administrative Tools | Entitlements | Access Request Policies tab displays the password release policies that govern the accounts in the selected entitlement.
IMPORTANT:The selection made on the Entitlement | Access Request Policy tab takes precedence over the selections on Settings | Cluster | Managed Networks page. If a Managed Networks rule includes nodes from different SPS clusters, SPP will only select the nodes from the same cluster that was assigned on the Session Settings page of the Access Request Policy tab.
Click Create Access Policy from the details toolbar to add a policy to the selected entitlement.
Table 80: Entitlements: Access Request Policies tab properties
Property
Description
Priority
A unique number that determines the processing order of the policy. For more information, see About priority precedence on page 266.
Name
The name of the access request policy.
Access Type
Indicates the type of access requested:
l Password Release l RDP l SSH l Telnet
Safeguard for Privileged Passwords 2.11.1 Administration Guide Entitlements
261
�Property Scope Description Approvals Reviews Emergency
Time Restrictions Expired
Invalid
Description
The number of unique account groups, accounts (including the number of accounts in the specified account groups), asset groups, and assets (including the number of assets in the specified asset groups) governed by the selected policy.
Information about the selected policy.
A displays if there are approver settings for the access request policy. For more information, see Approver tab on page 272.
A displays if there are reviewer settings for the access request policy. For more information, see Reviewer tab on page 274.
A displays if a user can request emergency access to the accounts and assets governed by the policy.
Emergency Access overrides the Approver requirements; that is, when a user requests access using Emergency Access, the request is immediately approved, provided that the other constraints are met, such as the Requester settings. Multiple users are allowed to request emergency access simultaneously for the same account or asset.For more information, see Emergency tab on page 279.
A displays if time restrictions are specified for access requests for accounts and assets governed by the policy. For more information, see Time Restrictions tab on page 279.
A Warning displays for the entitlement when it contains at least one expired policy. You can configure Safeguard for Privileged Passwords to notify you of an impending entitlement or policy expiration by sending an event notification to a syslog server, in an email message, or a SNMP trap. For more information, see External Integration settings on page 377.
A Warning displays for the entitlement when it contains at least one invalid policy.
Check the following if there is an invalid policy.
l Validate that the SPS cluster is still joined to SPP.
l Validate the SPS cluster is available.
l Validate there are no network issues that prevent SPP from communicating with SPS.
l Validate SPP can communicate with the SPS cluster.
l Validate that the assigned session connection policy is on the SPS cluster master.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Entitlements
262
�Property
Description
l Validate the session connection policy is still compatible with SPP given what the administrator changed.
For more information, see Managed networks on page 366.
Use these buttons on the details toolbar to manage your access request policies.
Table 81: Entitlements: Access Request Policies tab toolbar
Option
Description
Create Access Policy
Add an access request policy to the selected entitlement. For more information, see Creating an access request policy on page 268.
Delete Selected
Remove the selected policy from the selected entitlement. For more information, see Deleting an access request policy on page
281.
Refresh
Update the list of access request policies.
Edit Access Policy
Modify the selected policy. For more information, see Modifying an access request policy on page 282.
Copy Access Policy
Make a copy of the selected policy. For more information, see Copying an access request policy on page 282.
Details
View additional details about the selected policy. For more information, see Viewing and editing policy details on page 282.
Search (case insensitive)
To locate a specific policy or set of policies in this list, enter the character string to be used to search for a match. For more information, see Search box on page 63.
History tab
The Administrative Tools | Entitlements | History tab allows you to view or export the details of each operation that has affected the selected entitlement. The top of the History tab contains the following information:
l Items: Total number of entries in the history log.
l
Refresh: Update the list displayed.
l
Export: Export the data to a .csv file.
l Search: For more information, see Search box on page 63.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Entitlements
263
�l Time Frame: By default, the history details are displayed for the last 24 hours. Click one of the time intervals at the top of the grid to display history details for a different time frame. If the display does not refresh after selecting a different time interval, click Refresh.
Table 82: Entitlements: History tab properties
Property
Description
Date/Time
The date and time of the event
User
The display name of the user that triggered the event
Source IP
The network DNS name or IP address of the managed system that triggered the event
Object Name
The name of the selected entitlement.
Event
The type of operation made to the selected entitlement:
l Create l Delete l Update l Add Membership l Remove Membership
NOTE:A membership operation indicates a relationship change with a related or parent object such as a user or user group was added or removed from the membership of an entitlement.
Related Object
The name of the related object
Related Object Type The type of the related object
Parent
The name of the object to which the selected entitlement is a child
Parent Object Type The parent object type
Select an event to display this additional information for some types of events (for example, create and update events).
Table 83: Additional History tab properties
Property
Description
Property
The property that was updated
Old Value
The value of the property before it was updated
New Value
The new value of the property
Safeguard for Privileged Passwords 2.11.1 Administration Guide Entitlements
264
�Managing entitlements
Use the controls and tabbed pages on the Entitlements page to perform the following tasks to manage Safeguard for Privileged Passwords entitlements:
l Adding an entitlement l Adding users or user groups to an entitlement l Creating an access request policy l Deleting an access request policy l Modifying an access request policy l Copying an access request policy l Viewing and editing policy details l Modifying an entitlement l Deleting an entitlement
Adding an entitlement
It is the responsibility of the Security Policy Administrator to add entitlements to Safeguard for Privileged Passwords.
To add an entitlement 1. Navigate to Administrative Tools | Entitlements. 2. Click Add Entitlement from the toolbar. 3. In the Entitlement dialog, provide information in each of the tabs:
General tab
Time Restrictions tab
Where you add general information about the entitlement Where you indicate entitlement time restrictions
Related Topics
Adding users or user groups to an entitlement
General tab
Navigate to Administrative Tools | Entitlements| (add or edit entitlement). On the General tab, specify the following information about the entitlement.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Entitlements
265
�Table 84: Entitlement: General tab properties
Property
Description
Name
Enter a unique name for the entitlement. Limit: 50 characters
Description
Enter descriptive text about the entitlement. Limit: 255 characters
Priority
The priority of this entitlement compared to other entitlements.
If a user desires to access an account in the scope of two different entitlements, then the entitlement with the highest priority (that is, the lowest number) takes precedence. For more information, see About priority precedence on page 266.
About priority precedence
An entitlement defines which users are authorized to checkout passwords for accounts in the scope of its policies. A policy defines scope (that is, which accounts) and the rules for checking out passwords, such as the duration, how many approvals are required, and so on. It is possible for an account to be governed by more than one entitlement, or is in the scope of more than one policy within an entitlement. Safeguard for Privileged Passwords uses both entitlement and policy priorities to determine which policy to use for a password release. Safeguard for Privileged Passwords first considers the entitlement priority, then the priorities of access request policies within that entitlement.
Example scenario:
l Entitlement A (priority 1) l Policy: Week Day Policy. l Policy time restrictions: Monday through Friday 8:00 a.m. to 5:00 p.m. l Scope: AccountX
l Entitlement B (priority 2) l Policy 1: Sunday AM (priority 1) l Policy time restrictions: Sunday 8:00 to 12:00. l Scope: AccountX l Policy 2: Sunday PM (priority 2) l Policy time restrictions: Sunday 13:00 to 17:00. l Scope: AccountX
Notice that AccountX is in the scope of all three of these policies.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Entitlements
266
�If a user requests the password for AccountX for Sunday at 4 p.m., Safeguard for Privileged Passwords first considers Entitlement A because it is priority 1. When it determines that the policy time restrictions prevent the password release, it then considers Entitlement B. Safeguard for Privileged Passwords first considers Entitlement B's priority 1 policy. When it determines that the time restrictions prevent the password release, it then considers Policy 2. Once the request is satisfied, Safeguard for Privileged Passwords grants the request.
To change an entitlement's priority
1. Select the priority number in the entitlement list. 2. Enter another number.
To modify a policy's priority
1. In Entitlements, select an entitlement and switch to the Access Request Policies tab.
2. Double-click a policy, or select a policy and click Edit Access Policy. 3. Enter or select a new priority number. 4. Click the Refresh button.
Time Restrictions tab
Time restrictions control when the entitlement is in effect relative to the user's time zone. For more information, see About time restrictions on page 268.
On the Time Restrictions tab, specify the time restriction properties for the entitlement.
Navigate to Administrative Tools | Entitlements| (add or edit entitlement).
Table 85: Entitlement: Time Restrictions tab properties
Property
Description
Use Time Restrictions
Select this option to enforce time restrictions.
Daily calendar
Select and drag the hours you want to allow.
Have the Entitlement Expire on Date and Time
Select this option to enforce an expiration date, then enter the date and time.
When an entitlement expires, all the access request policies associated with the entitlement also expire. To set an expiration date on a policy, see Creating an access request policy.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Entitlements
267
�About time restrictions
An entitlement's time restrictions enforce when Safeguard for Privileged Passwords uses a policy; a policy's time restrictions enforce when a user can access the account passwords. If the entitlement and the policy both have time restrictions, the user can only check out the password for the overlapping time frame.
Time restrictions control when the entitlement or policy is in effect relative to a user's time zone. Although Safeguard for Privileged Passwords Appliances run on Coordinated Universal Time (UTC), the user's time zone enforces the time restrictions set in the entitlement or policy. This means that if the appliance and the user are in different time zones, Safeguard for Privileged Passwords enforces the policy in the user's time zone set in his account profile.
Creating an access request policy
It is the responsibility of the Security Policy Administrator to define access request policies in Safeguard for Privileged Passwords. A policy defines:
l The scope, which may be assets, asset groups, accounts, or account groups. l The access type, which may be password, SSH, RDP (remote desktop), or telnet. l The rules for checking out passwords, such as the duration, how many approvals are
required, and so on.
Considerations
l An access request policy is only assigned to one cluster. l An access request policy is only used in the entitlement in which it is created. If you
delete an entitlement, all access request policies associated with that entitlement are deleted. You cannot copy an access request policy and add it to another entitlement; access request policies are entitlement-specific.
To add an access request policy to an entitlement
1. Navigate to Administrative Tools | Entitlements. 2. In Entitlements, select an entitlement from the object list and open the Access
Request Policies tab. 3. Click Create Access Policy from the details toolbar. 4. In the Access Request Policy dialog, provide information in each of the tabs:
General tab
Where you add general information about the access request policy as well as specify the type of access being requested
Safeguard for Privileged Passwords 2.11.1 Administration Guide Entitlements
268
�Scope tab
Requester tab
Approver tab
Reviewer tab
Access Config tab
Session Settings tab Time Restrictions tab Emergency tab
Where you assign assets, asset groups, accounts, or account groups to an access request policy
Where you configure the access request policy requester settings
Where you configure the access request policy approver settings
Where you configure the access request policy reviewer settings
Where you define the access settings for the selected type of request including allowing users to request passwords from their respective linked accounts
Where you configure the recording settings for session access requests
Where you indicate policy time restrictions
Where you enable emergency access for the accounts governed by the access request policy
Related Topics
Deleting an access request policy Modifying an access request policy Copying an access request policy Viewing and editing policy details Reasons
General tab
On the General tab, enter the following information for the access request policy.
Navigate to Administrative Tools | Entitlements | Access Request Policies | (create or edit a policy).
Table 86: Access Request Policy: General tab properties
Property
Description
Name
Enter a unique name for the access request policy. Limit: 50 characters
Description
Enter descriptive text that explains the access request policy.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Entitlements
269
�Property Priority
Access Type
Have the Policy Expire on Date and Time
Description
Limit: 255 characters
The priority of this policy compared to other policies in this entitlement.
If a user desires to access an account in the scope of two different request polices within an entitlement, then the policy with the highest priority (that is, the lowest number) takes precedence. For more information, see About priority precedence on page 266.
Specify the type of access being requested:
l Password
l RDP
l SSH
l Telnet
NOTE: You can configure an access request policy for a password release, however, if the Privileged Passwords module license is not installed, you will not be able to submit a password release request.
Similarly, you can configure an access request policy for a session request, but if the embedded sessions module for Safeguard for Privileged Passwords license is not installed, you will not be able to initiate an RDP or SSH session request.
If applicable, select this check box to enforce an expiration date for the policy. Enter the expiration date and time.
Scope tab
Use the Scope tab to assign accounts, account groups, assets, and asset groups to an access request policy. Navigate to Administrative Tools | Entitlements | Access Request Policies | (create or edit a policy).
1. On the Scope tab: 1. Click Add from the details toolbar and select one of the following options: l Add Account Group l Add Account l Add Asset Group: Only available for a session access request (that is, when access type RDP, SSH, or Telnet is selected on the General tab.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Entitlements
270
�l Add Asset: Only available for a session access request (that is, when access type RDP, SSH, or Telnet is selected on the General tab.
2. In the selection dialog, make a selection then click OK.
If you do not see the selection you are looking for, depending on your Administrator permissions, you can create it in the selection dialog. (You must have Asset Administrator permissions to create accounts and assets. You must have Security Policy Administrator permissions to create account groups and asset groups.)
2. Repeat step one to make additional selections. You can add multiple types of objects to a policy; however, you can only add one type of object, like an accounts or account group, at a time.
All of the selected objects appear on the Scope tab in the Access Request Policy dialog. To remove an object from the list, select the object and click Delete.
Requester tab
Use the Requester tab to configure the requester settings for an access request policy.
Navigate to Administrative Tools | Entitlements | Access Request Policies | (create or edit a policy).
Table 87: Access Request Policy: Requester tab properties
Property
Description
Reasons
Click Select Reason to add one or more reasons to the selected access request policy. Then, when requesting access to a password or a session, a user can select a predefined reason from a list. Click OK to add a reason.
NOTE: You must have reasons configured in Safeguard for Privileged Passwords to use this option. For more information, see Reasons on page 303. If you do not see the reason you are looking for, you can create a reason from the Reasons selection dialog by clicking the Create New toolbar button.
Require Reason
Select this check box to require that a requester provide a Reason when requesting access. This option is only available if you have selected Reasons for the policy.
If you add reasons to a policy, and leave this option cleared, the users will have the option of choosing a reason; but they will not be required to select a reason.
Require Comment
Select this check box to require that a requester provide a Comment when making an access request.
Require Ticket Number
Select this check box to require that a requester provide a ticket number when making an access request.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Entitlements
271
�Property
Description
The ticket number can be defined and not validated against an external ticketing system but, optionally, may be validated against the regular expression of a generic ticketing system. The ticket number is used to approve a password or session request and is tracked through the Activity Center.
You can validate the ticket against your company's external ticket system, such as ServiceNow, or Remedy, or another ticketing system. To do this, you must have the ticketing system configured in Safeguard for Privileged Passwords to use this option.
For more information, see Ticketing systems on page 413.
Duration of Access Approval
Enter or select the default duration (days, hours, and minutes) that the requester can access the accounts and assets governed by this policy. The access duration cannot exceed a total of 31 days (44,640 minutes).
Allow Requester to Change Duration
Select this check box to allow the requester the ability to modify the access duration.
Maximum Time Requester Can Have Access
If you select the Allow Requester to Change Duration option, you can set the maximum duration (days, hours, and minutes) that the requester can access the accounts and assets governed by this policy.
The default access duration is seven days. The maximum access duration is 31 days.
The users can change the access duration, but they cannot access the accounts or assets governed by this policy for longer than the maximum access duration time.
Approver tab
Use the Approver tab to specify the approver settings for an access request policy.
Navigate to Administrative Tools | Entitlements | Access Request Policies | (create or edit a policy).
Table 88: Access Request Policy: Approver tab properties
Property
Description
Auto-Approved
Select this option to automatically approve all access requests for accounts and assets governed by this policy.
Notify when Account is AutoApproved | To
(Optional) When no approvals are required, enter an email address or select To to choose a user to notify when access is auto-approved.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Entitlements
272
�Property
Approvals Required
Notify if approvers have pending requests after To
Description
If you used the To button to add Safeguard for Privileged Passwords users, you can use the Clear icon to remove an individual address from this list or right-click and select Remove All to clear all addresses from the list.
NOTE: To send event notifications to a user, you must configure Safeguard for Privileged Passwords to send alerts. For more information, see Configuring alerts on page 108.
Select this option to require approval for all access requests for accounts and assets governed by this policy. Enter the following information:
l Qty: Enter or select the minimum number of approvals required from the selected users or user groups listed as Approvers.
l Approvers: Browse to select one or more users or user groups who can approve access requests for accounts and assets governed by this policy.
Use the Clear icon to remove an individual approver user or user group from this list or right-click and select Remove All to clear all users from the list.
Click Add or Delete to add or remove approver sets.
The order of the approver sets is not significant, but all requirements must be met; that is, a request must obtain the number of approvals from each approver set defined.
The users you authorize as approvers receive alerts when an access request requires their approval if they have Safeguard for Privileged Passwords configured to send alerts.
TIP:As a best practice, add user groups as approvers rather than individuals. This makes it possible to add an individual approver to a pending access request. In addition, you can modify an approvers list without editing the policy.
(Optional) Select this check box to enable notifications.
l Set the amount of time (days, hours, and minutes) to wait before notifying the escalation notification contact list about pending approvals.
l Enter an email address or select To to choose an email address of a Safeguard for Privileged Passwords user. You can enter email addresses for non-Safeguard for Privileged Passwords users.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Entitlements
273
�Property
Approval Anywhere has been enabled. View enabled users.
Description
If you used the To button to add Safeguard for Privileged Passwords users, you can use the Clear icon to remove an individual address from this list or right-click and select Remove All to clear all addresses from the list.
IMPORTANT:Safeguard for Privileged Passwords does not dynamically maintain the email addresses for an escalation notification contact list. If you change a Safeguard for Privileged Passwords user's email address or delete a Safeguard for Privileged Passwords user after creating a policy, you must update the email addresses in an escalation notification contact list manually. For more information, see User not notified on page 559.
NOTE: To send event notifications to a user, you must configure Safeguard for Privileged Passwords to send alerts. For more information, see Configuring alerts on page 108.
Indicates that the Approval Anywhere feature has been configured. Click the users link to view a list of the users who are authorized to approve requests using this feature.
You can add users as Approval Anywhere approvers by clicking the Add toolbar button in the Approval Anywhere Users dialog.
Reviewer tab
Use the Reviewer tab to define the reviewer settings for an access request policy.
Navigate to Administrative Tools | Entitlements | Access Request Policies | (create or edit a policy).
Table 89: Access Request Policy: Reviewer tab properties
Property
Description
Review Not Required
This check box is selected by default, indicating that no review is required for completed access requests for accounts and assets governed by this policy.
Review Required Select this check box to require a review of completed access requests for accounts and assets governed by this policy.
l Qty: Enter or select the minimum number of people required to review a completed access request.
l Reviewers: Browse to select one or more users or groups of users who can review access requests for accounts and assets governed by this policy.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Entitlements
274
�Property
Description
Use the Clear icon to remove an individual reviewer user or user group from this list or right-click and select Remove All to clear all users from the list.
NOTE: A reviewer can only review an access request once it is completed.
TIP:As a best practice, add user groups as reviews rather than individuals. This makes it possible to add an individual reviewer to a pending access request. In addition, you can modify a reviewers list without editing the policy.
NOTE: The users you authorize as reviewers receive alerts when an access request requires their review if they have Safeguard for Privileged Passwords configured to send alerts.
Require Comment Select this check box if the reviewer is required to enter a comment when reviewing an access request.
Pending reviews do not block access
Select this check box when you want to allow new access requests whether a prior request is approved or not approved. In other words, no requests will be blocked based on the approval status of a prior request.
Notify if reviewers have pending reviews after
To
(Optional) Select this check box to enable notifications.
l Set the amount of time (days, hours, and minutes) to wait before reminding the escalation notification contact list about pending reviews.
l Enter an email address or select To to choose an email address of a Safeguard for Privileged Passwords user.
If you used the To button to add Safeguard for Privileged Passwords users, you can use the Clear icon to remove an individual address from this list or right-click and select Remove All to clear all addresses from the list.
NOTE: You can enter email addresses for non-Safeguard for Privileged Passwords users.
IMPORTANT:Safeguard for Privileged Passwords does not dynamically maintain the email addresses for an escalation notification contact list. If you change a Safeguard for Privileged Passwords user's email address or delete a Safeguard for Privileged Passwords user after creating a policy, you must update the email addresses in an escalation notification contact list manually. For more information, see User not notified on page 559.
NOTE: To send event notifications to a user, you must configure Safeguard for Privileged Passwords to send alerts. For more information, see Configuring alerts on page 108.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Entitlements
275
�Access Config tab
Use the Access Config tab to configure the access settings for the type of access being requested, based on the access type specified on the General tab.
Navigate to Administrative Tools | Entitlements | Access Request Policies | (create or edit a policy).
Table 90: Access Request Policy: Access Config tab properties
Property Description
Access Type This is a read-only field displaying the type of access selected on the General tab:
l Password l SSH l RDP l Telnet
Include password release with sessions requests
If Access Type is SSH, RDP, or Telnet, select this check box to include a password release with session access requests.
Terminate expired sessions
If Access Type is SSH, RDP, or Telnet, select this check box to terminate sessions that have expired.
Change password after checkin
Select this check box if the password is to be changed after the user checks it back in. For password release requests, this option is selected by default.
Allow
Select this check box to allow multiple users access to the accounts and
simultaneous assets governed by this policy. Use the next check box to identify how
access
many users can have access at once.
Maximum users at one time
When the Allow simultaneous access option is selected, enter the maximum number of users that can request access at one time.
Asset-Based If Access Type is SSH, RDP, or Telnet, select one of the following options
Session
to define the type of account credentials to be used to access the asset or
Access
account when a session is requested:
l None (default): The credentials are retrieved from the vault when the session is requested.
l User Supplied: The requester user must provide the credentials when the session is requested.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Entitlements
276
�Property
Allow password access to linked accounts
Description
l Linked Account: The requester user's account is linked to an asset account that will be used when the session is requested.
l Directory Account: Use the Browse button to select one or more directory accounts to be used when the session is requested.
If the Directory Account was migrated from an SPP version prior to 2.7, the directory account identifier may be blank, because earlier SPP versions understood only one assignment and version 2.7 results in multiple assignments.
If Access Type is Password Release, select this check box to allow users to request passwords for their respective linked account. Access to each user's linked account is governed by the other configurations defined in this policy. For more information, see Linked Accounts tab (user) on page 448.
Session Settings tab
External sessions module
You select the one cluster or appliance to which the policy applies.
1. Navigate to Administrative Tools | Entitlements | Access Request Policies | (create or edit a policy), then the Session Settings tab.
2. If you see a message like No SPS connection policies found., you may have selected a policy with an invalid connection policy. For more information, see Access Request Policies tab on page 261.
3. In SPS Connection Policy, select the cluster or appliance to which the policy applies. l The default is safeguard_default. l If you are using telnet with SPS, the telnet Connection Policy created in SPS is available. l Select Sps Initiate if the access policy is for use by Safeguard for Privileged Sessions (SPS) to create an SPS initiated Access Request. l For information on the SPS feature availability and use, see the One Identity Safeguard for Privileged Sessions Administration Guide: One Identity Safeguard for Privileged Sessions - Technical Documentation. l For information on the toggle to set the Session Module Password Access Enabled, see Session Appliances with SPS join. You will see the following message if SPP has not been joined or the join has been deleted: No SPS connection policies found.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Entitlements
277
�l For other policies, the host name and IP address of the cluster master is displayed first followed by the SPS cluster description.
If a policy is not functional, you will see the Warning icon next to a selection. You can view the network segments that can be serviced by specific Safeguard for Privileged Passwords (SPP) or Safeguard for Privileged Sessions (SPS) Appliances within a clustered environment. For more information, see Managed networks on page 366.
Embedded sessions module
If you are using the embedded sessions module for Safeguard for Privileged Passwords, use the Session Settings tab to configure the settings for session access requests (below). The settings on this tab only apply to RDP and SSH (session) access requests. Navigate to Administrative Tools | Entitlements | Access Request Policies | (create or edit a policy).
Table 91: Access Request Policy: Sessions Settings tab properties
Property Description
Record sessions
For SSH and RDP, this check box is selected by default, indicating that all sessions for the accounts and assets governed by this policy are to be recorded.
Enable Command Detection (SSH)
For SSH session requests, select the Enable Command Detection check box to enable command detection, which means commands that are executed on the target host are detected and logged.
SSH
If SSH is selected as the access type on the General tab, select one or more
Controls of the following options to create a session that uses the specified protocol:
l Allow SFTP (Secure File Transfer)
l Allow SCP (Secure Copy)
l Allow X11 Forwarding (Forwards the graphical X-server session from the server to the client.)
NOTE: The data transferred during a session using one of these protocols is currently not available for play back in this initial release of Safeguard.
Enable Windows Title Detection (RDP)
For RDP session requests, select the Enable Windows Title Detection check box to enable windows title detection, which means the titles of all windows opened on the desktop during a privileged session are detected and logged.
You can configure Safeguard for Privileged Passwords to send these actions to a syslog server, in an email message, or via an SNMP trap. For more
Safeguard for Privileged Passwords 2.11.1 Administration Guide Entitlements
278
�RDP InSession Controls
information, see External Integration settings on page 377.
If RDP is selected as the access type on the General tab, select the following option if you want to allow the user to transfer data via the clipboard:
l Allow Clipboard
Selecting this option allows the users to copy a file or text from the client machine and paste it to the remote server. The data copied during a session using this option is currently not available for play back in this initial release of Safeguard.
Time Restrictions tab
Use the Time Restrictions tab to specify time restrictions for the access request policy.
Navigate to Administrative Tools | Entitlements | Access Request Policies | (create or edit a policy).
Table 92: Access Request Policy: Time Restriction tab properties
Property
Description
Use Time Restrictions
Select this option to specify time restrictions for access requests for accounts and assets governed by this policy.
Time restrictions control when the access request policy is effective relative to the user's time zone. For more information, see About time restrictions on page 268.
Daily calendar
Select and drag the days and hours you want to allow the policy to be effective.
Reset
Click Reset to remove any time restrictions set in the daily calendar.
Emergency tab
Use the Emergency tab to enable emergency access for the accounts and assets governed by the access request policy.
Table 93: Access Request Policy: Emergency tab properties
Property
Description
Enable Emergency Select this check box to allow users to request emergency access
Access
to accounts and assets governed by this policy. Clear this option to
disallow emergency access.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Entitlements
279
�Property
Description
Emergency Access overrides the Approver requirements; that is, when a user requests access using Emergency Access, the request is immediately approved, provided that the other constraints are met, such as the Requester settings. Multiple users are allowed to request emergency access simultaneously for the same account or asset.
Notify When Account is Released with Emergency access | To
(Optional) When emergency access is enabled, build an escalation notification contact list, by entering an email address or selecting To to choose an email address of a Safeguard for Privileged Passwords user.
If you used the To button to add Safeguard for Privileged Passwords users, you can use the Clear icon to remove an individual address from this list or right-click and select Remove All to clear all addresses from the list.
You can enter email addresses for non-Safeguard for Privileged Passwords users.
To send event notifications to a user, you must configure Safeguard for Privileged Passwords to send alerts. For more information, see Configuring alerts on page 108.
IMPORTANT:Safeguard for Privileged Passwords does not dynamically maintain the email addresses for an escalation notification contact list. If you change a Safeguard for Privileged Passwords user's email address or delete a Safeguard for Privileged Passwords user after creating a policy, you must update the email addresses in an escalation notification contact list manually. For more information, see User not notified on page 559.
Ignore Time Restrictions
This check box is selected by default, indicating that Safeguard for Privileged Passwords is to ignore time restrictions when a user requests emergency access. Clear this check box if you want to enforce the time restrictions set for this policy and only allow emergency access during the specified time period.
Adding users or user groups to an entitlement
When you add users to an entitlement, you are specifying which people can request passwords to the accounts governed by the selected entitlement's access request policies, or which people can request sessions for the accounts and assets governed by the selected entitlement's access request policies. A user can be a Sessions Appliance certificate user. For more information, see Session Appliances with SPS join on page 373.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Entitlements
280
�It is the responsibility of the Security Policy Administrator to add users to entitlements. The Security Policy Administrator only has permission to add groups, not users. For more information, see Administrator permissions on page 507.
To add requester users to an entitlement 1. Navigate to Administrative Tools | Entitlements. 2. In Entitlements, select an entitlement from the object list and click the Users tab. 3. Click Add User or User Group from the details toolbar. 4. Select one or more users or user groups from the list in the Users/User Groups selection dialog, and click OK.
If you do not see the user or user group you are looking for, depending on your Administrator permissions, you can create them in the Users/User Groups selection dialog. (You must have Authorizer Administrator or User Administrator permissions to create users or Security Policy Administrator permissions to create user groups.)
To create new users or user groups in the Users/User Groups selection dialog 1. Click Create New, then select Create a New User or Create a New User Group. For more information about creating users or user groups, see Adding a user or Adding a user group. 2. Create additional users or user groups as required. 3. Click OK to add the new users and user groups to the selected entitlement's membership.
Deleting an access request policy
IMPORTANT: When you delete a policy, Safeguard for Privileged Passwords deletes it permanently, but it does not delete the accounts governed by the policy.
To delete an access request policy from an entitlement 1. Navigate to Administrative Tools | Entitlements. 2. In Entitlements, select an entitlement from the object list and open the Access Request Policies tab. 3. Select a policy. 4. Click Delete Selected. 5. Confirm your request.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Entitlements
281
�Modifying an access request policy
Access request polices can be migrated. For more information, see Creating an access request policy on page 268.
To modify an access request policy 1. Navigate to Administrative Tools | Entitlements. 2. In Entitlements, select an entitlement and open the Access Request Policies tab. 3. Double-click a policy, or select a policy and click Edit Access Policy. 4. Select the view of the policy's information you want to modify (General, Time Restrictions, Scope, and so on).
Copying an access request policy
You cannot copy a policy and add it to another entitlement; policies are entitlement-specific.
To copy an access request policy 1. Navigate to Administrative Tools | Entitlements. 2. In Entitlements, select an entitlement from the object list and open the Access Request Policies tab. 3. Choose a policy and click Copy Access Policy. 4. You must type in a unique policy name. 5. Edit the new policy's settings as desired.
Viewing and editing policy details
You must have Security Policy Administrator permissions to modify policy settings.
To view and editing the details of an entitlement's policy 1. Navigate to Administrative Tools | Entitlements. 2. In Entitlements, select an entitlement from the object list and open the Access Request Policies tab. 3. Select a policy and click Details. The policy's properties dialog displays. 4. To edit the properties, double-click a property name or click the Edit icon to the
Safeguard for Privileged Passwords 2.11.1 Administration Guide Entitlements
282
�right of a property name (such as General). The Access Request Policies dialog displays allowing you to make the necessary changes. For more information, see Creating an access request policy on page 268.
Modifying an entitlement
To modify an entitlement 1. Navigate to Administrative Tools | Entitlements. 2. In Entitlements, select an entitlement. 3. Select the view of the entitlement's information you want to modify (General, Users, or Access Request Policies). For example: l To change the selected entitlement's name, description, or time restrictions, double-click the General information on the General tab or click the Edit icon. NOTE: You can also double-click an entitlement name to open the General settings edit window. l To add authorized requesters to the selected entitlement, switch to the Users tab. For more information, see Adding users or user groups to an entitlement on page 280. l To modify an access request policy, switch to the Access Request Policies tab. For more information about access request policy details, see Creating an access request policy. 4. To view or export the details of each operation that has affected the selected entitlement, switch to the History tab. For more information, see History tab on page 263.
Deleting an entitlement
IMPORTANT: When you delete an entitlement, Safeguard for Privileged Passwords deletes all access request policies associated with that entitlement.
To delete an entitlement 1. Navigate to Administrative Tools | Entitlements. 2. In Entitlements, select an entitlement from the object list.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Entitlements
283
�3. Click Delete Selected. 4. Enter the name of the entitlement to confirm you want to delete the entitlement.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Entitlements
284
�17
Partitions
A partition is a named container for assets that can be used to segregate assets for delegated management. It is the responsibility of the Asset Administrator to add partitions to Safeguard for Privileged Passwords. Partitions allow you to set up multiple asset managers, each with the ability to define password guidelines for the managed systems in their own workspace. Typically, you partition assets by geographical location, owner, function, or by operating system. For example, Safeguard for Privileged Passwords can enable you to group Unix assets in a partition and delegate the Unix administrator to manage it. Every partition should have a partition owner. For more information, see Adding a partition on page 292.
You must assign all assets, and the accounts associated with them, to a partition. By default, Safeguard for Privileged Passwords assigns all assets and their associated accounts to the default partition, but you can set a different partition as the default.
Navigate to Administrative Tools | Partitions to display the following information about the selected partition.
l General tab (partitions): Displays general information about the selected partition.
l Assets tab (partitions): Displays the assets assigned to the selected partition.
l Accounts tab (partitions): Displays the accounts assigned to the selected partition.
l Profiles tab (partitions): Displays the profiles associated with this partition. When a partition is added, a default asset profile is created for the partition, which can be edited, but not deleted.
l History tab (partitions): Displays the details of each operation that has affected the selected partition.
Use these toolbar buttons to manage partitions.
l
Add Partition: Add a partition to Safeguard for Privileged Passwords. For more
information, see Adding a partition on page 292.
l
Delete Selected: Remove the selected partition. For more information, see
Deleting a partition on page 299.
l
Refresh: Update the list of partitions.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Partitions
285
�l
Set as Default: Set a partition as the default. All new assets you add are
automatically assigned to the default partition. For more information, see Setting a
default partition on page 296.
l
Search: You can search by a character string or by a selected attribute with
conditions you enter. To search by a selected attribute click Search and select an attribute to search. For more information, see Search box on page 63.
About partition profiles
The partition profile includes the schedules and rules governing the partition's assigned assets and the assets' accounts. For example, the partition profile defines how often a password check is required on an asset or account.
A partition can have multiple partition profiles, each assigned to different assets, if desired. An account is governed by only one profile. If an account is not explicitly assigned to a profile, the account is governed by the one assigned to the parent asset. If that asset does not have an assigned profile, the partition's default profile is assigned.
When you create a new partition, Safeguard for Privileged Passwords creates a corresponding default profile with default schedules and rules. You can create multiple profiles to govern the accounts assigned to a partition. Both assets and accounts are assigned to the scope of a profile.
For example, suppose you have an asset with 12 accounts and you configure the partition profile to check and change passwords every 60 days. If you want the password managed for one of those accounts every seven days, you can create another profile and add the individual account to the new profile. Now, Safeguard for Privileged Passwords will check and change all the passwords on this asset every 60 days except for this account, which will change every seven days.
Implicit and explicit association
It is important to understand the difference between implicit and explicit assignments to a profile.
Implicit associations
Safeguard for Privileged Passwords makes implicit assignments. For example, when you add an asset to Safeguard for Privileged Passwords, it automatically adds the asset to the default partition and assigns it to the scope of the default profile. This is called implicit association. Assets implicitly inherit the partition's default profile. Similarly, accounts inherit their parent asset's profile. That means when you add an account to an asset, Safeguard for Privileged Passwords implicitly adds that account to its asset's profile.
Later, if you reassign the asset to another profile, Safeguard for Privileged Passwords automatically reassigns all of the asset's associated accounts to the new profile.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Partitions
286
�Explicit associations
Safeguard for Privileged Passwords allows you to explicitly add an asset or an account to a specific profile. When you explicitly assign an asset to a profile, it overrides the implicit inheritance from the partition so the asset's profile is no longer determined by its partition. Similarly, when you explicitly assign an account to a profile, Safeguard for Privileged Passwords overrides the implicit inheritance from the asset and the account's profile is no longer determined by its asset.
Now, if you reassign the asset to another profile, Safeguard for Privileged Passwords will not reassign the asset's associated accounts that were explicitly assigned to the old profile.
Resetting the default profile
If you set another profile as the default, Safeguard for Privileged Passwords implicitly reassigns all assets and their associated accounts to that new default, but it will not reassign any assets or accounts that you have explicitly assigned to a profile. Once the implicit inheritance is broken, changing a partition's default profile has no effect on the scope of a profile. For more information, see Setting a default partition profile.
Related Topics
Assigning assets or accounts to a partition profile
Assigning a profile to an asset
Account Password Rules
How do I manage accounts on unsupported platforms
General tab (partitions)
The General tab lists information about the selected partition.
Large tiles at the top of the tab display the number of Assets, Accounts, and Profiles associated with the selected partition. Clicking a tile heading opens the corresponding tab.
Navigation: Administrative Tools | Partitions | General tab.
Table 94: Partitions General tab: General properties
Property
Description
Name
The partition name
Delegated Owner
The users who are responsible for managing the assets and accounts in the selected partition
Description: Information about the selected partition
Related Topics
Adding a partitionModifying a partition
Safeguard for Privileged Passwords 2.11.1 Administration Guide Partitions
287
�Modifying a partition
Assets tab (partitions)
The Assets tab displays the assets assigned to the selected partition.
Click Add Asset from the details toolbar to add one or more assets to the selected partition.
Navigate to Administrative Tools | Partitions | Assets tab.
Table 95: Partitions: Assets tab properties
Property
Description
Name
The asset name.
Profile
The name of the profile that manages the asset.
Account Discovery Job
The Account Discovery job assigned to discover accounts on this asset that meet the rules criteria. Each asset in a partition can have a separate and unique Account Discovery job.
Session Request
A check in this column indicates that session access requests are enabled for the asset.
Description
Descriptive information entered when the asset was added.
Use these buttons on the details toolbar to manage the assets assigned to the selected partition.
Table 96: Partitions: Assets tab toolbar
Option
Description
Add Asset
Add one or more assets to the selected partition.
Refresh
Retrieve and display an updated list of assets associated with the selected partition.
Search
To locate a specific asset in this list, enter the character string to be used to search for a match. For more information, see Search box on page 63.
Related Topics
Adding assets to a partition Removing assets from a partition
Safeguard for Privileged Passwords 2.11.1 Administration Guide Partitions
288
�Accounts tab (partitions)
The Accounts tab displays the accounts assigned to the selected partition.
NOTE: By default, all accounts associated with an asset are assigned to the same partition profile, but you can reassign them. For more information, see Creating a profile on page 294.
Navigate to Administrative Tools | Partitions | Accounts tab.
Table 97: Partitions: Accounts tab properties
Property
Description
Name
The account name.
Domain Name
The domain name of the account if the account is an Active Directory account. Used to help determine uniqueness.
Parent
The partition in which the asset where the account resides.
Profile
The name of the profile that manages the account.
Service Account
A check in this column indicates that the account is a service account.
Password Request
A check in this column indicates that password release requests are enabled for the account.
Session Request
A check in this column indicates that session access requests are enabled for the account.
Needs a Password
Displays if a password is not set for the account. For more information, see Checking, changing, or setting an account password on page 156.
Description
Descriptive information entered when the account was added.
Use these buttons on the details toolbar to manage the accounts assigned to the selected partition.
Table 98: Partitions: Accounts tab toolbar
Option
Description
Refresh
Retrieve and display an updated list of assets and accounts associated with the selected partition.
Search
To locate a specific asset or account in this list, enter the character string to be used to search for a match. For more information, see Search box on page 63.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Partitions
289
�Related Topics
Adding assets to a partition Removing assets from a partition
Profiles tab (partitions)
The Profiles tab lists the profiles associated with this partition. For more information, see About partition profiles on page 286.
Click Create Profile from the details toolbar to add a profile to the selected partition.
Navigate to Administrative Tools | Partitions | Profiles tab.
Table 99: Partitions: Profiles tab properties
Property
Description
Name
Password management profile name.
Default
"Default" displays in this column for the default profile. For more information, see Setting a default partition profile on page 297.
Description
Information about the selected profile.
Use these buttons on the details toolbar to manage your partitions profiles.
Table 100: Partitions: Profiles tab toolbar
Option
Description
Create Profile
Add a profile to the selected partition. For more information, see Creating a profile on page 294.
Deleted Selected
Remove the selected partition profile.
If you delete a profile, Safeguard for Privileged Passwords reassigns all assets and accounts to the default profile.
Refresh
Update the list of partition profiles.
Edit Profile
Modify the selected partition profile. For more information, see Modifying a partition profile on page 295.
Set as Default
Set the selected profile as the default partition profile. For more information, see Setting a default partition profile on page 297.
Details
View additional details about the selected partition profile.
Search
To locate a specific partition profile or set of profiles in this list, enter the character string to be used to search for a match. For more information, see Search box on page 63.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Partitions
290
�History tab (partitions)
The History tab allows you to view or export the details of each operation that has affected the selected partition. The top of the History tab contains the following information:
l Items: Total number of entries in the history log.
l
Refresh: Update the list displayed.
l
Export: Export the data to a .csv file.
l Search: For more information, see Search box on page 63.
l Time Frame: By default, the history details are displayed for the last 24 hours. Click one of the time intervals at the top of the grid to display history details for a different time frame. If the display does not refresh after selecting a different time interval, click Refresh.
Table 101: Partitions: History tab properties
Property
Description
Date/Time
The date and time of the event
User
The display name of the user that triggered the event
Source IP
The network DNS name or IP address of the managed system that triggered the event
Object Name
The name of the selected partition.
Event
The type of operation made to the selected partition:
l Create l Delete l Update l Add Membership l Remove Membership
NOTE:A membership operation indicates a "relationship" change with a related or parent object such as a delegated administrator was added or removed from the selected partition.
Related Object
The name of the related object.
Related Object Type The type of the related object.
Parent
The name of the object to which the selected partition is a child.
Parent Object Type The parent object type.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Partitions
291
�Select an event to display this additional information for some types of events (for example, create and update events).
Table 102: Additional History tab properties
Property
Description
Property
The property that was updated
Old Value
The value of the property before it was updated
New Value
The new value of the property
Managing partitions
Use the controls and tabbed pages on the Partitions page to perform the following tasks to manage partitions:
l Adding a partition l Adding assets to a partition l Removing assets from a partition l Creating a profile l Modifying a partition profile l Setting a default partition profile l Assigning assets or accounts to a partition profile l Modifying a partition l Deleting a partition l Setting a default partition
Adding a partition
It is the responsibility of the Asset Administrator to add partitions to Safeguard for Privileged Passwords. When you create a new partition, Safeguard for Privileged Passwords creates a corresponding default profile with default schedules and rules. For more information, see Setting a default partition profile on page 297.
To add a partition 1. Navigate to Administrative Tools | Partitions. 2. Click Add Partition from the toolbar.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Partitions
292
�3. In the Partition dialog, enter the following information: a. Name: Enter a unique name for the partition. Limit: 50 characters b. Description: (Optional) Enter information about this partition. Limit: 255 characters c. Delegated Owner: (Optional) Browse to select one or more users to manage the assets and accounts in this partition. You can use the Clear icon to remove an individual delegated owner from this list or right-click and select Remove All to clear all of the delegated owners from the list. By default, an Asset Administrator can manage all partitions; however, you can delegate partition management to a user with no administrator permissions.
When you create a new partition, Safeguard for Privileged Passwords creates a corresponding default partition profile with default schedules and rules. You can:
l Modify the profile for the partition you created. For more information, see Modifying a partition profile on page 295.
l Change the default partition profile. For more information, see Setting a default partition profile on page 297.
Adding assets to a partition
Use the Assets tab on the Partitions view to add one or more assets to a partition. When you assign an asset to a partition, all the accounts associated with that asset are assigned to that partition, as well. You can only assign an asset to one partition at a time. When you assign an asset to a partition, all accounts associated with that asset are automatically reassigned to that partition, as well. Then, any new accounts you add for that asset are automatically assigned to that partition. You can reassign the asset to another partition either from the scope of the other partition or from an asset's General properties. For more information on partition assignment from an asset, see Assigning an asset to a partition. When you associate an asset to a partition, all the accounts associated with that asset, are also added to the scope of that partition. For more information, see About partition profiles on page 286.
To add assets to a partition
1. Navigate to Administrative Tools | Partitions. 2. In Partitions, select a partition from the object list and open the Assets tab. 3. Click Add Asset from the details toolbar.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Partitions
293
�4. On the Asset dialog, select one or more assets. 5. Click OK. If you do not see the asset you are looking for and are an Asset Administrator, you can create it in the selection dialog by clicking Create New. For more information, see Adding an asset.
Removing assets from a partition
You cannot remove assets from a partition. You can reassign the asset to another partition either from the scope of the other partition or from an asset's General properties. For more information on partition assignment from an asset, see Assigning an asset to a partition. When you associate an asset to a partition, all the accounts associated with that asset, are also added to the scope of that partition. For more information, see About partition profiles on page 286.
Creating a profile
It is the responsibility of the Asset Administrator or the partition's delegated administrator to add profiles to partitions.
To add a profile to a partition 1. Navigate to Administrative Tools | Partitions. 2. In Partitions, select a partition from the object list and open the Profiles tab. 3. Click Create Profile from the details toolbar. 4. On the General tab, supply the following information: a. Name: Enter a unique name for the profile. Limit: 50 characters b. Description: Enter information about this profile. Limit: 255 characters 5. On the Check Password tab, select a previously defined check password setting from the drop-down menu. Check password settings are the rules Safeguard for Privileged Passwords uses to verify account passwords. Expand the Description to see information, if available, about the selected check password setting.
l Click Edit to modify the selected check password setting.
l Click Add to create a new check password setting.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Partitions
294
�Selecting either of these icons displays the Check Password Settings dialog, allowing you to specify the appropriate check password settings. For more information, see Adding check password settings on page 425. 6. On the Change Password tab, select a previously defined change password setting from the drop-down menu. Change password settings are the rules Safeguard for Privileged Passwords uses to reset account passwords. Expand the Description to see information, if available, about the selected change password setting.
l Click Edit to modify the selected change password setting.
l Click Add to create a new change password setting. Selecting either of these icons displays the Change Password Settings dialog, allowing you to specify the appropriate change password settings. For more information, see Adding change password settings on page 422. 7. On the Account Password Rules tab, select a previously defined account password rule. An account password rule is a complexity rule that governs the construction of the new password created by Safeguard for Privileged Passwords during an automatic password change. Expand the Description to see information, if available, about the selected account password rule.
l Click Edit to modify the selected account password rule.
l Click Add to create a new account password rule. For more information, see Adding an account password rule on page 418. 8. Click OK to save your selections and create the partition profile.
When creating a new partition profile, the Password Sync Groups tab is not displayed. This tab is displayed while editing a partition profile. For more information, see Modifying a partition profile on page 295. You can use the Password Sync Groups tab to add or update a password sync group governed by the partition profile change schedule. For more information, see Password sync groups on page 427.
Related Topics
Assigning assets or accounts to a partition profile Setting a default partition profile Assigning a profile to an asset Account Password Rules
Modifying a partition profile
Any modifications that you make to a profile affects all the assets and accounts governed by that profile.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Partitions
295
�To modify a partition profile 1. Navigate to Administrative Tools | Partitions. 2. In Partitions, select a partition from the object list and open the Profiles tab. 3. Select a profile then perform one of the following. l To modify the settings or rules, either double-click the profile or click the Edit Profile icon. l To add assets to the profile, click the Details icon and switch to the Assets tab of the details window. l To add accounts to the profile, click the Details icon and switch to the Accounts tab of the details window. l To add password sync groups, click the Details icon and switch to the Password Sync Groups tab of the details window. On the Password Sync Groups tab, add or update a password sync group governed by the partition profile change schedule. For more information, see Password sync groups on page 427.
l Click Add to create a new password sync group associated with the partition profile and assign accounts. The Password Sync Group dialog displays. For more information, see Adding a password sync group.
l Click Delete Selected to remove the selected password sync group.
l Click Refresh to refresh the selected password sync group.
l Click Edit to modify the selected sync group and account assignments. The Password Sync Group dialog displays. For more information, see Modifying a password sync group on page 430.
l Click Change Sync Group Password to reset the selected sync group password. When selected, accounts in the sync group re-sync with the new sync group password.
Related Topics
Assigning assets or accounts to a partition profile Creating a profile
Setting a default partition
Each Asset Administrator can set a unique default partition and partition profile so that all new assets that administrator adds are automatically assigned to the default partition and default partition profile. For more information, see Setting a default partition profile on page 297.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Partitions
296
�To set the default partition
1. Navigate to Administrative Tools | Partitions. 2. In Partitions, right-click (or press and hold) a partition and choose
Default from the context menu. -OR3. Select a partition and click Set as Default from the toolbar.
Set as
Setting a default partition profile
When you create a new partition, Safeguard for Privileged Passwords creates a corresponding default profile with default schedules and rules. Each Asset Administrator can set a unique default partition and partition profile. Once you set a default profile, all new assets and accounts you add are automatically assigned to that profile. Safeguard for Privileged Passwords sets the default schedules to "Never" verify or reset passwords. To change the settings, see Modifying a partition profile. When you associate an asset to a partition, all the accounts associated with that asset, are also added to the scope of that partition. For more information, see About partition profiles on page 286.
To set another profile as the default
1. Navigate to Administrative Tools | Partitions. 2. In Partitions, select a partition from the object list and open the Profiles tab. 3. Select a profile that is not the current default and click Set as Default from the
details toolbar or context menu.
Assigning assets or accounts to a partition profile
This topic explains how to assign an asset or an account to a partition profile. You can only add assets and accounts to a profile that are assigned to the scope of the partition.
You can also configure Safeguard for Privileged Passwords to run automatic Asset Discovery or Account Discovery jobs. For more information, see Discovery on page 225.
Only associate accounts to a partition profile that you want Safeguard for Privileged Passwords to manage. For example, a directory can be added to any partition as an asset and any partition profile can be assigned. If directory user accounts are associated with a partition profile, Safeguard for Privileged Passwords will automatically change the user passwords according to the change password schedule in the profile. Depending on the settings, this could prevent a directory user from logging in to Safeguard for Privileged Passwords.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Partitions
297
�To add assets or accounts to a partition profile 1. Navigate to Administrative Tools | Partitions. 2. In Partitions, select a partition from the object list and open the Profiles tab. 3. Select a profile and click the Details icon. 4. To add an asset to the selected partition profile, switch to the Assets tab of the partition profile's details window. a. Click Add Asset. b. On the Asset dialog, select the assets to be added. c. Click OK. 5. To add an account to the selected partition profile, switch to the Accounts tab of the partition profile's details window. a. Click Add Account. b. On the Account dialog, select the accounts to be added. c. Click OK.
If you do not see the account you are looking for, it might be assigned to a different partition. If you have have Asset Administrator permissions to create assets and accounts, you can click Create New to add an account. For more information, see Adding an account.
Related Topics
Assigning a profile to an asset Setting a default partition profile
Modifying a partition
To modify a partition 1. Navigate to Administrative Tools | Partitions. 2. In Partitions, select a partition from the object list. 3. Select the view of the partition's information you want to modify (General, Assets, Accounts, or Profiles). For example: l To change a partition's name or description, or delegate partition management to a user, click the Edit icon. NOTE: You can also double-click a partition name to open the General settings edit window. l To assign assets to the partition, open the Assets tab. NOTE: You can multi-select items to assign more than one asset to a
Safeguard for Privileged Passwords 2.11.1 Administration Guide Partitions
298
�partition. l To modify the password validation and reset settings, open the Profiles tab,
select a profile, and click the Edit icon. 4. To set the default partition, select the partition, then click Set as Default from the
toolbar or context menu. 5. To view or export the details of each operation that has affected the selected
partition, open the History tab. For more information, see History tab on page 263.
Deleting a partition
When deleting a partition, you must designate another partition to transfers all assets and accounts. The partition profiles and associated profile settings, discovery jobs, and history data for the partition you are deleting are deleted along with the profile.
To delete a partition 1. Navigate to Administrative Tools | Partitions. 2. In Partitions, select a partition from the object list. 3. Click Delete Selected. 4. In the Asset Partition dialog, select the partition where assets and accounts are to be reassigned. 5. Click OK to reassign the assets and accounts and remove the selected partition.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Partitions
299
�18
Settings
(web client) Settings In the web client, click the Settings menu on the left to go to the Settings: Appliance page. The following Settings are available. See each section for a description of the functions available.
l Appliance Information (including shutting down and restarting the appliance): For more information, see Appliance Information on page 307.
l Licensing: For more information, see Licensing on page 312. l Networking: For more information, see Networking on page 318. l Time: For more information, see Time on page 321.
Additional information is available for Networking and Time. For more information, see How do I modify the appliance configuration settings on page 570.
(desktop client) Settings Using the desktop client, the Settings page in the Administrative Tools is where you configure Safeguard for Privileged Passwords to run backups, install updates, manage clusters, manage certificates, enable event notifications, enable external integration, define profile configuration settings, define user password rules, define discovery rules, and run troubleshooting tools. You must have administrator permissions to access the Settings page and the administrator permissions you have determine what you can do. Use the Search control at the top of the Settings page to locate a particular setting. For example, if you type password and press the Enter key, a list of all the password settings appears; select an entry from this list to display the selected settings page. The following Settings are available. See each section for a description of the functions available.
l Access Request settings l Appliance settings l Asset Management settings
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
300
�l Backup and Retention settings l Certificate settings l Cluster settings l External Integration settings l Messaging settings l Profile settings l Safeguard Access settings
Access Request settings
Use the Access Request settings to enable (or disable) access request and password management services and to define global reason codes that can be used when creating access request policies.
Navigate to Administrative Tools | Settings | Access Request.
Table 103: Access Request settings
Setting
Description
Enable or Disable Services (Access and management services)
Toggle on
Toggle off
Where you enable or disable the following Safeguard for Privileged Passwords services:
l Session requests l Password requests l Check password management l Change password management
Reasons
Where you configure access request reason codes, which can then be used when creating access request policies.
Enable or Disable Services (Access and management services)
Safeguard for Privileged Passwords allows you to enable or disable access request and password management services. These settings control session and password release requests, manual account password validation, and reset tasks, as well as the automatic profile check and change tasks in Partitions. All services are enabled by default. The toggles appear blue with the switch to the right when a service is enabled, and gray with the switch to the left when a service is disabled.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
301
�These global settings are enabled by default. By default, these services are disabled for service accounts and for accounts and assets found as part of a discovery job.
Service accounts can be modified to adhere to these schedules and discovered accounts can be activated when managed.
It is the responsibility of the Appliance Administrator to manage the access request and password key management services.
Navigate to Administrative Tools | Settings | Access Request | Enable or Disable Services.
Table 104: Enable or Disable Services settings
Setting
Description
Requests Toggle on or
Toggle off
Session Requests Enabled
Session requests are enabled by default, indicating that authorized users can make session access requests. There is a limit of 1,000 sessions on a single access request.
Click the Session Requests Enabled toggle to disable this service so sessions can not be requested.
NOTE: When Session Requests is disabled, no new session access requests can be initiated. Depending on the access request policies that control the target asset/account, you will see a message informing you that the Session Request feature is not available.
In addition, current session access requests cannot be launched. A message appears, informing you that Session Requests is not available. For example, you may see the following message: This feature is temporarily disabled. See your appliance administrator for details.
Password Requests Enabled
Password requests are enabled by default, indicating that authorized users can make password release requests
Click the Password Requests Enabled toggle to disable this service so passwords can not be requested.
NOTE: Disabling the password request service will place any open requests on hold until this service is reenabled.
Password Management
Toggle on or
Toggle off
Check Password Management Enabled
Check password management is enabled by default, indicating that Safeguard for Privileged Passwords automatically performs the password check task if the profile is scheduled, and allows you to manually check an account's password.
Click the Check Password Management Enabled toggle to
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
302
�Setting
Change Password Management Enabled
Sessions Module Toggle on or
Session Module Password Access Enabled
Description
disable the password validation service.
NOTE: Safeguard for Privileged Passwords enables automatic password management services by default. Typically, you would only disable them during an organization-wide maintenance window.
When disabling a password management service, Safeguard for Privileged Passwords allows all currently running tasks to complete; however, no new tasks will be allowed to start.
Change password management is enabled by default, indicating that Safeguard for Privileged Passwords automatically performs the password change task if the profile is scheduled, and allows you to manually reset an account's password.
Click the Change Password Management Enabled toggle to disable the password reset service.
NOTE: Safeguard for Privileged Passwords enables automatic password management services by default. Typically, you would only disable them during an organization-wide maintenance window.
When disabling a password management service, Safeguard for Privileged Passwords allows all currently running tasks to complete; however, no new tasks will be allowed to start.
Toggle off
Session module password access is disabled by default. When the toggle is on, Safeguard for Privileged Passwords (SPP) can create an access request and check out a password from Safeguard for Privileged Sessions (SPS) on behalf of another user. When the toggle is switched off, this ability is revoked. This functionality supports Safeguard for Privileged Sessions (SPS) version 6.2.0 or later. For more information, see the One Identity Safeguard for Privileged Sessions Administration Guide: One Identity Safeguard for Privileged Sessions - Technical Documentation.
Reasons
In an access request policy, a Security Policy Administrator can require that a requester provide a reason for requesting access to a password or session. Then, when requesting access, the user can select a predefined reason from a list. For example, you might use these access request reasons:
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
303
�l Software Updates l System Maintenance l Hardware Issues l Problem Ticket
To configure access request reasons 1. Navigate to Administrative Tools | Settings | Access Request | Reasons. 2. Click Add Reason to add a new reason. 3. In the Reason dialog, enter the following: a. Name: Enter a name for the reason. Limit: 50 characters Required b. Description: Enter a description for the reason. Limit: 255 characters Required 4. Click Add Reason. 5. To edit a reason, click Edit Reason. The Reason dialog appears allowing you to modify the name or description. 6. To delete a reason, click Delete Reason. In the confirmation dialog, click Yes.
Related Topics
Creating an access request policy
Appliance settings
Use the Appliance settings to view general information about the appliance, run diagnostic tools, and reset or update the Safeguard for Privileged Passwords hardware appliance. Safeguard for Privileged Passwords can be set up to use a virtual appliance. For more information, see Using the virtual appliance and web management console on page 44. Navigate to Administrative Tools | Settings | Appliance. Safeguard for Privileged Passwords provides the following information to help you resolve many common problems you may encounter as you deploy and use your appliance.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
304
�Table 105: Appliance settings
Setting
Description
Appliance Diagnostics
Where you execute a trusted, secure diagnostics package to help solve a configuration issue, synchronization issue, clustering issue, or other internal issues.
Appliance Information
Where you view general information about the appliance, as well as its performance utilization and the memory usage. This page also contains power controls to shut down or restart your appliance.
Network Diagnostics Where you run diagnostic tests on your appliance.
Enable or Disable Services
Where you enable or disable the Application to Application functionality.
Factory Reset from Where you perform a factory reset to revert your appliance to its the desktop client original state when it first came from the factory.
Licensing
Where you add or update a Safeguard for Privileged Passwords license.
Lights Out Management (BMC)
Where you enable and disable lights out management, which allows you to remotely manage the power state and serial console to Safeguard for Privileged Passwords using the baseboard management controller (BMC).
Networking
Where you view and configure the primary network interface, and if applicable, the sessions network interface.
Operating system licensing
Where you configure the operating system for the virtual appliance.
Support bundle
Where you create a support bundle containing system and configuration information to send to One Identity Support to analyze and diagnose issues with your appliance.
If you have the embedded sessions licensed, this is where you enable (and disable) session debug logging to be included in a support bundle.
Time
Where you enable Network Time Protocol (NTP) and set the primary and secondary NTP servers.
NOTE: A replica in the cluster will always reference the primary appliance as its NTP server.
Updates
Where you upload and install an update file. For more information, see Updates on page 322.
In addition to the appliance options, Safeguard for Privileged Passwords provides these troubleshooting tools:
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
305
�Table 106: Additional troubleshooting tools
Tool
Description
Activity Center
View the details of specific events or user activity. For more information, see Activity Center on page 90.
LCD status messages
An LCD screen on the appliance to view the status of the appliance as it is starting up or shutting down. For more information, see LCD status messages on page 544.
Recovery Kiosk (Serial Kiosk)
A terminal or laptop connected directly to the appliance to view basic appliance information, restart the appliance remotely, shut down the appliance, reset the bootstrap administrator's password to its initial value, perform a factory rest, or to generate and send a support bundle to a Windows share. For more information, see Recovery Kiosk (Serial Kiosk) on page 549.
Appliance Diagnostics
Appliance Administrators can execute a trusted, secure appliance diagnostics package to help solve issues with configuration, synchronization, and clustering, as well as other other internal challenges. The appliance diagnostics package is available from the web Support Kiosk, not the Serial Kiosk (Recovery Kiosk). The appliance diagnostics package can be used even when the appliance is in quarantine. To protect against external threats, Safeguard rejects illegitimate appliance diagnostics packages. The manifest file in the appliance diagnostics package lists criteria that may include the minimum Safeguard version, appliance ID, and expiration time-stamp UTC. New product code and database changes are not included in an appliance diagnostics package.
Navigate to Administrative Tools | Settings | Appliance | Appliance Diagnostics.
1. The state of the appliance displays (for example, Online). Click update the state.
Refresh to
2. If no appliance diagnostics package has been loaded, click Upload Diagnostics, select the appliance diagnostics package file that has an .sgd extension, then click Open.
l If the upload criteria is not met, the appliance diagnostics package is not uploaded and a message like the following displays: The minimum Safeguard version needed to run this diagnostic package is <version>.
l If the upload is successful, the Diagnostic Package Information displays with the Status of Staged. You can:
l Select Execute and wait until the Status changes to Completed or Error.
l Select Remove to delete the appliance diagnostics package and the associated log file.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
306
�3. Once uploaded, you can perform these activities.
l If the Expiration Date has not passed, you can select Execute to execute the appliance diagnostics package again.
l Select Delete to delete the appliance diagnostics package, the associated log file, and stop any appliance diagnostics package that is running. Before uploading a different appliance diagnostics package, you must delete the current one because there can be only one appliance diagnostics package per appliance.
l Select Download Log to save the log file. Audit log entries are available through the Activity Center during and after execution and are part of the appliance history. A log is also available during and after execution until the diagnostic package has been deleted.
Appliance Information
It is the responsibility of the Operations Administrator or the Appliance Administrator to monitor the status of the appliance. To go to Appliance Information:
l From the web client, click the Settings menu on the left to go to the Settings: Appliance page. Click Appliance Information .
l From the desktop client, navigate to Administrative Tools | Settings | Appliance | Appliance Information.
The following information displays.
Table 107: Appliance properties
Property
Description
Appliance Name
The name of the appliance. To modify this name, click Edit.
Host
The appliance network server IP address.
Client Version
(If applicable) The version of the Safeguard for Privileged Passwords desktop client application.
Appliance Version The version of the Safeguard for Privileged Passwords Appliance.
Uptime
The amount of time (hours and minutes) the appliance has been running.
(web client) Power (shut down or restart) Power
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
307
�Use the Settings: Appliance page, Power, you can enter a Reason and click the button to shut down or restart your appliance.
l For more information on shutting down the appliance, see Shutting down the appliance on page 309.
l For more information on restarting the appliance, see Restarting the appliance on page 310.
(desktop client) Additional information and power down In the desktop client, the view also contains two tabbed pages to display general information and performance data for the appliance. Appliance: General tab properties Disk displays the amount of used and free disk space.
Table 108: General tab: Appliance properties
Property
Description
Manufacturer
The system manufacturer.
Model
The system model.
Bios Description
The system bios description.
Bios Serial Number The system's bios serial number.
Serial Number
The media access control address (MAC address) assigned to the network interface for communications.
Ship Date
The appliance ship date.
Processor
The processor information.
Virtual Memory
The virtual memory allocation.
Physical Memory
The physical memory allocation.
TLS 1.2 only Toggle on Toggle off
Click this toggle to disable earlier versions of the Transport Layer Security (TLS) protocol and use only TLS v1.2.
NOTE: You must reboot your appliance after enabling TLS 1.2 only.
Power Use the power controls to shut down or restart your appliance.
l For more information on shutting down the appliance, see Shutting down the appliance on page 309.
l For more information on restarting the appliance, see Restarting the appliance on page 310.
Appliance: Performance tab properties
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
308
�Table 109: Performance tab: Performance properties
Property
Description
Processor
Displays the CPU information and the performance utilization of your appliance.
Memory
Displays the memory usage of your appliance; what is currently in use and what is free.
Setting the appliance name
Safeguard for Privileged Passwords automatically assigns a name to the appliance; however, you can change the name from the desktop client, Appliance Information page.
To set the appliance name 1. From the desktop client, navigate to Administrative Tools | Settings | Appliance | Appliance Information. 2. Click Edit to enable the Appliance Name text box. 3. Enter a new appliance name and click Save.
Shutting down the appliance
You can shut down an appliance from the Windows desktop client, web client, or directly from the appliance itself.
CAUTION: Rebooting the appliance causes a service outage for any current users.
To shut down an appliance 1. Go to Appliance Information: l From the web client, click Settings on the left. The Settings: Appliance page displays. Click Appliance Information . l From the desktop client, navigate to Administrative Tools | Settings | Appliance | Appliance Information. 2. Type an explanation for shutting down the Safeguard for Privileged Passwords Appliance in the Reason box and click Shut Down. IMPORTANT: After the appliance powers off, you will need physical access to start it. Press the Green check mark button on the front panel of the appliance for NO MORE than one second to power on the appliance.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
309
�CAUTION: Once the Safeguard appliance is booted, DO NOT press and hold the Green check mark button. Holding this button for four or more seconds will cold reset the power of the appliance and may result in damage.
3. To confirm your action, enter the words Shut Down in the box and click OK.
4. The Safeguard for Privileged Passwords 2000 Appliance LCD screen displays LCD service terminating.
NOTE: You can also use the Red X button on the front panel of the appliance to shut it down. Press and hold the Red X button for four seconds until it displays POWER OFF.
CAUTION: Once the Safeguard appliance is booted, DO NOT press and hold the Red X button for more than 13 seconds. This will hard power off the appliance and may result in damage.
Restarting the appliance
Use the Power controls on the Administrative Tools view in the Windows desktop client to restart an appliance.
To restart the appliance
1. Go to Appliance Information: l From the web client, click Settings on the left. The Settings: Appliance page displays. Click Appliance Information . l From the desktop client, navigate to Administrative Tools | Settings | Appliance | Appliance Information.
2. Type an explanation for restarting the Safeguard for Privileged Passwords Appliance in the Reason box and click Restart.
3. To confirm your action, enter the word Restart in the box and click OK. 4. The Safeguard for Privileged Passwords 2000 Appliance LCD screen displays the run
level status of the appliance as it is starting up. For more information, see LCD status messages on page 544.
Enable or Disable Services
The Appliance Administrator can enable or disable services using toggles. The toggle
appears blue with the switch to the right (
toggle on) when the service is enabled, and
gray with the switch to the left when the service is disabled (
toggle off).
Navigate to Administrative Tools | Settings | Appliance | Enable or Disable Services.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
310
�l Application to Application Enabled toggle: Use this toggle to enable or disable Application to Application service. It is the responsibility of the Appliance Administrator to manage the Application to Application service. The Application to Application service is disabled by default. For more information, see Application to Application on page 378.
l Audit Enabled toggle: Use this toggle to send Safeguard for Privileged Passwords data to Safeguard for Privileged Sessions (SPS) to audit the Safeguard privileged management software suite. The feature is disabled by default. NOTE: This feature is not fully functional until a future release of Safeguard for Privileged Sessions is available.
Factory Reset from the desktop client
As an Appliance Administrator, you can use the Factory Reset feature to reset a Safeguard for Privileged Passwords Appliance to recover from major problems or to clear the data and configuration settings on the appliance.
CAUTION: Care should be taken when performing a factory reset against a physical appliance, because this operation removes all data and audit history, returning it to its original state when it first came from the factory. The appliance must go through configuration again as if it had just come from the factory. For more information, see Setting up Safeguard for Privileged Passwords for the first time on page 58. In addition, performing a factory reset may change the default SSL certificate and default SSH host key.
Factory reset on a clustered appliance
Performing a factory reset on a clustered hardware appliance will not automatically remove the appliance from a cluster. The recommended best practice is to unjoin an appliance from the cluster before performing a factory reset on the appliance. After the unjoin and factory reset, the appliance must be configured again. For more information, see Setting up Safeguard for Privileged Passwords for the first time on page 58.
To perform a factory reset from the desktop client
1. Navigate to Administrative Tools | Settings | Appliance | Factory Reset. 2. Click Factory Reset. 3. In the Factory Reset confirmation dialog, enter the words Factory Reset and
click OK. The appliance will go into Maintenance mode to revert the appliance. Once completed, you will be prompted to restart the desktop client. If the appliance was in a cluster, you may need to unjoin the factory reset appliance. The factory reset appliance must be configured again. For more information, see Setting up Safeguard for Privileged Passwords for the first time on page 58. In addition, when you log in to
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
311
�the appliance, you will be prompted to add your Safeguard for Privileged Passwords licenses.
Licensing
It is the responsibility of the Appliance Administrator to manage the Safeguard for Privileged Passwords licenses. For more information, see Product licensing on page 42.To avoid disruptions in the use of Safeguard for Privileged Passwords, the Appliance Administrator must configure the SMTP server, and define email templates for the License Expired and the License Expiring Soon event types. This ensures you will be notified of an approaching expiration date. For more information, see Enabling email notifications on page 393.
To enter licensing information when you first log in The first time you log in as the Appliance Administrator, you are prompted to add one or more licenses. The Success dialog displays when a license is added. On the virtual appliance, the license is added as part of Initial Setup. For more information, see Setting up the virtual appliance on page 45.
To add new licenses from Settings 1. Go to Licensing: l From the web client, click Settings on the left. The Settings: Appliance page displays. Click Licensing . l From the desktop client, navigate to Administrative Tools | Settings | Appliance | Licensing. 2. Click to upload a new license file. 3. Browse to select the license file. Once you add a license, you will see the current license information and a link that allows you to update the license.
These tasks can also be performed from Licensing: l To add another module license, click Add License and complete the information.
l To delete a license, select the license, then click Delete.
(desktop client) To update a module license 1. Navigate to Administrative Tools | Settings | Appliance | Licensing. 2. Select Update License in the lower left corner of a module's licensing
information pane. 3. Browse to select the license file. Select Open.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
312
�Lights Out Management (BMC)
The Lights Out Management feature allows you to remotely manage the power state and serial console to Safeguard for Privileged Passwords using the baseboard management controller (BMC). When a LAN interface is configured, this allows the Appliance Administrator to power on an appliance remotely or to interact with the Recovery Kiosk.
It is the responsibility of the Appliance Administrator to enable and configure the Lights Out Management feature. When Lights Out Management is enabled, the Appliance Administrator can set or change the password and modify the network information for the baseboard management console (BMC). When disabled, Safeguard for Privileged Passwords immediately resets the password to a random value and resets the network settings to default values.
IMPORTANT: This feature requires a LAN interface to be enabled and configured. Safeguard for Privileged Passwords's BMC supports the following LAN interfaces to provide this functionality:
l SSH
l IPMI v2
l Web
l Serial over Lan
It is strongly recommended that the LAN interface only be enabled in trusted environments.
To enable Lights Out Management
1. Access Lights Out Management in one of two ways:
l Navigate to Administrative Tools | Settings | Appliance | Lights Out Management (BMC).
l Use the virtual appliance Support Kiosk, Lights Out Managment (BMC). For more information, see Support Kiosk on page 49.
2. Click the Enable Lights Out Management toggle to enable or disable this feature.
Set
toggle on or
toggle off.
3. Once enabled, enter the following information about the BMC:
a. IP address: The IPv4 address of the host machine.
b. Netmask: The network mask IPv4 address.
c. Default Gateway: The default gateway IPv4 address.
4. Click the Set BMC Admin Password button to set the password for the host machine.
Maximum password length: 20 characters.
NOTE: If this feature was previously enabled, you will see an Update BMC Admin Password button instead. Optionally, click the Update BMC Admin Password
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
313
�button to reset the password for the host machine.
5. Click OK to save the settings on the host machine.
NOTE: Once Lights Out Management is enabled in Safeguard for Privileged Passwords, you can access the BMC via a web interface or by using SSH to connect to the IPMI port to remotely manage the power state and serial console to Safeguard for Privileged Passwords. The default user for accessing the BMC is ADMIN.
Network Diagnostics
Safeguard for Privileged Passwords makes these diagnostic tests available for the Appliance Administrator and Operations Administrator.
NOTE: When you run these diagnostic tests, they are run on the appliance.
Navigate to Administrative Tools | Settings | Appliance | Network Diagnostics.
Table 110: Appliance Tests
Test
Description
Ping
To verify network connectivity and response time between the appliance to the specified host.
NS Lookup
To obtain DNS details of the specified host in relation to the appliance.
Trace Route
To obtain route information; traceroute determines the paths packets take from one IP address to another.
Telnet
To test TCP/IP connectivity between the appliance and specified host.
Show Routes
To retrieve routing table information.
Related Topics
Troubleshooting Frequently asked questions
Ping
Use the ping test to verify network connectivity and response time between the Safeguard for Privileged Passwords Appliance and the specified host. Navigate to Administrative Tools | Settings | Appliance | Diagnostics.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
314
�Table 111: Ping diagnostic test settings
Property
Description
Ping through
Select the network interface to issue the diagnostic command:
l Network (X0): To ping the primary interface.
l Sessions (X1): To ping the sessions interface. If one or more Safeguard Sessions Appliances are joined to Safeguard for Privileged Passwords, X1 is not available in Safeguard for Privileged Passwords.
IP or Hostname Enter the remote host's IP address or Hostname.
Ping
Click Ping to run the test. The test results display in the Output window.
More Settings
Select More Settings to configure these additional (optional) options:
l Resolve IP addresses to hostnames l Number of echo requests to send l Send buffer size l Set 'don't fragment' flag in packet (IPv4 only) l Time to live l Type of serve l Record route for count hops (IPv4 only) l Time stamp for count hops (IPv4 only) l Timeout in milliseconds to wait for each reply
NS Lookup
Use the NS Lookup query to obtain the domain name server or IP address of the specified host in relation to the Safeguard for Privileged Passwords Appliance.
Navigate to Administrative Tools | Settings | Appliance | Diagnostics.
Table 112: NS Lookup diagnostic test settings
Property
Description
Network Interface Select the network interface to issue the diagnostic command:
l Network (X0): To query at the primary interface.
l Sessions (X1): To query at the sessions interface. If one or more Safeguard Sessions Appliances are joined to Safeguard for Privileged Passwords, X1 is not available in
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
315
�Property
IP or Hostname Record Type Lookup
Description Safeguard for Privileged Passwords.
Enter the remote host's IP address or Hostname. Select the type of DNS record to be queried. Click Lookup to run the test. The test results display in the Output window.
Trace Route
Use the Trace Route test to obtain route information, such as the paths packets take from one IP address to another.
Navigate to Administrative Tools | Settings | Appliance | Diagnostics.
Table 113: Trace Route diagnostic test settings
Property
Description
Trace route through
Select the network interface to issue the diagnostic command:
l Network (X0): To test the primary interface.
l Sessions (X1): To test the sessions interface. If one or more Safeguard Sessions Appliances are joined to Safeguard for Privileged Passwords, X1 is not available in Safeguard for Privileged Passwords.
IP or Hostname Enter the remote host's IP address or Hostname.
Trace
Click Trace to run the test. The test results display in the Output window.
More Settings
Select More Settings to configure these additional (optional) options:
l Resolve IP addresses to hostname l Maximize number of hops to search for target l Timeout in milliseconds to wait for each reply
Telnet
Use telnet to test TCP/IP connectivity between the Safeguard for Privileged Passwords Appliance and the specified host. Navigate to Administrative Tools | Settings | Appliance | Diagnostics.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
316
�Table 114: Telnet diagnostic test settings
Property
Description
Connect through Select the network interface to issue the diagnostic command:
l Network (X0): Select to test the primary interface.
l Sessions (X1): Select to test the sessions interface. If one or more Safeguard Sessions Appliances are joined to Safeguard for Privileged Passwords, X1 is not available in Safeguard for Privileged Passwords.
IP or Hostname Enter the remote host's IP address or Hostname.
Port
Enter the port number on a target host.
Connect
Click Connect to run the test. The test results display in the Output window.
More Settings
Select More Settings to configure this additional (optional) option:
l Connection Timeout
Show Routes
Use Show Routes to retrieve routing tables to further investigate connectivity issues. Navigate to Administrative Tools | Settings | Appliance | Diagnostics.
Table 115: Show Routes diagnostic test settings
Property
Description
Show Routes through
Select the network interface to issue the diagnostic command:
l Network (X0): To retrieve routing tables for the primary interface.
l Sessions (X1): To retrieve routing tables for the sessions interface. If one or more Safeguard Sessions Appliances are joined to Safeguard for Privileged Passwords, X1 is not available in Safeguard for Privileged Passwords.
Show Routes
Click Show Routes to run the test. The test results display in the Output window.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
317
�Networking
On Networking, view and configure the primary network interface, and if applicable, a proxy server to relay web traffic, and the sessions network interface.
It is the responsibility of the Appliance Administrator to ensure the network interfaces are configured correctly.
CAUTION: For Azure, network settings user interfaces are read-only. Network settings configured by the Azure Administrator. Changing the internal network address on a clustered appliance will break the cluster and require the appliance to be unjoined/rejoined.
(web client) To modify the networking configuration settings
1. Click Settings on the left. The Settings: Appliance page displays.
2. Click Networking to configure the appliance. 3. Continue to the Network settings
(desktop client) To modify the networking configuration settings 1. Navigate to Administrative Tools | Settings | Appliance | Networking. 2. Click the Edit icon next to the Network Interface or Proxy Server heading to edit
or configure the network properties. 3. Network settings
Network settings
Complete the network settings. Network Interface X0 (primary interface)
Table 116: Network Interface X0 properties
Property
Description
MAC Address
The media access control address (MAC address), a unique identifier assigned to the network interface for communications
IP Address
The IPv4 address of the network interface
Netmask
The IPv4 network mask
Default Gateway
The IPv4 default gateway
IPv6 Address
The IPv6 address of the network interface
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
318
�Property IPv6 Prefix Length IPv6 Gateway DNS Servers DNS Suffixes
Description
The IPv6 subnet prefix length
The IPv6 default gateway
The IP address for the primary DNS servers The network suffixes for the DNS servers
NOTE: You can modify the network suffixes for the DNS servers by clicking the Edit icon next to the Network Interface X0 heading.
Proxy Server X0
The Proxy Server X0 settings must be configured if your company policies do not allow devices to connect directly to the web. Once configured, Safeguard for Privileged Passwords uses the configured proxy server for outbound web requests to external integrated services, such as Starling.
NOTE: Only HTTP web proxy is supported.
Table 117: Proxy Server X0 properties
Property Description
Proxy URI The IP address or DNS name of the proxy server.
Port
The port number used by the proxy server to listen for HTTP requests.
Value: Integer from 1 to 65535.
NOTE: If different ports are specified in the proxy URI and the Port field, the Port field takes precedence.
Username
The user name used to connect to the proxy server.
NOTE: The username and password are only required if your proxy server requires them to be specified.
Password
The password required to connect to the proxy server.
NOTE: The username and password are only required if your proxy server requires them to be specified.
Network Interface X1 (embedded sessions interface)
NOTE: If one or more Safeguard Sessions Appliances are joined to Safeguard for Privileged Passwords, X1 is not available in Safeguard for Privileged Passwords.
Table 118: Network Interface X1 properties
Property
Description
MAC Address
The MAC address, a unique identifier assigned to the session
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
319
�Property
IP Address Netmask Default Gateway IPv6 Address IPv6 Prefix Length IPv6 Gateway DNS Servers DNS Suffixes
Description interface for communications The IPv4 address of the session interface The IPv4 network mask The IPv4 default gateway The IPv6 address of the session interface The IPv6 subnet prefix length The IPv6 default gateway The IP address for the primary DNS servers The network suffixes for the DNS servers
Operating system licensing
It is the responsibility of the Appliance Administrator to ensure the operating system is configured. Operating system licensing is automatic in the Azure deployment. Use the Operating System Licensing pane to view and configure the operating system of a virtual appliance.
1. Navigate to Administrative Tools | Settings | Appliance | Operating System
Licensing. Click Refresh anytime to refresh the settings. 2. The display shows if Windows is licensed with KMS or licensed with a product
key. Click Details to see additional information. 3. Click Edit to change the operating system license and select one of the
following options. l License automatically with KMS: If you select this option, Safeguard will use DNS to locate the KMS server automatically. l Specify a KMS server: If KMS is not registered with DNS, enter the network IP address of your KMS server. l Specify a license key: If selected, your appliance will need to be connected to the internet for the necessary verification to add your organization's Microsoft activation key.
4. Click OK.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
320
�Support bundle
To analyze and diagnose issues, One Identity Support may ask the Appliance Administrator or Operations Administrator to send a support bundle containing system and configuration information.
NOTES: As an alternative, you can use the Recovery Kiosk to generate and send a support bundle to a Windows share. For more information, see Recovery Kiosk (Serial Kiosk) on page 549. Virtual appliance support bundles are generate from the web management console. For more information, see Support Kiosk on page 49..
To create a support bundle
1. Navigate to Administrative Tools | Settings | Appliance | Support Bundle. NOTE: Select the Include Session Log check box if you want to include the Sessions debug log in the support bundle. This check box is only available if you are using the hardware SPP Appliance and are licensed for and are using the embedded sessions module.
2. Click Generate Support Bundle. 3. Browse to select a location to save the support bundle .zip file and click Save. 4. Send the support bundle to One Identity Support. For more information, see About us
on page 650.
Related Topics
Troubleshooting Frequently asked questions
Time
Time displays the current appliance time and allows you to enable Network Time Protocol (NTP) and set the primary and secondary NTP servers. In addition, when enabled, the NTP client status can be displayed. It is the responsibility of the Appliance Administrator to manage the appliance time.
NOTE: A warning appears if your local time is not within five minutes of the appliance time. One Identity recommends that you set an NTP server to eliminate possible timerelated issues. NOTE:Clustered environments: NTP setting changes are made on the primary appliance in a cluster. When a replica appliance is enrolled into the cluster, it points to the primary appliance's VPN IP address as the Primary NTP Server and the NTP client service is enabled on the replica appliance. When performing a failover operation to promote a replica to be the new primary, the Primary NTP Server is preserved and
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
321
�applied from the 'old' primary appliance.
To enable Network Time Protocol (NTP) and set the primary and secondary NTP servers
1. Go to Time: l In the web client, click Settings on the left. The Settings: Appliance page displays. Click Time . l In the desktop client, navigate to Administrative Tools | Settings | Appliance | Time.
2. Select the Enable Network Time Protocol (NTP) check box to enable NTP. 3. Provide the following information:
l Primary NTP Server: Enter the IP address or DNS name of the primary NTP server.
l Secondary NTP Server: (Optional) Enter the IP address or DNS name of the secondary NTP server.
4. Click OK or Save to save your selections. When NTP is enabled, the following information about the NTP client status is displayed: l Last Sync Time l Leap Indicator l Poll Interval l Precision l Reference ID l Root Delay l Root Dispersion l Source l Stratum NOTE: Select Show Last Sync Details and Hide Details to display more or less information.
Related Topics
How do I set the appliance system time
Updates
It is the responsibility of the Appliance Administrator to update or upgrade Safeguard for Privileged Passwords by installing an update file to modify the software or configuration of the running appliance.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
322
�Download the latest update from: https://support.oneidentity.com/one-identity-safeguard-for-privilegedpasswords/download-new-releases
Embedded sessions
If you are using the embedded sessions module and have never joined Safeguard for Privileged Passwords (SPP) with an external Safeguard for Privileged Sessions (SPS) appliance, after upgrading to SPP 2.9, check the network settings for the X1 interface. Manually restore the settings, if needed.
Clustered environment
Apply the patch so all appliances in the cluster are on the same version. The procedure for patching cluster members depends on the Safeguard for Privileged Passwords version you are currently running.
l If you are running Safeguard for Privileged Passwords 2.0.1.x or earlier, you must unjoin replica appliances, install the patch on each appliance, and then enroll the replica appliances to rebuild your cluster. For more information, see Patching cluster members in the Safeguard for Privileged Passwords 2.0 Administration Guide.
l If you are running Safeguard for Privileged Passwords 2.1.x or 2.2.x, you can use the enhanced cluster patching feature where unjoining replica appliances is no longer required. For more information, see Patching cluster members on page 493.
To install an update file
1. Back up your system before you install an update file. For more information, see Backup and restore on page 341.
2. Navigate to Administrative Tools | Settings | Appliance | Updates. The current appliance and client versions are displayed.
3. Click Upload a File and browse to select an update file. NOTE: When you select a file, Safeguard for Privileged Passwords uploads it to the server, but does not install it.
4. Once the file has successfully uploaded, click one of the following: l Install Now to install the update file. NOTE: Once you install an update file, you cannot uninstall it. l Remove to delete the file from the server without installing it.
The Updates pane shows the upgrade progress and when the appliance has been successfully upgraded.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
323
�Asset Management settings
Use the Asset Management settings to define and manage dynamic tags for assets and asset accounts which include directory accounts. Asset Management settings allow you to add a custom platform.
Navigate to Administrative Tools | Settings | Asset Management.
Table 119: Asset Management settings
Setting
Description
Custom platforms Where you add a custom platform
Tags
Where you view and manage dynamic tags for assets and asset accounts
Custom platforms
The Asset Administrator adds a custom platform that includes uploading the custom platform script with the platform's commands and details. Auditors and Partition Administrators have read only rights. Custom platforms are global across all partitions. The custom platform can be selected when adding or updating an asset.
Create and manage custom platforms in Administrative Tools | Settings | Asset Management | Custom Platforms.
The Custom Platform pane displays the following.
Table 120: Custom platform: Properties
Property
Description
Name
The name of the platform type which may be a product name.
Version
The version of the target platform to use as an identifier.
Architecture
The CPU architecture to use as an identifier. If not applicable, use Any.
Platform Script
The name of the custom platform script file displays once selected.
Allow Sessions Requests
If selected, session access requests are allowed.
Use the following toolbar buttons to manage the custom platform settings.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
324
�Table 121: Custom Platform: Toolbar
Option
Description
Add
Add a custom platform. For more information, see Adding a custom platform.
Delete Selected
Remove the selected custom platform.
CAUTION: If the custom platform is associated with an asset, deleting the custom platform may halt password validation and reset. A warning displays, indicating that the asset will be assigned to the Product platform type Other. Enter Force Delete to confirm the deletion.
Refresh View
Download Selected Script
Update the list of custom platforms.
View the custom platform script parameters including:
l Supported operations, for example Suspend and Restore Accounts, Check System, Check Password, Change Password
l Details including Name, Task, Type, Default, and Description
Download the selected custom platform JSON script.
Related Topics
Creating a custom platform script Adding a custom platform
Creating a custom platform script
A custom platform script identifies the platform's commands and associated details. Scripts are written in JSON. Scripts include metadata, parameters, function blocks, operations, and if/then constructs to authenticate to the platform and perform password validation and reset. The custom platform script is uploaded when adding the custom platform.
You can create an asset and accept default values in the associated custom script. If you later upload a new version of the custom platform script with different defaults, the asset defaults are not changed.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
325
�Sample scripts
Sample custom platform scripts and command details are available at the following links available from the on GitHub:
l Safeguard Custom Platform Home l The Structure of a Custom Platform Script l Writing A Custom Platform Script l Command-Reference
l Sample Scripts
CAUTION: Example scripts are provided for information only. Updates, error checking, and testing are required before using them in production. Safeguard for Privileged Passwords checks to ensure the values match the type of the property that include a string, boolean, integer, or password (which is called secret in the API scripts). Safeguard for Privileged Passwords cannot check the validity or system impact of values entered for custom platforms.
During development, check your JSON using a validator.
Adding a custom platform
It is the responsibility of the Asset Administrator to configure the rules so Safeguard for Privileged Passwords handles custom platforms. The custom platform script must be available for uploading. For more information, see Creating a custom platform script on page 325.
To add a custom platform
1. Have the custom platform script file available to upload.
2. Navigate to Administrative Tools | Settings | Asset Management | Custom Platforms.
3. Click Add. 4. These fields display:
a. Name: Enter the unique name of the platform type, which may be a product name.
b. Version: Enter the version of the target platform to use as an identifier. c. Architecture: Enter the CPU architecture to use as an identifier. If not
applicable, use Any. d. Platform Script: Click Browse. Navigate to and select the script file. Click
Open. The selected custom platform script file displays.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
326
�e. Select the Allow Sessions Requests check box to allow session access requests. This check box is typically selected for SSH. Clear the Allow Sessions check box to prohibit session access requests.
5. Click OK. If the custom platform script has errors, an error message like the following displays: Definition was not a valid json object .
Tags
Asset Administrators can define rules that will dynamically add tags to assets and asset accounts so that they can be easily identified and added to dynamic groups. Use the Administrative Tools | Settings | Asset Management | Tags pane to create and manage dynamic tags for assets and asset accounts.
In addition, Asset Administrators can manually add static tags to assets and accounts on the General tab of the Assets or Accounts view. For more information, see Manually adding a tag to an asset and Manually adding a tag to an account.
The Tags pane provides a centralized view of all the tags defined for assets and asset accounts, regardless of how they were assigned. It displays the following details.
Table 122: Tags: Properties
Property
Description
Name
The name assigned to the tag when it was created.
Asset Partition
The asset partition to which the tag belongs.
Rules
Indicates whether there is a rule associated with the selected tag. A check mark in this column indicates that the tag has an asset or asset account rule.
Description
Information about the tag.
Use these toolbar buttons to manage tags.
Table 123: Tags: Toolbar
Option
Description
New
Add a dynamic tag. For more information, see Adding a tag for dynamic tagging of assets or asset accounts on page 328.
Delete
Remove the selected tag. For more information, see Deleting an asset or asset account tag on page 332.
Refresh
Update the list of tags.
Edit
Modify the selected tag. For more information, see Modifying an asset or asset account tag on page 333.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
327
�Option
Copy Occurrences Search
Description
NOTE: You cannot modify the partition assignment of an existing tag using the Edit operation. Use the Copy operation to clone the tag and assign it to an additional partition. Use the Delete operation to remove the tag from the existing partition.
Clone the selected tag and assign it to one or more additional partitions. For more information, see Copying an asset or asset account tag to another partition on page 333.
NOTE: If the tag already exists in the partition, the tag will be replaced with the cloned one.
View a list of assets and asset accounts that are assigned to the selected tag. For more information, see Viewing asset and asset account tag assignments on page 334.
Search for a specific tag or set of tags in this list.
Related Topics
When does the rules engine run for dynamic grouping and tagging
Adding a tag for dynamic tagging of assets or asset accounts
Use the New button on the Tags pane in the Asset Management settings page to add a dynamic tag for an asset or asset account.
To add an asset or asset account dynamic tag 1. Navigate to Administrative Tools | Settings | Asset Management | Tags. 2. Click the New toolbar button. The Tag dialog displays. 3. On the General tab, enter the following information: l Name: Enter a unique name for the tag. l Description: Enter information about the tag. l Partition: Click Browse to select the partition to which this tag is to be assigned. 4. On the Account Rules tab, enter the conditions for an account rule. l Include an account rule for this tag: Select this check box if you want to include an account rule. l Rule editor: Use the rule editor to define conditions for tagging asset
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
328
�accounts.
Table 124: Asset Account Rules tab: Rule editor controls
Property
Description
AND | OR
Click AND to group multiple search criteria together, where all criteria must be met in order to be included.
Click OR to group multiple search criteria together; where at least one of the criteria must be met in order to be included.
Attribute
In the first query clause box, select the attribute to be searched. Valid attributes include:
l Name (Default)
l Description
l Platform
l Disabled
l Tag
l Service Account
l Partition Name
l Asset Name
l Asset Tag
l Domain Name
l NETBIOS Name
l Distinguished Name (You cannot do a one level search with this attribute.)
l SID
l Discovered Group Name (Use this selection to not specify the domain in the search. To specify the domain, select Discovered Group Distinguished Name.)
l Discovered Group Distinguished Name (Use this selection to specify the search is for the domain to which the group belongs.)
l Directory Container (If you use the operator Equal, one level is found.)
Operator
In the middle clause query box, select the operator to be used in the search. The operators available depend upon the data type of the attribute selected.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
329
�Property
Search string |
Add Grouping | Remove Preview
Description
For string attributes, the operators may include: l Contains (Default) l Does not contain l Starts with l Ends with l Equals l Not equal
For boolean attributes, the operators may include: l Is True l Is False
In the last clause query box, enter the search string or value to be used to find a match.
Click to the left of a search clause to add an additional clause to the search criteria. Click to remove the search clause from the search criteria.
Click the Add Grouping button to add an additional set of conditions to be met. A new grouping is added under the last query clause in a group and appears in a bordered pane showing that it is subordinate to the higher level query conditions. Click the Remove button to remove a grouping from the search criteria.
Click Preview to run the query in order to review the results of the query before adding the dynamic tag.
5. On the Asset Rules tab, enter the conditions for an asset rule.
l Don't include an asset rule for this tag: Select this check box if you do not want to include an asset rule. Selecting this check box disabled the rule editor controls on this page. Proceed to the next tab.
l Rule editor: Use the rule editor to define conditions for tagging assets.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
330
�Table 125: Asset Rules tab: Rule editor controls
Property
Description
AND | OR
Click AND to group multiple search criteria together, where all criteria must be met in order to be included.
Click OR to group multiple search criteria together, where at least one of the criteria must be met in order to be included.
Attribute
In the first query clause box, select the attribute to be searched. Valid attributes include:
l Name (default)
l Description
l Platform
l Disabled
l Tag
l Discovery Job Name
l Partition Name
l Profile
l Network Address
l Discovered Group Name (Use this selection to not specify the domain in the search. To specify the domain, select Discovered Group Distinguished Name.)
l Discovered Group Distinguished Name (Use this selection to specify the search is for the domain to which the group belongs.)
l Directory Container (If you use the operator Equal, one level is found.)
Operator
In the middle clause query box, select the operator to be used in the search. The operators available depend on the data type of the attribute selected. For string attributes, the operators may include:
l Contains (Default) l Does not contain l Starts with l Ends with l Equals
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
331
�Property
Search string |
Add Grouping | Remove
Preview
Description
l Not equal For boolean attributes, the operators may include:
l Is True l Is False
In the last clause query box, enter the search string or value to be used to find a match.
Click to the left of a search clause to add an additional clause to the search criteria. Click to remove the search clause from the search criteria.
Click the Add Grouping button to add an additional set of conditions to be met. A new grouping is added under the last query clause in a group and appears in a bordered pane showing that it is subordinate to the higher level query conditions. Click the Remove button to remove a grouping from the search criteria.
Click Preview to run the query in order to review the results of the query before adding the dynamic tag.
6. On the Summary tab, review your selections.
l Account Rules: Open the Account Rules tab to review the conditions for an asset account rule.
l Asset Rules: Open the Asset Rules tab to review the conditions for an asset rule.
7. Click Add to create the tag, close the dialog, and return to the Tags pane.
Deleting an asset or asset account tag
A tag can be assigned to multiple object types. That is, you can have the same tag assigned to assets and asset accounts including directory accounts. When deleted, all references to a tag will be removed, no matter how it was assigned (dynamically or manually).
To delete an asset or asset account tag 1. Navigate to Administrative Tools | Settings | Asset Management | Tags. 2. Select the tag to be deleted. 3. Click the toolbar button. 4. On the Remove Selected confirmation dialog, click Yes.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
332
�5. If the tag is being used, removing the tag may result in changes to your policy configuration; therefore, you are given the opportunity to confirm or cancel the remove operation. l To remove the tag, enter Force Delete and click OK.
Modifying an asset or asset account tag
Use the Edit button on the Tags pane on the Asset Management settings page to modify an asset or asset account tag. You cannot modify the partition assignment of an existing tag using the Edit operation. Use the Copy operation to clone the tag and assign it to an additional partition. For more information, see Copying an asset or asset account tag to another partition on page 333.
To modify an asset or asset account tag 1. Navigate to Administrative Tools | Settings | Asset Management | Tags. 2. Select the tag to be modified. 3. Select the toolbar button. The Tag dialog displays allowing you to modify the selected tag settings. For more information, see Adding a tag for dynamic tagging of assets or asset accounts on page 328.
Copying an asset or asset account tag to another partition
Tags for assets and asset accounts belong to a partition. Use the Copy button on the Tags pane on the Asset Management settings page to clone an asset or asset account tag and assign it to a different partition. You cannot modify the partition assignment of an existing tag using the Edit operation. Use this Copy operation to clone the tag and assign it to an additional partition.
To copy an asset or asset account tag to another partition 1. Navigate to Administrative Tools | Settings | Asset Management | Tags. 2. Click the toolbar button. The Copy to dialog displays, allowing you to select one or more partitions. 3. Select the check box for the partitions to which the selected tag is to be assigned. If you have Asset Administrator permissions, you can create a new partition by clicking Create New. For more information, see Adding a partition on page 292. 4. Click OK. If a tag with the same name already exits in the selected partition, you will be asked if you want to replace the tag.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
333
�Viewing asset and asset account tag assignments
Use the Occurrences button on the Tags pane on the Asset Management page to view a list of all the assets and asset accounts assigned to a tag.
To view asset and asset account tag assignments
1. Navigate to Administrative Tools | Settings | Asset Management | Tags. 2. Select a tag from the list. 3. Click the Occurrences toolbar button.
The Occurrences dialog displays, which contains a list of all the assets and accounts assigned to the selected dynamic tag:
l Name: Name of the asset or account. l Asset: The name of the asset. l Type: Whether the occurrence identifies an Asset or Account associated with
the named Asset. 4. Use the Search box to locate a specific tag or set of tags in this list. Enter the
character string to be used to search for a match. 5. Click Close to close the dialog and return to the Tags pane.
Backup and Retention settings
Use the Backup and Retention settings to manage your Safeguard for Privileged Passwords backups and archive servers.
It is the responsibility of the Appliance Administrator to configure the Safeguard for Privileged Passwords backup and retention settings.
To ensure the security of the hardware appliance, backups taken from a hardware appliance cannot be restored on virtual appliances, and backups taken from a virtual appliance cannot be restored on a hardware appliance.
Navigate to Administrative Tools | Settings | Backup and Retention.
NOTE:When a backup is created, the state of the sessions module is saved. The session module can be either the joined sessions module (SPS) or the embedded sessions module (SPP). Restoring a backup restores the sessions module to the state when the backup was taken regardless of the state when the restore was started.
Table 126: Backup and Retention settings
Setting
Description
Archive servers
Where you add and manage archive servers for storing backup files and session recordings
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
334
�Setting
Description
Audit Log Management
Where you define the audit logs to be archived and purged as well as a schedule for performing the audit log archival task
Backup and restore
Where you initiate or schedule a backup, upload or download a backup file, or specify the archive server where a backup file is to be stored
Backup retention
Where you enable (or disable) backup retention and set the maximum number of backup files you want Safeguard for Privileged Passwords to store on the appliance
About backups
Safeguard for Privileged Passwords backs up the following:
l All settings, except: l Appliance IP address l Network Time Protocol (NTP) configurations l Domain Name System (DNS) configuration
l Transaction history l All information about Safeguard for Privileged Passwords objects:
l Accounts l Account groups l Assets l Asset groups l Entitlements l Partitions l Users l User groups
Safeguard for Privileged Passwords encrypts and signs the data before it makes it available for downloading to an off-appliance storage. Only a genuine Safeguard for Privileged Passwords Appliance can decrypt the backup, and then only when it is on the appliance. This means that if a backup has been downloaded from an appliance for off-appliance storage, you must first upload it to an appliance, which will verify the signature, ensuring that it is an authentic backup for Safeguard for Privileged Passwords.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
335
�Archive servers
Archive servers are external physical servers where you store backup files and session recordings. Use the Archive Servers page on the Backup and Retention settings view to configure and manage archive servers.
Navigate to Administrative Tools | Settings | Backup and Retention | Archive Servers. The Archive Servers page displays the following information about previously configured archive servers.
Table 127: Archive Servers: Properties
Property
Description
Name
The name of the archive server.
Archive Method
The transfer protocol type being used.
Network Address
The network DNS name or IP address used to connect to the server over the network.
Storage Path
The file path where you want to store backup files on the archive server.
Description
Information about the archive server.
Use these toolbar buttons to manage archive server configurations.
Table 128: Archive Servers: Toolbar
Option
Description
Add Archive Server
Add an archive server. For more information, see Adding an archive server on page 337.
Delete Selected Remove the selected archive server configuration.
Refresh
Update the list of archive server configurations.
Edit
Modify the selected archive server configuration.
You can store backup files on an external archive server. For more information, see Archive backup on page 347.
You can configure an automatic backup schedule and specify which archive server will be used to automatically archive after the scheduled backup. For more information, see Backup settings on page 343.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
336
�Adding an archive server
Use the Archive Servers page on the Backup and Retention settings view to configure archive servers, which can then be selected to archive a backup file or assigned to an appliance to store its session recordings.
To configure an archive server 1. Navigate to Administrative Tools | Settings | Backup and Retention | Archive Servers.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
337
�2. Click Add Archive Server and provide the following:
Name
Enter the display name for the archive server. Limit: 100 characters
Name Description Network Address Storage Path Archive Method
Port Authentication Type
Enter the display name for the archive server. Limit: 100 characters
Enter information about the archive server. Limit: 255 characters
Enter a network DNS name or the IP address used to connect to the server over the network. Limit: 255 characters
Enter the file path where you want to store backup files on the archive server. Limit: 255 characters
Choose a transfer protocol type: l CIFS: Common Internet File System. l SCP: Secure Copy Protocol l SFTP: Secure File Transfer Program
The port used by SSH to log in to the managed system. NOTE: Not applicable for CIFS archive mode.
Select the type of authentication to be used to access the archive server:
l Password (default) l Directory Account l SSH
NOTE: Not applicable for CIFS archive mode.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
338
�SSH Key Generation and Deployment Settings
Account Name Password Service Account
Auto Accept SSH Host Key Test Connection
If SSH is selected as the authentication type, select one of the following settings:
l Automatically Generate the SSH Key
l Install and Use SSH Key from Safeguard for Privileged Passwords
Optionally, select Manually Deploy the SSH key check box
Browse to select the SSH key to be used.
If Password or SSH is selected as the authentication type, enter the service account name.
If Password or SSH is selected as the authentication type, enter the service account password.
If Directory Account is selected as the authentication type, click Select Account to chose the service account is be used to access the archive server.
Select this check box to have Safeguard for Privileged Passwords automatically accept the SSH host key when it creates the archive server.
Click this button to verify that the appliance can communicate with this archive server. For more information, see About Test Connection on page 194.
3. Click OK.
Once you have configured your archive servers, you need to designate a target archive for both your backup files and session recordings.
l For backup files, see Archive backup on page 347 l For session recordings, see Session Recordings Storage Management on page 438
Audit Log Management
Safeguard for Privileged Passwords allows you to define and schedule an audit log management task to purge audit logs from the Safeguard for Privileged Passwords Appliance and archive older audit logs to a designated archive server. Archiving audit logs allows you to keep critical and relevant data online and current while eliminating or archiving audit logs that are no longer required.
CAUTION: The initial and subsequent archiving and purging of audit logs can take hours. The cluster is locked during the process. Carefully schedule and monitor this process.
To define and schedule when to perform an audit log archival task:
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
339
�1. Navigate to Administrative Tools | Settings | Backup and Retention | Audit Log Management.
2. Select Run Every to run the job along per the run details you enter. (If you deselect Run Every, the schedule details are lost.
l Configure the following:
To specify the frequency without start and end times, select from the following controls. If you want to specify start and end times, go to the Use Time Window selection in this section.
l Minutes: The job runs per the frequency of minutes you specify. For example, Every 30 Minutes runs the job every half hour over a 24hour period. It is recommended you do not use the frequency of minutes except in unusual situations, such as testing.
l Hours: The job runs per the minute setting you specify. For example, if it is 9 a.m. and you want to run the job every two hours at 15 minutes past the hour starting at 9:15 a.m., select Runs Every 2 Hours @ 15 minutes after the hour.
l Days: The job runs on the frequency of days and the time you enter.
For example, Every 2 Days @ 11:59:00 PM runs the job every other evening just before midnight.
l Weeks The job runs per the frequency of weeks at the time and on the days you specify.
For example, Every 2 Weeks @ 5:00:00 AM and Repeat on these days with MON, WED, FRI selected runs the job every other week at 5 a.m. on Monday, Wednesday, and Friday.
l Months: The job runs on the frequency of months at the time and on the day you specify.
For example, If you select Every 2 Months @ 1:00:00 AM along with First Saturday of the month, the job will run at 1 a.m. on the first Saturday of every other month.
l Select Use Time Windows if you want to enter the Start and End time. You
can click add or - delete to control multiple time restrictions. Each time window must be at least one minute apart and not overlap.
For example, for a job to run every ten minutes every day from 10 p.m. to 2 a.m., enter these values:
Enter Every 10 Minutes and Use Time Windows:
l Start 10:00:00 PM and End 11:59:00 AM
l Start 12:00:00 AM and End 2:00:00 AM
An entry of Start 10:00:00 PM and End 2:00:00 AM will result in an error that the end time must be after the start time.
If you have selected Days, Weeks, or Months, you will be able to select the number of times for the job to Repeat in the time window you enter.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
340
�For a job to run two times every other day at 10:30 am between the hours of 4 a.m. and 8 p.m., enter these values: For days, enter Every 2 Days and set the Use Time Windows as Start 4:00:00 AM and End 20:00:00 PM and Repeat 2. l Time Zone: Select the time zone.
3. Select an approach: a. Archive and delete logs: i. For Archive and delete audit logs older than __ days, enter the number of days that should pass before audit logs are archived to an archive server and deleted off the appliance. ii. Select Send to archive server to store the audit logs externally from the appliance. NOTE: This option is only available if you have configured an archive server. For more information, see Adding an archive server on page 337. iii. Click Test to test the connection to the archive server. b. To delete audit logs from the appliance and not back them up on an archive server, enter the days in Delete audit logs older than __ days.
4. Click OK.
Backup and restore
It is the responsibility of the Appliance Administrator to manage Safeguard for Privileged Passwords backups. As a best practice, store backups on an archive server that is external from the appliance so that the backup image is available for restoration even if there is a catastrophic disk or hardware failure. Keep only a minimum number of backup files on the appliance. After you download or archive the backup files, use Delete to remove them from the desktop client application. You can set the maximum number of backup files you want Safeguard for Privileged Passwords to retain on the appliance in Backup and Retention settings.
NOTE:When a backup is created, the state of the sessions module is saved. The session module can be either the joined sessions module (SPS) or the embedded sessions module (SPP). Restoring a backup restores the sessions module to the state when the backup was taken regardless of the state when the restore was started. Navigate to Administrative Tools | Settings | Backup and Retention | Safeguard Backup and Restore. The Safeguard for Privileged Passwords Backup and Restore page lists this information for the backups that are currently in the database.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
341
�Table 129: Safeguard for Privileged Passwords Backup and Restore: Properties
Property
Description
Date
The date of the backup
Time
The time of the backup
Progress
The status of the backup: Running or Complete
File Size (MB)
The size of the backup file in megabytes
Appliance Name
The name of the appliance
Appliance Version The version of the Safeguard for Privileged Passwords Appliance
User
The name of the user that created the backup
Last Archived Date The date the selected backup ran
Archive Server Name
The name of the server on which the backup was archived
Use these toolbar buttons to manage Safeguard for Privileged Passwords backups
Table 130: Safeguard for Privileged Passwords Backup and Restore: Toolbar
Option
Description
Run Now
Create a backup copy of the data that is currently on the appliance. For more information, see Run Now on page 343.
Delete
Remove the selected backup file from the Backups page and the Safeguard for Privileged Passwords database.
Refresh
Update the list of backup files on the Backups page.
Settings
Where you configure an automatic backup schedule. For more information, see Backup settings on page 343.
Download
Save the selected backup file in a location on your appliance. For more information, see Download on page 345.
Upload
Retrieve a backup file from a file location and add it to the Backups page list. For more information, see Upload on page 345.
Restore
Overwrite the current data and restore Safeguard for Privileged Passwords to the selected backup. For more information, see Restore on page 345.
Archive
Store a backup file on an external archive server. For more information, see Archive backup on page 347.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
342
�Run Now
To create a new backup
1. Navigate to Administrative Tools | Settings | Backup and Retention | Safeguard Backup and Restore.
2. Click Run Now. Safeguard for Privileged Passwords makes a copy of the current database.
CAUTION: If you restore a backup that is older than the Maximum Password Age set in the Login Control settings, all user accounts (including the bootstrap administrator) will be locked out and you will have to reset all of the user account passwords. To avoid this situation, you can reset the Maximum Password Age to zero before you perform the backup, then reset it after the restore.
TIP:As a best practice, perform backups more frequently than the Maximum Password Age setting.
CAUTION:Safeguard for Privileged Passwords can not restore any access request workflow events in process at the time of a backup.
Backup settings
Settings is where you configure an automatic backup schedule. If you schedule a backup and a backup has already occurred for that interval (minute, hour, day, week, or month), Safeguard for Privileged Passwords will not execute another backup until the following minute, hour, day, week, or month. For example, if a backup has already occurred today and you set the backup schedule to run a daily backup, Safeguard for Privileged Passwords will not run the backup until tomorrow. The backup schedule window end time must be after the start time.
To schedule backups
1. Navigate to Administrative Tools | Settings | Backup and Retention | Safeguard Backup and Restore.
2. Click Settings. 3. In the Backup Settings dialog, specify the backup schedule. Select Backup Every
to run the job along per the run details you enter. (If you deselect Backup Every, the details are lost.)
l Configure the following: To specify the frequency without start and end times, select from the following controls. If you want to specify start and end times, go to the Use Time Window selection in this section.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
343
�l Minutes: The job runs per the frequency of minutes you specify. For example, Every 30 Minutes runs the job every half hour over a 24hour period. It is recommended you do not use the frequency of minutes except in unusual situations, such as testing.
l Hours: The job runs per the minute setting you specify. For example, if it is 9 a.m. and you want to run the job every two hours at 15 minutes past the hour starting at 9:15 a.m., select Runs Every 2 Hours @ 15 minutes after the hour.
l Days: The job runs on the frequency of days and the time you enter.
For example, Every 2 Days @ 11:59:00 PM runs the job every other evening just before midnight.
l Weeks The job runs per the frequency of weeks at the time and on the days you specify.
For example, Every 2 Weeks @ 5:00:00 AM and Repeat on these days with MON, WED, FRI selected runs the job every other week at 5 a.m. on Monday, Wednesday, and Friday.
l Months: The job runs on the frequency of months at the time and on the day you specify.
For example, If you select Every 2 Months @ 1:00:00 AM along with First Saturday of the month, the job will run at 1 a.m. on the first Saturday of every other month.
l Select Use Time Windows if you want to enter the Start and End time. You
can click add or - delete to control multiple time restrictions. Each time window must be at least one minute apart and not overlap.
For example, for a job to run every ten minutes every day from 10 p.m. to 2 a.m., enter these values:
Enter Every 10 Minutes and Use Time Windows:
l Start 10:00:00 PM and End 11:59:00 AM
l Start 12:00:00 AM and End 2:00:00 AM
An entry of Start 10:00:00 PM and End 2:00:00 AM will result in an error that the end time must be after the start time.
If you have selected Days, Weeks, or Months, you will be able to select the number of times for the job to Repeat in the time window you enter.
For a job to run two times every other day at 10:30 am between the hours of 4 a.m. and 8 p.m., enter these values:
For days, enter Every 2 Days and set the Use Time Windows as Start 4:00:00 AM and End 20:00:00 PM and Repeat 2.
l Time Zone: Select the time zone.
4. Select Send to archive server to store the backup files externally from the appliance.
NOTE: This option is only available if you have configured an archive server. For
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
344
�more information, see Adding an archive server on page 337. You configure the maximum number of backup files you want Safeguard for Privileged Passwords to store on the appliance on the Backup retention page.
Download
Safeguard for Privileged Passwords allows you to save a selected backup file in a location on your computer.
To download the backup file 1. Navigate to Administrative Tools | Settings | Backup and Retention | Safeguard Backup and Restore. 2. Select a backup file and click Download. 3. Browse to select a location of your choice. 4. Give the file a name and click OK.
NOTE:Safeguard for Privileged Passwords copies the backup file; it does not remove the backup from the list displayed on the Backup and Restore page.
Upload
Safeguard for Privileged Passwords allows you to retrieve a backup file from a file location and add it to the Safeguard for Privileged Passwords Backup and Restore page list on the appliance.
To upload a backup file 1. Navigate to Administrative Tools | Settings | Backup and Retention | Safeguard Backup and Restore. 2. Click Upload. 3. Browse to select a backup file and click Open.
Restore
Safeguard for Privileged Passwords allows you to restore the data on your appliance with data from a selected backup. Safeguard for Privileged Passwords does not restore the appliance IP address, NTP settings, or the DNS settings. To verify that these settings are correct after a restore, go to Settings | Appliance Information.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
345
�CAUTION: If you restore a backup that is older than the Maximum Password Age set in the Login Control settings, all user accounts (including the bootstrap administrator) will be disabled and you will have to reset all of the user account passwords. If your bootstrap administrator's password is locked out, you can reset it from the Recovery Kiosk. For more information, see Admin password reset on page 552.
Version considerations when restoring a backup
An Appliance Administrator can restore backups as far back as Safeguard for Privileged Passwords version 2.2.0.6958. Only the data is restored; the running version is not changed.
If the administrator attempts to restore a version earlier than 2.2.0.6958, a message like the following displays: Restore failed because the backup version '[version]' is older than the minimum supported version '2.2.0.6958' for restore.
You cannot restore a backup from a version newer than the one running on the appliance. The restore will fail and a message like the following displays: Restore failed because backup version [version] is newer then the one currently running [version].
The backup version and the running version display in the Activity Center logs that are generated when Safeguard starts, completes, or fails a restore.
To restore the Safeguard for Privileged Passwords appliance from a selected backup
1. Navigate to Administrative Tools | Settings | Backup and Retention | Safeguard Backup and Restore.
2. Select a backup. If the backup file is not listed, you can Upload it first.
3. Click Restore.
4. When the Restore dialog diplays, enter the word Restore in the box and click OK.
Safeguard for Privileged Passwords automatically restarts the appliance, if necessary.
5. After restoring from backup verify that the following are set correctly.
l Check the archive server in the automated backup schedule. If necessary, set the correct archive server. For more information, see Archive backup on page 347.
l If you are using the embedded sessions module, check the archive server in the session archive settings. If necessary, set the correct archive server. For more information, see Assigning an archive server to an appliance on page 439.
l If you restored a backup to a different appliance, managed networks will no longer have any assigned appliances. Password management and discovery tasks will fail. For more information, see Managed networks on page 366.
6. Once the appliance is fully operational, it asks you to restart the Windows desktop client. All modifications to Safeguard for Privileged Passwords objects since the backup was created will be lost.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
346
�CAUTION: After a restore, requesters, approvers, and reviewers will not have access to any access request workflow events that were in process at the time of the backup. The Activity Center displays those workflow events as incomplete.
Archive backup
Safeguard for Privileged Passwords allows you to store backup files on an external archive server.
To archive a backup file 1. Navigate to Administrative Tools | Settings | Backup and Retention | Safeguard Backup and Restore. 2. Select the backup to be archived.
3. Click Archive and select Archive Backup. 4. In the Archive Servers selection dialog, choose an archive server.
NOTE: You can add an archive server from the Archive Servers selection dialog by clicking the Add Archive Server toolbar button. Safeguard for Privileged Passwords copies the backup file to the archive server.
Backup retention
It is the responsibility of the Appliance Administrator to configure the maximum number of backup files you want Safeguard for Privileged Passwords to store on the appliance.
To configure the appliance backup retention settings 1. Navigate to Administrative Tools | Settings | Backup and Retention | Safeguard for Privileged Passwords Backup Retention. 2. Select the Enable Backup Retention check box. 3. Enter the maximum number of backup files you want to store on the appliance. 4. Click OK.
Once Safeguard for Privileged Passwords saves the maximum number of backup files, next time it performs a backup, it deletes the backup file with the oldest date.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
347
�Certificate settings
Use the Certificate settings to manage the certificates used to secure Safeguard for Privileged Passwords. The panes on this page display default certificates that can be replaced or user-supplied certificates that have been added to Safeguard for Privileged Passwords.
It is the responsibility of the Appliance Administrator to manage the certificates used by Safeguard for Privileged Passwords.
Navigate to Administrative Tools | Settings | Certificates.
Table 131: Certificates settings
Setting
Description
Audit Log Signing Certificate
Where you manage the audit log signing certificate used to validate audit logs stored on an archive server.
Certificate Signing Request
Where you can view and manage certificate signing requests (CSRs)
Sessions Certificates
Where you manage session certificates, including installing session certificates or creating CSRs to enroll a sessions certificate. If a Safeguard Sessions Appliance is joined to Safeguard for Privileged Passwords, assigning the certificate is handled via Safeguard for Privileged Sessions.
SSL Certificates
Where you manage SSL certificates, including installing SSL certificates or creating CSRs to enroll a public SSL certificate.
Trusted Certificates
Where you add and manage certificates trusted by Safeguard for Privileged Passwords, for example your company's root Certificate Authority (CA) certificate.
About certificates
The certificate infrastructure in Safeguard for Privileged Passwords consists of the following.
Replaceable certificates
Safeguard for Privileged Passwords ships with the following default certificates which are meant to be replaced:
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
348
�l A self-signed SSL certificate for HTTPS. The name of the SSL certificate matches the hostname of the Safeguard for Privileged Passwords Appliance and uses the appliance's default IP addresses as the Subject Alternative Name (SAN).
l A self-signed Certificate Authority (CA) certificate used by the embedded sessions module that generates server SSL certificates on-the-fly to secure RDP connections when an RDP session is initiated using Safeguard for Privileged Passwords. The requester must accept the certificate in order to launch a remote desktop session.
l A signing certificate used to validate that archived audit logs were created by and came from Safeguard for Privileged Passwords.
User-supplied certificates
Safeguard for Privileged Passwords allows you to specify the security certificates to be used. When replacing or adding certificates, keep the following considerations in mind:
l Safeguard for Privileged Passwords supports Certificate Signing Requests (CSRs) to enroll any type of certificate. CSRs use the Public-Key Cryptography Standard (PKCS) #10 format.
l For imports, Safeguard for Privileged Passwords must access the relevant network resources to validate the CRL end points specified in the signed CSR.
l For uploading certificates with private keys, Safeguard for Privileged Passwords supports .pfx ( or .p12) files that follow the PKCS #12 standard.
l For SSL certificates, Safeguard for Privileged Passwords allows you to upload or use a CSR to enroll multiple certificates that can then be applied to different appliances.
l Safeguard for Privileged Passwords provides an SSL certificate store that allows you to assign any uploaded or enrolled SSL certificate to any appliance.
l Prior to adding an asset that uses SSL server certificate validation, you must add the server's signing authority certificate to the Trusted Certificates store in Safeguard for Privileged Passwords
l For embedded sessions certificates, uploading a new certificate or using a CSR to enroll a new certificate will replace the default certificate supplied with Safeguard for Privileged Passwords.
Audit Log Signing Certificate
The Audit Log Signing Certificate pane on the Certificates setting page displays details about the certificate used to sign the audit log files saved to an archive server. The audit log signing certificate proves that the audit logs were created by and came from a particular Safeguard for Privileged Passwords cluster. This signing certificate is used by administrators who want to verify that the exported Audit Log History originated from their Safeguard for Privileged Passwords cluster. This
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
349
�certificate's public key, in addition to the certificate's issuer, must be available if you wish to validate the signed audit log.
A common signature format is used. Each audit log archive is hashed using the SHA256 hash algorithm. The hash value is signed with the audit log signing certificate private key using RSA signing with PSS signature padding. The signature file is created using the same file name as the archive file but with the .sig file extension.
It is recommended to generate the CSR from within the Safeguard for Privileged Passwords user interface using the Add Certificate | Create Certificate Signing Request (CSR) option. For more information, see Creating a Certificate Signing Request for audit logs on page 351.
While Safeguard for Privileged Passwords ships a default audit log signing certificate, One Identity recommends that you load your own.
If you replace the default certificate with your own, the certificate must have the following:
l Enhanced Key Usage extension with the Server Authentication (1.3.6.1.5.5.7.3.1) OID value.
l Digital Signature key Usage extension with the Server Authentication (2.5.29.37.3) OID value.
You can have only one audit log signing certificate defined, which is used by all Safeguard for Privileged Passwords Appliances in the same cluster. That is, Safeguard for Privileged Passwords uses the default certificate or a certificate you uploaded to replace the default certificate.
Navigate to Administrative Tools | Settings | Certificates | Audit Log Signing Certificate. The following properties and controls are available to manage your audit log signing certificate.
Table 132: Audit Log Certificates: Properties
Properties/Controls Description
Refresh
Click Refresh to update the certificate displayed on the Audit Log Certificates pane.
Subject
The name of the subject (such as user, program, computer, service or other entity) assigned to the certificate when it was requested.
Thumbprint
A unique hash value that identifies the certificate.
Add Certificate
Click Add Certificate and select one of the following options to replace the default certificate with a new certificate:
l Install Certificate generated from CSR l Install Certificate with Private Key l Create Certificate Signing Request (CSR)
Use Default
Click Use Default to reset the certificate back to the default.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
350
�Installing an audit log signing certificate
If you do not want to use the default certificate provided with Safeguard for Privileged Passwords, you can replace it with another certificate with a private key.
NOTE: For uploading certificates with private keys, Safeguard for Privileged Passwords supports .pfx ( or .p12) files which follow the PKCS #12 standard.
To install an audit log signing certificate
1. Navigate to Administrative Tools | Settings | Certificates | Audit Log Signing Certificate.
2. Click the Add Certificate button for the sessions certificate to be replaced. Select the appropriate option: l Install Certificate generated from CSR l Install Certificate with Private Key
3. Browse to select the certificate file (.pfx file) and click OK. 4. Once installed, this new certificate will replace the default certificate listed on the
Audit Log Signing Certificates pane.
Creating a Certificate Signing Request for audit logs
If you do not want to use a default sessions certificate provided with Safeguard for Privileged Passwords, you can enroll a certificate using a Certificate Signing Request (CSR) to replace the default certificate.
To create a CSR for an audit log signing certificate
1. Navigate to Administrative Tools | Settings | Certificates | Audit Log Signing Certificate.
2. Click the Add Certificate button for the certificate to be replaced and select Create Certificate Signing Request (CSR).
3. In the Certificate Signing Request dialog, enter the following information: a. Subject (Distinguished Name): Enter the distinguished name of the person or entity to whom the certificate is being issued. Maximum length of 500 characters. NOTE: Click Use Distinguished Name Creator to create the distinguished name based on fully-qualified domain name, department, organization unit, locality, state/county/region, and country. b. Alternate DNS Names: Optionally, enter additional or alternate host names (such as, IP addresses, sites, or common names) that are to be protected by this certificate.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
351
�c. Key Size: Select the bit length of the private key pair: l 1024 l 2048 (default) l 4096
NOTE: The bit length determines the security level of the certificate. A higher bit length means stronger security. 4. Click OK to save your selections and enroll the certificate. Certificates enrolled via CSR are listed in the Certificate Signing Request pane.
Certificate Signing Request
Some certificates require a digital signature before a certification authority (CA) can process the certificate request. The Certificate Signing Request pane displays details about any certificates enrolled via Certificate Signing Requests (CSRs). From this pane, you can also delete a CSR.
NOTE:Safeguard for Privileged Passwords supports the Public-Key Cryptography Standard (PKCS) #10 format for CSRs.
Navigate to Administrative Tools | Settings | Certificates | Certificate Signing Request. Certificates enrolled via a CSR appear on this pane including the following details.
Table 133: Certificate Signing Request: Properties
Property
Description
Subject
The distinguished name of the person or entity to whom the certificate is being issued
Certificate Type
The type of certificate requested:
l Audit Log Signing Certificate l SSL Certificate l For embedded sessions:
l RDP Connection Signing Certificate l Timestamping Authority Certificate l Session Recording Signing Certificate
Thumbprint
A unique hash value that identifies the certificate
Key Size
The bit length of the private key pair
Use these toolbar buttons to manage certificate signing requests.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
352
�Table 134: Certificate Signing Request: Toolbar
Option
Description
Delete Selected Delete the selected CSR from Safeguard for Privileged Passwords.
Refresh
Update the list of CSRs.
Sessions Certificates
NOTE:If a Safeguard Sessions Appliance is joined to Safeguard for Privileged Passwords, assigning the certificate is handled via Safeguard for Privileged Sessions.
The Sessions Certificates pane on the Certificates setting page displays details about the certificates that are used by Safeguard for Privileged Passwords to provide Privileged Sessions functionality.
l The Timestamping Certificate Authority and the Session Recording Signing Certificate are used to sign an SSH or RDP session recording.
l The RDP Connection Signing Certificate is specific to an RDP session. When an RDP connection is established through Safeguard, the Privileged Sessions module generates an RDP certificate, which is then signed by the RDP Connection Signing Certificate. This generated certificate is then presented to the RDP client.
Each of these certificates must be trusted by the client workstations that will make sessions requests and review sessions. This may be accomplished by signing the certificates with an enterprise root authority that is trusted by the client workstations (recommended), or the certificates may be distributed to each workstation via group policy or other distribution means.
NOTE: While Safeguard for Privileged Passwords ships with default certificates, One Identity recommends that you load your own.
Navigate to Administrative Tools | Settings | Certificates | Sessions Certificates.
Table 135: Sessions Certificates
Certificate Description
Timestamping Certificate Authority
This certificate is used to sign time stamps embedded in session recordings to prove when the session recording occurred.
NOTE: If you replace the default certificate with your own, the certificate must have:
l A Key Usage extension with a Digital Signature value
l An Enhanced Key Usage extension, marked as critical, with the Time Stamping (1.3.6.1.5.5.7.3.8) OID value
You must also have the certificate's private key.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
353
�Certificate
Session Recording Signing Certificate
RDP Connection Signing Certificate
Description
When playing back recorded sessions using the Desktop Player, this certificate's public key, in addition to the certificate's issuer, must be available if you want to validate the signed time stamps.
This certificate is used to sign the session recording files to prevent manipulation and prove that they were created by, and came from, Safeguard for Privileged Passwords.
NOTE: If you replace the default certificate with your own, the certificate must have an Enhanced Key Usage extension with the Server Authentication (1.3.6.1.5.5.7.3.1) OID value
You must also have the certificate's private key.
When playing back recorded sessions using the Desktop Player, this certificate's public key, in addition to the certificate's issuer, must be available if you wish to validate the signed recording.
This is a Certificate Authority (CA) certificate that issues the server SSL certificate presented when a user connects a privileged session via RDP. Each time that an RDP connection is established through Safeguard, an SSL certificate is generated by this CA on-the-fly; therefore, this CA certificate should already be trusted as part of the customer's enterprise PKI.
You must also have the certificate's private key.
You can have only one certificate of each type defined. That is, Safeguard for Privileged Passwords uses the default certificate or a certificate you uploaded to replace the default certificate.
For each of these certificates, the following properties and controls are available to manage your sessions certificates.
Table 136: Sessions Certificates: Properties
Properties/Controls Description
Refresh
Click Refresh to update the list of certificates on the Sessions Certificates pane.
Subject
The name of the subject (such as user, program, computer, service or other entity) assigned to the certificate when it was requested.
Thumbprint
A unique hash value that identifies the certificate.
Add Certificate
Click Add Certificate and select one of the following options to replace the default certificate with a new certificate:
l Install Certificate generated from CSR l Install Certificate with Private Key
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
354
�Properties/Controls Description
l Create Certificate Signing Request (CSR)
Use Default
Click Use Default to reset the certificate back to the default.
Related Topics
What is required for Safeguard for Privileged Passwords, embedded sessions module How do I prevent Safeguard for Privileged Passwords messages when making RDP connections
Installing a sessions certificate
NOTE:If a Safeguard Sessions Appliance is joined to Safeguard for Privileged Passwords, assigning the certificate is handled via Safeguard for Privileged Sessions. If you do not want to use the default certificate provided with Safeguard for Privileged Passwords, you can replace it with another certificate with a private key. NOTE: For uploading certificates with private keys, Safeguard for Privileged Passwords supports .pfx ( or .p12) files that follow the PKCS #12 standard.
To install a session certificate
1. Navigate to Administrative Tools | Settings | Certificates | Sessions Certificates.
2. Click the Add Certificate button for the sessions certificate to be replaced. Select the appropriate option: l Install Certificate generated from CSR l Install Certificate with Private Key
3. Browse to select the certificate file (.pfx file) and click OK. 4. Once installed, this new certificate will replace the default certificate listed on the
Sessions Certificates pane.
Creating a Certificate Signing Request for Sessions
NOTE:If a Safeguard Sessions Appliance is joined to Safeguard for Privileged Passwords, assigning the certificate is handled via Safeguard for Privileged Sessions. If you do not want to use a default sessions certificate provided with Safeguard for Privileged Passwords, you can enroll a certificate using a Certificate Signing Request (CSR) to replace the default certificate.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
355
�To create a CSR for a sessions certificate
1. Navigate to Administrative Tools | Settings | Certificates | Sessions Certificates.
2. Click the Add Certificate button for the certificate to be replaced and select Create Certificate Signing Request (CSR).
3. In the Certificate Signing Request dialog, enter the following information: a. Subject (Distinguished Name): Enter the distinguished name of the person or entity to whom the certificate is being issued. Maximum length of 500 characters. NOTE: Click Use Distinguished Name Creator to create the distinguished name based on fully-qualified domain name, department, organization unit, locality, state/county/region, and country. b. Alternate DNS Names: Optionally, enter additional or alternate host names (such as, IP addresses, sites, common names) that are to be protected by this certificate. c. Key Size: Select the bit length of the private key pair: l 1024 l 2048 (default) l 4096 NOTE: The bit length determines the security level of the certificate. A higher bit length means stronger security.
4. Click OK to save your selections and enroll the certificate. Certificates enrolled via CSR are listed in the Certificate Signing Request pane.
Resetting to use default certificate
NOTE:If a Safeguard Sessions Appliance is joined to Safeguard for Privileged Passwords, assigning the certificate is handled via Safeguard for Privileged Sessions. If you have uploaded and replaced a default sessions certificate, you can reset this user-supplied certificate to use the default certificate provided with Safeguard for Privileged Passwords.
To reset a certificate back to the default sessions certificate:
1. Navigate to Administrative Tools | Settings | Certificates | Sessions Certificates.
2. Click Use Default for the certificate that is to be reset to use the default certificate. 3. In the Use Default confirmation dialog, enter the word default and click OK.
Once installed, the default certificate will display in the Sessions Certificates pane and be used by the Privileged Sessions module.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
356
�SSL Certificates
Safeguard for Privileged Passwords enables an Appliance Administrator to upload SSL certificates with private keys or enroll SSL certificates via a CSR.
Initially, the default self-signed SSL certificate used for HTTPS is listed and assigned to the appliance. This default certificate is not a trusted certificate and should be replaced.
Navigate to Administrative Tools | Settings | Certificates | SSL Certificates. The SSL Certificates pane displays the following information for the SSL certificates stored in the database.
Table 137: SSL Certificates: Properties
Property
Description
Appliances
Lists the name of the appliance to which the certificate is assigned.
Subject
The name of the subject (such as user, program, computer, service, or other entity) assigned to the certificate when it was requested.
Alternate DNS Names
Additional or alternate host names (such as IP addresses, sites, common names) that were specified when the certificate was requested. For the default self-signed SSL certificate, the name and IP address of the appliance is used.
Invalid Before
A start date and time that must be met before a certificate can be used.
Expiration Date
The date and time when the certificate expires and can no longer be used.
Thumbprint
A unique hash value that identifies the certificate.
Issued By
The name of the certificate authority (CA) that issued the certificate.
Use these toolbar buttons to manage SSL certificates.
Table 138: SSL Certificates: Toolbar
Option
Description
Add Certificate Upload an SSL certificate.
| Upload Certi-
For more information, see Installing an SSL certificate on page
ficate
358.
Add Certificate Create a CSR to enroll a certificate.
| Create Certi-
For more information, see Creating a Certificate Signing Request
ficate Signing
on page 358.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
357
�Option
Description
Request (CSR)
Assign Certificate to Appliance(s)
Assign the selected certificate to one or more appliances.
For more information, see Assigning a certificate to appliances on page 359.
Unassign Certi- Unassign the selected certificate from one or more appliances. ficate
Delete Selected
Delete the selected certificate from Safeguard for Privileged Passwords.
Refresh
Update the list of SSL certificates available (uploaded to Safeguard for Privileged Passwords).
Installing an SSL certificate
To install an SSL certificate
1. Navigate to Administrative Tools | Settings | Certificates | SSL Certificates. 2. Click Add Certificate and select Upload Certificate. 3. Browse to select the certificate file. 4. After the certificate has been uploaded, assign the certificate to one or more
appliances. For more information, see Assigning a certificate to appliances on page 359. You may also upload the certificate's root CA to the list of trusted certificates. For more information, see Trusted Certificates on page 360.
CAUTION: Improper access to the private SSL key could compromise traffic to and from the appliance. For the most secure configuration, create a Certificate Signature Request (CSR) and have it signed by your normal signing authority. Then use the signed request as your Safeguard for Privileged Passwords SSL Webserver Certificate. This way, no administrator will have access to the private SSL key that is used by Safeguard for Privileged Passwords and the traffic will be secure.
Creating a Certificate Signing Request
A certificate signing request (CSR) is submitted to a Certificate Authority (CA) to obtain a digitally signed certificate. When creating a CSR, you uniquely identify the user or entity that will use the requested certificate. Safeguard for Privileged Passwords allows you to
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
358
�upload or enroll SSL certificates using CSRs. Once uploaded or enrolled, the SSL certificate is added to the SSL certificate store allowing you to assign it to one or more Safeguard for Privileged Passwords Appliances.
To create a CSR for SSL
1. Navigate to Administrative Tools | Settings | Certificates | SSL Certificates. 2. Click Add Certificate and select Create Certificate Signing Request (CSR). 3. In the Certificate Signing Request dialog, enter the following information:
a. Subject (Distinguished Name): Enter the distinguished name of the person or entity to whom the certificate is being issued. Maximum length of 500 characters. NOTE: Click Use Distinguished Name Creator to create the distinguished name based on fully-qualified domain name, department, organization unit, locality, state/county/region, and country.
b. Alternate DNS Names: Optionally, enter additional host names (such as, IP addresses, sites, common names) that are to be protected by this certificate.
c. Key Size: Select the bit length of the private key pair: l 1024 l 2048 (default) l 4096
NOTE: The bit length determines the security level of the SSL certificate. A higher bit length means stronger security. 4. Click OK to save your selections and enroll the certificate. Certificates enrolled via CSR are listed in the SSL Certificates pane and the Certificate Signing Request pane.
Assigning a certificate to appliances
Safeguard for Privileged Passwords supports an SSL certificate store that is owned by the cluster. This allows you to assign any SSL certificate that you have previously uploaded or enrolled via CSR to any appliance in your clustered environment.
To assign a certificate to appliances
1. Navigate to Administrative Tools | Settings | Certificates | SSL Certificates. 2. Select a certificate from the grid and click the Assign Certificate to Appliance(s)
toolbar button. 3. In the Appliances selection dialog, select one or more appliances and click OK to
save your selection.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
359
�Trusted Certificates
It is the responsibility of the Appliance Administrator to add or remove trusted root certificates to the Safeguard for Privileged Passwords Appliance, if necessary, in order for the SSL certificate to resolve the chain of authority. When Safeguard for Privileged Passwords connects to an asset that has the Verify SSL Certificate option enabled, Safeguard for Privileged Passwords compares the signing authority of the certificate presented by the asset to the certificates in the trusted certificate store.
Navigate to Administrative Tools | Settings | Certificates | Trusted Certificates. The Trusted Certificates pane displays the following information for the user-supplied certificates added to the trusted certificate store.
Table 139: Trusted certificates: Properties
Property
Description
Subject
The name of the subject (such as user, program, computer, service or other entity) assigned to the certificate when it was requested.
Invalid Before
A "start" date and time that must be met before a certificate can be used.
Expiration Date
The date and time when the certificate expires and can no longer be used.
Thumbprint
A unique hash value that identifies the certificate.
Issued By
The name of the certificate authority (CA) that issued the certificate.
Adding a trusted certificate
Prior to adding an asset that uses SSL server certificate validation, add the certificate's root CA and any intermediate CAs to the Trusted Certificates store in Safeguard for Privileged Passwords.
To add a trusted certificate 1. Navigate to Administrative Tools | Settings | Certificates | Trusted Certificates. 2. Click Add Certificate from the details toolbar. 3. Browse to select a certificate file (DER Encoded file: .cer or .der). 4. Click Open to add the selected certificate file to Safeguard for Privileged Passwords.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
360
�Removing a trusted certificate
To remove certificates from the appliance 1. Navigate to Administrative Tools | Settings | Certificates | Trusted Certificates. 2. Select a certificate. 3. Click Delete Selected from the details toolbar. IMPORTANT: Safeguard for Privileged Passwords does not allow you to remove built-in certificate authorities.
Cluster settings
Use the Cluster settings to create a clustered environment, to monitor the health of the cluster and its members, and to define managed networks for high availability and load distribution.
It is the responsibility of the Appliance Administrator or the Operations Administrator to create a cluster, monitor the status of the cluster, and define managed networks.
Before creating a Safeguard for Privileged Passwords cluster, become familiar with the Disaster recovery and clusters chapter to understand:
l Primary and replica appliances
l Consensus
l Supported clusters in Safeguard for Privileged Passwords
l Ports
l Offline Workflow to automatically or manually enable access request, approval, and release in the event an appliance loses consensus with the cluster (for example, by losing connectivity or availability): Manually control Offline Workflow Mode.
l Enrollment into a cluster: Enrolling replicas into a cluster
l Recover a cluster that has lost consensus: For more information, see Resetting a cluster that has lost consensus on page 497.
Navigate to Administrative Tools | Settings | Cluster.
Table 140: Cluster settings
Setting
Description
Cluster
Where you create and manage a cluster and monitor the health of the
Management cluster and its members.
Managed networks
Where you define managed networks to distribute the task load for the clustered environment.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
361
�Setting Offline Workflow (automatic)
Session Appliances with SPS join
Description
Where you configure Offline Workflow Mode to automatically trigger if an appliance has lost consensus (quorum) and, optionally, automatically resume online workflow. You can also manually Enable Offline Workflow and Resume Online Operations from this dialog. For more information, see About Offline Workflow Mode on page 486.
Where you view, edit, and delete join connections when a Safeguard for Privileged Sessions (SPS) cluster is joined to a Safeguard for Privileged Password (SPP) for session recording and auditing. For more information, see SPP and SPS sessions appliance join guidance on page 600.
Cluster Management
Navigate to Administrative Tools | Settings | Cluster | Cluster Management. The Cluster Management page is divided into left and right panes. If you do not see the right pane, click an appliance node in the left pane.
The health indicators on the nodes indicate if cluster members are in an error,
warning, locked, or healthy state.
l Cluster view pane: The left pane displays a graphical representation of the primary and replica appliances belonging to the cluster.
l Appliance details and cluster health pane: The right pane displays details about the appliance selected in the left pane. From this pane you can run maintenance and diagnostic tasks against the selected appliance.
Cluster Management toolbar
Use these toolbar buttons on the Cluster Management page to manage the members of a cluster.
Table 141: Cluster Management: Toolbar
Option
Description
Back
Return to the main Settings view.
Add Replica
Join an appliance to the primary appliance as a replica. For more information, see Enrolling replicas into a cluster on page 482.
Refresh
Update the list of appliances in a cluster.
Reset Cluster
Reset a cluster to recover a cluster that has lost consensus. For more information, see Resetting a cluster that has lost
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
362
�Option
Description consensus on page 497.
CAUTION: Resetting a cluster should be your last resort. It is recommended that you restore from a backup rather than reset a cluster.
Enable Offline Workflow
(appliance has lost consensus)
Manually place the appliance in Offline Workflow Mode. The appliance will run in isolation from the rest of the cluster. For more information, see Manually control Offline Workflow Mode on page 489.
Resume Online Opera- Manually reintegrate the appliance with the cluster and
tions (appliance is in
merge audit logs. For more information, see To manually
Offline Workflow Mode)
resume online operations on page 490.
Cluster view pane
Navigate to Administrative Tools | Settings | Cluster | Cluster Management. Initially, the Cluster view pane (left pane) displays a single primary node for the appliance you are currently logged in to. As you join appliances to the cluster, replica nodes will be shown as being connected to the primary node. The health indicators on the nodes and in the upper-right corner of this pane provide a quick view as to whether cluster members are in an error, warning, or healthy state.
A warning icon identifies a potential issue with the cluster. An error icon indicates a definite problem impacting the functionality of the cluster. A lock icon indicates the cluster is locked. Expand the View More section to see more details. Clicking a member of the cluster in this pane displays details about the appliance and the health of the cluster member. For more information, see Appliance details and cluster health pane on page 363.
Appliance details and cluster health pane
Cluster members periodically query other appliances in the cluster to obtain their health information. Cluster member information and health information is cached in memory, with the most recent results displayed on the Cluster settings screen. Navigate to Administrative Tools | Settings | Cluster | Cluster Management. In the cluster view (left pane), click a member of the cluster to refresh the display of the right pane. From the right pane you can monitor the health of the selected appliance and perform operations against the appliance:
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
363
�l Unjoin: Click Unjoin to remove a replica from the cluster. For more information, see Unjoining replicas from a cluster on page 483.
l Failover: Click Failover to promote a replica to the primary appliance. For more information, see Failing over to a replica by promoting it to be the new primary on page 491.
l Activate: Click Activate to activate a read-only appliance so it can add, modify and delete data. For more information, see Activating a read-only appliance on page 492.
CAUTION: Activating an appliance that is in Read-Only mode will take it out of the Read-only state and enable password check and change for managed accounts. Ensure that no other Safeguard for Privileged Passwords Appliance is actively monitoring these accounts, otherwise access to managed accounts could be lost.
l Diagnose: Click Diagnose to open the Diagnostics pane where you can perform the following:
l View appliance information. For more information, see Appliance Information on page 307.
l Run diagnostic tests against the appliance. For more information, see Network Diagnostics on page 314.
l Perform a factory reset. For more information, see Factory Reset from the desktop client on page 311.
l View or edit networking settings. For more information, see Networking on page 318.
l Generate a support bundle. For more information, see Support bundle on page 321.
l View or edit time settings. For more information, see Time on page 321.
l Check Health: Click Check Health to capture and display the current state of the selected appliance.
l Restart: Click Restart to restart the selected appliance. Confirm your intentions by entering a Reason and clicking Restart.
Below the toolbar, this pane displays the following information about the appliance selected in the cluster view.
Table 142: Appliance properties
Property
Description
Appliance name
The name of the appliance.
IP address
The IPv4 address (or IPv6 address) of the appliance configuration interface.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
364
�Property
Appliance type Appliance state Disk Space
Description
NOTE: You can modify the appliance IP address. For more information, see How do I modify the appliance configuration settings on page 570.
Indicates either Primary or Replica.
Indicates the appliance state. For a list of available states, see Appliance states on page 502.
The amount of used and free disk space.
Click View More to show or hide this additional information.
Appliance
Property Serial Number Uptime
Description
The serial number of the appliance
The amount of time (days, hours, and minutes) the appliance has been running
Primary (displayed on replicas)
Property Network Address MAC Address Link Present Link Latency
Description
The network DNS name or the IP address of the primary appliance in the cluster
The media access control address (MAC address), a unique identifier assigned to the network interface for communications
Displays either Yes or No to indicate if there is an open communication link
The amount of time (in milliseconds) it takes for the primary to communicate with the replica. Network latency is an expression of how much time it takes for a packet of data to get from one designated point to another. Ideally, latency is as close to zero as possible.
Information
Property Last Health Check
Description
Last date and time Safeguard for Privileged Passwords obtained the selected appliance's information
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
365
�Property Version Errors
Warnings
Description
The appliance version number
Errors are reported. For example, if an appliance is disconnected from the primary (no quorum), an error message may be: Request Workflow: Cluster configuration database health could not be determined.
Warnings are reported. For example, if an appliance is disconnected from the primary (no quorum), a warning message may be: Policy Data: There is a problem replicating policy data. Details: Policy database slave IO is not running. The Safeguard primary may be inaccessible from this appliance.
Managed networks
Managed networks are named lists of network segments serviced by a specific Safeguard for Privileged Passwords (SPP) or Safeguard for Privileged Sessions (SPS) appliance in a clustered environment. Managed networks are used for scheduling tasks, such as password change, account discovery, sessions recording, and asset discovery to distribute the task load. Using managed networks, you can:
l Distribute the load so there is minimal cluster traffic.
l Specify to use the appliances that are closest to the target asset to perform the actual task.
An SPP cluster has a default managed network that consists of all cluster members. Other managed networks can be defined.
CAUTION: If the role of a managed host that belongs to a joined SPS cluster is changed or if a managed host is added or removed from the cluster, SPP will detect the change by querying each Central Management node and attempt to stay in sync with the SPS cluster topology. If the Central Management node is down, SPP warns the administrator there may be invalid policies with a message like: The session connection policy was not found, in addition to flagging each broken Access Request Policy with an Invalid notation (Administrative Tools | Entitlements | Access Request Policies tab). Based on the size of your network and other factors, this will take one to 10 minutes and, during this time window, an unavailable managed host may continue to appear on the Managed Networks page. Any requests made will be invalid and will not be able to be launch sessions.
Task delegation
A Safeguard for Privileged Passwords' cluster delegates platform management tasks (such as password check and password change) to appliances based on platform task load. The
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
366
�primary appliance performs delegation and evaluates cluster member suitability using an internal fitness score that is calculated by dividing the number of in-use platform task threads by the maximum number of allowed platform task threads.
The maximum number of allowed platform task threads can be adjusted using the Appliance/Settings API and adjusting the MaxPlatformTaskThreads value. By adjusting this number, you can tune task distribution.
IMPORTANT: Adjusting the MaxPlatformTaskThreads will impact SPP's available resources for handling access requests and may impact user experience. Best practice is to engage Professional Services if the value may need to be changed.
Increasing the maximum number of allowed platform task threads will decrease the fitness score thus increasing the number of tasks passed to that appliance.
The fitness score is cached and is recalculated in 8-minute intervals when the scheduler is not busy. When the scheduler is running tasks, the fitness score is calculated more frequently so the scheduler can dynamically adjust.
Precedence
The selection made on the Entitlement | Access Request Policy tab takes precedence over the selections on Settings | Cluster | Managed Networks page. If a Managed Networks rule includes nodes from different SPS clusters, SPP will only select the nodes from the same cluster that was assigned on the Session Settings page of the Access Request Policy tab.
Navigate to Administrative Tools | Settings | Cluster | Managed Networks. The Managed Networks page displays the following information about previously defined managed networks. Initially, this page contains the properties for the Default Managed Network, which implicitly includes all networks and is served by all appliances in the cluster.
IMPORTANT: Discovery and password check and change will not work if a managed network has been configured with a subnet but is not assigned to an appliance (the appliance is blank). If the managed network does not have an assigned appliance, a message like the following displays: No appliances in network '<NameOfEmptyNetwork>' available to execute platform task request. To resolve the issue, assign at least one appliance to manage the passwords and/or sessions or delete the managed network entry.
Table 143: Managed Networks: Properties
Property
Description
Name
The name assigned to the managed network when it was added to Safeguard for Privileged Passwords.
Subnets
A list of subnets included in the managed network.
Double-click an entry in the Managed Networks grid to display details about the subnets associated with the selected managed
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
367
�Property
Description
network.
If you have joined Safeguard for Privileged Sessions, the following apply:
l Passwords Managed By: The SPP appliance ID, which includes the MAC address followed by the IP address of the node.
l Sessions Managed By: If applicable, the SPS appliance host name followed by the IP address of the SPS node.
Passwords Managed By The host name and IP address of the appliances and the MAC address assigned to manage the specified subnets.
Sessions Managed By Description
The host name and IP address of the cluster nodes.
The descriptive text entered when defining the managed network.
Click a managed network row to bring up the Managed Network dialog where the properties are editable.
Table 144: Managed Networks: Editable Properties
Property
Description
Name
The name assigned to the managed network when it was added to Safeguard for Privileged Passwords.
Description
The descriptive text entered when defining the managed network.
Subnets
A list of subnets included in the managed network.
Click Add to add a subnet.
Click Delete to delete the selected subnet.
Passwords Managed By The host name and IP address of the appliances and the MAC address assigned to manage the specified subnets.
Click Add to make a selection.
Sessions Managed By
Click Delete to delete the selected host name and IP address.
The host name and IP address of the cluster master for the managed nodes.
Click Add to make a selection given this information: Host
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
368
�Property
Description Name, Network Address, and cluster Master or Replica.
Click Delete to delete the selected host name and IP address.
Use these toolbar buttons to define and maintain your managed networks.
Table 145: Managed Networks: Toolbar
Option
Description
New
Add a managed network. For more information, see Adding a managed network on page 369.
Delete Selected
Remove the selected managed network from Safeguard for Privileged Passwords. You cannot delete the Default Managed Network.
Refresh
Update the list of managed networks.
Edit
Modify the selected managed network configuration. You can not modify the Default Managed Network.
Resolve Network
Locate an IP address in a managed network's list of subnets. For more information, see Resolving IP address on page 370.
Adding a managed network
Use the Managed Networks page on the Cluster settings view to add managed networks, which can be used to distribute the task load in a clustered environment. It is the responsibility of the Appliance Administrator to define and maintain managed networks.
To add a managed network
1. Navigate to Administrative Tools | Settings | Cluster | Managed Networks. 2. Click Add. 3. In the Managed Network dialog, provide the following information:
a. Name: Enter the display name for the managed network. This may be the name of the Safeguard for Privileged Sessions Appliance used to authenticate the joined SPS session connection. Limit: 50 characters
b. Description: (Optional) Enter information about the managed network. Limit: 255 characters
c. Subnets: Click Add to specify the subnets, or group of hosts, to be
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
369
�managed. Enter each subnet using CIDR notation. For example, 0.0.0.0/0.
NOTE: You can add a subnet to only one managed network. You will receive an error if you attempt to add the same subnet to another managed network. If you are unsure if an IP address has already been associated with a managed network, use the Resolve Network search box. For more information, see Resolving IP address on page 370. d. Passwords Managed By: Select the appliances to be used to manage the specified subnets. NOTE: You do not need to specify an appliance when you initially define a managed network. You can use the Edit button to specify the managing appliance at a later time. e. Sessions Managed By: If applicable, select the Safeguard for Privileged Sessions (SPS) appliance to associate with the managed network. 4. Click OK to save your selections and add the managed network.
Deleting a managed network
To delete a managed network 1. Navigate to Administrative Tools | Settings | Cluster | Managed Networks. 2. Select the managed network to be deleted, click Delete. 3. In the confirmation dialog, click Yes.
Resolving IP address
As an Appliance Administrator, you can use the Managed Networks page to search for an IP address within a managed network's list of subnets.
To find an IP address in a managed network 1. Navigate to Administrative Tools | Settings | Cluster | Managed Networks. 2. In the Resolve Network search box, type the IP address, and press Enter. The managed network that contains the subnet that most closely matches the IP address is highlighted. If there are no subnets that match the IP address, the Default Managed Network is highlighted.
Offline Workflow (automatic)
To reduce potential downtime, the Appliance Administrator can configure Offline Workflow Mode to be performed automatically. Offline Workflow Mode allows an appliance that has
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
370
�lost consensus (quorum) to operate in isolation from the cluster to process access requests using cached policy data.
To ensure the outage is not a short-lived outage, the default time before the appliance is automatically switched to Offline Workflow Mode is 15 minutes. The time threshold can be changed to five minutes or more.
If automatic Offline Workflow Mode is enabled, you can enable automatic Resume Online Workflow so the appliance automatically resumes online operations once consensus is restored. The minutes to wait after consensus is restored before automatically resuming online workflow defaults to 15 minutes. The time threshold can be changed to five minutes or more.
When Offline Workflow Mode settings are configured to run automatically, an Appliance Administrator can override the automatic settings and manually place an appliance in Offline Workflow Mode or manually restore an appliance to online workflow, as needed.
The user views status messages that clearly communicate the appliance state and the ability to request passwords.
For general information on Offline Workflow Mode, see About Offline Workflow Mode.
Navigate to Administrative Tools | Settings | Cluster | Offline Workflow. The Offline Workflow page displays the following information.
Table 146: Offline Workflow: Properties
Property
Description
Enable Automatic Offline Workflow
To automatically place the appliance in Offline Workflow Mode when the appliance loses connection and cannot establish consensus.
Automatic Offline Workflow Threshold Minutes
The number of minutes after consensus is lost before the appliance is automatically switched over to Offline Workflow Mode. The default is 15 minutes and can be changed to five minutes or more. The threshold set does not persist after a reboot.
Automatic Resume Online Workflow
If you selected Enable Automatic Offline Workflow, you can select Automatic Resume Online Workflow so the appliance automatically resumes online operations once consensus is restored.
Automatic Resume Online Workflow Threshold
The number of minutes after consensus is restored that the appliance is automatically switched over to online workflow. The default is 15 minutes and can be changed to five minutes or more.
Use these toolbar buttons to define and maintain your managed networks.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
371
�Table 147: Offline Workflow: Toolbar
Option
Description
Refresh
Updates the information displayed on the page
Enable Offline Workflow
Triggers Offline Workflow Mode
Resume Online Operations
Triggers moving the appliance from Offline Workflow Mode back to online operations
Enable automatic Offline Workflow
Use the Offline Workflow page to configure automatic settings to control Offline Workflow Mode. You can manually override the automatic settings. For more information, see Manually override automatic Offline Workflow on page 372.
To configure automatic settings to control Offline Workflow Mode
1. Navigate to Administrative Tools | Settings | Cluster | Offline Workflow. 2. On the Offline Workflow dialog, select Enable Automatic Offline Workflow so
the appliance will be automatically placed in Offline Workflow Mode when the appliance loses connection and cannot establish consensus. 3. Identify the number of Minutes after consensus is lost before the appliance is automatically switched over to Offline Workflow Mode. The Automatic Offline Workflow Threshold defaults to 15 minutes and can be changed to five minutes or more. 4. If you selected the first check box to enabled automatic Offline Workflow Mode, you can select Automatic Resume Online Workflow so the appliance automatically resumes online operations once consensus is restored. 5. Identify the number of Minutes after consensus is restored that the appliance is automatically switched over to online workflow. The Automatic Resume Online Workflow Threshold defaults to 15 minutes and can be changed to five minutes or more. 6. Click OK.
Manually override automatic Offline Workflow
Use the Offline Workflow page to manually enable offline workflow or resume online operations. For details on either of these operations, see Manually control Offline Workflow Mode. Before resuming online operations, see Considerations to resume online operations.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
372
�To manually Enable Offline Workflow This option is only available when the appliance has lost consensus with the cluster.
1. Navigate to Administrative Tools | Settings | Cluster | Offline Workflow. 2. Click Enable Offline Workflow to manually trigger Offline Workflow Mode. 3. In the dialog box, type in Enable Offline Workflow and click Enter. The appliance
is in Offline Workflow Mode and enters maintenance. 4. You can verify requests and view health checks on the Cluster Management
window. For more information, see Cluster Management on page 362.
To manually Resume Online Operations This option is only available when the appliance is in Offline Workflow Mode.
1. Navigate to Administrative Tools | Settings | Cluster | Offline Workflow. 2. Click Resume Online Operations to manually trigger moving the appliance from
Offline Workflow Mode back to online operations. 3. In the dialog box, type in Resume Online Operations and click Enter. 4. When maintenance is complete, click Restart Desktop Client. The appliance is
returned to Maintenance mode. 5. You can verify requests and view health checks on the Cluster Management
window. For more information, see Cluster Management on page 362.
Session Appliances with SPS join
CAUTION:The embedded sessions module in Safeguard for Privileged Passwords version 2.7 (and later) will be removed in a future release (to be determined). For uninterrupted service, organizations are advised to join to the more robust Safeguard for Privileged Sessions Appliance for sessions recording and playback.
The Asset Administrator can join a Safeguard for Privileged Sessions (SPS) cluster to a Safeguard for Privileged Password (SPP) cluster of one appliance or more for session recording and auditing. The actual join must be between the SPP primary and the SPS cluster master. This means that the Safeguard for Privileged Sessions (SPS) cluster is aware of each node in an SPP cluster and vice-versa. Once joined, all sessions are initiated by the SPP appliance via an access request and managed by the SPS appliance and sessions are recorded via the Sessions Appliance.
NOTE: if you have a single node SPS cluster where the Central Management node is also the Search Master, SPP will be unable to launch sessions. There has to be at least one SPS appliance in the cluster that is capable of recording sessions. See the SPS Administration Guide, Managing Safeguard for Privileged Sessions (SPS) clusters.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
373
�Safeguard for Privileged Passwords join guidance
Before initiating the join, review the steps and considerations in the join guidance. For more information, see SPP and SPS sessions appliance join guidance on page 600.
Pay attention to the roles assigned to the SPS nodes. The following caution is offered to avoid losing session playback from SPP.
CAUTION: Do not switch the role of an SPS node from the Search Local role to Search Minion role. If you do, playback of the sessions recorded while in the Search Local role may not be played back from the SPP appliance, and may only be played back via the SPS web user interface. Recordings made with the node in Search Minion role are pushed to the Search Master node and are available for download to SPP. For details about SPS nodes and roles, see the One Identity Safeguard for Privileged Sessions Administration Guide: One Identity Safeguard for Privileged Sessions - Technical Documentation.
Standard operating procedure after the initial join
If you add another SPS cluster after the initial join, follow these standard operating procedures:
1. Add join connections. See Viewing, deleting, or editing join connections later in this topic.
2. Identify the session settings on the entitlements access request policy (SPS Connection Policy which is the IP address of the cluster master). For more information, see Creating an access request policy on page 268.
3. Assign the managed networks. For more information, see Managed networks on page 366.
Connection deletion: soft delete versus hard delete
Depending on your goals, you can perform a soft delete or a hard delete.
Soft delete the connection
When a session connection is deleted from the desktop client, the connection information is soft deleted so that a rejoin of the same SPS appliance can reuse the same values. This approach of soft deleting and reusing the same connection values on a rejoin avoids "breaking" all of the Access Request Polices that referenced the previous session connection.
If the session connection is deleted, a caution displays when you navigate to Administrative Tools | Entitlements | Access Request Policies and go to the Session Settings tab. For more information, see Session Settings tab on page 277.
Hard delete the connection
A hard delete can be performed to permanently remove the session connection. This is usually only done in cases where either a rejoin is not desired or retaining the previous session connection values is preventing an SPS appliance from joining or rejoining. A hard delete can only be performed from the API using the following steps:
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
374
�1. In a browser, navigate to https://<your-ip-address>/service/core/swagger. 2. Authenticate to the service using the Authorize button. 3. Navigate to Cluster->GET /v3/cluster/SessionModules and click Try it out!. 4. Identify if the unwanted session connection exists on the list:
a. If the unwanted session connection exists in the list, then: i. Note the ID of the session connection. ii. Navigate to Cluster DELETE /v3/cluster/SessionModules.
iii. Enter the ID. iv. Click Try it out!". v. Go to step 3. b. If the unwanted session connection does not exist in the list, then:
i. Set the includeDisconnected parameter to true. ii. Click Try it out!. iii. If the unwanted session connection exists in the list, then go to step 4a to
delete the entry a second time which will result in a hard delete. 5. The process is complete and the session connection is permanently removed.
Viewing, deleting, or editing join connections
Once the join is complete, navigate to Administrative Tools | Settings | Cluster | Session Appliances to view, delete, or edit join connections. The Session Appliances pane displays the following session details.
Table 148: Session Appliances: Properties
Property
Description
Host Name
The host name of the SPS appliance host cluster master.
Network Address
The network DNS name or IP address of the session connection.
Description
(optional) Descriptive text about the SPS session connection (for example, 20 on cluster - 172 primary node).
Connection User
The user name for Safeguard for Privileged Passwords (SPP). Do not include spaces in the user name.
Thumbprint
A unique hash value that identifies the certificate.
Managed Hosts
Other nodes in the SPS cluster identified by the
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
375
�Property
Description
managed host name and IP address. Hover over any Warning icon to see if the Managed Host is Unavailable or Unknown.
Click a Host Name row to bring up the Session Module Connection dialog.
Table 149: Session Module Connection: Properties
Property
Description
Node ID
The name of the Safeguard for Privileged Sessions Appliance used to authenticate the joined SPS session connection.
Host Name
The host name of the SPS appliance host cluster master.
SPP Username
The user name for Safeguard for Privileged Passwords (SPP). Do not include spaces in the user name.
Description
(optional) Descriptive text about the SPS session connection (for example, 20 on cluster - 172 primary node).
Network Address
The network DNS name or IP address of the session connection.
Use Host Name (not IP address)
If checked, the connection string used to launch a session uses the host name of the SPS appliance rather than the IP address.
Use these toolbar buttons to manage sessions.
Table 150: Sessions Management: Toolbar
Option
Description
Delete Selected
Remove the selected joined SPS session connection. For details on soft versus hard deletes, see Connection deletion: soft delete versus hard delete earlier in this topic.
Edit
Modify the selected joined SPS session connection Description or Network Address on the Session Module Connection dialog.
Refresh
Update the list of joined SPS session connections.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
376
�Option
Session Module Password Access Enabled
Toggle on Toggle off
Description
CAUTION: This functionality supports the join with Safeguard for Privileged Sessions (SPS) version 6.2.0 or later. The toggle function is used to enable an SPS initiated session to get the session credentials from SPP. For information see the One Identity Safeguard for Privileged Sessions Administration Guide at this link: One Identity Safeguard for Privileged Sessions - Technical Documentation.
Reversing the SPP to SPS join
Once a Safeguard for Privileged Passwords (SPP) cluster node has been configured to use the Safeguard Sessions Appliance, it can be reversed by a factory reset of the Safeguard Passwords Appliance. The factory reset redeploys the Safeguard Passwords Appliance session module. For more information, see Factory Reset from the desktop client on page 311.
Another way to reverse the join to Safeguard for Privileged Sessions is to restore a backup that was taken before the first join of Safeguard for Privileged Sessions (SPS).
For more information, see Backup and Retention settings on page 334.
External Integration settings
The Appliance Administrator can:
l Configure the appliance to send event notifications to various external systems. l Integrate with an external ticketing system or track generic ticket numbers. l Configure both external and secondary authentication service providers.
However, it is the Security Policy Administrator's responsibility to configure the Approval Anywhere feature. Navigate to Administrative Tools | Settings | External Integration.
Table 151: External Integration settings
Setting
Description
Application to Application
Where you configure application registrations to use the Application to Application service, which allows third-party applications to retrieve credentials from Safeguard for Privileged Passwords
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
377
�Setting Approval Anywhere
Email Identity and Authentication SNMP Starling
Syslog Ticketing systems
Description
Where you define the Safeguard for Privileged Passwords users who are authorized to use Approval Anywhere to approve access requests
Where you configure Safeguard for Privileged Passwords to automatically send email notifications when certain events occur
Where you configure the identity providers and authentication providers to use when logging into Safeguard for Privileged Passwords
Where you configure Safeguard for Privileged Passwords to send SNMP traps to your SNMP console when certain events occur
Where you join Safeguard for Privileged Passwords to Starling to take advantage of other Starling services, such as Starling TwoFactor Authentication (2FA) and Starling Identity Analytics & Risk Intelligence
Where you configure Safeguard for Privileged Passwords to send event notifications to a syslog server with details about the event
Where you configure Safeguard for Privileged Passwords to integrate with your company's external ticket system or track generic tickets and not integrate with an external ticketing system
Application to Application
In order for third-party applications to use the Application to Application service to integrate with the Safeguard for Privileged Passwords vault, you must first register the application in Safeguard for Privileged Passwords. This can be done using the Administrative Tools | Settings | External Integration | Application to Application pane described below. Once the application is registered, you can enable or disable the service. For more information, see Enable or Disable Services on page 310.
The Application to Application pane displays a list of previously registered third-party applications. From this page, the Security Policy Administrator can add new application registrations, and modify or remove existing registrations. The Application to Application pane displays the following details about application registrations.
Table 152: Application to Application: Properties
Property
Description
Name
The name assigned to the application's registration.
Certificate User
The name of the certificate user associated with the registered application.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
378
�Property
Description
NOTE: If there is no certificate user listed for an application registration, contact your Security Policy Administrator to add one. The Application to Application service on the third-party application will not work with the Safeguard for Privileged Passwords vault until a certificate user has been specified.
Enable/Disable
Toggle on
Toggle off
Indicates whether the application registration is enabled. The toggle appears blue with the switch to the right when the service is enabled, and gray with the switch to the left when the service is disabled. Click the toggle to enable or disable an application registration.
NOTE: When an application registration is disabled, Application to Application access is disabled for that third-party application until the registration is enabled again.
Description
Information about the application's registration.
Use these toolbar buttons to manage application registrations.
Table 153: Application to Application: Toolbar
Option
Description
Add
Add an application registration to Safeguard for Privileged Passwords. For more information, see Adding an application registration on page 382.
Delete Selected
Remove the selected application registration from Safeguard for Privileged Passwords. For more information, see Deleting an
application registration on page 384.
Refresh
Update the list of application registrations.
Edit
Modify the selected application registration.
API Keys
Display the API keys that were generated for Access Request Broker or Credential Retrieval. An API key can then be copied and used in the third-party application to authenticate with Safeguard for Privileged Passwords.
NOTE: For credential retrieval, the registration process generates an API key for each managed account. However, for access request broker, the registration process generates a single API key for all users or user groups that are added.
About Application to Application functionality
Using the Application to Application service, third-party applications can interact with Safeguard for Privileged Passwords in the following ways:
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
379
�l Credential retrieval: A third-party application can retrieve a credential from the Safeguard for Privileged Passwords vault in order to perform automated functions on the target asset. In addition, you can replace hard coded passwords in procedures, scripts, and other programs with programmatic calls.
l Access request broker: A third-party application can initiate an access request on behalf of an authorized user so that the authorized user can be notified of the available request and log in to Safeguard for Privileged Passwords to retrieve a password or start a session.
NOTE: If Offline Workflow Mode is triggered, Application to Application operations will be halted for the number of minutes it takes to move to Offline Workflow Mode. For more information, see About Offline Workflow Mode on page 486.
Credential retrieval
A credential retrieval request using the Application to Application service allows the thirdparty application to retrieve credentials from the Safeguard for Privileged Passwords vault without having to go through the normal workflow process.
For example, say you have an automated system that performs a routine system diagnostic on various services in the data center every 24 hours. In order for the automated system to perform the diagnostics, it must first authenticate to the target server. Since all of the credentials for the target servers are stored in the Safeguard for Privileged Passwords vault, the automated system retrieves the credentials for a specified system by calling the Application to Application service.
Access request broker
An access request broker request using the Application to Application service allows the application to create an access request on behalf of another user.
For example, say you have a ticketing system and one of the types of tickets that can be created is to request access to a specific asset. The ticketing system can be integrated with Safeguard for Privileged Passwords through the Application to Application service to create an access request on behalf of the user that entered the ticket into the system. Once the request is created, it follows the normal access request workflow in Safeguard for Privileged Passwords and the user who entered the ticket will be notified when access is granted.
In order for a third-party application to perform one of tasks provided by the Application to Application service, the application must first be registered with Safeguard for Privileged Passwords. This registration will be associated with a certificate user and authentication to the Application to Application service will be done using the certificate and an API key. The registered application will not be allowed to authenticate to Safeguard for Privileged Passwords other than for the purpose specified. The properties associated with an application registration are:
l API key: As part of the registration process, an API key is generated. An administrator must then copy this API key and make it available to the third-party
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
380
�application. l Certificate user: In addition to the API key, the application registration must be
associated with a certificate user. The certificate that is associated with the certificate user must be signed by a certificate authority that is also trusted by Safeguard for Privileged Passwords.
NOTE: Use your corporate PKI for issuing this certificate and installing it on the third-party application.
The Application to Application service is disabled by default and must be enabled before any credential retrievals or access request broker functions can be performed. An Appliance Administrator can use the desktop client or Safeguard for Privileged Passwords API to enable the service. Using the desktop client:
1. Navigate to Administrative Tools | Settings | Appliance | Enable or Disable Service.
2. Click the Application to Application Enabled toggle to enable the service ( toggle on).
Using the API, use the following URL:
https://appliance/service/appliance/v2/A2AService/Enable In addition, you can check the current state of the service using this same desktop client page or using the following URL:
https://appliance/service/appliance/v2/A2AService/Status
Related Topics
Setting up Application to Application Making a request using the Application to Application service
Setting up Application to Application
In order to use Application to Application integration with Safeguard for Privileged Passwords, you must perform the following tasks:
Step 1: Prepare third-party application for integration with Safeguard for Privileged Passwords.
Step 2: Appliance Administrator enables Application to Application service in Safeguard for Privileged Passwords.
Using the desktop client, navigate to Administrative Tools | Settings | Appliance
| Enable or Disable Service and click the Application to Application Enabled
toggle to
toggle on.
-OR-
Use the following URL: https://appliance/service/appliance/v2/A2AService/Enable
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
381
�Step 3: Asset Administrator adds assets and accounts to Safeguard for Privileged Passwords. For more information, see Adding an asset and Adding an account Step 4: User Administrator adds certificate users to Safeguard for Privileged Passwords. For more information, see Adding a user on page 451. Step 5: Security Policy Administrator adds application registration to Safeguard for Privileged Passwords. For more information, see Adding an application registration on page 382. Step 6: Get the API key and copy/paste it into the third-party application in order to make requests from the third-party application. For more information, see Making a request using the Application to Application service on page 385.
Adding an application registration
To allow a third-party application to perform one of the tasks provided by the Application to Application service, you must register the third-party application with Safeguard for Privileged Passwords.
Prerequisites
l User Administrator adds certificate users to Safeguard for Privileged Passwords. l Asset Administrator adds assets and accounts to Safeguard for Privileged Passwords.
To add an application registration
1. Log in to the Safeguard for Privileged Passwords desktop client as a Security Policy Administrator.
2. Navigate to Administrative Tools | Settings | External Integration | Application to Application.
3. Click Add. The New Registration dialog displays.
4. On the General tab, specify the following information: a. Name: Enter a name for the application registration. b. Description: Enter information about the application registration. c. Certificate User: Click Browse to select a certificate user who is associate with the third-party application being registered. A certificate user must be specified. If not specified when you initially add an application registration, click Edit on the Application to Application pane to specify the certificate user. NOTE: For SignIR, connect as a certificate user using A2A API key for the retrievable account you want to monitor that is assigned an A2A registration for Retrievable Accounts. The connected certificate user will receive event
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
382
�notifications for any events related to that account (for example, password change, update, and delete). For more information, see Making a request using the Application to Application service on page 385.
d. I want to configure this registration for: Select the tasks to be performed by the Application to Application service:
l Access Request Broker: Select this check box if you want the thirdparty application to create an access request on behalf of another user.
l Credential Retrieval: Select this check box if you want the thirdparty application to retrieve credentials from the Safeguard for Privileged Passwords vault without having to go through the normal workflow process.
l Visible to certificate user: Select this check box to make the registration, including the API keys, visible by the certificate user that is configured for the A2A registration.
Depending on the check boxes selected, additional tabs are displayed.
5. If Access Request Broker is selected, the Access Request Broker tab displays a list of users for which the third-party application can create an access request on behalf of.
l Click to add a user or user group to the list.
l Click Edit Restrictions to specify IP address restrictions for all of the users and user groups in the list.
A restriction is a list of IP addresses or range of IP addresses that are allowed to call the Application to Application service to perform this task. That is, if a restriction is added to a Credential Retrieval or Access Request Broker task, the service will only allow requests that initiate from the IP addresses specified in the restriction list.
The IP address notation can be:
l An IPv4 or IPv6 address (for example, 10.5.32.4)
l An address range in CIDR notation (for example, 10.5.0.0/16)
l Click to remove the selected user from the list.
6. If Credential Retrieval is selected, the Credential Retrieval tab displays a list for which the third-party can retrieve credentials from Safeguard for Privileged Passwords without going through the normal workflow process.
l Click to add an account to the list.
l Click Restrictions in the Restrictions column to specify IP address restrictions for the selected account.
A restriction is a list of IP addresses or range of IP addresses that are allowed to call the Application to Application service to perform this task. That is, if a restriction is added to a Credential Retrieval or Access Request Broker task, the service will only allow requests that initiate from the IP addresses specified in the restriction list.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
383
�The IP address notation can be: l An IPv4 or IPv6 address (for example, 10.5.32.4) l An address range in CIDR notation (for example, 10.5.0.0/16)
l Click to remove the selected account from the list. 7. Click Create Registration. Once an application registration is added to Safeguard for Privileged Passwords, the thirdparty application can authenticate with Safeguard for Privileged Passwords using the API key that was generated and the certificate that was associated with the registration. To make a request, you must retrieve the relevant API key for the application using an authorized account (that is, using bearer token authentication) and install the correct certificate on the host that will make the request. For more information, see Making a request using the Application to Application service on page 385.
Deleting an application registration
Click Delete on the Application to Application pane in the External Integration settings view to delete an application registration from Safeguard for Privileged Passwords.
To delete an application registration 1. Navigate to Administrative Tools | Settings | External Integration | Application to Application. 2. Select the application registration to be deleted. 3. Click the toolbar button. 4. Confirm your request.
Regenerating an API key
If, as the Security Policy Administrator, you discover that the API key has been stolen or misplaced, you can regenerate the API key at any time. When you regenerate an API key, it invalidates the old API key and prevents any services from using that key to access the Application to Application service.
To regenerate an API key 1. Log in to the Safeguard for Privileged Passwords desktop client as a Security Policy Administrator. 2. Navigate to Administrative Tools | Settings | External Integration | Application to Application. 3. Select an application registration from the list. 4. Click from the toolbar.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
384
�5. On the API Keys dialog, select the API key to be replaced. 6. Click .
You can now view or copy the new API key to the clipboard and use this new API key in your third-party application to access the Application to Application interfaces. See Making a request using the Application to Application service.
Making a request using the Application to Application service
Using the Application to Application service, third-party applications can interact with Safeguard for Privileged Passwords in the following ways:
l Credential retrieval: A third-party application can retrieve a credential from the Safeguard for Privileged Passwords vault in order to perform automated functions on the target asset. In addition, you can replace hard coded passwords in procedures, scripts, and other programs with programmatic calls.
l Access request broker: A third-party application can initiate an access request on behalf of an authorized user so that the authorized user can be notified of the available request and log in to Safeguard for Privileged Passwords to retrieve a password or start a session.
A third-party application authenticates with Safeguard for Privileged Passwords using an API key and a client certificate, rather than the bearer token normally used to authenticate Safeguard for Privileged Passwords API requests. To make a request, you must first retrieve the API key for the application from Safeguard for Privileged Passwords using an authorized user account (that is, using bearer token authentication), and install the correct certificate on the host that will be making the request. The certificate must be installed in the certificate store of the authorized certificate user that will make the request.
Prerequisites
l Register the third-party application with Safeguard for Privileged Passwords. For more information, see Adding an application registration on page 382.
l Associate the third-party application with an existing Safeguard for Privileged Passwords certificate user.
To make a credential retrieval request from the third-party application
1. Retrieve the relevant API key for the application from Safeguard for Privileged Passwords. You can retrieve the API key using the desktop client or API. Using the desktop client: l Log in to the Safeguard for Privileged Passwords client as a Security Policy Administrator.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
385
�l Navigate to Administration Tools | Settings | External Integration | Application to Application.
l Click to display the API keys.
l On the API Keys dialog, select the API key and click .
Using the Safeguard for Privileged Passwords API:
l Use the following URL to retrieve the details of the registered application from the Safeguard for Privileged Passwords API. The ID property in the response can then be used to retrieve the relevant API key. The Certificate Thumbprint property in the response identifies the certificate that the application must use to authentication the request.
https://<Appliance IP>/service/core/V2/A2ARegistrations?filter=AppName%20eq%20%22<Application Name>%22
l Use the ID property in the response retrieved for the application registration to retrieve the API key for the selected account from the Safeguard for Privileged Passwords API:
https://<Appliance IP>/service/core/V2/A2ARegistrations/<Id>/RetrievableAccounts?filter=Accou ntName%20eq%20%22<account name>%22%20and%20SystemName%20eq%20%22<system name>%22&fields=ApiKey
2. Ensure that the certificate matching the application's registered CertificateUserThumbprint is installed on the host that will be making the request.
3. Ensure that the selected certificate is trusted by Safeguard for Privileged Passwords. That is, install the trusted root certificate in Safeguard for Privileged Passwords.
4. Create the application request, authenticating with the retrieved API key and the certificate thumbprint.
l Set the Authorization header in the request to A2A <API key>.
l The type can be Password or PrivateKey. Note that private keys can only be retrieved for service accounts.
l Present the certificate with the request as appropriate for the invoking method. For example, when using the Invoke-WebRequest cmdlet, use the option:
-CertificateThumbprint <thumbprint>
To retrieve a credential, use the following request:
GET https://<ApplianceIP>/service/A2A/V2/Credentials?type=Password
Host: <ApplianceIP>
Content-Type: application/json
Accept: text/plain
Authorization
A2A <API Key>
This URL returns a string response.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
386
�To make an access request broker request from the third-party application
1. Retrieve the relevant API key for the application from Safeguard for Privileged Passwords. You can retrieve the API key using the desktop client or API.
Using the desktop client:
l Log in to the Safeguard for Privileged Passwords client as a Security Policy Administrator.
l Navigate to Administration Tools | Settings | External Integration | Application to Application.
l Click to display the API keys.
l On the API Keys dialog, select the API key and click .
Using the Safeguard for Privileged Passwords API:
l Use the following URL is retrieve the details of the registered application from the Safeguard for Privileged Passwords API. The Id property in the response can then be used to retrieve the relevant API key. The Certificate Thumbprint property in the response identifies the certificate that the application must use to authentication the request.
https://<Appliance IP>/service/core/V2/A2ARegistrations?filter=AppName%20eq%20%22<Application Name>%22
l Use the ID retrieved for the application registration to retrieve the API key from the Safeguard API:
https://<Appliance IP>/service/core/V2/A2ARegistrations/<Id>/AccessRequestBroker/ApiKey
2. Ensure that the certificate matching the application's registered CertificateUserThumbprint is installed on the host that will be making the request.
3. Ensure that the selected certificate is trusted by Safeguard for Privileged Passwords. That is, install the trusted root certificate in Safeguard for Privileged Passwords.
4. Create the application request, authenticating with the retrieved API key and the certificate thumbprint.
l Set the Authorization header in the request to A2A <API key>.
l Present the certificate with the request as appropriate for the invoking method. For example, when using the Invoke-WebRequest cmdlet, use the option:
-CertificateThumbprint <thumbprint>
l To create an access request, use the following request:
POST
Host: <Appliance IP>
Accept
application/json
Content-type
application/json
Authorization A2A <API key>
{
"ForUser": "<user name>",
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
387
�"ForUserId": <user id>, "ForProvider": "<providername>", "SystemId": <system id>, "SystemName": "<system name>", "AccountId": <account id>, "AccountName": "<account name>", "AccessRequestType": "<request type>", "RequestedDurationDays": <days> "RequestedDurationHours": <hours>, "RequestedDurationMinutes": <minutes>, "RequestedFor": "<date>, "ReasonCodeId": <reason code id>, "ReasonCode": "<reason name>", "ReasonComment": "<reason comment>", "IsEmergency": <bool>, "TicketNumber": "<ticket>"
}
This URL returns the new request if successful.
Exceptions
Most of the fields in this access request match those in a normal access request, with the exceptions noted here:
The following fields are used to identify the target Safeguard for Privileged Passwords user that will be used to create the request. The result must uniquely identify a valid Safeguard for Privileged Passwords user for which the application has been granted permission to create an access request. If the search results in multiple matches or no matches, an error is returned.
l ForUserId: The database ID of a Safeguard for Privileged Passwords user. This takes priority if it contains a value.
l ForUser: The name of a Safeguard for Privileged Passwords user. This value is ignored if ForUserId contains a value.
l ForProvider: An optional provider name, that can be used to limit the search for ForUser.
The following fields are used to uniquely identify the target system. If the search results in multiple matches or no matches, an error is returned.
l SystemId: The database ID of a Safeguard for Privileged Passwords asset. This field is used to search for a matching asset in the following order:
l System Name: Exact match on the system name
l Network Address: Exact match on the network address
l String search: A string search on all string properties for the asset
The following fields are used to uniquely identify the target account. If the search results in multiple matches or no matches, an error is returned.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
388
�l AccountId: The database ID of a Safeguard for Privileged Passwords account. This takes priority if it contains a value.
l AccountName: This is ignored if AccountId contains a value. This field is used to search for a matching account in the following order:
l Account Name: Exact match on the account name
l String search: A string search on all string properties for the account
The following fields can be used to identify the reason code. If the search results in multiple matches or no matches, the reason code is set to null.
l ReasonCodeId: The database ID of a predefined reason code. This takes priority if it contains a value.
l ReasonCode: The name of a predefined reason code. This is ignored if ReasonCodeId contains a value.
Access request creation
Once the target user and account have been determined, the Application to Application service attempts to create the access request. Normal policy rules determine whether the attempt is successful.
Approval Anywhere
The Safeguard for Privileged Passwords Approval Anywhere feature integrates its access request workflow with Starling Two-Factor Authentication (2FA), allowing approvers to receive a notification through an app on their mobile device when an access request is submitted. The approver can then approve (or deny) access requests through their mobile device without needing access to the desktop or web application.
The Approval Anywhere feature is enabled when you join Safeguard for Privileged Passwords to Starling. For more information, see Starling on page 408. Once enabled, it is the responsibility of the Security Policy Administrator to define the users who are authorized to use Approval Anywhere to approve access requests. This can be done using the Administrative Tools | Settings | External Integration | Approval Anywhere pane.
NOTE: In version 2.1 and earlier, you had to specify a Starling API key in order to use Approval Anywhere and Starling Two-Factor Authentication (2FA) as a secondary authentication provider. This is no longer necessary when you join Safeguard for Privileged Passwords to Starling. If you previously configured these features, once you join to Starling, Safeguard for Privileged Passwords automatically migrates your previous configurations to use the credential string generated by the join process.
Navigate to Administrative Tools | Settings | External Integration | Approval Anywhere. The Approval Anywhere pane displays the following about the users authorized to use the Approval Anywhere feature.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
389
�Table 154: Approval Anywhere: Properties
Setting
Description
Name
Name of the Safeguard for Privileged Passwords user.
NOTE: This user must also be added as an approver in an access request policy.
Mobile Phone
Valid mobile phone number in E.164 format for the authorized user.
Alternate Mobile Phone
Alternate mobile phone number in E.164 format.
Email Address
Valid email address for the authorized user.
Use these toolbar buttons to manage the users authorized to use Approval Anywhere.
Table 155: Approval Anywhere: Toolbar
Setting
Description
Add
Add Safeguard for Privileged Passwords users who are authorized to use this feature to approve (or deny) access requests.
NOTE: Approval Anywhere approvers must have a valid mobile phone number in E.164 format and a valid email address defined. If a user does not display a valid mobile phone number or email address, edit the user record before proceeding. For more information, see Modifying a user on page 461.
E.164 format: +<country code><area code><phone number>
NOTE: These same users must also be added as approvers in an access request policy.
Remove
Remove the selected user as an authorized user.
Refresh
Update the list of users authorized to use Approval Anywhere.
Adding authorized user for Approval Anywhere
Once Safeguard for Privileged Passwords is joined to Starling, use the Approval Anywhere pane to add the Safeguard for Privileged Passwords users that can use the Approval Anywhere feature to approve access requests.
NOTE: If you upgraded from a previous version of Safeguard for Privileged Passwords where you have already configured Approval Anywhere, your existing configure will continue to work. However, you will not be able to manage your Approval Anywhere users until you join Safeguard for Privileged Passwords to Starling. Once you join to Starling, Safeguard for Privileged Passwords automatically migrates your previous
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
390
�configurations to use the credential string generated by the join process. TIP: Ensure OneTouch approvals is enabled on the two-factor authentication app on your mobile device.
To add users who are authorized to use Approval Anywhere
1. Log in to the Safeguard for Privileged Passwords desktop client as a Security Policy Administrator.
2. Navigate to Administrative Tools | Settings. 3. Select External Integration | Approval Anywhere. 4. Click Add. 5. In the Users dialog, select users from the list and click OK.
NOTE: Approval Anywhere approvers must have a valid mobile phone number in E.164 format and a valid email address defined. If a user does not display a valid mobile phone number or email address, edit the user record before proceeding. For more information, see Modifying a user on page 461. E.164 format: +<country code><area code><phone number> 6. Add these Approval Anywhere users as approvers in the appropriate access request policy. For more information, see Creating an access request policy on page 268.
Once a user is added as an Approval Anywhere user and as an approver in an access request policy, when an access request requires approval, Safeguard for Privileged Passwords sends a notification to the approver's Starling 2FA mobile app. The approver can either approve or deny the access request directly from the Starling 2FA mobile app.
NOTE: Revoking an access request that has already been approved is not available via the mobile app. You must use the Safeguard for Privileged Passwords desktop or web client to perform that action.
Email
It is the responsibility of the Appliance Administrator to configure Safeguard for Privileged Passwords to automatically send email notifications when certain events occur. Use the Email pane to configure the SMTP server to be used for email notifications and to edit the email templates that define the content of email notifications.
TIP: You must configure the DNS Server and set up the user's email address correctly.
To configure the SMTP Server
1. Navigate to Administrative Tools | Settings | External Integration | Email. 2. To configure the email notifications, enter these global settings for all Safeguard for
Privileged Passwords emails:
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
391
�SMTP Server Address
SMTP Port Sender Email
Require Transport Layer Security
Enter the IP address or DNS name of the mail server. When unspecified, Safeguard for Privileged Passwords disables the email client.
NOTE: When entering an IPv6 address, you must encapsulate it in square brackets, such as [b86f:b86f:b86f:1:b86f:b86f:b86f:b86f].
NOTE: If you are using a mail exchanger record (MX record), you must specify the domain name for the mail server.
Enter the TCP port number for the email service.
Default: 25
Range: 1 to 32767
Enter an email address to use as the "From" address for all emails originating from the appliance.
Required if you specify the SMTP Server Address.
Limit: 512 characters
Select this option to require that Safeguard for Privileged Passwords uses TLS to provide communication security over the internet.
To validate your setup
1. Select the Test Email Settings link. 2. Enter a Send To email address of where to send the test message and click Send.
Safeguard for Privileged Passwords sends an email using the configuration settings.
The grid at the bottom of this pane lists the email templates used to define the content to be included in email notifications. Use these toolbar buttons to manage email templates.
Table 156: Email template: Toolbar
Property
Description
New
Add an email template. NOTE: You can only add a previously deleted template.
Delete
Remove the selected email template.
Refresh
Update the list of email templates.
Edit
Modify the selected email template. For more information, see Modifying an email template on page 393.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
392
�Enabling email notifications
For users to receive email notifications, there are a few things you must configure properly.
To enable email notifications
1. Users must set up their email address correctly. a. Local users: i. The Authorizer Administrator or User Administrator sets this up in the user's Contact Information. For more information, see Adding a user on page 451. -ORii. Users set this up in their My Account settings. For more information, see User information and log out (desktop client) on page 82. b. Directory users must have their email set in the Active Directory or LDAP domain.
2. The Appliance Administrator must configure the SMTP server. For more information, see Email on page 391.
TIP: You can setup email subscriptions to any email event type through the API: https://<Appliance IP>/service/core/swagger/ui/index#/EventSubscribers. For more information, see How do I access the API on page 561.
Modifying an email template
Safeguard for Privileged Passwords provides default email templates for most events, such as when a password change fails or an access request is denied. However, you can customize individual email templates, for example to provide notification when emergency access is granted . Each template corresponds to a single event type; the event triggers an email notification that uses the template.
To modify an email template
1. Open the email template for editing. Navigate to Administrative Tools | Settings | External Integration | Email | Email Templates.
2. In the Email Template dialog: a. Event: The event is selected when adding a new template. For more information, see Enabling email notifications on page 393. b. Subject: Edit the subject line for the email message. As you type, click Insert Event Property Macro to insert predefined text into the subject line. For example, you may create the following subject line:
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
393
�Approval is required for {{Requester}}'s request
where Safeguard for Privileged Passwords generates the data defined by the macro within the double braces. (For more information about using macros, see note at the end of this topic.)
Limit: 1024 characters
c. Reply to: Enter the email address of the person to reply to concerning this notification.
Limit: 512 characters
d. Body: Enter the body of the message.
As you type, click Insert Event Property Macro to insert predefined text into the body. For example, you may create the following body for an email template:
{{Requester}} has requested the password for {{AccountName}} on {{AssetName}}
where Safeguard for Privileged Passwords generates the data defined by the macro within the double braces. (For more information about using macros, see note below.)
Limit: 16384 characters
e. Preview Email: Select this link to display the Preview Email dialog so you can see how your email message will look.
NOTE: Each event type supports specific macros that are appropriate for that type of event. You can enter the macro into the text of the subject line or body using keywords surrounded by double braces rather than inserting the macro. However, Safeguard for Privileged Passwords ignores macros that are not supported by the event type. Unsupported macros appear blank in the email preview.
Identity and Authentication
Safeguard for Privileged Passwords allows you to create various types of identity and authentication providers to integrate with existing directory services. This helps you to effectively manage users and how they will log in to Safeguard. You can create providers for Active Directory, OpenLDAP 2.4, any SAML 2.0 federated service, or Radius.
To be managed, a directory asset must be added as both an asset and as an identity provider. When adding the identity provider, if the account name matches an account name already linked to an identity provider, the provider is automatically assigned.For more information, see Accounts on page 138.
Navigate to Administrative Tools | Settings | External Integration | Identity and Authentication. The Identity and Authentication pane displays the following details about the identity and authentication providers defined.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
394
�Table 157: Identity and Authentication: Properties
Property Description
Name
The name assigned to the identity or authentication provider. Names are assigned by the administrator that creates the identity or authentication provider. Depending on the provider type, the name may be displayed in a drop-down list on the login page, with exception of Active Directory, External Federation, and any 2FA provider.
NOTE: The Starling 2FA service provider is automatically added to Safeguard for Privileged Passwords when you join Safeguard for Privileged Passwords to One Identity Starling. You cannot manually add, edit, or delete the Starling 2FA secondary authentication provider. For more information, see Starling on page 408.
Type
Types of identity and authentication providers follow. There are valid primary and secondary authentication combinations. For more information, see Authentication provider combinations on page 396.
l Active Directory l LDAP l External Federation l Radius (use as a secondary authentication provider) l Radius as Primary (use as a primary authentication provider) l FIDO2
Description Enter any descriptive information to use for administrative purposes.
Use these toolbar buttons to manage identity and authentication provider configurations.
Table 158: Identity and Authentication: Toolbar
Option
Description
Add
Add a identity or authentication provider configuration. For more information, see Adding identity and authentication providers on page 398.
Delete Selected
Remove the selected identity or authentication provider. The provider can be deleted if there are no associated users.
Refresh
Update the list of identity and authentication providers.
Edit
Modify the selected identity or authentication provider.
Run the directory addition and deletion synchronization process on demand.
Sync Now
In addition, it runs through the discovery, if there are discovery rules and configurations set up.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
395
�Option
Description
Download
Download a copy of Safeguard for Privileged Passwords's Federation Metadata XML file. You will need this file to create the corresponding trust relationship on your STS server. The federation metadata XML file typically contains a digital signature and cannot be modified in any way, including white space. If you receive an error regarding a problem with the metadata, ensure the file has not been edited.
Authentication provider combinations
Some authentication providers can only be used for primary authentication and others can only support secondary authentication. See the table that follows for details on allowable authentication provider combinations.
NOTE: The Starling 2FA service provider is automatically added to Safeguard for Privileged Passwords when you join Safeguard for Privileged Passwords to One Identity Starling. You cannot manually add, edit, or delete the Starling 2FA secondary authentication provider. For more information, see Starling on page 408.
NOTE: It is the responsibility of either the Authorizer Administrator or the User Administrator to configure a user account to use two-factor authentication when logging into Safeguard for Privileged Passwords. For more information, see Requiring secondary authentication log in on page 457.
Using Local as the identity provider
Table 159: Allowable local identity provider combinations Primary authentication Local: The specified login name and password will be used for authentication.
Certificate: The specified certificate thumbprint will be used for authentication.
Secondary authentication None Starling Radius Active Directory LDAP FIDO2 None Starling Radius Active Directory
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
396
�Primary authentication
Secondary authentication
LDAP FIDO2
External Federation: The specified email address or name claim will be None
used for authentication.
Starling
Radius
Active Directory
LDAP
FIDO2
Radius: The specified login name will be used for authentication.
NOTE:The Radius server may be configured to integrate with your company's existing identity and authentication solution and may provide its own means of two-factor authentication.
None Starling Active Directory LDAP FIDO2
Using Active Directory as the identity provider
Table 160: Allowable Active Directory identity provider combinations
Primary authentication
Secondary authentication
Active Directory: The samAccountName or X509 certificate will be used for authentication.
NOTE: The user must authenticate against the domain from which their account exists.
None Starling Radius LDAP
FIDO2
External Federation: The specified email address or name claim will be None
used for authentication.
Starling
Radius
Active Directory LDAP
FIDO2
Radius: The specified login name will be used for authentication.
NOTE:The Radius server may be configured to integrate with your company's existing identity and authentication solution and may
None Starling
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
397
�Primary authentication provide its own means of two-factor authentication.
Secondary authentication Active Directory LDAP FIDO2
Using LDAP as the identity provider
Table 161: Allowable LDAP identity provider combinations
Primary authentication
Secondary authentication
LDAP: The specified username attribute will be used for authentication. None Starling Radius Active Directory FIDO2
External Federation: The specified email address or name claim will be None
used for authentication.
Starling
Radius
Active Directory
LDAP
FIDO2
Radius : The specified login name will be used for authentication.
NOTE:The Radius server may be configured to integrate with your company's existing identity and authentication solution and may provide its own means of two-factor authentication.
None Starling Active Directory LDAP FIDO2
Adding identity and authentication providers
It is the responsibility of the Asset Administrator to add directories to Safeguard for use as identity and authentication providers. If Active Directory forests have more than one domain, select the domain to use for identity and authentication and to display on the logon screen. It is the responsibility of a User Administrator or Appliance Administrator to create an External Federation or Radius provider to use for authentication.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
398
�To add identity and authentication providers 1. Navigate to Administrative Tools | Settings | External Integration | Identity and Authentication.
2. Click Add. 3. Click the provider:
l Active Directory: See Active Directory and LDAP settings. l LDAP: See Active Directory and LDAP settings. l External Federation: See External Federation settings. l Radius: See Radius settings. l FIDO2: See FIDO2 settings.
Active Directory and LDAP settings
Use the General tab to add the required service account information. The following table lists the properties and designates the properties for Active Directory or LDAP only, if applicable.
Table 162: Active Directory and LDAP: General tab properties
Property
Description
Service Account Domain Name (for Active Directory)
Enter the fully qualified Active Directory domain name, such as example.com.
Do not enter the domain controller hostname, such as server.example.com; the domain controller's IP address, such as 10.10.10.10; or the NETBIOS domain name, such as EXAMPLE.
The service account domain name is the name of the domain where the service account resides. Safeguard for Privileged Passwords uses DNS-SRV to resolve domain names to actual domain controllers.
Network Address (for OpenLDAP)
Enter a network DNS name or the IP address of the LDAP server for Safeguard for Privileged Passwords to use to connect to the managed system over the network.
Service Account Name (for Active Directory)
Enter an account for Safeguard for Privileged Passwords to use for management tasks. If the account name matches an account name already linked to an identity provider, the provider is automatically assigned.
When you add the directory, Safeguard for Privileged Passwords automatically adds the service account to the directory's Accounts tab and disables it for access requests.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
399
�Property
Description
If you want the password to be available for release, click Access Requests and select Enable Password Request from the details toolbar. To enable session access, select Enable Session Request.
Add an account that has permission to read all of the domains and accounts that you want to manage with Safeguard for Privileged Passwords.
Safeguard for Privileged Passwords is forest-aware. Using the service account you specify, Safeguard for Privileged Passwords automatically locates all of the domains in the forest and creates a directory object that represents the entire forest. The directory object will have the same name as the forest-root domain regardless of which account you specify.
For more information, see About service accounts on page 193.
Service Account Distinguished Name (for OpenLDAP)
Enter a fully qualified distinguished name (FQDN) for Safeguard for Privileged Passwords to use for management tasks. For example: cn=dev-sa,ou=people,dc=example,dc=com
Service Account Password
Enter the password Safeguard for Privileged Passwords uses to authenticate to this directory.
Description
Enter information about this external identity provider.
Connect
Click Connect to verify the credentials. If adding an Active Directory provider, all domains in the forest will be displayed. Choose which ones can be used for identity and authentication.
Advanced
Open to reveal the following synchronization settings:
Available Domains for Identity and Authentication (for Active Directory)
All newly created Safeguard users that are imported from the directory user group will have their primary authentication provider set to use the directory domain from which their user originates. For an Active Directory forest with multiple domains, the domains must be marked as Available Domains for Identity and Authentication. Clearing the forest root domain will have undesired results when managing directory users and groups. For more information, see Adding a directory user group on page 473.
Port (for LDAP)
Enter port 389 used for communication with the LDAP directory.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
400
�Property
Description
Use SSL Encryption Select to enable Safeguard for Privileged Passwords to
(for OpenLDAP)
encrypt communication with an LDAP directory.
Verify SSL Certificate (for OpenLDAP)
Select to verify the SSL certificate. This option is only available when the Use SSL Encryption option is selected.
Sync additions every
Enter or select how often you want Safeguard for Privileged Passwords to synchronize directory additions (in minutes). This updates Safeguard for Privileged Passwords with any additions, or modifications that have been made to the directory objects, including group membership and user account attributes mapped to Safeguard for Privileged Passwords.
Default: 15 minutes
Range: Between 1 and 2147483647
Sync deletions every
Enter or select how often you want Safeguard for Privileged Passwords to synchronize directory deletions (in minutes). This updates Safeguard for Privileged Passwords with any deletions that have been made to the directory objects, including group membership and user account attributes mapped to Safeguard for Privileged Passwords.
Default: 15 minutes
Range: Between 1 and 2147483647
On the Attributes tab, synchronize the attributes in Safeguard for Privileged Passwords to the directory schema attributes.
The Attributes tab displays the default directory attributes that are mapped to the Safeguard for Privileged Passwords properties, such as the user's first name.
To map the Safeguard for Privileged Passwords properties to different directory attributes
1. Browse to select one or more object classes for the users, computers, and groups categories, as applicable.
NOTE: You can use or remove the default object class.
2. If you do not want to use the default property, begin typing in the property box. Safeguard for Privileged Passwords' auto-complete feature immediately displays a list of attributes to choose. Safeguard for Privileged Passwords only allows you to select attributes that are valid for the object classes you have selected for users, groups, and computers.
3. Once you have set all the properties, click Apply.
The following table list the default directory attributes.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
401
�Table 163: Active Directory and LDAP: Attributes tab
Safeguard for Privileged Passwords attribute
Directory attribute
Users
Object Class
Browse to select a class definition that defines the valid attributes for the user object class.
Default: user for Active Directory, inetOrgPerson for LDAP
User Name
sAMAccountName for Active Directory, cn for LDAP
Password
userPassword for LDAP
First Name
givenName
Last Name
sn
Work Phone
telephoneNumber
Mobile Phone
mobile
Email
mail
Description
description
External Federation Authentication
The directory attribute used to match the email address claim or name claim value from the SAML Response of an external federation authentication request. Typically, this will be an attribute containing the user's email address or other unique identifier used by the external Secure Token Service (STS).
For both Active Directory and OpenLDAP 2.4, this will default to the "mail" attribute.
This is only used when processing members of a directory user group in which the group has been configured to use an External Federation provider as the primary authentication.
For more information, see Adding a directory user group on page 473.
Radius Authentication
The directory attributed used to match the username value in an external Radius server that has been configured for either primary or secondary authentication.
For Active Directory, this will default to using the samAccountName attribute. For OpenLDAP 2.4, this will default to using the cn attribute.
NOTE: This is only used when processing members of a directory user group in which the group has been configured to
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
402
�Safeguard for Privileged Passwords attribute
Managed Objects
Groups Object Class Name Member Description
Directory attribute
use Radius as either the primary or secondary authentication provider. For more information, see Adding a directory user group on page 473.
The directory attribute used when automatically associating existing managed Accounts to users of a directory user group as linked accounts. Defaults:
l For Active Directory, this defaults to managedObjects. However, you may want to use the directReports attribute based on where you have the information stored in Active Directory.
l For OpenLDAP 2.4, this defaults to the seeAlso attribute. When choosing an attribute, it must exist on the user itself and contain one or more Distinguished Name values of other directory user objects. For example, you would not want to use the owner attribute in OpenLDAP 2.4, as the direction of the relationship is going the wrong way. You would instead want an owns attribute to exist on the user such as the default seeAlso attribute. For more information, see Adding a directory user group on page 473.
Browse to select a class definition that defines the valid attributes for the group object class. Default: group for Active Directory, groupOfNames for LDAP sAMAccountName for Active Directory, cn for LDAP
member
description
External Federation settings
Safeguard for Privileged Passwords supports the SAML 2.0 Web Browser SSO Profile, allowing you to configure federated authentication with many different STS servers and services, such as Microsoft's AD FS. Through the exchange of the federation metadata, you can create a trust relationship between the two systems. Then, you will create a Safeguard for Privileged Passwords user account to be associated with the federated account. When
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
403
�an end user logs in, they will be redirected to the external STS to enter their credentials and perform any two-factor authentication that may be required by that STS. After successful authentication, they will be redirected back to Safeguard for Privileged Passwords and logged in.
NOTE: Additional two-factor authentication can be assigned to the associated Safeguard for Privileged Passwords user account to force the user to authenticate again after being redirected back from the external STS.
To use external federation, you must first download the federation metadata XML for your STS and save it to a file. For example, for Microsoft's AD FS, you can download the federation metadata XML from:
https://<adfs server>/FederationMetadata/2007-06/FederationMetadata.xml.
To add external federation:
1. In the External Federation dialog, supply the following information:
a. Name: The unique name assigned to the external federation service provider. The name is for administrative purposes only and will not be seen by the end users.
b. Realm: The unique realm value (typically a DNS suffix, like contoso.com) that matches the email addresses of users that will use this STS for authentication. A case-insensitive comparison will be used on this value when performing Home Realm Discovery.
c. Federation Metadata File: Click Browse to select the STS federation metadata xml file.
d. Description: Enter any text. The text is seen only here and used for administrative purposes.
2. Click Download Safeguard for Privileged Passwords Metadata File: You will need this file to create the corresponding trust relationship on your STS server. The federation metadata XML file typically contains a digital signature and cannot be modified in any way, including white space. If you receive an error regarding a problem with the metadata, ensure the file has not been edited. Also see: How do I create a relying party trust for the STS.
Radius settings
Create and configure a Radius server for use as either a primary authentication provider or secondary authentication provider. To use a Radius server for both primary and secondary authentication, you will need to create two authentication providers. The steps to create Radius as a primary provider or secondary provider follow:
1. In the Radius dialog, supply the following information:
a. Name: The unique display name. When creating the Radius provider for primary authentication, this name value will be displayed in the drop-down list on the login page.
b. Type: Choose As Primary Authentication or As Secondary
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
404
�Authentication.
c. Server Address: Enter a network DNS name or the IP address used to connect to the server over the network.
d. Secondary Server Address: (Optional) Enter a network DNS name or the IP address for an additional or redundant server.
e. Shared Secret: Enter the server's secret key. Click secret key.
to show the server's
f. Port: Enter the port number that the Radius server uses to listen for authentication requests. The default is port 1812.
g. Timeout: Specify how long to wait before a Radius authentication request times out. The default is 20 seconds.
h. PreAuthenticate for Challenge/Response: If selected, an Access-Request call containing only the User-Name is sent to the Radius server prior to the user's authentication attempt. This is done to inform the Radius server of the user's identity so it can possibly begin the authentication process by starting a challenge/response cycle. This may be required to seed the user's state data. In addition, the Radius server's response may include a login message that is to be displayed, which is specific to that user.
If the Radius server is not configured to respond with an Access-Challenge, then this will cause the log in to fail and the user will be unable to proceed. This setting is only applicable when using Radius as a secondary authentication provider. The setting has no effect if enabled on a primary authentication provider.
i. Always Mask User Input: If selected, the text box that the user enters their one-time password, or other challenge required by the Radius server, will always be a password style text box in which the user's input is masked and appears as a series of dots, not as clear text. This may be desired when the challenge is not only a one-time password, but also contains the user's PIN. This will prevent any passer-by from seeing the private information. Note, however, that when this setting is enabled, it will also override the Prompt attribute of the Radius server's Access-Challenge response, such that the user's input will always be masked.
j. Description: Enter any text. The text is seen only here and used for administrative purposes.
2. Click OK.
FIDO2 settings
Create and configure FIDO2 for use as a secondary authentication provider. 1. In the FIDO2 dialog, provide the following settings: a. Name: The unique name assigned to the provider. The name is for administrative purposes only and will not be seen by the end users.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
405
�b. Domain Suffix: This must be a DNS name that identifies the appliance. Typically, this will be the DNS name used to access Safeguard. It cannot be an IP address. The value is a a domain string identifying the WebAuthn Relying Party for which the registration or authentication ceremony is performed.
A public key credential can only be used for authentication with the same entity (identified by this value) it was registered with. However, this value can be a registerable domain suffix of what appears in the user's browser when registering. For example, you could enter contoso.com to register against a server at https://www.contoso.com or https://node1.contoso.com. Later, you can use the same authenticator security key to authenticate at either of the locations.
c. Description: Enter any text. The text is seen only here and used for administrative purposes.
2. Click OK.
SNMP
Simple Network Management Protocol (SNMP) is an Internet-standard protocol for managing devices on IP networks. Safeguard for Privileged Passwords allows you to configure SNMP subscriptions for sending SNMP traps to your SNMP console when certain events occur.
Navigate to Administrative Tools | Settings | External Integration | SNMP. The SNMP pane displays the following about the SNMP subscribers defined.
Table 164: SNMP: Properties
Property
Description
Network Address
The IP address or FQDN of the primary SNMP network server
Port
The UDP port number for SNMP traps
Version
The SNMP version being used
Community
The SNMP community string being used by the SNMP subscriber
Description
The description of the SNMP subscriber
# of Events
The number of events selected to be sent to the SNMP console
Use these toolbar buttons to manage the SNMP subscriptions.
Table 165: SNMP: Toolbar
Option
Description
New
Add a new SNMP subscription. For more information, see Configuring SNMP subscriptions on page 407.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
406
�Option Delete Selected Refresh Edit Copy
Description Remove the selected SNMP subscription. Update the list of SNMP subscriptions. Modify the selected SNMP subscription. Clone the selected SNMP subscription.
Configuring SNMP subscriptions
It is the responsibility of the Appliance Administrator to configure Safeguard for Privileged Passwords to send SNMP traps to your SNMP console when certain events occur.
NOTE:To download Safeguard for Privileged Passwords MIB-module definitions from your appliance, enter the following URL into your web browser; no authentication is required: https://<Appliance IP address>/docs/mib/SAFEGUARD-MIB.mib
To configure SNMP subscriptions
1. Navigate to Administrative Tools | Settings | External Integration | SNMP. 2. Click New to open the SNMP subscription configuration dialog. 3. Provide the following information:
Network Address UDP Port Description Events
Version
Enter the IP address or FQDN of the primary SNMP network server. Limit: 255 characters
Enter the UDP port number for SNMP traps. Default: 162
Enter the description of the SNMP subscriber. Limit: 255 characters
Browse to select one or more SNMP event types. Use the Clear icon to remove an individual event from this list or right-click and select Remove All to clear all events from the list.
NOTE: The SNMP pane displays the number of events that you select, not the names of the events.
Choose the SNMP version: Version 1 or Version 2 Default: Version 2
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
407
�Community
Enter the SNMP community string, such as public.
The SNMP community string is like a user ID or password that allows access to a device's statistics, such as a router. A PRTG Network Monitor sends the community string along with all SNMP requests. If the community string is correct, the device responds with the requested information. If the community string is incorrect, the device simply discards the request and does not respond.
Verifying SNMP configuration
Use the Send Test Event link located under the SNMP table on the Settings | External Integration | SNMP pane.
To validate your setup 1. When configuring your SNMP subscription, on the SNMP dialog, add the test event to your event subscription. 2. Return to the SNMP settings pane: a. Select the SNMP configuration from the table. b. Select Send Test Event. Safeguard for Privileged Passwords sends a test event notification to your SNMP console.
Starling
One Identity Starling Two-Factor Authentication (2FA) is a SaaS solution that provides twofactor authentication on a product allowing organizations to quickly and easily verify a user's identity. This service is provided as part of the One Identity Starling cloud platform. In addition, Starling offers a hybrid service, One Identity Hybrid, that allows you to take advantage of companion features from multiple Starling services, such as Starling TwoFactor Authentication.
Joining Safeguard for Privileged Passwords to Starling adds Safeguard to the One Identity Hybrid service allowing you to use features from the Starling 2FA services. For more information, see Join Starling on page 409.
A video of Safeguard and Starling 2FA and Approval Anywhere can be found on the Support site at One Identity Safeguard Video and Tutorials then scroll to the video, Safeguard and Starling 2FA.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
408
�Join Starling
In order to use Starling 2FA with Safeguard for Privileged Passwords's Approval Anywhere feature or as a secondary authentication provider, you must join Safeguard for Privileged Passwords to Starling. It is the responsibility of the Appliance Administrator to join Safeguard for Privileged Passwords to Starling.
NOTE: In version 2.1 and earlier, you had to specify a Starling API key in order to use Approval Anywhere and Starling Two-Factor Authentication (2FA) as a secondary authentication provider. This is no longer necessary when you join Safeguard for Privileged Passwords to Starling. If you previously configured these features, once you join to Starling, Safeguard for Privileged Passwords automatically migrates your previous configurations to use the credential string generated by the join process. For additional information and documentation regarding the Starling Cloud platform and Starling Two-Factor Authentication, see Starling Two-Factor Authentication - Technical Documentation.
Prerequisites
See the Starling Release Notes for currently supported platforms. In order to use the companion features from Starling services, first configure the following:
l A valid license for Safeguard for Privileged Passwords with One Identity Hybrid subscription included. NOTE: You must have a valid license for Safeguard: Privileged Passwords or Privileged Sessions.
l Register a Starling Organization Admin account or a Collaborator account associated with the One Identity Hybrid subscription. For more information on Starling, see the One Identity Starling User Guide.
l Download the Starling 2FA app on your mobile phone to use the Approval Anywhere feature.
l If your company requires the use of a proxy to access the internet, you must configure the web proxy to be used. For more information on configuring a web proxy to be used by Safeguard for Privileged Passwords for outbound web requests to integrated services, see Networking.
To sign up for a Starling One Identity Hybrid service trial account
1. Go to https://www.cloud.oneidentity.com/ and log in or register a new account for the Starling cloud platform. a. From the Starling home page, click Sign in to Starling. b. Enter a valid email address and click Next. c. Enter your password and click Sign In.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
409
�d. On the Create your Account page, enter your organization and your mobile phone number.
NOTE: If the email address you entered does not exist, you will be taken directly to the Create your Account page to register your organization and enter your name, password, and mobile phone number.
When registering for the first time, you will be sent a verification email in which you must click the supplied link in order to complete the registration process.
2. Once logged in, click the Trial button under the One Identity Hybrid tile. Follow the prompts on the screen.
The service will be added to the My Services section and be available for use until the trial period has ended. The number of days left in your trail is indicated by a countdown at the top right of the service access button on the home page of Starling. At any point in the trial you can use the More Information button associated with the service to find out how to purchase the product.
Join Safeguard for Privileged Passwords with Starling
1. Navigate to Administrative Tools | Settings| External Integration | Starling. This pane also includes the following links, which provide assistance with Starling:
l Visit us online to learn more displays the Starling login page where you can create a new Starling account.
l Trouble Joining displays the Starling support page with information on the requirements and process for joining with Starling.
2. Click Join to Starling.
NOTE: The following additional information may be required:
l If you do not have an existing session with Starling, you will be prompted to authenticate.
l If your Starling account belongs to multiple organizations, you will be prompted to select which organization Safeguard for Privileged Passwords will be joined with.
After the join has successfully completed, you will be returned to the Safeguard for Privileged Passwords desktop client and the Starling settings pane will now show Joined to Starling. Once Starling is joined, you can configure users to require secondary authentication using Starling. For more information, see Authentication tab (add user) on page 453.
To unjoin Safeguard for Privileged Passwords from Starling
1. In Settings, select External Integration | Starling.
2. Click Unjoin Starling.
Safeguard for Privileged Passwords will no longer be joined to Starling, which means that Approval Anywhere and two-factor authentication as a secondary authentication provider are also disabled in Safeguard for Privileged Passwords. A Starling Organization Admin account or Collaborator account associated with the Starling One
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
410
�Identity Hybrid subscription can rejoin Safeguard for Privileged Passwords to Starling at any time.
After the join
Once Safeguard for Privileged Passwords is joined to Starling, the following Safeguard for Privileged Passwords features are enabled and can be implemented using Starling TwoFactor Authentication:
l Secondary authentication
Safeguard for Privileged Passwords supports two-factor authentication by configuring authentication providers, such as Starling Two-Factor Authentication, which are used to configure Safeguard for Privileged Passwords's authentication process such that it prompts for two sources of authentication when users log in to Safeguard for Privileged Passwords.
A Starling 2FA authentication provider is automatically added to Safeguard for Privileged Passwords when you join Safeguard for Privileged Passwords to Starling. As an Authorizer or User Administrator, you must configure users to use Starling 2FA as their secondary authentication provider when logging into Safeguard for Privileged Passwords. For more information, see Configuring user for Starling Two-Factor Authentication when logging in to Safeguard on page 458.
l Approval Anywhere
The Safeguard for Privileged Passwords Approval Anywhere feature integrates its access request workflow with Starling Two-Factor Authentication (2FA), allowing approvers to receive a notification through an app on their mobile device when an access request is submitted. The approver can then approve (or deny) access requests through their mobile device without needing access to the desktop or web application.
Approval Anywhere is enabled when you join Safeguard for Privileged Passwords to One Identity Starling. As a Security Policy Administrator, you must define the Safeguard for Privileged Passwords users authorized to use Approval Anywhere. For more information, see Adding authorized user for Approval Anywhere on page 390.
Syslog
Safeguard for Privileged Passwords allows you to define one or more syslog servers to be used for logging Safeguard for Privileged Passwords event messages. Using this feature, Appliance Administrators can specify to send different types of messages to different syslog servers.
Navigate to Administrative Tools | Settings | External Integration | Syslog. The Syslog pane displays the following about each syslog server defined.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
411
�Table 166: Syslog server: Properties
Property
Description
Network Address
The IP address or FQDN of the syslog server
Port
The UDP port number for syslog server
Facility
The type of program being used to create syslog messages
Description
The description of the syslog server configuration
# of Events
The number of events selected to be logged to the syslog server
Use these toolbar buttons to manage the syslog server configurations
Table 167: Syslog server: Toolbar
Option
Description
New
Add a new syslog server configuration. For more information, see Configuring a syslog server on page 412.
Delete Selected
Remove the selected syslog server configuration from Safeguard for Privileged Passwords.
Refresh
Update the list of syslog server configurations.
Edit
Modify the selected syslog server configuration.
Copy
Clone the selected syslog server configuration.
Configuring a syslog server
It is the responsibility of the Appliance Administrator to configure Safeguard for Privileged Passwords to log event messages to a syslog server.
To configure a syslog server 1. Navigate to Administrative Tools | Settings | External Integration | Syslog. 2. Click New to display the Syslog dialog. 3. In the Syslog dialog, enter the following: a. Network Address: Enter the IP address or FQDN of the syslog server. Limit: 255 characters b. UDP Port: Enter the UDP port number for the syslog server. Default: 514 Range: between 1 and 32767
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
412
�c. Description: Enter a description for the syslog server configuration. Limit: 255 characters
d. Events: Click Browse to select the events to be included in the syslog. On the Event selection dialog, select the events to be included, then click OK.
e. Facility: Choose the type of program to be used to log syslog messages. Default: User-level messages
4. Click OK to save your selection and add the syslog server configuration.
Ticketing systems
You can integrate with an external ticketing system or use ticketing that is not configured with an external ticketing system. Tickets can be viewed in the Activity Center, Ticket # column.
Not integrated with an external ticketing system
Policy Administrators can require requesters to reference a ticket number in their password or session access request but not have the ticket validated against an external ticketing system but, optionally, may be validated against the regular expression of a generic ticketing system. The ticket number is used in the decision to approve the request.
Require a ticket number 1. Navigate to Administrative Tools | Settings | External Integration | Ticket Systems.
2. Click Add to add a ticket system. 3. Provide the following:
a. Name: Enter a name to be used in tracking tickets. b. Type: Select Other. c. Regular Expression: Enter the regular expression pattern to validate for an
exact match. For more information, see Regular expressions on page 605. d. Click Validate to validate the Regular Expression entry.
Ticket workflow 1. The Policy Administrator creates an access request policy that requires the requester to provide a ticket number when creating an access request. For more information, see Creating an access request policy 2. When the requester makes a request, they must enter a ticket number on the New Access Request dialog, Request Details tab, Ticket Number field. For more information, see Requesting a password release and Requesting session access.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
413
�3. Safeguard for Privileged Passwords validates the ticket number against the regular expression. If the ticket number is an exact match to the regular expression, the workflow continues.
Integrated with an external ticketing system
Safeguard for Privileged Passwords allows you integrate with your company's external ticket system such as ServiceNow or Remedy. Workflow examples follow.
IMPORTANT: The data items specific to ServiceNow and Remedy (for example, Client ID, Client Secret, and Authentication String) may be optional based on your configuration.
ServiceNow integration workflow example
ServiceNow is a cloud-based issue tracking system. Safeguard for Privileged Passwords can exchange the following ticket types with ServiceNow:
l INC (incident) tickets
l CHG (change) tickets l RITM (request) tickets l PRB (problem) tickets
To use ServiceNow, the root CA Certificate required for ServiceNow must be installed in Safeguard for Privileged Passwords. For more information, see Trusted Certificates on page 360. To add a trusted certificate, see Adding a trusted certificate.
Ticket workflow
1. The Policy Administrator creates an access request policy that requires the requester to provide a ticket number when creating an access request. For more information, see Creating an access request policy
2. When the requester makes a request, they must enter the existing ServiceNow ticket number on the New Access Request dialog, Request Details tab, Ticket Number field. For more information, see Requesting a password release and Requesting session access.
3. Safeguard for Privileged Passwords queries all configured ticket systems to see if that ticket number represents a ticket that exists and is in an open state. For ServiceNow, Safeguard checks the Active property of the identified ticket returned from the ServiceNow API and considers the ticket number valid if the Active property is not false for that incident. a. If the ticket is not active, the request is denied. b. If the ticket is active, the access workflow continues.
Remedy integration workflow
The details in the ServiceNow integration workflow example apply to Remedy ticket systems except Remedy will have a different certificate and ticket types. Safeguard checks
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
414
�the Status property of the incident returned from the Remedy API. The ticket is considered valid if Status is not Closed or Cancelled.
Ticketing pane
Navigate to Administrative Tools | Settings | External Integration | Ticket Systems. The Ticket System pane displays the following about the ticket systems defined.
Ticketing toolbar
Use these toolbar buttons to manage the ticketing systems defined to integrate with Safeguard for Privileged Passwords.
l New: Add a new ticket system.
l Delete Selected: Remove the selected ticket system from Safeguard for Privileged Passwords.
l Refresh: Update the list of ticket systems.
l Edit: Modify the selected ticket system configuration.
To configure Safeguard for Privileged Passwords to integrate with an external ticket system
1. Navigate to Administrative Tools | Settings | External Integration | Ticket Systems.
2. Click Add to add a new ticket system. 3. Provide the following:
a. Name: Enter the name of your ticketing system. b. Type: Select the type of ticketing tracking system:
l ServiceNow: A cloud-based issue tracking system. l Remedy: A request-for-service problem tracking system. c. URL: Enter the web site address to the ticketing system. d. User Name: Enter an account for Safeguard for Privileged Passwords to use to access the ticketing system. e. Password: Enter the user account's password. f. Client Identifier: Enter the ServiceNow Client ID. g. Client Secret: Enter the ServiceNow secret key. h. Authentication String: Enter the authentication credential for the Remedy AR (Action Request) system server. i. Test Connection: Click Test Connection verify the connection works.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
415
�Messaging settings
Safeguard for Privileged Passwords allows you to set the following notifications. Navigate to Administrative Tools | Settings | Messaging.
Table 168: Messaging settings
Setting
Description
Login Notification
Where you enable a login banner that users must acknowledge before they can access Safeguard for Privileged Passwords
Message of the Day Where you set the Message of the Day that displays on the Home page
Login Notification
It is the responsibility of the Appliance Administrator to configure the login notification displayed when a user logs into Safeguard for Privileged Passwords.
To configure the login notification 1. Navigate to Administrative Tools | Settings | Messaging | Login Notification. 2. Select the Message check box and enter a message. 3. Click OK.
Message of the Day
It is primarily the responsibility of the Appliance Administrator to configure the message of the day displayed on the Home page, however any user with administrator permissions has the ability to set the message of the day.
To configure the message of the day 1. Navigate to Administrative Tools | Settings | Messaging | Message of the Day. 2. Choose either the RSS or Subject Line option. 3. When the RSS option is selected, enter a web address. 4. When the Subject line option is selected, enter the following information: l Subject Line: Enter a short description. l Message: Enter the text of up to 255 characters.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
416
�5. Click OK.
Profile settings
Use the Profile settings to define the profile configuration settings, including account password rules and password check and change schedules, which can then be used in partition profile definitions.
Navigate to Administrative Tools | Settings | Profile.
Table 169: Profile settings
Setting
Description
Account Password Rules
Where you define the complexity rules used by Safeguard for Privileged Passwords when constructing new passwords during an automatic account password change
Change Password
Where you define the rules Safeguard for Privileged Passwords uses to reset account passwords
Check Password
Where you define the rules Safeguard for Privileged Passwords uses to verify account passwords
Password sync groups
Where you define the password sync groups and associated accounts so Safeguard for Privileged Passwords can synchronize passwords across accounts
Account Password Rules
Navigate to Administrative Tools | Settings | Profile | Account Password Rules. Account password rules govern the construction of a new password created by Safeguard for Privileged Passwords during an automatic account password change. You can create rules governing the allowable account passwords, such as:
l Set the allowable password length in a range from three to 225 characters. l Set first characters type and last character type. l Allow uppercase letters, lowercase letters, numbers, and/or printable ASCII symbols
along with the minimum amounts of each. l Identify excluded uppercase letters, lowercase letters, numbers, and symbols. l Identify if consecutive letters, numbers, and/or symbols can be repeated
sequentially and, if allowed, set the maximum repetitions allowed.
NOTE: You select an account password rule set when defining a partition's profile. For more information, see Creating a profile on page 294. An account password rule applies
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
417
�to all accounts governed by the profile. Navigate to Administrative Tools | Settings | Profile | Account Password Rules. Use these toolbar buttons to manage your account password rules.
Table 170: Account Password Rules: Toolbar
Option
Description
Add Account Password Rule
Add an account password complexity rule. For more information, see Adding an account password rule on page 418.
Delete Selected Remove the selected rule.
Refresh
Update the list of account password rules.
Edit
Modify the selected rule.
Copy
Clone the selected rule.
Adding an account password rule
It is the responsibility of the Asset Administrator, or a partition's delegated administrator, to configure account password complexity rules.
IMPORTANT: Some Unix systems silently truncate passwords to their maximum allowed length. For example, Macintosh OS X only allows a password of 128 characters. If an Asset Administrator creates a profile with an Account Password Rule that sets the password length to 136 characters, when Safeguard for Privileged Passwords changes the password for an account governed by that profile, the asset's operating system truncates the new password to the allowable length and does not return an error; however, the full 136-character password is stored in Safeguard for Privileged Passwords. This causes the following issues:
l Check Password for that account will fail. When Safeguard for Privileged Passwords compares the password on the Unix host with the password in Safeguard for Privileged Passwords, they never match because the Unix host truncated the password generated by Safeguard for Privileged Passwords.
l A user will not be able to log in to the Unix host account successfully with the password provided by Safeguard for Privileged Passwords unless they truncate the password to the allowable length imposed by the operating system.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
418
�To add an account password rule
1. Navigate to Administrative Tools | Settings | Profile | Account Password Rules.
2. Click Add Account Password Rule to open the Account Password Rule dialog.
3. Browse to select the partition.
4. Enter a Name for the account password rule (up to 50 characters).
5. Enter a Description for the account password rule (up to 255 characters).
6. Set the password requirements.
l Password Length: Set a range for the password allowable length from three to 255 characters. The maximum length must be equal to or greater than the sum of minimum characters required in the following steps. For example, if the password must have two uppercase letters, two lowercase letters, and two numeric characters, the minimum Password Length must be six.
l First Character Type: Choose one of the following:
l All: Alphabetical, numeric, or symbols
l Alphanumeric: Alphabetical or numeric
l Alphabetic: Only alphabetical characters
l Last Character Type: Choose one of the following:
l All: Alphabetical, numeric, or symbols
l Alphanumeric: Alphabetical or numeric
l Alphabetic: Only alphabetical characters
l Repeated Characters: Choose one of the following:
l Allow repeated characters: Any letters, numbers, or symbols can be repeated in any order, including consecutively.
l No consecutive repeated characters: No letter, number, or symbol can be repeated after itself. You can restrict the number of consecutively repeated characters later by uppercase letters, lowercase letters, numbers, symbols, or a combination of those.
l No repeated characters: All letters, numbers, or symbols can only be used once in the password.
l Alpha Character:
l Allow Uppercase: Select to allow uppercase (capital) letters.
l Minimum of [enter a number] Required Characters: Enter a number to identify the least number of uppercase letters required. To allow but not require uppercase letters, set this value at zero.
l Click Advanced to set the following:
l Limit Consecutively Repeated Uppercase Characters: If you allowed repeated characters earlier, select the check
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
419
�box to limit the number of consecutively repeated uppercase letters. You must enter a Max Allowed value of one or more.
l Excluded Characters: Enter any uppercase characters you want to exclude from the password. This field is casesensitive.
l Allow Lowercase: Select to allow lowercase (small) letters.
l Minimum of [enter a number] Required Characters: Enter a number to identify the least number of lowercase letters required. To allow but not require lowercase letters, set this value at zero.
l Click Advanced to set the following:
l Limit Consecutively Repeated Lowercase Characters: If you allowed repeated characters earlier, select the check box to limit the number of consecutively repeated lowercase letters. You must enter a Max Allowed value of one or more.
l Excluded Characters: Enter any lowercase characters you want to exclude from the password. This field is case sensitive.
l Limit Consecutively Repeated Alpha Characters: To set the number of repeated lowercase or uppercase letters combined, enter the Max Allowed.
For example, if you set the Max Allowed at 2 then you can not have more than two alphabet characters next to each other in the password. Using this example, Ab1Cd2EF is valid but AbC1d2EF is not because it has three alphabet characters in a row.
l Numeric Character:
l Allow Numeric (0-9): Select to allow numeric characters in the password.
l Minimum of [enter a number] Required Numbers: Enter a number to identify the amount of numbers required in a password. To allow but not require numbers, set this value at zero.
l Click Advanced to set the following:
l Limit Consecutively Repeated Numeric Characters: If you allowed repeated characters earlier, select the check box to limit the number of consecutively repeated numbers. You must enter a Max Allowed value of one or more.
l Excluded Characters: Enter any numbers (0 though 9) you want to exclude from the password.
l Alphanumeric Characters
l Limit Consecutively Repeated Alphanumeric Characters: If you allowed repeated characters earlier, select the check box to limit the
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
420
�number of consecutively repeated alphanumeric characters. You must enter a Max Allowed value of one or more.
l Symbols:
l Allow Symbols (e.g. @ # $ % &): Select this check box to allow characters that are printable ASCII characters. These often include: ~ ` ! @#$%^&*()_-+={}[]\|:;"'<>,.?/
l Minimum of [enter number] Required Symbols: Enter a number to identify the least number of symbols required. To allow but not require symbols, set this value at zero.
l Click Advanced to set the following:
l Limit Consecutively Repeated Symbols: If you allowed repeated characters earlier, select the check box to limit the number of symbols that can repeat consecutively. You must enter a Max Allowed value of one or more.
l Valid Symbols: Select this option to enter allowable special characters. Enter the allowable symbols in the Symbol List text box.
l Invalid Symbols: Select this option to enter prohibited special characters. Enter the prohibited symbols in the Symbol List text box.
7. Click Test Rule to check the rules set.
8. When the rules are complete, click OK.
Change Password
Change password settings are the rules Safeguard for Privileged Passwords uses to reset account passwords.
Navigate to Administrative Tools | Settings | Profile | Change Password.
The Change Password pane displays the following about the listed change password setting rules.
Table 171: Change Password: Properties
Property
Description
Name
The name of the rule.
Partition
The partition that uses the rule.
Description
Information about the rule.
Schedule
Displays the selected rule's schedule.
Use these toolbar buttons to manage the change password setting rules.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
421
�Table 172: Change Password: Toolbar
Option
Description
Add Change Password Setting
Add a change password rule. For more information, see Adding change password settings on page 422.
Delete Selected Remove the selected rule.
Refresh
Update the list of change password rules.
Edit
Modify the selected rule.
Copy
Clone the selected rule.
Adding change password settings
It is the responsibility of the Asset Administrator or the partition's delegated administrator to configure the rules Safeguard for Privileged Passwords uses to reset account passwords.
IMPORTANT: Passwords for accounts associated with a password sync group are managed based on the profile change schedule and processed via the sync group. If synchronization fails for an individual account in the sync group, the account is retried multiple times and, if failing after that, the sync task halts and is rescheduled. The administrator must correct the cause of the failure for the sync task to continue. For more information, see Password sync groups on page 427.
To add a password reset schedule
1. Navigate to Administrative Tools | Settings | Profile | Change Password. 2. Click Add Change Password Setting to open the Change Password
Settings dialog. 3. Browse to select a partition. 4. Enter a Name of up to 50 characters for the rule. 5. Enter a Description of up to 255 characters for the rule. 6. Optionally, select Change Passwords Manually.
For more information, see How do I manage accounts on unsupported platforms on page 569. 7. Click the Schedule button and choose an interval. 8. In the Schedule dialog, select Run Every to run the job along per the run details you enter. (If you deselect Run Every, the schedule details are lost.)
l Configure the following:
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
422
�To specify the frequency without start and end times, select from the following controls. If you want to specify start and end times, go to the Use Time Window selection in this section.
l Minutes: The job runs per the frequency of minutes you specify. For example, Every 30 Minutes runs the job every half hour over a 24hour period. It is recommended you do not use the frequency of minutes except in unusual situations, such as testing.
l Hours: The job runs per the minute setting you specify. For example, if it is 9 a.m. and you want to run the job every two hours at 15 minutes past the hour starting at 9:15 a.m., select Runs Every 2 Hours @ 15 minutes after the hour.
l Days: The job runs on the frequency of days and the time you enter.
For example, Every 2 Days @ 11:59:00 PM runs the job every other evening just before midnight.
l Weeks The job runs per the frequency of weeks at the time and on the days you specify.
For example, Every 2 Weeks @ 5:00:00 AM and Repeat on these days with MON, WED, FRI selected runs the job every other week at 5 a.m. on Monday, Wednesday, and Friday.
l Months: The job runs on the frequency of months at the time and on the day you specify.
For example, If you select Every 2 Months @ 1:00:00 AM along with First Saturday of the month, the job will run at 1 a.m. on the first Saturday of every other month.
l Select Use Time Windows if you want to enter the Start and End time. You
can click add or - delete to control multiple time restrictions. Each time window must be at least one minute apart and not overlap.
For example, for a job to run every ten minutes every day from 10 p.m. to 2 a.m., enter these values:
Enter Every 10 Minutes and Use Time Windows:
l Start 10:00:00 PM and End 11:59:00 AM
l Start 12:00:00 AM and End 2:00:00 AM
An entry of Start 10:00:00 PM and End 2:00:00 AM will result in an error that the end time must be after the start time.
If you have selected Days, Weeks, or Months, you will be able to select the number of times for the job to Repeat in the time window you enter.
For a job to run two times every other day at 10:30 am between the hours of 4 a.m. and 8 p.m., enter these values:
For days, enter Every 2 Days and set the Use Time Windows as Start 4:00:00 AM and End 20:00:00 PM and Repeat 2.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
423
�l Time Zone: Select the time zone.
9. Optionally, complete any of these settings:
l Change the Password Even if a Release is Active: Select this option to allow a password change even when a password release is active.
l Require Current Password: Select this option to require a current password.
l Update Service on Password Change (Windows Only): For dependent accounts that run system services, select this option to ensure that the password change is also applied to each service the account runs.
l Restart Service on Password Change (Windows Only): For dependent accounts that run system services, select this option to ensure that there is an automatic restart after the password is changed.
l Details: Click to see the Knowledge Base article to learn which systems and platform combinations are supported.
l Update IIS App Pools on Password Change (Windows Only): For dependent accounts that run IIS App pools, select this option to ensure that the password change is also applied to each IIS App pool the account runs.
l Update COM+ on Password Change (Windows Only): For dependent accounts that run COM+ applications, select this option to ensure that the password change is also applied to each COM+ application the account runs.
l Update Task on Password Change (Windows Only): For dependent accounts that run scheduled system tasks, select this option to ensure that the password change is also applied to each task the account runs.
l Suspend account when checked in (supported platforms): Select this option to automatically suspend managed accounts that are not in use. That is, the account on a managed asset is suspended until a request is made for it through Safeguard for Privileged Passwords, at which time Safeguard for Privileged Passwords restores the account. Once the request is checked in or closed, the account is again suspended.
Click the supported platforms link to display a list of platforms that support this feature.
NOTE: When managing passwords for Windows service accounts, do not select this option. Create a separate Profile with Change Password settings that do not have this option selected for managing Windows service accounts.
l Manage Password: Select this option to allow Safeguard for Privileged Passwords to rotate the password it uses to communicate with an asset configured to use SSH Key Authentication. For more information, see SSH Key on page 194.
l Manage SSH Key: Select this option to allow Safeguard for Privileged Passwords to rotate the SSH key it uses to communicate with an asset configured to use SSH Key Authentication. For more information, see SSH Key on page 194.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
424
�Check Password
Check password settings are the rules Safeguard for Privileged Passwords uses to verify account passwords.
Navigate to Administrative Tools | Settings | Profile | Check Password.
The Check Password pane displays the following about the listed check password setting rules.
Table 173: Check Password: Properties
Property
Description
Name
The name of the check password rule.
Partition
The partition that uses the rule.
Description
Information about the rule.
Schedule
Displays the selected rule's schedule.
Use these toolbar buttons to manage the check password setting rules.
Table 174: Check Password: Toolbar
Option
Description
Add Check Password Setting
Add a check password rule. For more information, see Adding check password settings on page 425.
Delete Selected Remove the selected rule.
Refresh
Update the list of check password rules.
Edit
Modify the selected rule.
Copy
Clone the selected rule.
Adding check password settings
It is the responsibility of the Asset Administrator or the partition's delegated administrator to define the rules Safeguard for Privileged Passwords uses to verify account passwords.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
425
�To add a password validation schedule
1. Navigate to Administrative Tools | Settings | Profile | Check Password.
2. Click Add Check Password Setting to open the Check Password Settings dialog.
3. Browse to select a partition.
4. Enter a Name of up to 50 characters for the rule.
5. Enter a Description of up to 255 characters for the rule.
6. Click the Schedule button and choose an interval.
7. In the Schedule dialog, select Run Every to run the job along per the run details you enter. (If you deselect Run Every, the schedule details are lost.)
l Configure the following:
To specify the frequency without start and end times, select from the following controls. If you want to specify start and end times, go to the Use Time Window selection in this section.
l Minutes: The job runs per the frequency of minutes you specify. For example, Every 30 Minutes runs the job every half hour over a 24hour period. It is recommended you do not use the frequency of minutes except in unusual situations, such as testing.
l Hours: The job runs per the minute setting you specify. For example, if it is 9 a.m. and you want to run the job every two hours at 15 minutes past the hour starting at 9:15 a.m., select Runs Every 2 Hours @ 15 minutes after the hour.
l Days: The job runs on the frequency of days and the time you enter.
For example, Every 2 Days @ 11:59:00 PM runs the job every other evening just before midnight.
l Weeks The job runs per the frequency of weeks at the time and on the days you specify.
For example, Every 2 Weeks @ 5:00:00 AM and Repeat on these days with MON, WED, FRI selected runs the job every other week at 5 a.m. on Monday, Wednesday, and Friday.
l Months: The job runs on the frequency of months at the time and on the day you specify.
For example, If you select Every 2 Months @ 1:00:00 AM along with First Saturday of the month, the job will run at 1 a.m. on the first Saturday of every other month.
l Select Use Time Windows if you want to enter the Start and End time. You
can click add or - delete to control multiple time restrictions. Each time window must be at least one minute apart and not overlap.
For example, for a job to run every ten minutes every day from 10 p.m. to 2 a.m., enter these values:
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
426
�Enter Every 10 Minutes and Use Time Windows:
l Start 10:00:00 PM and End 11:59:00 AM
l Start 12:00:00 AM and End 2:00:00 AM
An entry of Start 10:00:00 PM and End 2:00:00 AM will result in an error that the end time must be after the start time.
If you have selected Days, Weeks, or Months, you will be able to select the number of times for the job to Repeat in the time window you enter.
For a job to run two times every other day at 10:30 am between the hours of 4 a.m. and 8 p.m., enter these values:
For days, enter Every 2 Days and set the Use Time Windows as Start 4:00:00 AM and End 20:00:00 PM and Repeat 2.
l Time Zone: Select the time zone.
8. Optionally, complete either of these settings:
l Change Password on Mismatch: Select this option to automatically change a password when Safeguard for Privileged Passwords detects the password in the appliance database differs from the password on the asset.
l Notify Delegated Owners on Mismatch: Select this option to trigger a notification when Safeguard for Privileged Passwords detects a password mismatch.
NOTE: To send event notifications to a user, you must configure Safeguard for Privileged Passwords to send alerts. For more information, see Configuring alerts on page 108. Set up an email template for the Password Check Mismatch event type.
Password sync groups
A password sync group is used to control password validation and reset across all associated accounts. The same password is used for one or more accounts associated with the same or different assets. For example, synchronized passwords can be used for accounts that support clusters or systems that sync between development, test, and production. An account can belong to only one password sync group. Multiple password sync groups can be added to a partition profile.
The profile change schedule is applied to the sync group. The sync group controls the tasks to change the passwords for the accounts in the sync group. Change tasks occur in the order of password sync group account priority. If synchronization fails for an individual account in the sync group, the account is retried multiple times and, if failing after that, the sync task halts and is rescheduled. The administrator must correct the cause of the failure for the sync task to continue.
If an account is associated with a profile with a daily check schedule and also associated with a password sync group, a mismatch on the daily check will trigger a task to set the account password to the current sync group password.
For more information, see Creating a profile on page 294.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
427
�Password sync group account priority
When an account is added to a password sync group, the default priority is 0, which is the highest priority. Subsequent numbers are lower priority (for example, 0, 1, or 2, where 0 is the highest priority and 2 is the lowest). Priority determines the order in which account passwords are changed. If all accounts have the same priority, they are synchronized simultaneously. When different priorities are set, accounts at the highest priority (for example, 0) are synchronized first. If priority 0 is successful, accounts at the next priority are synchronized. If any account at a priority fails, the synchronization processing stops and the group is scheduled for synchronization retry. For example, a cluster of systems may have an admin account with the same password. If one master system is set at priority 0 and the subordinates are set at priority 1, the password change on the master must be successful before the passwords on the subordinates are changed. If the master password change fails, the subordinates are unaffected, the cluster continues to function, password change is rescheduled, and the error is logged.
Navigate to Administrative Tools | Settings | Profile | Password Sync Groups. The Password Sync Groups pane displays the following for each sync group.
Table 175: Sync Groups: Properties
Property
Description
Enable
If Enable is selected, the sync runs with the Partition Profile Change schedule.
Status
The Status displays if all account passwords are in sync with
the password sync group. The Status is if any password for any account within the sync group does not match the common password.
Name
The name of the password sync group.
Partition
The partition that uses the rule.
Profile
The profile that uses the rule.
Accounts
The number of accounts to synchronize with a common password.
Next Sync Date
The date the sync group password will be synchronized across all accounts.
Description
Information about the rule.
Use the following toolbar buttons to manage password sync groups.
NOTE: Changes made from the Password Sync Groups pane are reflected in the password sync groups in the partition profile. See Creating a profile.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
428
�Table 176: Sync Groups: Toolbar
Option
Description
Add
Add a password sync group. For more information, see Adding a password sync group on page 429.
Delete Selected Permanently remove the selected password sync group.
Refresh
Update the list of password sync groups.
Edit
Modify the selected password sync group rule. For more information, see Modifying a password sync group on page 430.
Change Sync Group Password
Change the password for the selected sync group. All accounts in the password sync group synchronize with the new password.
Adding a password sync group
The Asset Administrator or a partition's delegated administrator defines the password sync group. An account can belong to only one password sync group. To assign sync groups and related accounts when adding the profile to a partition, see Creating a profile.
To create a password sync group
1. Navigate to Administrative Tools | Settings | Profile | Password Sync Groups.
2. Click Add to open the Password Sync Group dialog.
3. Click Browse to select a Profile. The Profile name displays.
NOTE: Multiple password sync groups can be added to a profile. The profile change schedule is applied to the sync group. The sync group controls the tasks to change the passwords for the accounts in the sync group. Change tasks occur in the order of password sync group account priority . For more information, see Password sync group account priority on page 428.
4. Enter a Name of up to 100 characters.
5. Enter a Description of up to 255 characters.
6. Click Add and select one or more Accounts to be synchronized.
The Accounts list displays with the following information about the account: Name,
Parent, Service Account, Needs a Password ( if yes or Description. Click any columns to sort the accounts.
7. Click OK. The following values display:
if no), and
l Status: Displayed as if the password is not the same as the sync group,
if the password is the same, or should not be in the sync group.
if the account is ignored and possibly
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
429
�l Priority: The default is priority 0 (the highest). To change the priority, doubleclick the Priority value, enter the new priority, and click OK. For more information, see Password sync group account priority on page 428.
l System Name: Name of the system (asset) assigned that is associated with the account.
l Account Name: Name of the account.
l Last Sync Time: The date and time of the last sync.
8. Click OK.
Modifying a password sync group
You can make modifications to the account priority within a password sync group, the accounts assigned to a password sync group, or sync the selected account password.
To modify the account priority of a password sync group or perform other modifications
1. Navigate to Administrative Tools | Settings | Profile | Password Sync Groups.
2. In the Password Sync Group dialog, select the password sync group, then
click Edit. 3. Modify the Name or Description, if desired. 4. Click any column in the account list to sort the accounts.
5. To modify an account priority, select the account then click Edit. 6. Enter the Priority, then click OK. For more information, see Password sync group
account priority on page 428. 7. Perform any of the following account modifications:
l Click Add to add an account to the password sync group.
l Click Remove Selected to remove the selected account from the password sync group. This does not delete the account from Safeguard for Privileged Passwords.
l Click Refresh to update the account list.
l Click Sync Now to sync the selected account password to match the sync group password. The Status follow:
l
displays when the account password is in sync with the password
sync group.
l
displays if the password is not in sync.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
430
�Safeguard Access settings
Safeguard for Privileged Passwords allows you to configure these settings related to accessing Safeguard for Privileged Passwords. Navigate to Administrative Tools | Settings | Safeguard Access.
Table 177: Safeguard for Privileged Passwords Access settings
Setting
Description
Login Control
Where you configure the user login control settings
Password Rule
Where you configure user password complexity rules
Time Zone
Where you can set the time zone
Login Control
It is the responsibility of the Appliance Administrator to initially set up user login controls such as the number of failed sign-in attempts before locking out an account.
To configure the login controls
1. Navigate to Administrative Tools | Settings | Safeguard Access | Login Control.
2. Provide the following information:
Token Lifetime Web Client Inactivity Timeout
Lockout Duration
Set the number of minutes a user can stay logged into Safeguard for Privileged Passwords.
Range: 10 minutes to 28,800 minutes (20 days)
Default: 1,440 minutes (one day)
Set the maximum time to allow from the user's last request to the server before the user is automatically logged out. The default is 15 minutes. The minimum value is five minutes and the maximum value is 2,880 minutes (two days) if the Token Lifetime is increased to match the value. If the Token Lifetime is not increased, the token will expire before the Web Client Inactivity Timeout.
When the timeout period is met, a message displays and the user can continue or log out. If there is no response, the user is automatically logged out. The default is 15 minutes.
Set the number of minutes a locked out account remains locked.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
431
�Lockout Threshold
Lockout Window Disable After
Inform User of Disabled Account
Range: One to 9,999 minutes; A setting of 9,999 requires an administrator to manually unlock the account.
Default: 15 minutes
Set the number of consecutive failed sign-in attempts within the Lockout Window required to lock a user account.
If a user submits an incorrect password for the maximum number of times specified by the account Lockout Threshold settings within the Lockout Window, Safeguard for Privileged Passwords locks the account until the Lockout Duration period has been met.
Range: 0 to 100 failed sign-in attempts; A value of 0 (zero) indicates the user's account will never be locked due to failed log ins.
Default: Five consecutive failures
TIP: Set the Lockout Threshold to a high enough number that authorized users are not locked out of their user accounts simply because they mistype a password.
Set the duration (in minutes) in which Safeguard for Privileged Passwords increments the number of failed sign-in attempts.
Range: 0 to 15 minutes; A value of 0 (zero) means that there is no time limit to tracking failed log on attempts.
Default: 10 minutes
Set the number of days to wait before automatically disabling an inactive user account.
If a user has not logged onto Safeguard for Privileged Passwords this number of days, Safeguard for Privileged Passwords disables the user account.
NOTE: The Authorizer Administrator must also reset the user's password when re-enabling a disabled account.
Range: 14 to 365 days
Default: 365 days
Select this option to inform users when Safeguard for Privileged Passwords has disabled their account when they attempt to log in. When cleared, Safeguard for Privileged Passwords tells the user that his or her access has been denied.
NOTE: For security reasons, One Identity recommends leaving this option cleared, unless you are troubleshooting
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
432
�login and authentication problems.
A disabled user cannot sign into Safeguard for Privileged Passwords until an administrator has re-enabled his or her account. For more information, see Enabling or disabling a user on page 461.
Default: Not set
Inform User of Locked Account
Select this option to inform users when Safeguard for Privileged Passwords has locked their account when they attempt to log in. When cleared, Safeguard for Privileged Passwords tells the user that his or her access has been denied.
NOTE: For security reasons, One Identity recommends leaving this option cleared, unless you are troubleshooting login and authentication problems.
A user with a locked account cannot sign into Safeguard for Privileged Passwords until the Lockout Duration period has been met or an administrator has unlocked the account. For more information, see Unlocking a user's account on page 466.
Default: Not set
Minimum Password Set the number of days a user must wait before changing his
Age
or her password.
Range: 0 to 14 days
Default: Zero
Maximum Password Age
Set the number of days users can use their current password before they must change it.
Range: 0 to 180 days; A value of 0 (zero) indicates passwords never expire.
Default: 42 days
Password Age Reminder
Set the period of time (in days) before the Maximum Password Age limit is met and Safeguard for Privileged Passwords begins to remind the user that their password is about to expire.
Range: 0 to 30 days
Default: 14 days
Password History
Enter the number of old passwords stored by Safeguard for Privileged Passwords for user accounts. Stored passwords cannot be reused, and are replaced on a first-in, first-out basis.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
433
�NOTE: Administrators are not restricted by the password history setting. Range: 0 to 24 old passwords; A value of 0 (zero) disables password history restrictions allowing users to always reuse old passwords. Default: Five stored passwords
Password Rule
Navigate to Administrative Tools | Settings | Safeguard Access| Password Rule . Password rules define the complexity requirements for user authentication to Safeguard for Privileged Passwords. You can create rules governing the type of password a user can create, such as:
l Set the allowable password length in a range from 3 to 225 characters. l Set first characters type and last character type. l Allow uppercase letters, lowercase letters, numbers, and/or printable ASCII symbols
along with the minimum amounts of each. l Identify excluded uppercase letters, lowercase letters, numbers, and symbols. l Identify if consecutive letters, numbers, and/or symbols can be repeated
sequentially and, if allowed, set the maximum repetitions allowed. NOTE: These rules only apply to local users; they do not affect users accessing Safeguard for Privileged Passwords from an external provider such as Microsoft Active Directory. The password rules are listed in the Set password dialog. For more information, see Setting a local user's password on page 465.
Related Topics
Account Password Rules
Modifying user password requirements
It is the responsibility of the Authorizer Administrator to configure the user password rules.
To configure user password rules 1. Navigate to Administrative Tools | Settings | Safeguard Access | Password Rules. 2. Set the Password Length from 3 to 255 characters. Default: 8 to 64 characters NOTE: The maximum length must be equal to or greater than the sum of minimum
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
434
�characters described in the next step.
3. Set the character Requirements:
l Password Length: Set a range for the password allowable length from three to 255 characters. The maximum length must be equal to or greater than the sum of minimum characters required in the following steps. For example, if the password must have two uppercase letters, two lowercase letters, and two numeric characters, the minimum Password Length must be six.
l First Character Type: Choose one of the following:
l All: Alphabetical, numeric, or symbols
l Alphanumeric: Alphabetical or numeric
l Alphabetic: Only alphabetical characters
l Last Character Type: Choose one of the following:
l All: Alphabetical, numeric, or symbols
l Alphanumeric: Alphabetical or numeric
l Alphabetic: Only alphabetical characters
l Repeated Characters: Choose one of the following:
l Allow repeated characters: Any letters, numbers, or symbols can be repeated in any order, including consecutively.
l No consecutive repeated characters: No letter, number, or symbol can be repeated after itself. You can restrict the number of consecutively repeated characters later by uppercase letters, lowercase letters, numbers, symbols, or a combination of those.
l No repeated characters: All letters, numbers, or symbols can only be used once in the password.
l Alpha Character:
l Allow Uppercase: Select to allow uppercase (capital) letters.
l Minimum of [enter a number] Required Characters: Enter a number to identify the least number of uppercase letters required. To allow but not require uppercase letters, set this value at zero.
l Click Advanced to set the following:
l Limit Consecutively Repeated Uppercase Characters: If you allowed repeated characters earlier, select the check box to limit the number of consecutively repeated uppercase letters. You must enter a Max Allowed value of one or more.
l Excluded Characters: Enter any uppercase characters you want to exclude from the password. This field is casesensitive.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
435
�l Allow Lowercase: Select to allow lowercase (small) letters.
l Minimum of [enter a number] Required Characters: Enter a number to identify the least number of lowercase letters required. To allow but not require lowercase letters, set this value at zero.
l Click Advanced to set the following:
l Limit Consecutively Repeated Lowercase Characters: If you allowed repeated characters earlier, select the check box to limit the number of consecutively repeated lowercase letters. You must enter a Max Allowed value of one or more.
l Excluded Characters: Enter any lowercase characters you want to exclude from the password. This field is case sensitive.
l Limit Consecutively Repeated Alpha Characters: To set the number of repeated lowercase or uppercase letters combined, enter the Max Allowed.
For example, if you set the Max Allowed at 2 then you can not have more than two alphabet characters next to each other in the password. Using this example, Ab1Cd2EF is valid but AbC1d2EF is not because it has three alphabet characters in a row.
l Numeric Character:
l Allow Numeric (0-9): Select to allow numeric characters in the password.
l Minimum of [enter a number] Required Numbers: Enter a number to identify the amount of numbers required in a password. To allow but not require numbers, set this value at zero.
l Click Advanced to set the following:
l Limit Consecutively Repeated Numeric Characters: If you allowed repeated characters earlier, select the check box to limit the number of consecutively repeated numbers. You must enter a Max Allowed value of one or more.
l Excluded Characters: Enter any numbers (0 though 9) you want to exclude from the password.
l Alphanumeric Characters
l Limit Consecutively Repeated Alphanumeric Characters: If you allowed repeated characters earlier, select the check box to limit the number of consecutively repeated alphanumeric characters. You must enter a Max Allowed value of one or more.
l Symbols:
l Allow Symbols (e.g. @ # $ % &): Select this check box to allow characters that are printable ASCII characters. These often include: ~ ` ! @#$%^&*()_-+={}[]\|:;"'<>,.?/
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
436
�l Minimum of [enter number] Required Symbols: Enter a number to identify the least number of symbols required. To allow but not require symbols, set this value at zero.
l Click Advanced to set the following:
l Limit Consecutively Repeated Symbols: If you allowed repeated characters earlier, select the check box to limit the number of symbols that can repeat consecutively. You must enter a Max Allowed value of one or more.
l Valid Symbols: Select this option to enter allowable special characters. Enter the allowable symbols in the Symbol List text box.
l Invalid Symbols: Select this option to enter prohibited special characters. Enter the prohibited symbols in the Symbol List text box.
4. Click Test Rule to check the rules set.
5. When the rules are complete, click OK.
Time Zone
Safeguard for Privileged Passwords sets a default time zone based on the location of the person performing the set up. The time zone is expressed as UTC + or hours:minutes and is used for timed access (for example, access from 9 a.m. to 5 p.m.). It is recommended that the Bootstrap Administrator set the desired time zone on set-up. An Authorizer Administrator can also change the time zone.
To configure the time zone 1. Navigate to Administrative Tools | Settings | Safeguard Access | Time Zone. 2. Select the time zone in the Default User Time Zone drop-down menu.
Session settings
NOTE:If a Safeguard Sessions Appliance is joined to Safeguard for Privileged Passwords, sessions configuration is handled via Safeguard for Privileged Session. See the One Identity Safeguard for Privileged Sessions Administration Guide: One Identity Safeguard for Privileged Sessions - Technical Documentation. The embedded sessions module in Safeguard for Privileged Passwords allows you to issue privileged access to users for a specific period or session and gives you the ability to
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
437
�record, archive, and replay user sessions so that your company can meet its auditing and compliance requirements.
It is the responsibility of the Appliance Administrator to configure the Safeguard for Privileged PasswordsPrivileged Sessions settings.
Navigate to Administrative Tools | Settings | Sessions.
Table 178: Sessions settings
Setting
Description
Session Recordings Storage Management
Where you assign an archive server to an appliance for storing session recordings produced by that appliance.
Embedded sessions module
Where you can view the current status of the sessions module, enable debug logging, and reset the sessions module if the module is not responding and users cannot connect to their target systems.
SSH Banner
Where you define the banner text shown to session users notifying them that they are being recorded.
SSH Host Key
Where you specify the SSH key to be used for authentication to an SSH session.
Session Recordings Storage Management
NOTE:If a Safeguard Sessions Appliance is joined to Safeguard for Privileged Passwords, sessions configuration is handled via Safeguard for Privileged Session. See the One Identity Safeguard for Privileged Sessions Administration Guide: One Identity Safeguard for Privileged Sessions - Technical Documentation.
You can immediately archive session recordings from a specific Safeguard for Privileged Passwords Appliance to a specified archive target. When an archive server is configured, session recordings for that appliance are removed from the Safeguard for Privileged Passwords Appliance and stored on the archive server. Use the Session Recordings Storage Management pane to assign archive servers to your Safeguard for Privileged Passwords Appliances.
IMPORTANT: When storing session recordings locally, once the local storage reaches capacity, the oldest recordings will be deleted. When storing session recordings to an archive server, the session recording is archived to the designated server immediately upon completion. As soon as the recording is copied to the archive server, it is removed from the appliance storage.
Safeguard for Privileged Passwords allows you to play back a recording that is stored locally or on the archive server. However, if you are playing back a recording that is stored on an archive server you will need to download it before you can play it. For more information, see Replaying a session on page 133.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
438
�Navigate to Administrative Tools | Settings | Sessions | Sessions Recordings Storage Management.
Table 179: Session Recordings Storage Management: Properties
Property
Description
Appliance ID
The ID assigned to an appliance.
Archive Server Name The name of the designated archive server.
Use these toolbar buttons to manage archive server configurations for session recordings.
Table 180: Session Recordings Storage Management: Toolbar
Option
Description
Refresh
Update the list of designated archive servers being used to archive session recordings.
Assign Archive Server to Appliance
Specify the archive server to be associated with the selected appliance. Clicking this button displays the Archive Servers dialog allowing you to select the archive server where session recordings are to be stored for the selected appliance. For more information, see Assigning an archive server to an appliance on page 439.
Unassign Archive Server from Appliance
Unassign the specified archive server from the selected appliance.
Assigning an archive server to an appliance
NOTE:If a Safeguard Sessions Appliance is joined to Safeguard for Privileged Passwords, session recording is handled via Safeguard for Privileged Session.
It is recommended that you assign an archive server to each appliance in your Safeguard for Privileged Passwords deployment to store that appliance's session recordings. This best practice will prevent you from filling up the appliance's local disk space.
IMPORTANT:Clustered environment: It is highly recommended that you assign an archive server to at least the primary appliance in a clustered environment. You may also want to consider assigning an archive server to each individual appliance in the cluster.
If a replica in the cluster does not have an archive server assigned to it for its session recordings, the primary appliance will act as a proxy for archiving any recordings for that replica. If the primary appliance does not have an archive server assigned for session recordings, the following will happen:
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
439
�l Any recorded session produced by the primary appliance will remain on the primary appliance.
l All recorded sessions produced by any replica in the cluster without an assigned archive server will also remain on the primary appliance.
l Each of these recordings will be replicated to every cluster member and therefore consume a lot of disk space throughout the cluster.
Therefore, in order to avoid filling up the appliances' disk space, not only on the primary appliance but also on the replica appliances, is to ensure that at least the primary appliance has an archive server assigned for storing session recordings.
To assign an archive server to an appliance NOTE:Clustered environment: Log in to the primary appliance to assign archive servers to your primary appliance and replica appliances.
1. In Administrative Tools | Settings | Backup and Retention | Archive Servers to configure your archive servers. For more information, see Adding an archive server on page 337.
2. In Administrative Tools | Settings | Sessions | Session Recordings Storage Management to assign an archive server to the appliance. a. Select the appliance from the grid. b. Click the Assign Archive Server to Appliance toolbar button. The name of the target archive server will appear in the Archive Server Name column.
Embedded sessions module
Safeguard for Privileged Passwords has an embedded sessions module. NOTE: If a Safeguard Sessions Appliance is joined to Safeguard for Privileged Passwords, sessions configuration is handled via Safeguard for Privileged Session. See the One Identity Safeguard for Privileged Sessions Administration Guide: One Identity Safeguard for Privileged Sessions - Technical Documentation.
Navigate to Administrative Tools | Settings | Sessions | Sessions Module. From the Sessions Module pane, an Appliance Administrator can view the current status of the Safeguard for Privileged PasswordsPrivileged Sessions module and reset the embedded sessions module.
Table 181: Sessions Module controls
Control Description
Click to retrieve and update the session module's status. Refresh
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
440
�Control Description
Health Check
Click to run and display the results of the health check run against the sessions module.
An additional pane appears, displaying results for the following:
l HTTP: Checks whether Safeguard for Privileged Passwords can communicate with the sessions module via the internal web interface.
l SSH: Checks whether Safeguard for Privileged Passwords can communicate with the embedded sessions module via the internal SSH channel.
l SNMP: Checks whether Safeguard for Privileged Passwords can communicate with the embedded sessions module via the SNMP channel. It also checks whether the sessions module can report significant events back to Safeguard for Privileged Passwords via SNMP.
l Keys: Checks whether the proper keys are in place in order for the embedded sessions module to communicate back to Safeguard for Privileged Passwords.
l Internal: Checks whether the embedded sessions module can interact with Safeguard for Privileged Passwords once a session request has been made.
NOTE: The background of the Session Module Health pane changes colors indicating the current health of the embedded sessions module:
l Green: All components of the embedded sessions module are healthy (OK).
l Red: An error was encountered with at least one of the components. The error message is displayed.
Click X in the upper right corner to close the Session Module Health pane.
Module Status
Displays the current status of the Privileged Sessions module.
Reset Sessions Module
When the Privileged Sessions module is not responding and users cannot connect to their target systems, click the Reset Sessions Module button to reboot the embedded sessions module. Click Reset Now in the Reset Sessions Module confirmation dialog.
NOTE: Resetting the embedded sessions module will terminate all active sessions.
SSH Banner
NOTE:If a Safeguard Sessions Appliance is joined to Safeguard for Privileged Passwords, sessions configuration is handled via Safeguard for Privileged Session. See the One
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
441
�Identity Safeguard for Privileged Sessions Administration Guide: One Identity Safeguard for Privileged Sessions - Technical Documentation. It is the responsibility of the Appliance Administrator to define the banner text shown to session users when they initiate a privileged session. The SSH banner notifies session users that Safeguard for Privileged Passwords will record the current session.
To define the SSH banner text
1. Navigate to Administrative Tools | Settings | Sessions | SSH Banner. 2. In the Banner Text box, enter the text to be displayed to session users. 3. Click OK to save the message.
SSH Host Key
NOTE:If a Safeguard Sessions Appliance is joined to Safeguard for Privileged Passwords, sessions configuration is handled via Safeguard for Privileged Session. See the One Identity Safeguard for Privileged Sessions Administration Guide: One Identity Safeguard for Privileged Sessions - Technical Documentation.
The SSH Host Key pane allows the Appliance Administrator to verify or specify the SSH host key is presented to the user's SSH client whenever an SSH session is started.
Navigate to Administrative Tools | Settings | Sessions | SSH Host Key.
Table 182: SSH Host Key settings
Setting
Description
Fingerprint
Displays the SSH key fingerprint identifying the host to which you are currently connected.
Set New Key
Click Set New Key to set a new SSH private key for authenticating to an SSH session.
Generate New Key Pair
If you do not have an SSH key, click Generate New Key Pair to generate a new SSH key to use for authentication to an SSH session.
Download Click Download Public Key to download a public SSH key for Public Key authenticating to an SSH session.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Settings
442
�19
Users
A user is a person who can log in to Safeguard for Privileged Passwords. You can add both local users and directory users. Directory users are users from an external identity store such as Microsoft Active Directory. For more information, see Users and user groups on page 26.
Your administrator permissions determine what you can view in Users. Users displayed in a faded color are disabled. The following table shows you the tabs that are available to each type of administrator.
l Authorizer Administrator: General, History
l User Administrator: General, User Groups (directory users only), History
l Help Desk Administrator: General, History
l Auditor: General, User Groups , Partitions, Entitlements, Linked Accounts, History
l Asset Administrator: General, Partitions
l Security Policy Administrator: General, User Groups , Entitlements, Linked Accounts, History
The Authorizer Administrator typically controls the Enabled/Disabled state. For more information, see Enabling or disabling a user on page 461.
The Users view displays the following information about a selected user:
l General tab (user): Displays the authentication, contact information, location, and permissions for the selected user.
l User Groups tab (user): Displays the user groups in which the selected user is a member.
l Partitions tab (user): Displays the partitions over which the selected user is a delegated partition administrator.
l Entitlements tab (user): Displays the entitlements in which the selected user is a member; that is, an entitlement "user".
l Linked Accounts tab (user): Displays the directory accounts linked to the selected user.
l History (user): Displays the details of each operation that has affected the selected user.
Use these toolbar buttons to manage users:
Safeguard for Privileged Passwords 2.11.1 Administration Guide Users
443
�l
Add User: Add users to Safeguard for Privileged Passwords. For more
information, see Adding a user on page 451.
l
Delete Selected: Remove the selected user. For more information, see
Deleting a user on page 462.
l
Refresh: Update the list of users.
l
Import Users: Add users to Safeguard for Privileged Passwords. For more
information, see Importing objects on page 462.
l
User Security: Menu options include: Set Password and Unlock accounts. For
more information about these options, refer to Setting a local user's password and
Unlocking a user's account.
l
Permissions: Display the Permissions dialog showing what administrative
permissions apply to the selected user.
l
Search: You can search by a character string or by a selected attribute with
conditions you enter. To search by a selected attribute click Search and select an attribute to search. For more information, see Search box on page 63.
General tab (user)
The General tab lists information about the selected user. Large tiles at the top of the tab display the number of User Groups, Partitions, Entitlements, and Linked Accounts associated with the selected user, based on the user's permissions. Clicking a tile heading opens the corresponding tab. The tiles visible depend on your administrator permissions:
l All tiles are visible to the Auditor. l Partitions tile is visible to Asset Administrator. l User Groups, Entitlements, and Linked Accounts tiles are visible to Security
Policy Administrator.
Table 183: Users General tab: Authentication properties
Property
Description
Identity
Identity Provider
The source from which the user's personal information comes from and is synchronized with.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Users
444
�Property Username First Name
Description A user's display name. The user's first name.
Last Name
The user's last name.
Work Phone
The user's work telephone number.
Mobile Phone
The user's mobile telephone number.
Email Address
The user's email address.
Authentication
Authentication Provider
How the user authenticates with Safeguard for Privileged Passwords:
l Certificate: with a certificate l Local: with a user name and password l Directory name: with directory credentials
Login name
The identifier the user logs in with.
Domain Name
If the primary Authentication Provider is a directory, this indicates the directory's domain name.
Distinguished Name The distinguished name for authentication.
Secondary Authentic- If you set up a user to require secondary authentication, this
ation
indicates the name of this user's secondary authentication service
provider.
Secondary Authentic- The name of the user account on the secondary authentication
ation Username
service provider required at log in.
Location
Time Zone
The user's geographic location.
Permissions
Permissions
Lists the user's administrator permissions or "Standard User" if user does not have administrative permissions.
Description
Description
The description text entered the user information was added or updated. This may be entered on the User dialog, Identity tab in the Description text box.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Users
445
�Related Topics
Modifying a user
User Groups tab (user)
The User Groups tab displays the user groups in which the selected user is a member.
The User Groups tab is available to a user with Auditor or Security Policy Administrator permissions and to the User Administrator for directory users (not for local users).
Table 184: Users: Users Groups tab properties
Property
Description
Name
The user group name
Type
The type of group: User Group or Directory Group
Distinguished Name The distinguished name of the group
Description
Information about the selected user group
Use the following buttons on the details toolbar to manage the user groups associated with the selected user.
Table 185: Users: User Groups toolbar
Option
Description
Add User Group
Add the user to one or more user groups to the user. For more information, see Adding a user to user groups on page 459.
Remove Selected
Remove the selected user group from the selected user.
Refresh
Retrieve and display an updated list of user groups associated with the selected user.
Search
To locate a specific user group in this list, enter the character string to be used to search for a match. For more information, see Search box on page 63.
Partitions tab (user)
The Partitions tab displays the partitions over which the selected user is a delegated partition administrator. The Partitions tab is available to a user with Auditor or Asset
Safeguard for Privileged Passwords 2.11.1 Administration Guide Users
446
�Administrator permissions.
Table 186: Users: Partitions tab properties
Property
Description
Name
The partition name
Description
Information about the selected partition.
Use the following buttons on the details toolbar to manage the partitions associated with the selected user.
Table 187: Users: Partitions toolbar
Option
Description
Assign Partition(s)
Delegate the selected user as an administrator to one or more partitions. For more information, see Assigning a user to partitions on page 459.
Remove Selected
Remove the selected partition from the selected user.
Refresh
Retrieve and display an updated list of partitions associated with the selected user.
Search
To locate a specific partition in this list, enter the character string to be used to search for a match. For more information, see Search box on page 63.
Related Topics
Assigning a user to partitions
Entitlements tab (user)
The Entitlements tab displays the entitlements in which the selected user is a member. The Entitlements tab is only available to a user with Auditor or Security Policy Administrator permissions.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Users
447
�Table 188: Users: Entitlements tab properties
Property
Description
Name
The name of the entitlements in which the selected user is assigned as a user.
Access Request Policies
The number of unique access request policies in the entitlement.
Accounts
The number of unique accounts in the selected entitlement.
Users
The number of unique users in the entitlement.
User Groups
The names of the user groups that associate the selected user to the entitlement.
NOTE: If the selected user is associated with the entitlement explicitly and not through user group membership, then this column is blank and the Direct Member column is True.
Direct Member
Indicates True if the selected user was explicitly added to the entitlement as a user. For more information, see Adding users or user groups to an entitlement on page 280.
Use the following buttons on the details toolbar to manage the entitlements associated with the selected user.
Table 189: Users: Entitlements tab toolbar
Option
Description
Add Entitlement
Add the selected user as a user of one or more entitlements. For more information, see Adding a user to entitlements on page 459.
Remove Selected
Remove the user from the selected entitlement.
Refresh
Update the list of entitlements.
Details
View additional details about the selected entitlement in a pop-up window.
Search
To locate a specific entitlement or set of entitlements in this list, enter the character string to be used to search for a match. For more information, see Search box on page 63.
Linked Accounts tab (user)
The Linked Accounts tab displays the directory accounts linked to the selected user that can be used in session request policies to access the assets or accounts defined within the
Safeguard for Privileged Passwords 2.11.1 Administration Guide Users
448
�scope of the policy. Accounts can be:
l Manually: Click Add Linked Account from the details toolbar. l Automatically: See Adding a directory user group and the check box labeled
Automatically link Managed Directory Accounts.
Table 190: Users: Linked Accounts tab properties
Property Description
Name
The account name.
Domain Name
The name of the domain where the linked account resides.
Service Account
A check in this column indicates that the account is a service account.
Password A check in this column indicates that password release requests are enabled Request for the account.
Session Request
A check in this column indicates that session access requests are enabled for the account.
Needs a Displays if a password is not set for the account. For more information, Password see Checking, changing, or setting an account password on page 156.
Description Information about the selected account.
Use the following buttons on the details toolbar to manage the linked accounts associated with the selected user.
Table 191: Users: Linked Accounts tab toolbar
Option
Description
Add Linked Account
Link the user to one or more accounts. For more information, see Linking a directory account to a user on page 460.
Remove Selected
Remove the selected linked account from the selected user.
Refresh
Update the list of linked accounts.
Search
To locate a specific entitlement or set of entitlements in this list, enter the character string to be used to search for a match. For more information, see Search box on page 63.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Users
449
�History (user)
On the History tab, administrators can view or Export the details of each operation that has affected the selected use on the History tab (except for Asset Administrators). The top of the History tab contains the following information:
l Items: Total number of entries in the history log.
l
Refresh: Update the list displayed.
l
Export: Export the data to a .csv file.
l Search: For more information, see Search box on page 63.
l Time Frame: By default, the history details are displayed for the last 24 hours. Click one of the time intervals at the top of the grid to display history details for a different time frame. If the display does not refresh after selecting a different time interval, click Refresh.
Table 192: Users: History tab properties
Property
Description
Date/Time
The date and time of the event
User
The display name of the user that triggered the event
Source IP
The network DNS name or IP address of the managed system that triggered the event
Object Name
The name of the selected user.
Event
The type of operation made to the selected user:
l Create l Delete l Update l Add Membership l Remove Membership
NOTE:A membership operation indicates a "relationship" change with a related or parent object such as the selected user was added or removed from the membership of a user group or entitlement.
Related Object
The name of the related object.
Related Object Type The type of the related object.
Parent
The name of the object to which the selected user is a child.
Parent Object Type The parent object type.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Users
450
�Select an event to display this additional information for some types of events (for example, create and update events).
Table 193: Additional History tab properties
Property
Description
Property
The property that was updated
Old Value
The value of the property before it was updated
New Value
The new value of the property
Managing users
Use the controls and tabbed pages on the Users page to perform the following tasks to manage Safeguard for Privileged Passwords users:
l Adding a user l Requiring secondary authentication log in l Adding a user to user groups l Assigning a user to partitions l Adding a user to entitlements l Linking a directory account to a user l Modifying a user l Deleting a user l Importing objects l Setting a local user's password l Unlocking a user's account l Enabling or disabling a user
Adding a user
It is the responsibility of either the Authorizer Administrator or the User Administrator to add Safeguard for Privileged Passwords users.
To add a user 1. Navigate to Administrative Tools | Users. 2. In Users, click Add User from the toolbar.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Users
451
�3. In the User dialog, provide information in each of the tabs: l Identity tab (add user): Where you define the identity provider and the user's contact information. l Authentication tab (add user): Where you define the authentication provider, login name and password, if necessary. l Location tab (add user): Where you set the user's time zone. l Permissions tab (add user): Where you set the user's administrator permissions.
Related Topics
Adding users or user groups to an entitlement Adding users to a user group
Identity tab (add user)
On the Identity tab, choose an identity provider from the list of available providers. When adding a user from an external identity provider such as Microsoft Active Directory, Safeguard for Privileged Passwords imports read-only contact information from the source, however, you can change the user photo.
Use valid combinations of identity and authentication providers. For more information, see Identity and Authentication on page 394.
Table 194: User: Identity tab properties
Property
Description
Identity Provider
The source of the user's identity. Safeguard for Privileged Passwords comes with a built-in identity provider called Local that will allow you to manually enter user information that is stored directly in Safeguard for Privileged Passwords. Or you can select an Active Directory or LDAP server that you have previously configured and then browse for a user. Safeguard for Privileged Passwords will periodically synchronize with the directory to keep the information up to date.
Indicate how the user's identity is managed by Safeguard for Privileged Passwords:
l Local l Active Directory l LDAP
Browse (Active Directory or
If the identity provider is Active Directory or LDAP, click the Browse button to choose a username. The remaining fields are auto-populated.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Users
452
�Property LDAP) First Name (Local provider) Last Name (Local provider) Work Phone (Local provider) Mobile Phone (Local provider)
Email Address (Local provider)
Description (Local provider)
Description
Enter the user's first name. Limit: 30 characters; no double quotes. Enter the user's last name. Limit: 30 characters; no double quotes Enter the user's work telephone number. Limit: 30 characters Enter the user's mobile telephone number. Limit: 30 characters
NOTE: A valid mobile phone number in E.164 format is required for approvers using the Approval Anywhere feature and for twofactor authentication using Starling. However, you can use the Use alternate mobile phone number option on the Authentication tab to specify a valid mobile phone number, instead of adding it here. E.164 format: +<country code><area code><phone number> Enter the user's email address. Limit: 255 characters NOTE: Required for approvers using the Approval Anywhere feature and for two-factor authentication using Starling. Enter information about this user. Limit: 255 characters.
Authentication tab (add user)
On the Authentication tab, specify the authentication settings for the user. An authentication provider can be the same or different as the user's identity provider.
Use valid combinations of identity and authentication providers. For more information, see Identity and Authentication on page 394.
Table 195: User: Authentication tab properties
Property
Description
Authentication Provider
Indicates how this user is to authenticate to Safeguard for Privileged Passwords. The options are:
l Certificate: With a certificate
Safeguard for Privileged Passwords 2.11.1 Administration Guide Users
453
�Property
Description
NOTE:Safeguard for Privileged Passwords allows you to map a public-key certificate to a user account. You can then use the certificate to make authenticated requests to the appliance by means of the API. For more information, see How do I access the API on page 561.
l Local: With a user name and password (default)
l <Directory name>: With directory account credentials (only available if one or more directories have been added to Safeguard for Privileged Passwords, such as Active Directory or LDAP, and the identity provider of the user is also that directory).
l <External Federation service provider name>: With the credentials required by the External Federation or Radius server (only available if one or more of those authentication providers have been configured in Safeguard for Privileged Passwords).
Login name
(Local or Radius as Primary)
If using Local or Radius as Primary for authentication, enter the user's login name.
If using directory authentication, the login name is autopopulated.
Set Password
(editing an existing Local provider)
If you are editing an existing user for a Local provider, you may click Set Password to change a user's password. This button is not available when creating a new user or editing a user account from an external identity provider like Microsoft Active Directory.
Password
(adding a Local provider)
If adding a Local user, enter a password for the user. You must comply with the password requirements specified in the dialog. For more information, see Password Rule on page 434.
Certificate Thumbprint (SHA-1)
(Certificate user)
If adding a Certificate user, enter the unique hash value (40 hexadecimal characters) of the certificate. You can copy and paste the Thumbprint value directly from the certificate, including the spaces.
Email Address or Name Claim
(external federation)
If adding an external federation user account, enter the email address or name claim that will be returned from the STS of an authenticated user. A case-insensitive comparison will be performed on the value when the user is logging in.
NOTE: You must configure or ensure that the STS includes either the email address claim or name claim. Safeguard for Privileged Passwords will first look for the email address claim in the claims token. If that claim does not exist, it will use the name claim. You must create the user account in Safeguard for
Safeguard for Privileged Passwords 2.11.1 Administration Guide Users
454
�Property
Description
Privileged Passwords according to what claim is returned by your STS, with precedence given to the email address claim.
Require Certificate Authentication
(Active Directory provider)
Select this check box to require that the user logs into Safeguard for Privileged Passwords using their domain issued user certificate or SmartCard.
NOTE: This option is only available when the Authentication Provider is a Microsoft Active Directory.
Password Never Expires
Select this check box to set a password that does not expire.
Require Secondary Authentication
Select this check box to require that this user logs in to Safeguard for Privileged Passwords with two-factor authentication. For more information, see Requiring secondary authentication log in on page 457.
Then choose the Secondary Authentication Provider for this user. Use valid combinations of identity and authentication providers. For more information, see Identity and Authentication on page 394.
Login Name
(for secondary authentication; not used for FIDO2)
l When a directory is selected for secondary authentication, Browse to select the account on the secondary authentication provider this user must use when logging into Safeguard for Privileged Passwords with two-factor authentication.
l If Radius as a secondary authentication provider is selected, this value is pre-populated with the log in identifier. For more information, see Radius settings on page 404.
A best practice is to have the users log in to validate the correct user is set up.
Use alternate mobile phone number
(if Starling TwoFactor Authentication)
When Starling Two-Factor Authentication is selected, this option is available to enter an alternate Mobile phone number. The Number on file is the mobile phone number specified on the user's Identity tab.
NOTE: The Approval Anywhere and one-touch approval features require a valid mobile phone number for the user. If the user does not have their mobile number published in Active Directory, use this option to specify a valid mobile phone number for the user.
Location tab (add user)
On the Location tab, specify the user's time zone.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Users
455
�Table 196: User: Location tab properties
Property
Description
Time Zone
Select the user's time zone.
NOTE:Because Microsoft Active Directory does not have a Time Zone attribute, when you add a directory group, Safeguard for Privileged Passwords sets the default time zone for all imported accounts to (UTC) Coordinated Universal Time. To reset the time zone, open each imported account in Users and modify the Time Zone on the Location tab.
Permissions tab (add user)
On the Permissions tab, select the user's Administrator permissions, if applicable. For details on the rights for the permissions, see Administrator permissions.
Users permissions across multiple directory user groups
Users have permissions based on the directory user groups to which they are assigned. If a user is removed from a directory user group, the permissions related to that group are removed but the permissions for all other groups the user is assigned to remain in place.
User permissions on import
When a directory user group is imported, newly created Safeguard users are assigned the selected permissions. If the user exists in Safeguard, the selected permissions are added to the existing user permissions.For more information, see Adding a directory user group on page 473.
To assign permissions
When assigning permissions to a user, select the appropriate access controls. You can Select all or Select none at the bottom of the dialog.
l Authorizer: Allow the user to grant permissions to other users. This permission allows the user to change their own permissions.
l User: Allow the user to create new users, unlock and reset passwords for nonadministrative users.
l Help Desk: Allow the user to unlock and set passwords for non-administrative users. l Appliance: Allow the user to edit and update the appliance and to configure
external integration settings, such as email, SNMP, Syslog, Ticketing, and Approval Anywhere. l Operations: Allow the user to reboot and monitor the appliance. l Auditor: Allow the user read-only access. l Asset: Allow the user to add, edit, and delete partitions, assets, and accounts.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Users
456
�l Security Policy: Allow the user to add, edit, and delete entitlements and polices that control access to accounts and assets.
Requiring secondary authentication log in
You can require a user to log in using two-factor authentication by enabling the Require Secondary Authentication option in the user record.
To require a user to log in using secondary authentication
1. Setup a secondary authentication provider in Settings | External Integration | Identity and Authentication. For more information, see Adding identity and authentication providers on page 398. Or, you may use Starling 2FA. For more information, see Starling on page 408.
2. Configure the Safeguard for Privileged Passwords user to Require Secondary Authentication. For more information, see Authentication tab (add user) on page 453.
a. On the Authentication tab of a user's properties, select the Require Secondary Authentication check box.
b. Choose the Authentication Provider.
c. Depending on the type of authentication provider selected, specify the additional information this user must use when logging into Safeguard for Privileged Passwords with two-factor authentication.
3. Log in with secondary authentication.
When you log in to Safeguard for Privileged Passwords as a user which requires secondary authentication, you log in as usual, using the password that is set for the Safeguard for Privileged Passwords user account. Safeguard for Privileged Passwords then displays one or more additional login screens. Depending on how the system administrator has configured the secondary authentication provider, you must enter additional credentials for your secondary authentication service provider account, such as a secure password, security token code, or both.
NOTE:The type and configuration of the secondary authentication provider (for example, RSA SecureID, FIDO2, One Identity Starling Two-Factor Authentication, and so on) determines what you must provide for secondary authentication. Check with your system administrator for more information about how to log in to Safeguard for Privileged Passwords with secondary authentication.
For more information, see To manage your FIDO2 keys on page 82.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Users
457
�Configuring user for Starling Two-Factor Authentication when logging in to Safeguard
It is the responsibility of the Authorizer Administrator or the User Administrator to configure a user account to use two-factor authentication when logging in to Safeguard for Privileged Passwords.
TIP: If you want to use one-touch approvals, download and install the Starling 2FA app onto your mobile device.
To configure users to use Starling Two-Factor Authentication when logging in to Safeguard for Privileged Passwords
1. Log in to Safeguard for Privileged Passwords as an Authorizer Administrator or User Administrator.
2. Navigate to Administrative Tools | Users.
3. Add or edit users, ensuring the following settings are configured:
a. Authentication tab:
l Require Secondary Authentication: Select this check box.
l Authentication Provider: Select the Starling 2FA service provider.
NOTE: If the Starling 2FA service provider is not listed, you must first join Safeguard for Privileged Passwords to Starling. For more information, see Starling on page 408.
l Use alternate mobile phone number: Optionally, select this check box and enter an alternate mobile number to be used for two-factor authentication notifications.
NOTE: If you want to use one-touch approvals, this feature requires a valid mobile phone number for the user. If the user does not have their mobile number published in Active Directory, use this option to specify a valid mobile phone number for the user.
b. Contact Information tab:
l Mobile Phone: Enter a valid mobile phone number in E.164 format.
l Email Address: Enter a valid email address.
Now whenever any of these users attempt to log in to Safeguard for Privileged Passwords, after entering their password, a message appears on the login screen informing them that an additional authentication step is required.
NOTE: If the Safeguard for Privileged Passwords user is required to use Starling TwoFactor Authentication and has the Starling 2FA mobile app installed, Safeguard for Privileged Passwords sends a push notification to their mobile device where they can complete the login by pressing a button in the app. If the user does not have the Starling 2FA app, they have the option to receive a one-time password via SMS or a phone call.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Users
458
�Adding a user to user groups
It is the responsibility of the Security Policy Administrator to add users to user groups to assign to password policies.
To add a user to a user group 1. Navigate to Administrative Tools | Users. 2. In Users, select a user from the object list and open the User Groups tab. 3. Click Add User Groups from the details toolbar. 4. Select one or more groups from the list in the User Groups dialog and click OK.
If you do not see the user group you are looking for and are a Security Policy Administrator, you can click Create New in the User Groups selection dialog and add the user group. For more information about creating user groups, see Adding a user group.
Assigning a user to partitions
It is the responsibility of the Asset Administrator to select one or more users to manage the assets and accounts in a partition. Assigning a user to a partition makes that user the delegated owner of that partition, giving that person authorization to manage the assets and accounts in that partition. A delegated partition owner has a subset of the permissions that an Asset Administrator has. For more information, see Administrator permissions on page 507.
To assign a user to partitions 1. Navigate to Administrative Tools | Users. 2. In Users, select a user from the object list and open the Partitions tab. 3. Click Assign Partition(s) from the details toolbar. 4. Select one or more partitions from the list in the Partitions selection dialog and click OK.
If you do not see the partition you are looking for and are an Asset Administrator, you can click Create New in the Partitions dialog. For more information about creating partitions, see Adding a partition.
Adding a user to entitlements
It is the responsibility of the Security Policy Administrator to add users to entitlements. When you add users to an entitlement, you are specifying which people can request access governed by the entitlement's policies.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Users
459
�To add a user to entitlements 1. Navigate to Administrative Tools | Users. 2. In Users, select a user from the object list and open the Entitlements tab. 3. Click Add Entitlement from the details toolbar. 4. Select one or more entitlements from the list in the Entitlements selection dialog and click OK.
If you do not see the entitlement you are looking for and are a Security Policy Administrator, you can click Create New in the Entitlements dialog. For more information about creating entitlements, see Adding an entitlement.
Linking a directory account to a user
It is the responsibility of the Security Policy Administrator to link directory accounts to a user. Once linked, these linked accounts can be used to access assets and accounts within the scope of an access request policy.
To link a directory account to a user 1. Navigate to Administrative Tools | Users. 2. In Users, select a user from the object list and open the Linked Accounts tab. 3. Click Add Linked Account from the details toolbar. The Directory Account dialog displays, listing the directory accounts available in Safeguard for Privileged Passwords. This dialog includes the following details about each directory account listed: l Name: Displays the name of the directory account. l Domain Name: Displays the name of the domain where this account resides. l Service Account: A check mark indicates the account is a service account. l Password Request: A check mark indicates password release requests are allowed. l Session Request: A check mark indicates the account is enabled for session requests. l Needs a Password: Indicates whether the account needs a password. l Description: Displays descriptive text about the directory account. 4. Select one or more accounts from the list in the Directory Account selection dialog and click OK.
Related Topic
Adding an account
Safeguard for Privileged Passwords 2.11.1 Administration Guide Users
460
�Modifying a user
The Authorizer Administrator can modify the General information for a user. The User Administrator can modify the General information for a Help Desk User. Other administrators can view information for users. You cannot modify a directory user's contact information that is managed in the directory, such as Active Directory. If you need to add a valid mobile phone number, use the alternate mobile phone number option on the Authentication tab instead.
TIP:As a best practice, if you change a user's administrative permissions, ensure the user closes all connections to the appliance (or reboot the appliance) to prevent users from gaining access to information.
To modify a user
1. Navigate to Administrative Tools | Users. 2. In Users, select a user. Perform the following, as needed.
l On the General tab, click the Edit icon next to Identity, Authentication, Location, and Permissions or double-click the user's name to open the User dialog and update the information on the tabs.
l On the User Group tab, the Security Policy Administrator can modify a user's group membership. You can multi-select user groups to add or remove more than one user on a user's group membership.
l On the Partitions tab, the Asset Administrator can delegate partition ownership to a user.
l On the Entitlements tab, the Security Policy Administrator can add the selected user to an entitlement.
l On the Linked Accounts tab, the Security Policy Administrator can add (or remove) linked accounts associated with the user to link the user to an entitlement.
l Right-click the user and select Permissions to change permissions. l The Authorizer Administrator and the User Administrator can view or Export the
details of each operation that has affected the selected use on the History tab. For more information, see History (user) on page 450.
Enabling or disabling a user
Typically, it is the responsibility of the Authorizer Administrator to enable or disable administrator users and the User Administrator to enable or disable non-administrator users. You can modify a disabled user's information. If a directory user is disabled in the directory asset, the user cannot be enabled in Safeguard. Disabling a user prevents from logging in to Safeguard for Privileged Passwords; however, if you disable a directory user, that does not prevent that user from logging in to the directory.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Users
461
�When re-enabling a disabled account, the Authorizer Administrator must reset the user's password. Simply enabling the account does not permit the user to log in with the previous password.
You configure the number of days you want Safeguard for Privileged Passwords to wait before automatically disabling an inactive user account in the Disable After Login Control Setting. For more information, see Login Control on page 431.
To enable or disable a user
1. Navigate to Administrative Tools | Users.
2. In Users, select a user from the object list.
3. In the upper-right corner of the window, click Enabled (
(
toggle off) to toggle to the setting.
toggle on) or Disabled
Deleting a user
Typically, it is the responsibility of the Authorizer Administrator to delete administrator users and the User Administrator to delete non-administrator users.
IMPORTANT: When you delete a local user, Safeguard for Privileged Passwords deletes the user permanently. If you delete a directory user that is part of a directory user group, the next time it synchronizes its database with the directory, Safeguard for Privileged Passwords will add it back in. As a best practice, disable the directory user instead of deleting the account. For more information, see Enabling or disabling a user on page 461.
To delete a user
1. Navigate to Administrative Tools | Users. 2. In Users, select a user from the object list. 3. Click Delete Selected. 4. Confirm your request.
Importing objects
Safeguard for Privileged Passwords allows you to import a .csv file containing a set of accounts, assets, or users. A .csv template for import can be downloaded when you click Import from the toolbar. For more information, see Creating an import file on page 155. Once an import is completed, you can navigate to the Tasks pane in the Toolbox for details about the import process and invalid data messages. For more information, see Viewing task status on page 136.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Users
462
�To import objects
1. In Administrative Tools, click Assets, Accounts, or Users based on what data you are importing.
2. Click Import from the toolbar.
3. In the Import dialog, Browse to select an existing .csv file containing a list of objects to import.
4. When importing assets, the Discover SSH Host Keys option is selected by default indicating that Safeguard will retrieve the required SSH host key for the assets specified in the .csv file.
5. Click OK.
Safeguard for Privileged Passwords imports the objects into its database.
NOTE:Safeguard for Privileged Passwords does not add an object if any column contains invalid data in the .csv file, with the following exceptions:
l Assets PlatformDisplayName property:
1. If Safeguard for Privileged Passwords does not find an exact match, it looks for a partial match. If it finds a partial match, it supplies the <platform> Other platform, such as Other Linux.
2. If it does not find a partial match, it supplies the Other platform type.
l Users TimeZoneId property:
1. If Safeguard for Privileged Passwords does not find a valid TimeZoneId property (that is, does not find an exact match or no time zone was provided), it uses the local workstation's current time zone.
NOTE: Do not enter numbers or abbreviations for the TimeZoneId.
l Users Password property:
1. Safeguard for Privileged Passwords adds a user without validating the password you provide.
Details for importing directory assets, service accounts, users, and user groups
You can use the steps like those above to import your existing directory infrastructure (such as Microsoft Active Directory). Additional information specific to directory import follows.
1. Import the directory (and service account) via Administrative Tools | Assets |
Import Asset and browse to select the .csv file. Safeguard for Privileged Passwords imports the directory as an asset.
The directory's service account is automatically added to the list of accounts you can viewed via the Assets | Accounts tab.
l By default, the service account password is automatically managed according to the check and change settings in the profile that governs the partition. For more information, see Creating a profile on page 294. If you do not want
Safeguard for Privileged Passwords 2.11.1 Administration Guide Users
463
�Safeguard for Privileged Passwords to manage the service account password, assign the account to a profile that is set to never change passwords. For more information, see Assigning assets or accounts to a partition profile on page 297.
l The service account is added to the asset's Accounts tab and is disabled for password request and session request. For more information, see Accounts tab (asset) on page 178.
l To change either setting, navigate to Administrative Tools | Accounts and double-click the account. Then select the following check boxes, as desired: Enable Password Request and Enable Session Request. For more information, see General tab (account) on page 139.
2. Import users and user groups.
a. Import directory users via Administrative Tools | Users | Import Users and browse to select the .csv file.
b. Assign to user groups via Administrative Tools | Users Groups | Users (select one or multiple users).
c. Automatic synchronization: Once you import directory users and directory groups, Safeguard for Privileged Passwords automatically synchronizes the objects in its database with the directory schema attributes. User and group membership changes in the directory are reflected in Safeguard for Privileged Passwords. Directory users authenticate to Safeguard for Privileged Passwords with their directory credentials.
Active Directory and LDAP synchronization
Active Directory and LDAP data is automatically synchronized by asset or identity and authentication providers schema as shown in the following lists.
Asset schema list
l Users
l Username
l Password (modifiable in LDAP and not modifiable in Active Directory)
l Description
l Groups
l Name
l Member
l Computer
l Name
l Network Address
l Operating System
l Operating System Version
l Description
Identity and Authentication Providers schema list
Safeguard for Privileged Passwords 2.11.1 Administration Guide Users
464
�l Users l Username l First Name l Last Name l Work Phone l Mobile Phone l Email l Description l External Federation Authentication l Radius Authentication l Managed Objects
l Groups l Name l Members l Description
Setting a local user's password
It is primarily the responsibility of the Authorizer Administrator to set passwords for administrators. The User Administrator and Help Desk Administrator set passwords for non-administrator local users. These administrators can only set passwords for local users. Directory user passwords are maintained in an external provider, such as Microsoft Active Directory.
To set a local user's password 1. Navigate to Administrative Tools | Users. 2. Select a local user from the object list and perform one of the following: l Right-click, and select Set Password from the context menu. l Click User Security and select Set Password.
l On the General tab next to Authentication, click Set Password.
Edit and click
3. In the Set Password dialog, enter the new password and click OK. You must comply with the password requirements specified in the dialog. For more information, see Password Rule on page 434.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Users
465
�Unlocking a user's account
If you are unable to log in, your account may have become "locked" and is therefore disabled. For example, if you enter a wrong password for the maximum number of times specified by the account Lockout Threshold settings, Safeguard for Privileged Passwords locks your account. For more information, see Login Control on page 431.
Typically, it is the responsibility of the Authorizer Administrator to unlock administrator accounts, and the User Administrator and Help Desk Administrator to unlock nonadministrator local users.
To unlock a user's account There are two ways to unlock a user account:
l In Users, select a "locked" user, right-click, and select context menu.
l Click User Security and select Unlock.
Unlock from the
Safeguard for Privileged Passwords 2.11.1 Administration Guide Users
466
�20
User Groups
Safeguard for Privileged Passwords allows you to add both local user groups (a set of local users) and directory groups (a set of directory accounts) to User Groups. The Security Policy Administrator can add a group of users to an entitlement to authorize them to request access to the accounts and assets governed by the entitlement's access request policies. User Groups is available to the Authorizer Administrator, User Administrator, Security Policy Administrator, and the Auditor. However, it is only available to the Authorizer Administrator and User Administrator if a directory has been added to Safeguard for Privileged Passwords. The User Groups view displays the following information about the selected user or directory group.
l General tab (user groups): Displays general information about the selected user group.
l Users tab (user groups): Displays the members of the selected group. l Entitlements tab (user groups): Displays the entitlements to which the users
associated with the selected user group are users. l History (user): Displays the details of each operation that has affected the
selected group.
Use these toolbar buttons to manage users.
Add User Groups: Add user groups to Safeguard for Privileged Passwords. For more information, see Adding a user group on page 472.
Add Directory Group: Add a directory user group to Safeguard for Privileged Passwords. For more information, see Adding a directory user group on page 473.
Delete Selected: Remove the selected user group. For more information, see Deleting a user group on page 478.
Refresh: Update the list of user groups.
Search: You can search by a character string or by a selected attribute with conditions you enter. To search by a selected attribute click Search and select an attribute to search. For more information, see Search box on page 63.
Safeguard for Privileged Passwords 2.11.1 Administration Guide User Groups
467
�Related Topics
Modifying a user group Adding users or user groups to an entitlement
General tab (user groups)
The General tab lists information about the selected user group.
Large tiles at the top of the tab display the number of Users in the selected group and, when applicable, the number of Entitlements to which the selected group is an entitlement member or user. Clicking a tile heading opens the corresponding tab.
NOTE: The Entitlements tile is only visible to the Auditor and Security Policy Administrator.
Navigate to Administrative Tools | User Groups | General.
Table 197: User Groups General tab: General properties
Property
Description
Name
The group name.
Distinguished Name (directory user group)
The distinguished name of the group.
Primary Authentication Provider (directory user group)
The name of the authentication provider (for example, the name of an external provider such as a Microsoft Active Directory domain name).
Permissions (directory user group)
Lists the user's administrator permissions or "Standard User" if user does not have administrative permissions.
Related Topics
Modifying a user group
Users tab (user groups)
The Users tab displays the members of the selected group. Click Add User from the details toolbar to add one or more users to the selected local user group.
Safeguard for Privileged Passwords 2.11.1 Administration Guide User Groups
468
�NOTE: For directory groups, group membership is read-only. That is, you cannot add or remove users from a directory group using the Users tab.
Navigate to Administrative Tools | User Groups | Users.
Table 198: User Groups: Users tab properties
Property
Description
User Name
The user's display name.
Name
The user's first and last name, if the information exists in the user's properties; otherwise, the user's display name.
Provider
The name of the authentication provider: Local, Certificate, or the name of an external provider such as a Microsoft Active Directory domain name.
Distinguished Name The distinguished name of the user.
Use these buttons on the details toolbar to manage the users in your user groups.
Table 199: User Groups: Users tab toolbar
Option
Description
Add User
Add one or more users to the selected user group. For more information, see Adding users to a user group on page 476.
Remove Selected
Remove the selected user from the user group.
Refresh
Update the list of users in the user groups.
Details
View additional details about the selected user.
Search
To locate a specific user or set of users in this list, enter the character string to be used to search for a match. For more information, see Search box on page 63.
Related Topics
Adding users to a user group Modifying a user group
Entitlements tab (user groups)
The Entitlements tab displays the entitlements to which the users associated with the selected user group are users.
Safeguard for Privileged Passwords 2.11.1 Administration Guide User Groups
469
�NOTE: The Entitlements tab is only available to a user with Auditor or Security Policy Administrator permissions.
Click Add Entitlement to add the selected user group as a user of one or more entitlements.
Navigate to Administrative Tools | User Groups | Entitlements.
Table 200: User Groups: Entitlements tab properties
Property
Description
Name
The name assigned to the entitlement.
Accounts
The number of unique accounts in this entitlement.
Users
The number of unique users and user groups in this entitlement.
Access Request Policies
The number of unique policies in this entitlement.
Use these buttons on the details toolbar to manage the entitlements associated with the selected user group.
Table 201: User Groups: Entitlements tab toolbar
Option
Description
Add Entitlement
Add the selected user group to one or more entitlements. For more information, see Adding a user group to an entitlement on page 477.
Remove Selected
Remove the user group from the selected entitlement.
Refresh
Update the list of entitlements.
Details
View additional details about the selected entitlement.
Search
To locate a specific entitlement or set of entitlements in this list, enter the character string to be used to search for a match. For more information, see Search box on page 63.
Related Topics
Adding a user group to an entitlement Modifying a user group
Safeguard for Privileged Passwords 2.11.1 Administration Guide User Groups
470
�History tab (user groups)
The History tab allows you to view or export the details of each operation that has affected the selected group. The top of the History tab contains the following information:
l Items: Total number of entries in the history log.
l
Refresh: Update the list displayed.
l
Export: Export the data to a .csv file.
l Search: For more information, see Search box on page 63.
l Time Frame: By default, the history details are displayed for the last 24 hours. Click one of the time intervals at the top of the grid to display history details for a different time frame. If the display does not refresh after selecting a different time interval, click Refresh.
Navigate to Administrative Tools | User Groups | History.
Table 202: User Groups: History tab properties
Property
Description
Date/Time
The date and time of the event
User
The display name of the user that triggered the event
Source IP
The network DNS name or IP address of the managed system that triggered the event
Object Name
The name of the selected group
Event
The type of operation made to the selected user group:
l Create l Delete l Update l Add Membership l Remove Membership l Directory Group Sync Complete
NOTE: A membership operation indicates a relationship change with a related or parent object such as a user was added or removed from the membership of the selected user group or the selected group was added or removed from an entitlement.
Related Object
The name of the related object
Safeguard for Privileged Passwords 2.11.1 Administration Guide User Groups
471
�Property
Description
Related Object Type The type of the related object
Parent
The name of the object to which the selected user group is a child
Parent Object Type The parent object type
Select an event to display this additional information for some types of events (for example, create and update events).
Table 203: Additional History tab properties
Property
Description
Property
The property that was updated
Old Value
The value of the property before it was updated
New Value
The new value of the property
Managing user groups
Use the controls and tabbed pages on the User Groups page to perform the following tasks to manage Safeguard for Privileged Passwords user groups:
l Adding a user group l Adding a directory user group l Adding users to a user group l Adding a user group to an entitlement l Modifying a user group l Deleting a user group
Adding a user group
It is the responsibility of the Security Policy Administrator to add groups of local users to Safeguard for Privileged Passwords.
NOTE: It is the responsibility of the Authorizer Administrator or the User Administrator to add directory groups. For more information, see Adding a directory user group on page 473.
Safeguard for Privileged Passwords 2.11.1 Administration Guide User Groups
472
�To add a user group 1. Navigate to Administrative Tools | User Groups. 2. Click Add User Groups from the toolbar. 3. In the User Groups dialog, enter the following information: a. Name: Enter a unique name for the user group. Limit: 50 characters b. Description: (Optional) Enter information about this user group. Limit: 255 characters
Related Topics
Adding users to a user group
Adding a directory user group
An Asset Administrator (or delegate) must: 1. Add a directory asset. 2. Add the domain as an identity provider via Settings | External Integration | Identity and Authentication. For more information, see Identity and Authentication on page 394.
Next, the Authorizer Administrator or the User Administrator can add directory user groups. The Security Policy Administrator can add local user groups. For more information, see Adding a user group on page 472.
Import consideration
All users who are part of a directory import user group must have complete and valid attributes. If the attributes for a user are not complete and valid, the user is not imported and the import continues. For example, if you set the directory user group authentication properties to require secondary authentication and use the Starling 2FA provider, each user's email address and mobile phone number attributes must have values to be included during the import.
Port
The standard global catalog port, 3268 (LDAP), must be open on the firewall for every Windows global catalog server in the environment and SPP Appliance to communicate for directory management tasks (for example, adding a directory account, a directory user account, or a directory user group). LDAP uses port 389 for unencrypted connections. For more information, see the Microsoft publication How the Global Catalog Works.
Safeguard for Privileged Passwords 2.11.1 Administration Guide User Groups
473
�Time
Because Microsoft Active Directory does not have a Time Zone attribute, when you add a directory user group, Safeguard for Privileged Passwords sets the default time zone for all imported accounts to (UTC) Coordinated Universal Time. To reset the time zone, open each imported account in Users and modify the Time Zone on the Location tab.
To add a directory user group
1. Navigate to Administrative Tools | User Groups.
2. Click Add Directory Group from the toolbar.
3. In the Directory Group tab:
a. Select a directory.
b. In the Contains field, enter a full or partial directory group name and click Search.
To search for a directory group, you must enter text into the search box. The text search is not case-sensitive and does not allow wild cards. Safeguard for Privileged Passwords searches each domain of a forest. You can search on partial strings. For example, if you enter "ad" in the search box, it will find any directory group that contains "ad."
c. Browse to select a container within the directory as the Filter Search Location.
d. The Include objects from sub containers check box is selected by default indicating that child objects will be included in your search. Clear this check box to exclude child objects from your search.
e. Select a group name from the results displayed in the Select the group to add grid.
f. At the bottom of the Directory Group dialog, select the Automatically link Managed Directory Accounts check box to have existing managed directory accounts set as linked accounts on the imported user. For details on linked accounts, see Linked Accounts tab (user).
Based on the setting of the directory asset's Managed Objects attribute, the attribute values are used to match up with existing managed directory accounts in Safeguard. The Safeguard user's set of linked accounts will periodically synchronize with the directory and be overwritten with the values from the directory. Any changes to the linked accounts made manually to the user are lost at the next directory synchronization (see Sync additions every under Management tab (add asset)).
4. In the Authentication tab, set the primary and secondary authentication. If you are importing users, Safeguard sets the primary and secondary authentication providers for new users. If a directory user group member already exists as a user in Safeguard, their authentication properties are not changed. To change authentication settings on existing Safeguard users that are members of the group, you must manually invoke the /UserGroups/{id}/SynchronizeAndUpdateProviders API method. Directory groups require the forest root domain to be visible and available for
Safeguard for Privileged Passwords 2.11.1 Administration Guide User Groups
474
�identity and authentication set on Administrative Tools | Settings | External Integration | Identity and Authentication. For more information, see Available Domains for Identity and Authentication (for Active Directory) on page 400.
a. The Authentication Provider field defaults to the directory (or the forest root name for Active Directory) from which the group came.
All newly created Safeguard users that are imported from the directory user group will have their primary authentication provider set to use the directory domain from which their user originates. For an Active Directory forest with multiple domains, the domains must be marked as Available Domains for Identity and Authentication. If a user is a member of a group, but their domain is not marked as Available for Identity and Authentication, the user will not be imported. For more information, see Adding identity and authentication providers on page 398.
You can use either an External Federation or Radius server as each user's primary authentication provider. During an import process, the directory attribute that was specified for External Federation Authentication or Radius Authentication will be used to set the user's Email Address or Name Claim (for External Federation) or Login name (for Radius) property. See the External Federation settings attribute and Radius settings attribute for more information.
b. Select the Require Certificate Authentication check box to require that the user logs in to Safeguard using their domain issued user certificate or SmartCard. This option is only available when the directory user group comes from Microsoft Active Directory and the Authentication Provider is also set as that directory.
c. You can require the user to log in with two-factor authentication. Users being imported must have their contact information complete in order to successfully create a user in Safeguard. For example, their mobile phone attribute must contain a valid phone number in E.164 format when using Starling 2FA as the secondary authentication provider.
i. Select the Require Secondary Authentication check box. For more information, see Requiring secondary authentication log in on page 457.
ii. Choose the secondary Authentication Provider for all users of the directory user group. Use valid combinations of identity and authentication providers. For more information, see Identity and Authentication on page 394.
5. On the Permissions tab, select any administration permissions to be assigned to each member of the user group. Newly created Safeguard users are assigned the selected permissions. If the user exists in Safeguard, the selected permissions are added to the existing user permissions. A user's permissions include all permissions for every directory user group to which they are assigned. For more information, see the Permissions tab (add user) under Managing Users.
Safeguard for Privileged Passwords 2.11.1 Administration Guide User Groups
475
�When rerunning a directory user group import or during the periodic directory synchronization, a Safeguard user may be identified as no longer a member of a directory user group that was imported. In this case, the administrator permissions assigned to the group are removed from the user, regardless of whether they were added to the user during the group import process or if they were manually added to the user. If the user is a member of another directory user group, any overlapping administrator permissions will remain assigned to the user.
IMPORTANT: Any user imported through a directory group will not have Directory permissions. You will need to manually assign the user to a partition. For more information, see Partitions tab (user) on page 446. 6. Click Add Group. On an import, the directory user group is created and the assigned users appear when the import process is complete. 7. After adding the information, you can edit the following directory group settings and the directory synchronization process will be triggered in the background.
l Directory Group tab: Select or clear the Automatically link Managed Directory Accounts check box.
l Authentication tab: Change the authentication providers. NOTE: Changing the authentication providers will only effect newly imported users. Existing users will not have their authentication providers updated. To change authentication settings on existing Safeguard users that are members of the group, you must manually invoke the /UserGroups/ {id}/SynchronizeAndUpdateProviders API method.
l Permissions tab: Change the permissions.
Adding users to a user group
It is the responsibility of the Security Policy Administrator to associate both local or directory users to user groups. User groups belong to the identity group. You can not add or remove users to or from a directory user group. This has to be done in Active Directory on the Directory Group object represented.
Table Section Outside Table: NOTE: Directory group membership is still maintained in the directory, such as Active Directory.
To add users to a user group
1. Navigate to Administrative Tools | User Groups. 2. In User Groups, select a user group from the object list and open the Users tab. 3. Click Add User from the details toolbar. 4. Select one or more users from the list in the Users selection dialog and click OK.
IMPORTANT: You cannot add a group to a user group's membership; group
Safeguard for Privileged Passwords 2.11.1 Administration Guide User Groups
476
�membership cannot be nested. If you do not see the user you are looking for and you have Authorizer Administrator or User Administrator permissions, you can click Create New to create users. For more information, see Adding a user.
Adding a user group to an entitlement
When you add user groups to an entitlement, you are specifying which people can request access to the accounts and assets governed by an entitlement's policies. It is the responsibility of the Security Policy Administrator to add user groups to entitlements.
To add a user group to entitlements 1. Navigate to Administrative Tools | User Groups. 2. In User Groups, select a user group from the object list and open the Entitlements tab. 3. Click Add Entitlement from the details toolbar. 4. Select one or more entitlements from the Entitlements selection dialog and click OK.
If you do not see the entitlement you are looking for and you have Security Policy Administrator permissions, you can click Create New and add the entitlement. For more information about creating entitlements, see Adding an entitlement.
Modifying a user group
Only the Security Policy Administrator can modify user groups.
To modify a user group 1. Navigate to Administrative Tools | User Groups. 2. In User Groups, select a user group. 3. Select the view of the user group's information you want to modify (General, Users, or Entitlements). For example: l To change a local user group's name or description, double-click the General information box on the General tab or click the Edit icon. NOTE: You can double-click a user group name to open the General settings edit window.
Safeguard for Privileged Passwords 2.11.1 Administration Guide User Groups
477
�l To add (or remove) users to the selected local user group, click the Users tab. You can multi-select members to add or remove more than one from a user group.
l To add (or remove) the selected user group to an entitlement, click the Entitlements tab.
4. To view or export the details of each operation that has affected the selected user group, switch to the History tab. For more information, see History tab (user groups) on page 471.
Deleting a user group
It is the responsibility of the Security Policy Administrator to delete groups of local users from Safeguard for Privileged Passwords. It is the responsibility of the Authorizer Administrator or the User Administrator to delete directory groups. When you delete a user group, Safeguard for Privileged Passwords does not delete the users associated with it.
To delete a user group 1. Navigate to Administrative Tools | User Groups. 2. In User Groups, select a user group from the object list. 3. Click Delete Selected. 4. Confirm your request.
Safeguard for Privileged Passwords 2.11.1 Administration Guide User Groups
478
�21
Disaster recovery and clusters
Safeguard for Privileged Passwords Appliances can be clustered to ensure high availability. Clustering enables the recovery or continuation of vital technology infrastructure and systems following a natural or human-induced disaster. This reduces down time and data loss.
Another benefit of clustering is load distribution. Clustering in a managed network ensures the load is distributed to ensure minimal cluster traffic and to ensure appliances that are closest to the target asset are used to perform the task. The Appliance Administrator defines managed networks (network segments) to effectively manage assets, account, and service access requests in a clustered environment to distribute the task load.
Primary and replica appliances
A Safeguard for Privileged Passwords cluster consists of three or five appliances. An appliance can only belong to a single cluster. One appliance in the cluster is designated as the primary. Non-primary appliances are referred to as replicas. All vital data stored on the primary appliance is also stored on the replicas. In the event of a disaster, where the primary appliance is no longer functioning, you can promote a replica to be the new primary appliance. Network configuration is done on each unique appliance, whether it is the primary or a replica.
The replicas provide a read-only view of the security policy configuration. You cannot add, delete, or modify the objects or security policy configuration on a replica appliance. You can perform password change and check operations and make password release and session access requests. Users can log in to replicas to request access, generate reports, or audit the data. Also, passwords and sessions can be requested from any appliance in a Safeguard cluster.
Supported cluster configurations
Current supported cluster configurations follow.
l 3 Node Cluster (1 Primary, 2 Replicas): Consensus is achieved when two of the three appliances are online and able to communicate. Valid states are: Online or ReplicaWithQuorum. For more information, see Appliance states on page 502.
l 5 Node Cluster (1 Primary, 4 Replicas): Consensus is achieved when three of the five appliances are online and able to communicate. Valid states are: Online or ReplicaWithQuorum. For more information, see Appliance states on page 502.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Disaster recovery and clusters
479
�Consensus and quorum failure
Some maintenance tasks require that the cluster has consensus (quorum). Consensus means that the majority of the members (primary or replica appliances) are online and able to communicate. Valid states are: Online or ReplicaWithQuorum. For more information, see Appliance states on page 502. Supported clusters have an odd number of appliances so the cluster has a consensus equal to or greater than 50% of the appliances are online and able to communicate. If a cluster loses consensus (also known as a quorum failure), the following automatically happens:
l The primary appliance goes into Read-only mode. l Password check and change is disabled.
When connectivity is restored between a majority of members in a cluster, consensus is automatically regained. If the consensus members include the primary appliance, it automatically converts to read-write mode and enables password check and change.
Health checks and diagnostics
The following tools are available to perform health checks and diagnose the cluster and appliances.
l Perform a health check to monitor cluster health and appliance states. For more information, see Maintaining and diagnosing cluster members on page 485.
l Diagnose the cluster and appliance. You can view appliance information, run diagnostic tests, view and edit network settings, and generate a support bundle. For more information, see Diagnosing a cluster member on page 492.
Shut down and restart an appliance
You can shut down and restart an appliance.
l Shut down an appliance. For more information, see Shutting down the appliance on page 309.
l Restart an appliance. For more information, see Restarting the appliance on page 310.
Run access request workflow on an isolated appliance in Offline Workflow Mode
You can enable Offline Workflow Mode either automatically or manually to force an appliance that no longer has quorum to process access requests using cached policy data in isolation from the remainder of the cluster. The appliance will be in Offline Workflow Mode.
l For general information on Offline Workflow Mode, see About Offline Workflow Mode. l To manually enable offline workflow or manually resume online workflow, see
Manually control Offline Workflow Mode.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Disaster recovery and clusters
480
�l To configure automatic Offline Workflow Mode and, optionally, automatically Resume Online Workflow, see Offline Workflow (automatic). When automation is turned on, you can still also manually control Offline Workflow Mode.
Primary appliance failure: failover and backup restore
If a primary is not communicating, perform a manual failover. If that is not possible, you can use a backup to restore an appliance.
l Failover: If the primary is not communicating, you can perform a manual failover if there is a quorum (the majority has consensus). For more information, see Failing over to a replica by promoting it to be the new primary on page 491.
l Backup restore: Perform a backup restore if no appliance can be restored using failover. For more information, see Using a backup to restore a clustered appliance on page 495.
Unjoin and activate
If the cluster appliances are able to communicate, you can unjoin the replica, then activate the primary so replicas can be joined.
l You can unjoin a replica in any state and place it in Standalone Read-only mode (StandaloneReadOnly state). For more information, see Unjoining replicas from a cluster on page 483.
l You can activate an appliance that has been been unjoined and placed in Standalone Read-only mode (StandaloneReadOnly state) if the appliance is not managed in anther Safeguard cluster. For more information, see Activating a read-only appliance on page 492.
Cluster reset
If the appliance is offline or the cluster members are unable to communicate, you must use Cluster Reset to rebuild the cluster. If there are appliances that must be removed from the cluster but there is no quorum to safely unjoin, a cluster reset force-removes nodes from the cluster. For more information, see Resetting a cluster that has lost consensus on page 497.
Factory reset
Perform a factory reset to recover from major problems or to clear the data and configuration settings on a hardware appliance. All data and audit history is lost and the hardware appliance goes into maintenance mode. You can perform a factory reset from:
l The desktop client. For more information, see Performing a factory reset on page 498.
l The Recovery Kiosk. For more information, see Factory reset from the Recovery Kiosk on page 553.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Disaster recovery and clusters
481
�l The virtual appliance Support Kiosk. For more information, see Support Kiosk on page 49.
Enrolling replicas into a cluster
Prior to the Appliance Administrator enrolling cluster members into a Safeguard for Privileged Passwords cluster, review the enrollment considerations that follow.
Considerations to enroll cluster members
l If there is an appliance in Offline Workflow Mode, resume online operations before adding another replica. For more information, see About Offline Workflow Mode on page 486.
l Update all appliances to the same appliance build (patch) prior to building your cluster. During the cluster patch operation, access request workflow is available so authorized users can request password releases and session access.
l To enroll an appliance into a cluster, the appliance must communicate over port 655 UDP/TCP and port 443 TCP, and must have IPv4 or IPv6 network addresses (not mixed).For more information, see Safeguard ports on page 587.
l You can only enroll replica appliances to a cluster when logged in to the primary appliance (using an account with Appliance Administrator permissions).
l You can only add one appliance at a time. The maintenance operation must be complete before adding additional replicas.
l Enrolling a replica can take as little as five minutes or as long as 24 hours depending on the amount of data to be replicated and your network.
l During an enroll replica operation, the replica appliance goes into Maintenance mode. The existing members of the cluster can still process access requests as long as the member has quorum. On the primary appliance, you will see an enrolling notice in the status bar of the cluster view, indicating that a cluster-wide operation is in progress. This cluster lock prevents you from doing additional maintenance activities. Once the maintenance operation (enroll replica operation) is complete, the diagram in the cluster view (left pane) shows the link latency on the connector. The appliances in the cluster are unlocked and users can once again use the features available in Safeguard for Privileged Passwords. TIP: The Activity Center contains events for the start and the completion of the enrollment process.
l The primary appliance's objects and security policy configuration are replicated to all replica appliances in the cluster. Any objects (such as users, assets, and so on) or security policy configuration defined on the replica will be removed during enroll.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Disaster recovery and clusters
482
�Existing configuration data from the primary will be replicated to the replica during the enroll. Future configuration changes on the primary are replicated to all replicas.
To enroll a replica
1. It is recommended that you make a backup of your primary appliance before enrolling replicas to a cluster.
2. Log in to the primary appliance as an Appliance Administrator. 3. In Administrative Tools, navigate to Settings | Cluster | Cluster
Management. 4. Click Add Replica to join a Safeguard for Privileged Passwords Appliance
to a cluster. 5. In the Add Replica dialog, enter a network DNS name or the IP address of the
replica appliance into the Network Address field, and click Connect. 6. Safeguard for Privileged Passwords connects to the replica and displays the login
screen for the replica appliance. a. Enter a valid account with Appliance Administrator permissions. b. In the Add Replica confirmation dialog, enter the words Add Replica and click OK to proceed with the operation.
Safeguard for Privileged Passwords displays (synchronizing icon) and (lock icon) next to the appliance it is enrolling and puts the replica appliance in Maintenance mode while it is enrolling into the cluster. On all of the appliances in the cluster, you will see an "enrolling" banner at the top of the cluster view, indicating that a cluster-wide operation is in progress and all appliances in the cluster are locked down. Once the maintenance operation (enroll replica operation) is complete, the diagram in the cluster view (left pane) shows the link latency on the connector. The appliances in the cluster are unlocked and users can once again make access requests. 7. Log in to the replica appliance as the Appliance Administrator. Notice that the appliance has a state of Replica (meaning it is in a Read-Only mode) and contains the objects and security policy configuration defined on the primary appliance.
Unjoining replicas from a cluster
Safeguard for Privileged Passwords allows the Appliance Administrator to unjoin replica appliances from a cluster. Prior to unjoining a replica from a Safeguard for Privileged Passwords cluster, review the unjoin considerations that follow.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Disaster recovery and clusters
483
�Considerations to unjoin cluster members
l You can only unjoin replica appliances from a cluster.
l To promote a replica to be the new primary and then unjoin the 'old' primary appliance, you can use the Failover option if the cluster has consensus (the majority of the appliances are online and able to communicate). For more information, see Failing over to a replica by promoting it to be the new primary on page 491. If the cluster does not have consensus, use the Cluster Reset option to rebuild your cluster. For more information, see Resetting a cluster that has lost consensus on page 497.
l To perform an unjoin operation, the replica appliance to be unjoined can be in any state; however, the remaining appliances in the cluster must achieve consensus (online and able to communicate).
l You can unjoin a replica appliance when logged in to any appliance in the cluster that is online, using an account with Appliance Administrator permissions.
l When you unjoin a replica appliance from a cluster, the appliance is removed from the cluster as a stand-alone appliance that retains all of the data and security policy configuration information it contained prior to being unjoined. After the replica is unjoined, the appliance is placed in a Read-only mode with the functionality identified in Read-only mode functionality. You can activate an appliance in Read-only mode so you can add, delete and modify data, apply access request workflow, and so on. For more information, see Activating a read-only appliance on page 492.
To unjoin a replica from a cluster
1. Log in to an appliance in the cluster, as an Appliance Administrator.
2. In Administrative Tools, navigate to Settings | Cluster | Cluster Management.
3. In the cluster view (left pane), select the replica node to be unjoined from the cluster.
4. In the details view (right pane), click Unjoin.
5. In the Unjoin confirmation dialog, enter the word Unjoin and click OK to proceed.
Safeguard for Privileged Passwords displays (synchronizing icon) and (lock icon) next to the appliance it is unjoining and puts the replica appliance in Maintenance mode while it is unjoining from the cluster.
Once the operation has completed, the replica appliance no longer appears in the cluster view (left pane).
NOTE: If you log in to the replica appliance using the desktop client while Safeguard for Privileged Passwords is processing an unjoin operation, you will see the Maintenance mode screen. At the end of the Maintenance mode, you will see a Restart Desktop Client button, indicating that the unjoin operation completed successfully.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Disaster recovery and clusters
484
�Maintaining and diagnosing cluster members
When a node is selected in the Cluster view (left pane) of the Cluster settings page, the appliance details and cluster health view (right pane) displays details about the selected appliance. From this pane you can run the following maintenance and diagnostic tasks against the selected appliance.
l Unjoin: Click Unjoin to remove a replica from the cluster. For more information, see Unjoining replicas from a cluster on page 483.
l Failover: Click Failover to promote a replica to the primary appliance. For more information, see Failing over to a replica by promoting it to be the new primary on page 491.
l Activate: Click Activate to activate a read-only appliance so it can add, modify and delete data. For more information, see Activating a read-only appliance on page 492.
CAUTION: Activating an appliance that is in Read-Only mode will take it out of the Read-only state and enable password check and change for managed accounts. Ensure that no other Safeguard for Privileged Passwords Appliance is actively monitoring these accounts, otherwise access to managed accounts could be lost.
l Diagnose: Click Diagnose to open the Diagnostics pane where you can perform the following: l View appliance information. For more information, see Appliance Information on page 307. l Run diagnostic tests against the appliance. For more information, see Network Diagnostics on page 314. l Perform a factory reset. For more information, see Factory Reset from the desktop client on page 311. l View or edit networking settings. For more information, see Networking on page 318. l Generate a support bundle. For more information, see Support bundle on page 321. l View or edit time settings. For more information, see Time on page 321.
l Check Health: Click Check Health to capture and display the current state of the selected appliance.
l Restart: Click Restart to restart the selected appliance. Confirm your intentions by entering a Reason and clicking Restart.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Disaster recovery and clusters
485
�To fix more serious issues with a cluster, you can perform additional operations depending on the state of the cluster members. Some such operations include:
l Patching cluster members l Using a backup to restore a clustered appliance l Performing a factory reset l Resetting a cluster that has lost consensus l About Offline Workflow Mode
About Offline Workflow Mode
To ensure password consistency and individual accountability for privileged accounts, when an appliance loses consensus in the cluster, access requests are disabled. In the event of an extended network partition, the Appliance Administrator can either automatically or manually place an appliance in Offline Workflow Mode to run access request workflow on that appliance in isolation from the rest of the cluster. When the network issues are resolved and connectivity is reestablished, the Appliance Administrator can either automatically or manually resume online operations to merge audit logs, drop any in-flight access requests, and return the appliance to full participation in the cluster.
Offline workflow considerations
l In Offline Workflow Mode, an appliance functions apart from the other members of the cluster. Users can request passwords and sessions.
l Settings for Offline Workflow are set on an individual appliance.
Passwords in Offline Workflow Mode
l In Offline Workflow Mode, the appliance is enabled to request, approve, and release passwords and sessions without a quorum, using cached policy data.
l In Offline Workflow Mode, when policy requires change after check-in, the requirement is bypassed to allow for subsequent check out. In this case, the Access Request Password Reset By-passed Event is generated, stating: An access request subsequent check out is available as password reset was by-passed.
l Password changes will be rescheduled and will possibly complete when network connectivity is restored even while the appliance is in Offline Workflow Mode.
l Users may still request a password from the primary or another replica on the cluster with consensus; password check and changes works as usual. The result is that passwords may get out of sync on the appliance running Offline Workflow Mode. This is expected behavior and the password will remain out of sync until the partition is healed.
l On a network partition where one or more appliances are in Offline Workflow Mode, it is possible for two individuals to have the same password at the same time. Tying
Safeguard for Privileged Passwords 2.11.1 Administration Guide Disaster recovery and clusters
486
�actions back to a single responsible individual is not possible. It will still be possible to identify each person that had access to the password at the time.
Policies in Offline Workflow Mode
l Policy will be enforced as it existed at the time the appliance, now in Offline Workflow Mode, lost network connectivity to the rest of the cluster.
l Policy requiring a password change after check-in is bypassed and subsequent checkout from the appliance in Offline Workflow Mode is allowed.
l Policy is Read-only. Therefore, update and delete configuration operations are not allowed on the appliance in Offline Workflow Mode.
l Policy changes are only allowed if directed at an online primary within the cluster. Policy changes on the online primary do not affect the appliance in Offline Workflow Mode. Once the offline workflow appliance has resumed online operations the policy changes will be distributed.
Work flow in Offline Workflow Mode
l Regular work flow approval rules apply.
l Time-based constraints and emergency access apply.
l For the few minutes the appliance is switching to or from Offline Workflow Mode, Application to Application and any command line password-fetching operations will be suspended.
l Platform tasks (including Suspend and Restore Accounts) are disabled in Offline Workflow Mode.
User experience: Enable Offline Workflow Mode
Users that are requesting a password in Safeguard are returned to the Home page. Password requests prior to the switch to Offline Workflow Mode are not displayed.
l When the switch to Offline Workflow Mode starts, this message displays: Safeguard is switching to Offline Workflow Mode. Please wait until this process is complete before proceeding with any current work. The bottom of the Home page
displays this information: (Switching to Offline Workflow Mode...) and
Disconnected. If the user clicks Refresh, the banner is replaced with: is unavailable.
The service
l When the switch to Offline Workflow Mode is complete, a banner with this
information is displayed: Safeguard is currently in Offline Workflow Mode. Previous access requests are temporarily unavailable. You may submit new requests to continue working in Offline Workflow Mode. The bottom of the Home page displays these messages: (Offline Workflow Mode) and the connection status:
Connecting then Connected.
Administrators can view the workflow status on the Cluster View pane where a message like this displays: Offline Workflow Enabled (This appliance is running access workflow in isolation from the cluster.) For more information, see Cluster view pane on page 363.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Disaster recovery and clusters
487
�User experience: Resume Online Operations
When the switch to Resume Online Operations has begun, this message displays: Safeguard is returning to normal operations. Please wait until this process is complete before proceeding with any current work. The bottom of the Home page displays this information: (Returning to normal operations) and Disconnected. Once online operations are restored, the bottom of the Home page displays this
information: Connected. Notifications
l The Appliance Administrator is notified when an appliance has lost consensus (quorum) via the ApplianceStateChangedEvent. l A primary will change from Online to PrimaryNoQuorum. l A replica will change from Online to one of the following: l ReplicaNoQuorum (connected to primary, does not have quorum) l ReplicaDisconnected (disconnected from primary, does not have quorum) l ReplicaWithQuorum (disconnected from primary, has quorum) For more information, see Appliance states on page 502.
l The following events can be configured for email notifications and are written to the audit log: l ClusterPrimaryQuorumLostEvent l ClusterPrimaryQuorumRestoredEvent l ClusterReplicaQuorumLostEvent l ClusterReplicaQuorumRestoredEvent
l All access request notifications are still generated. l The Notification service identifies whether access workflow is available on an
appliance via the IsPasswordRequestAvailable and IsSessionsRequestAvailable properties. The following API endpoint can be used to make this determination: https://<hostname or IP>/service/notification/v2/Status/Availability
Audit logs in Offline Workflow Mode
l Prior to network connectivity being restored, everything that happens on the appliance running in Offline Workflow Mode is only audited on that appliance.
l The audit logs merge when network connectivity is restored between the offline member and any other member in the cluster, even while in Offline Workflow Mode.
l The audit data on any cluster member operating in Offline Workflow Mode will be lost unless the appliance is returned to the cluster using the resume online operations steps.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Disaster recovery and clusters
488
�l All cluster members that were capable of processing access and session requests must have network connectivity restored to the remainder of the cluster to ensure the cluster wide audit history is maintained.
Avoid modifications to the cluster configuration
l It is recommended that no changes to cluster membership are made while an appliance is in Offline Workflow Mode. The online operations must be automatically or manually resumed before adding or removing other nodes to ensure the appliance can seamlessly reintegrate with the cluster. The Appliance Administrator is advised to resume the online operations as soon as possible for individual password accountability, policy adherence, and audit integrity.
Cluster patching is not allowed During a cluster patch, Offline Workflow Mode cannot be triggered manually or automatically on any of the clustered appliances. Considerations to resume online operations
l The network partition must be corrected before resuming online operations with full functionality.
l You can resume online operations of an appliance in Offline Workflow Mode without a quorum. To resume online operations, it is highly recommended that network connectivity is restored between a majority of the cluster members, including the member in Offline Workflow Mode.
l When resuming online operations, any access requests that are in flight on the appliance that is running in Offline Workflow Mode will be dropped.
l While it is possible to resume online operations if the appliance is not connected, making access requests will no longer be available.
Automatic versus manual workflow
l You can configure automatic triggering of Offline Workflow Mode and automatic resumption of online workflow. For more information, see Offline Workflow (automatic) on page 370.
l You can manually enable Offline Workflow Mode and manually resume online workflow. Manually control Offline Workflow Mode.
Manually control Offline Workflow Mode
The Appliance Administrator can manually control Offline Workflow Mode using the following steps. Manual intervention is possible when automatic Offline Workflow Mode is enabled. For more information, see Offline Workflow (automatic) on page 370.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Disaster recovery and clusters
489
�To manually enable Offline Workflow Mode
1. Navigate to Administrative Tools | Settings | Cluster | Cluster Management.
2. In the cluster view (left pane) of the offline appliance, click the member of the cluster that is offline.
3. In the appliance details and cluster health pane (right pane), review the errors and warnings to verify the appliance has lost consensus.
4. On the offline appliance, click Enable Offline Workflow. (This option is only available when the appliance has lost consensus with the cluster.)
A message like the following displays:
This appliance will run access workflow in isolation from the cluster to work around loss of consensus with the cluster. Users will be able to request, approve and release passwords and sessions via this appliance using cached data. When connectivity is restored, you should resume online operations to reintegrate this appliance with the cluster and merge audit logs.
Type 'Enable Offline Workflow' in the box below to confirm.
See KB263580 for more information. 5. In the dialog, type Enable Offline Workflow and click Enter. The appliance is in
Offline Workflow Mode and enters maintenance. In the Activity Center, the Event for the appliance goes from Enable Offline Workflow Started to Enable Offline Workflow Completed.
6. You can verify that new requests are enabled and view the following health checks on the Cluster Management window:
l If there is communication to the other members in the cluster, while connected to the member in Offline Worflow mode, a message like this displays at the top of the messages: Cluster connectivity detected. When communication is reestablished, you can manually resume online operations to the appliance.
l A warning icon displays next to an appliance in Offline Workflow Mode. An
error icon is displayed if viewed from any other member in the cluster if the member is unable to communicate with the member in Offline Workflow Mode. At any time, you can click Check Health to update the information.
l A warning message like the following will display: Request Workflow: Access workflow on this appliance is operating in offline isolation from the cluster. This warning will persist until online operations are resumed by an Appliance Administrator.
To manually resume online operations
Before resuming online operations, see Considerations to resume online operations.
1. Navigate to Administrative Tools | Settings | Cluster | Cluster Management.
2. In the cluster view (left pane), click the member of the cluster that is offline.
3. On the appliance in Offline Workflow Mode, click Resume Online Operations.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Disaster recovery and clusters
490
�(This operation is only available when the appliance is in Offline Workflow Mode.) A message like the following displays: The appliance will be reconfigured for online operations. The appliance will attempt to reintegrate with the cluster and merge audit logs. Refer to the to the Admin Guide for more information. Type 'Resume Online Operations' in the box below to confirm. 4. In the dialog, type in Resume Online Operations and click Enter. 5. When maintenance is complete, click Restart Desktop Client. The appliance is returned to Maintenance mode.
6. You can verify health checks on the Cluster Management window. If a warning icon still displays next to the appliance, select the appliance and click Check Health to rerun the cluster health check and display the most up-to-date health information.
Failing over to a replica by promoting it to be the new primary
Safeguard for Privileged Passwords allows you to failover to a replica appliance by promoting it to be the new primary.
NOTE: You can promote a replica to be the new primary anytime the cluster has consensus (that is, the majority of the cluster nodes are online and able to communicate). If you have a quorum failure (that is, the majority of the cluster members do not achieve consensus), you must perform a cluster reset instead. For more information, see Resetting a cluster that has lost consensus on page 497.
To promote a replica to be the new primary in a cluster
1. log in to a healthy cluster member as an Appliance Administrator. 2. In Administrative Tools, select Settings | Cluster | Cluster Management. 3. In the cluster view (left pane), select the replica node that is to become the
new primary. 4. In the details view (right pane), click Failover. 5. In the Failover confirmation dialog, enter the word Failover and click OK to
proceed. During the failover operation, all of the appliances in the cluster are placed in Maintenance mode. Once the failover operation completes, the selected replica appliance appears as the primary with a state of online. All other appliances (including the "old" primary) in the cluster appear as replicas with a state of online.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Disaster recovery and clusters
491
�Activating a read-only appliance
Appliances that have been unjoined from a Safeguard for Privileged Passwords cluster or restored from a backup are placed in a Read-only mode. You can activate an appliance in Read-only mode so you can add, delete, and modify data, apply access request workflow, and so on. The appliance in Read-only mode must be online in order to use the Activate task. If it is offline or the cluster does not have consensus (that is, the majority of the remaining members are offline/unable to communicate), you must use the Cluster Reset option to rebuild your cluster. For more information, see Resetting a cluster that has lost consensus on page 497.
CAUTION: Activating an appliance that is in Read-Only mode will take it out of the Read-only state and enable password check and change for managed accounts. Ensure that no other Safeguard for Privileged Passwords Appliance is actively monitoring these accounts, otherwise access to managed accounts could be lost.
To activate a read-only appliance
1. Log in to the read-only appliance as an Appliance Administrator. 2. In Administrative Tools, navigate to Settings | Cluster | Cluster Management.
The cluster view (left pane) displays one primary appliance with a yellow warning icon indicating the appliance is in a Read-only mode. 3. In the cluster view (left pane), select the read-only node to be activated. 4. In the details view (right pane), click Activate. 5. In the Activate confirmation dialog, enter the word Activate and click OK to proceed. The appliance's node in the cluster view (left pane) no longer displays the yellow warning icon and the state is now Online.
Diagnosing a cluster member
The diagnostic tools are available to an Appliance Administrator or Operations Administrator for the currently connected appliance and any other appliances (replicas) in the cluster.
To run diagnostics on a clustered appliance
1. In Settings, select Cluster | Cluster Management. 2. From the cluster view (left pane), select the appliance to be diagnosed. 3. In the details pane (right pane), click Diagnose.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Disaster recovery and clusters
492
�The Appliance Information view displays. 4. Select Diagnostics and choose the type of test to be performed.
l Ping: To verify your network connectivity and response time. l NS Lookup: To obtain your domain name or IP address. l Trace Route: To obtain your router information; trace route determines the
paths packets take from one IP address to another. l Telnet: To access remote computers over TCP/IP networks like the internet. l Show Routes: To retrieve routing table information. 5. Enter the requested information in the test dialog that displays.
Patching cluster members
When an appliance update is released, apply the patch so all appliances in the cluster are on the same version. See About cluster patching for more information on how Safeguard for Privileged Passwords handles access requests and system failures during the cluster patching process.
Prior to installing an update patch to a cluster
l Ensure all appliances in the cluster are online and healthy. Any warnings or problems should be addressed before cluster patching. The patch install process will fail if any of the cluster members are unhealthy or cannot be contacted. IMPORTANT: The primary appliance orchestrates the cluster upgrade; therefore, the primary appliance must stay online and have a solid network connection with all of the replica appliances in the cluster. If this cannot be reasonably assured, you should unjoin the replica appliances from the cluster, individually upgrade them, and then re-enroll them into cluster.
l It is highly recommended to take a backup of your primary appliance before applying a patch.
l You may want to unjoin a replica from the cluster to serve as a backup appliance. In case of a catastrophic failure, you can activate the unjoined replica to be the primary. If the cluster patching process is successful, upgrade the unjoined replica, and then re-enroll it back into the cluster.
To patch appliances in a cluster IMPORTANT: The following procedure applies to Safeguard for Privileged Passwords Appliances running version 2.1.x and later. If you need to patch appliances running an earlier version, you will need to unjoin replica appliances, install the patch on each appliance, and then enroll the replica appliances to rebuild your cluster. For more information, see Patching cluster members in the Safeguard for Privileged Passwords 2.0 Administration Guide.
1. Log in to the primary appliance, as an Appliance Administrator. 2. In Administrative Tools, select Settings | Appliance | Updates.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Disaster recovery and clusters
493
�3. Click Upload a File and browse to select an update file.
The patch will be uploaded and distributed to all of the appliances in the cluster.
NOTE: If you make changes to the cluster, such as adding a new replica, while a patch is staged, the update file must be distributed to the new cluster member before the patch install process can begin. Safeguard for Privileged Passwords will not allow the patch install process to begin until all of the cluster members report that they have the update file stored locally.
NOTE: Clicking the Cancel button during the distribution process stops the distribution of the update file to the replicas. At this point, you can click one of the following buttons:
l Remove to remove the update file from all of the appliances in the cluster
l Distribute to Cluster to continue distributing the update file to each replica in the cluster
4. Once the file has been successfully distributed to all of the replicas in the cluster, click the Install Now button.
The primary appliance will go into Maintenance mode to begin the update operation. Once the primary appliance is successfully updated, Safeguard for Privileged Passwords will perform the update operation on each replica, one at a time. During an update operation, the cluster will be locked so that no other cluster operations can interfere with the update operation. Once the update operation is completed on all cluster members, the cluster will automatically unlock so normal operations can resume.
The Cluster view (Settings | Cluster | Cluster Management) shows that an update operation is in progress and the cluster members that are locked, awaiting to install the update file.
In addition, the Updates view (Settings | Appliance | Updates) shows the cluster members involved in the update operation and the progress as cluster members are successfully updated.
About cluster patching
The following information provides insight into how Safeguard for Privileged Passwords processes access requests during the cluster patching process. It also describes what happens if a cluster member loses power or network connectivity during the patching process.
Service guarantees
During a cluster upgrade, the cluster is split logically into the current version (side A) and the upgrade version (side B). Access request workflow is only enabled on one side at a time. Audit logs run on both sides and merge when the cluster patch completes. Initially, access request workflow is only enabled on side A, and replicas in PatchPending state can perform access requests. As appliances upgrade and move to side B, the access workflow migrates to side B when side B has a majority of the appliances. At this point in the
Safeguard for Privileged Passwords 2.11.1 Administration Guide Disaster recovery and clusters
494
�upgrade process, replicas in PatchPending state can no longer perform access requests; however, all of the upgraded cluster members can perform access requests. There is a small window where access request workflow is unavailable as the data migrates from one side to the other.
Failure scenarios
If the primary appliance loses power or loses network connectivity during the upgrade process, it will try to resume the upgrade on restart. If a replica is disconnected or loses power during an upgrade process, the replica will most likely go into quarantine mode. The primary appliance will skip that appliance and remove it from the cluster. This replica will need to be reset, upgraded, and then re-enrolled into the cluster manually to recover. Configuration for password checkout
The policy may be configured such that a password reset is required before the password can be checked out again. If that is the case, the following can be temporarily configured prior to cluster patching and access request to allow for password checkout when a password has not been reset.
l The policy can be set to allow multiple accesses. l The policy can be set to not require a password change at check in. l Emergency requests can be allowed so the user does not have to wait for the
password to be reset.
Using a backup to restore a clustered appliance
NOTE:When a backup is created, the state of the sessions module is saved. The session module can be either the joined sessions module (SPS) or the embedded sessions module (SPP). Restoring a backup restores the sessions module to the state when the backup was taken regardless of the state when the restore was started. In a clustered environment, the objective of a cluster backup is to preserve and allow the restoration of all operational data, including access request workflow, users/accounts, audit logs, and so on. All appliances in a cluster (primary and replicas) can be backed up. However, a backup should only be restored to an appliance in the worst-case scenario where no appliance can be restored using the failover operation. When a backup is restored to an appliance, the restore on the primary clears the primary's cluster configuration but does not change the replicas' cluster configuration. To avoid issues:
1. If possible, unjoin the replicas from the cluster prior to a backup restore. 2. Restore the backup on the appliance that will be the primary.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Disaster recovery and clusters
495
�3. If you did not unjoin the replicas prior to the backup restore, perform a cluster reset on each replica so they become standalones then join the replicas back into the cluster.
The appliance is restored as a stand-alone primary appliance in Read-only mode with no replicas. However, all the access request workflow, user/account, and audit log data that existed when the backup was taken is retained. This primary appliance can then be activated and replicas can be joined to recreate a cluster.
To take a backup of a physical appliance
1. log in to the appliance as an Appliance Administrator.
2. In Administrative Tools, select Settings | Backup and Restore.
3. Click Run Now to create a copy of the data currently on the primary appliance.
For more information, see Run Now on page 343.
Or you can click Backup Settings, in the upper-right corner of the Backups page, to configure an automatic backup schedule.
For more information, see Backup settings on page 343.
To restore a physical appliance from a backup
An Appliance Administrator can restore backups as far back as Safeguard for Privileged Passwords version 2.2.0.6958. Only the data is restored; the running version is not changed.
If the administrator attempts to restore a version earlier than 2.2.0.6958, a message like the following displays: Restore failed because the backup version '[version]' is older than the minimum supported version '2.2.0.6958' for restore. You cannot restore a backup from a version newer than the one running on the appliance. The restore will fail and a message like the following displays: Restore failed because backup version [version] is newer then the one currently running [version]. The backup version and the running version display in the Activity Center logs that are generated when Safeguard starts, completes, or fails a restore.
NOTE: If you want to use a backup file taken on a different appliance, that backup file must first be downloaded on the appliance where the backup was taken. The downloaded backup file will then need to be uploaded to the appliance that wants to use it before you can use the Restore option.
1. Log in to the appliance to be restored as an Appliance Administrator.
2. In Administrative Tools, select Settings | Backup and Restore.
3. Select the backup to be used and click Restore.
4. When the Restore dialog displays, enter the word Restore and click OK.
For more information, see Restore on page 345.
The appliance is restored as a stand-alone primary appliance in Read-only mode with no replicas.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Disaster recovery and clusters
496
�To rebuild a cluster 1. Log in to the primary appliance as an Appliance Administrator. 2. Activate the Read-only primary appliance. a. In Administrative Tools, navigate to Settings | Cluster | Cluster Management. b. Select the node to be activated from the cluster view (left pane). c. Click Activate. d. Confirm the activate operation. For more information, see Activating a read-only appliance on page 492. 3. One at a time, enroll the replica appliances to rebuild your cluster. a. In Administrative Tools, select Settings | Cluster. b. Click Add Replica to join a replica appliance to the cluster. Once the enroll operation completes, repeat to add your appliances back into the cluster as replicas. NOTE: Enrolling a replica can take up to 24 hours depending on the amount of data to be replicated and your network. For more information, see Enrolling replicas into a cluster on page 482.
Backup and restore
Resetting a cluster that has lost consensus
Resetting the cluster configuration allows you to recover a cluster that has lost consensus. If the cluster regains consensus after connectivity is restored, the primary will return to Read-Write mode and password check and change will be reenabled. However, if it does not regain consensus, the Appliance Administrator must perform a cluster reset to forceremove nodes from the cluster. If you are concerned about network issues, reset the cluster with only the new primary appliance. Once the cluster reset operation is complete, enroll appliances one by one to create a new cluster.
CAUTION: Resetting a cluster should be your last resort. It is recommended that you restore from a backup rather than reset a cluster.
Cautions
To avoid issues, consider the following cautions. l Only reset the cluster if you are certain that consensus has been lost; otherwise, you could introduce a split-brain scenario. (Split-brain scenario is where a cluster gets
Safeguard for Privileged Passwords 2.11.1 Administration Guide Disaster recovery and clusters
497
�divided into smaller clusters. Each of these smaller clusters believes it is the only active cluster and may then access the same data which could lead to data corruption.) l Ensure that no cluster member has Offline Workflow Mode enabled. For more information, see Offline Workflow (automatic) on page 370.
To reset a cluster
1. Navigate to Administrative Tools | Settings and select Cluster. 2. Click the Reset Cluster button.
The Reset Cluster dialog displays, listing the appliances (primary and replicas) in the cluster. 3. In the Reset Cluster dialog, select the nodes to be included in the reset operation and use the Set Primary button to designate the primary appliance in the cluster.
NOTE: Nodes must have an appliance state of Online or Online Read-only and be able to communicate to be included in the reset operation. If you select a node that is not online or not available, you will get an error and the reset operation will fail. 4. Click Reset Cluster. 5. In the confirmation dialog, enter the words Reset Cluster and click OK. When connected to the new primary appliance, the Configuring Safeguard for Privileged Passwords Appliance progress page displays, showing the steps being performed as part of the maintenance task to reset the cluster. 6. Once the maintenance tasks have completed, click Restart Desktop Client. 7. If an appliance is cluster reset as a standalone appliance, it will be placed in StandaloneReadonly mode (not online) and will require activation to avoid a split-brain scenario. For more information, see Activating a read-only appliance on page 492.
Once reset, the cluster only contains the appliances that were included in the reset operation.
Performing a factory reset
As an Appliance Administrator, you can use the Factory Reset feature to reset a Safeguard for Privileged Passwords Appliance to recover from major problems or to clear the data and configuration settings on the appliance. A factory reset of a physical appliance may be initiated from the Appliance Information settings page in the desktop client, from the Recovery Kiosk, from the virtual appliance Support Kiosk, or using the API. A Safeguard for Privileged Passwords virtual appliance is reset by the recovery steps to redeploy and not a factory reset. For more information, see Virtual appliance backup and recovery on page 56.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Disaster recovery and clusters
498
�CAUTION: Care should be taken when performing a factory reset against a physical appliance, because this operation removes all data and audit history, returning it to its original state when it first came from the factory. The appliance must go through configuration again as if it had just come from the factory. For more information, see Setting up Safeguard for Privileged Passwords for the first time on page 58.
In addition, performing a factory reset may change the default SSL certificate and default SSH host key.
Factory reset on a clustered appliance
Performing a factory reset on a clustered hardware appliance will not automatically remove the appliance from a cluster. The recommended best practice is to unjoin an appliance from the cluster before performing a factory reset on the appliance. After the unjoin and factory reset, the appliance must be configured again. For more information, see Setting up Safeguard for Privileged Passwords for the first time on page 58.
To perform a factory reset from the desktop client
1. Navigate to Administrative Tools | Settings | Appliance | Factory Reset.
2. Click Factory Reset.
3. In the Factory Reset confirmation dialog, enter the words Factory Reset and click OK.
The appliance will go into Maintenance mode to revert the appliance. Once completed, you will be prompted to restart the desktop client. If the appliance was in a cluster, you may need to unjoin the factory reset appliance. The factory reset appliance must be configured again. For more information, see Setting up Safeguard for Privileged Passwords for the first time on page 58. In addition, when you log in to the appliance, you will be prompted to add your Safeguard for Privileged Passwords licenses.
To perform a factory reset from the Recovery Kiosk
1. To perform a hardware factory reset, go to the Recovery Kiosk. For more information, see Recovery Kiosk (Serial Kiosk) on page 549.
2. Select Factory Reset.
3. Press the right arrow.
4. At id, enter your email or name and press the Tab key (or down arrow).
5. At Get Challenge, press the Enter key. Safeguard for Privileged Passwords produces a challenge.
6. Copy and paste the challenge and send it to One Identity Support.
l A challenge response is only good for 48 hours.
l Do not navigate away from the page or refresh during a challenge response operation. Doing so will invalidate the challenge response.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Disaster recovery and clusters
499
�7. When you get the response from One Identity Support, copy and paste the response into the kiosk screen and select Factory Reset.
To perform a factory reset from the Support Kiosk
1. To perform a hardware factory reset, gon the web management console, click Support Kiosk. For more information, see Support Kiosk on page 49.
2. Select Factory Reset. (This option is not available if you are attached to the console of a virtual machine. The options is only available for hardware.)
3. Complete the challenge/response process: a. In Full Name or Email, enter your name or email to receive the challenge question. b. Click Get Challenge. c. To get the challenge response, perform one of the following (see the illustration that follows). l Click Copy Challenge. The challenge is copied to the clipboard. Send that challenge to Safeguard support. Support will send back a challenge response that is good for 48 hours. Do not refresh your screen. l Screenshot the QR code and send it to Support. Support will send back a challenge response that is good for 48 hours. Do not refresh your screen. l Use a QR code reader on your phone to get the challenge response.
4. When you get the response from One Identity Support, copy and paste the response into the kiosk screen and select Factory Reset.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Disaster recovery and clusters
500
�Unlocking a locked cluster
In order to maintain consistency and stability, only one cluster operation can run at a time. To ensure this, Safeguard for Privileged Passwords locks the cluster while a cluster operation is running, such as enroll, unjoin, failover, patch, reset, and routine maintenance. The Cluster view shows that the cluster is locked and that any changes to the cluster configuration are not allowed until the operation completes. The banner that appears at the top of the screen explains the operation in progress and a red lock icon ( ) next to an appliance indicates that the appliance is locking the cluster.
To unlock a locked cluster
1. Click the lock icon in the upper right corner of the warning banner. 2. In the Unlock Cluster confirmation dialog, enter Unlock Cluster and click OK.
This will release the cluster lock that was placed on all of the appliances in the cluster and terminate the operation.
IMPORTANT: Care should be taken when unlocking a locked cluster. It should only be used when you are sure that one or more appliances in the cluster are offline and will not finish the current operation. If you force the cluster unlock, you may cause instability on an appliance, requiring a factory reset and possibly the need to rebuild the cluster. If you are unsure about the operation in progress, do NOT unlock the cluster. Most often, it will eventually time out and unlock on its own.
Troubleshooting tips
If there is a problem with a Safeguard for Privileged Passwords cluster, follow these guidelines:
1. Ensure that the hardware is powered on and online. 2. Check for networking problems. For more information, see Diagnosing a cluster
member on page 492. 3. Check the events in the Activity Center as all cluster operations are logged. Errors
and warnings may resolve on their own. If an error persists for more than 15 minutes, it probably won't resolve itself. Try restarting the appliance to see if the error or warning clears. 4. Contact One Identity Support:
l If an appliance goes into quarantine mode, connect to the Recovery Kiosk and contact support. For more information, see Recovery Kiosk (Serial Kiosk) on page 549.
l Generate and collect support bundles for each appliance in the cluster and contact support. For more information, see Support bundle on page 321.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Disaster recovery and clusters
501
�Appliance states
The following table lists the appliance states and what actions are available when the appliance is in a particular state.
Table 204: Appliance states
Appliance state and description
Actions available
EnrollingReplica (only applies to replica appliances in a cluster)
A transitional state where a replica appliance is being added to a cluster and is not available for access. From this state, the appliance goes into Maintenance mode to complete the enroll operation.
Wait for operation to complete before logging in to appliance.
Initial Setup Required
A virtual appliance has been deployed but cannot be used until it is in the Online state.
The Appliance Administrator must run Initial Setup for the virtual appliance to move to the Online state. For more information, see Setting up the virtual appliance on page 45.
Initializing
A transitional state where the appliance is initializing to start, but is not yet available for access.
Wait for operation to complete before logging in to appliance.
Maintenance
Appliance is performing maintenance tasks and is not available for access.
Wait for maintenance tasks to complete before logging in to appliance.
LeavingCluster (only applies to replica appliances in a cluster)
A transitional state where a replica appliance is being unjoined from a cluster and is not available for access. From this state, the appliance goes into Maintenance mode to complete the unjoin operation.
Wait for operation to complete before logging in to appliance.
Offline Appliance is not available for access.
Wait for appliance to come back online before logging in.
Offline Workflow The appliance is not communicating
Enable Offline Workflow Mode. Once online operations are resumed, the appliance is
Safeguard for Privileged Passwords 2.11.1 Administration Guide Disaster recovery and clusters
502
�Appliance state and description
with the cluster but has been either automatically or manually placed in Offline Workflow Mode to run access request workflow.
Actions available
returned to Maintenance mode. For more information, see About Offline Workflow Mode on page 486.
Online
The appliance is a primary and has consensus. Or the appliance is a replica and has both consensus and connectivity to the primary.
Log in to appliance.
In this state, access request workflow is available from all clustered appliances that are online and able to communicate.
PatchPending (only applies to replica appliances in a cluster)
Upon cluster patch, the primary appliance instructs all replicas to enter PatchPending state. The primary appliance then patches and upon completion, instructs the PatchPending replicas to install the patch one at a time.
You can log in to a replica with a PatchPending state.
You can initially perform access request workflow on a replica in PatchPending state; however, during the cluster upgrade, when the majority of the cluster members have upgraded, access request worklfow migrates from the PatchPending side of the cluster to the upgraded side of the cluster. During this time, access request workflow is unavailable on any appliance still in the PatchPending state.
PrimaryNoQuorum (only applies to the primary appliance in a cluster)
The primary appliance is in a Readonly mode while attempting to get the lease, but can't because the cluster does not have consensus. The appliance continues to attempt getting the lease and when it does, the appliance state goes back to Online.
If the appliance is powered on, you can log in to an appliance with a PrimaryNoQuorum state; however, it will be in a Read-only mode.
In this state, access request workflow is not available from the primary appliance, but may be available from other appliances in the cluster.
For example, if the primary cannot communicate with the rest of the nodes in the cluster, but the rest of the nodes can communicate between themselves (ReplicaWithQuorum state), then access request workflow will be available from these replica appliances even though it is not available from the primary appliance.
Quarantine
Safeguard for Privileged Passwords 2.11.1 Administration Guide Disaster recovery and clusters
503
�Appliance state and description
Actions available
Appliance is broken or in an unknown state.
Requires manual intervention to recover.
Go to the Recovery Kiosk to recover. For more information, see Recovery Kiosk (Serial Kiosk) on page 549.
ReplicaDisconnected (applies to replica appliances in a cluster)
A replica appliance is available for access; however, both of the following conditions apply:
l The replica appliance cannot communicate with the primary appliance in the cluster.
l The remaining nodes in the cluster that the replica appliance can communicate with do not have consensus.
You can log in to a replica with a ReplicaDisconnected state, but access request workflow is disabled.
If the replica appliance cannot communicate with the other nodes in the cluster, but the remaining nodes can communicate with each other, then access request workflow will be available from those appliances even though it is not available from the appliance that cannot communicate with them.
ReplicaNoQuorum (applies to replica appliances in a cluster)
A replica appliance can communicate with the primary appliance; however, the remaining nodes in the cluster do not reach consensus. Once the cluster regains consensus, the replica appliance will go into the Online state.
You can log in to a replica with a ReplicaNoQuorum state, but access request workflow is disabled.
In this state, access request workflow is not available from the primary appliance, but may be available from other replicas.
For example, in a cluster of five appliances, if the primary and a single replica cannot communicate with the remaining replicas in the cluster, but the other three replicas in the cluster can communicate between themselves (ReplicaWithQuorum state), then access request workflow will be available from the replicas that are online and communicating even though it is not available from the primary and replica that cannot communicate.
ReplicaWithQuorum (applies to replica appliances in a cluster)
A replica appliance cannot communicate with the primary appliance; however, the remaining nodes in the cluster have reached
You can log in to a replica with a ReplicaWithQuorum state. In this state, access request workflow is available from any clustered appliance that is online and able to communicate. Passwords can be requested and checked in. Scheduled tasks
Safeguard for Privileged Passwords 2.11.1 Administration Guide Disaster recovery and clusters
504
�Appliance state and description consensus.
Actions available
will not occur until after the cluster patching is complete. Manual check and change is not available.
The policy may be configured such that a password reset is required before the password can be checked out again. If that is the case, the following can be temporarily configured prior to cluster patching and access request to allow for password checkout when a password has not been reset.
l The policy can be set to allow multiple accesses.
l The policy can be set to not require a password change at check in.
l Emergency requests can be allowed so the user does not have to wait for the password to be reset.
TransitioningToPrimary (only applies to replica appliances in a cluster)
A transitional state where a replica appliance is being promoted to be the new primary and is not available for access.
Wait for operation to complete before logging in to appliance.
TransitioningToReplica (only applies to the primary appliance in a cluster.)
A transitional state where a primary appliance is being demoted to a replica and is not available for access.
Wait for operation to complete before logging in to appliance.
ShuttingDown
A transitional state where an appliance is shutting down and is not available for access.
Wait for appliance to come back online before logging in.
StandaloneReadOnly
State used for replicas unjoined from a cluster or a primary appliance restored from a backup. The
Log in to appliance.
See Activating a read-only appliance for how to activate a Read-only appliance so
Safeguard for Privileged Passwords 2.11.1 Administration Guide Disaster recovery and clusters
505
�Appliance state and description
Actions available
appliance can be activated.
you can add, delete and modify data, apply access request workflow, and so on.
Unknown
Appliance is broken or in an unknown state.
Requires manual intervention to recover.
Go to the Recovery Kiosk to recover. For more information, see Recovery Kiosk (Serial Kiosk) on page 549.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Disaster recovery and clusters
506
�22
Administrator permissions
To secure control of your IT department's assets (that is, managed systems), Safeguard for Privileged Passwords uses a role-based access control hierarchy. Safeguard for Privileged Passwords's various permission sets restrict the amount of control each type of user has.
NOTE: It is the responsibility of a user with Authorizer Administrator permissions to grant administrator permissions to other Safeguard for Privileged Passwords users; however, the User Administrator can grant Help Desk Administrator permissions to nonadministrative users. Administrator permissions include:
l Appliance Administrator permissions l Asset Administrator permissions l Auditor permissions l Authorizer Administrator permissions l Help Desk Administrator permissions l Operations Administrator permissions l Security Policy Administrator permissions l User Administrator permissions
Appliance Administrator permissions
The Appliance Administrator is responsible for configuring and maintaining the appliance, including the following tasks:
l Racks and stacks the appliance. l Configures the appliance. l (Optional) Sets up and uses the virtual appliance for initial setup, maintenance,
backup, and recovery. For more information, see Using the virtual appliance and web management console on page 44. l Troubleshoots performance, hardware, and networking.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Administrator permissions
507
�l Creates and monitors the status of a clustered environment. l Manages licenses, certificates, backups, and sessions settings. l Enables and disables access request and password management services.
Table 205: Appliance Administrator: Permissions
Navigation
Permissions
Activity Center
View and export appliance activity events.
Administrative Tools | Toolbox Access to the Tasks pane.
Administrative Tools | Settings:
l Access Request | Enable Enable or disable the access request and password
or Disable Services
management services.
l Appliance
Monitor the status of the appliance. Shut down or restart the appliance. Run diagnostics on the appliance. Enable or disable Lights Out Management (BMC). Configure networking settings. Perform a factory reset to recover from major problems or clear the data and configuration settings on the appliance. Generate a support bundle to assist technical support. Manage appliance time. Install update files (patches).
l Appliance | Enable or Disable Services
Enable or disable the Application to Application (A2A) service.
Enable or disable SPP audit data to be sent to SPS for auditing the Safeguard privileged management software suite.
l Backup and Retention
Configure backup and retention settings, define archive servers, and manage backups.
l Certificates
Manage the certificates used by Safeguard.
l Cluster
Create and manage a clustered environment. Monitor the status of the clustered environment. Diagnose cluster members.
l External Integration
Configure Approval Anywhere service for access request approvals.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Administrator permissions
508
�Navigation
l Messaging l Safeguard Access l Sessions
Permissions
Configures email to send event notifications to external systems. Configure identity providers and authentication providers. Configures the sending of SNMP traps to the SNMP console. Join Safeguard for Privileged Passwords to Starling. Configure Safeguard for Privileged Passwords to send event notifications to a syslog server. Configure the integration with an external ticketing system or generic tickets not tied to an external ticketing system.
Configure login notifications. Set message of the day.
Configure the user login control settings, inactivity timeout, password rules, and sets the time zone.
If a Sessions appliance is joined, view, remove, or modify the configuration. If the sessions module is used:
l Configure session recording storage management.
l Configure the sessions module settings. l Reset the sessions module. l Generate or download an SSH host key.
Asset Administrator permissions
An Asset Administrator manages all partitions, assets, and accounts: l Creates (or imports) assets and accounts. l Creates partitions and partition profiles. l Delegates partition ownership to users. NOTE: A delegated partition owner has a subset of permissions that an Asset Administrator has. That is, the delegated partition owner is authorized to manage a specific partition and the assets and accounts assigned to that partition.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Administrator permissions
509
�l Assigns assets to partitions. l Manages account password rules. NOTE: Asset Administrators can only view the user object history for their own account.
Table 206: Asset Administrator: Permissions
Navigation
Permissions
Dashboard | Account Automation
Full control for accounts related to all Safeguard for Privileged Passwords assets.
NOTE: Delegated partition owners have control for accounts related to the assets managed through delegated partition profile.
Activity Center
View and export asset activity events.
Administrative Tools | Toolbox Access to the Accounts, Assets, Partitions and Users view.
Access to the Tasks pane.
Administrative Tools | Accounts
Add, modify, delete, and import accounts. Check, change, and set account passwords. Access password archive. Enable or disable the access request services for an account.
Administrative Tools | Assets
Add, modify, delete, and import assets. Configure and manage Asset Discovery jobs. Download SSH Key.
Administrative Tools | Discovery
Create and run discovery jobs to find assets, accounts, and services in your network environment.
Administrative Tools | Partitions
Add, modify, and delete partitions and partition profiles.
Set partition as default.
Add assets to the scope of a partition profile.
Administrative Tools | Settings:
l Asset Management | Custom Platforms
Add a custom platform that includes uploading the custom platform script.
l Asset Management | Tags
Create and manage dynamic tags for assets and asset accounts.
l Messaging | Message of Login notification: View only. the Day
Safeguard for Privileged Passwords 2.11.1 Administration Guide Administrator permissions
510
�Navigation
Permissions
Set message of the day.
l Profile | Account Password Rules
Add, modify, and delete account password complexity rules.
l Profile | Change Password
Add, modify, and delete change password settings.
l Profile | Check Password Add, modify, and delete check password settings.
l Profile | Password Sync Add, modify, and delete password sync groups. Groups
Administrative Tools | Users Delegate partition ownership to users.
Auditor permissions
The Auditor administrator has read-only access to all features, giving him the ability to review all access request activity:
l Monitors appliance information. l Reviews everything. l Exports object history. l Runs entitlement reports.
Table 207: Auditor administrator: Permissions
Navigation
Permissions
Dashboard
View only.
Activity Center
View and export activity events. Audit access request workflow.
Reports
View and export entitlement reports.
Administrative Tools | Toolbox Access to all Administrative Tools views and the Tasks pane.
Administrative Tools | Accounts
View only.
Administrative Tools | Account View only. Groups
Administrative Tools | Assets View Asset Discovery jobs.
Administrative Tools | Asset View only.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Administrator permissions
511
�Navigation Groups Administrative Tools | Entitlements Administrative Tools | Partitions Administrative Tools | Settings:
l Access Request l Appliance
l Asset Management l Backup and Retention l Certificates l Cluster l External Integration l Messaging
l Profile l Safeguard Access l Sessions Administrative Tools | Users Administrative Tools | User Groups
Permissions
View only.
View only.
View only. View Appliance Information. Run diagnostics on appliance. View licensing information. View Lights Out Management (BMC) settings. View Networking settings. View Time settings. View update history. View only. View only. View only. View only. View only. Login notification: View only. Set message of the day. View only. View only. View only. View only. View only.
Authorizer Administrator permissions
The Authorizer Administrator is the permissions administrator and performs the following:
Safeguard for Privileged Passwords 2.11.1 Administration Guide Administrator permissions
512
�l Creates (or imports) Safeguard for Privileged Passwords users. l Grants administrator permissions to users. l Sets passwords, unlocks, and enables or disables both local and directory user
accounts. l Creates and maintains the Password Rule.
NOTE: Also has User Administrator and Help Desk Administrator permissions. IMPORTANT: Authorizer Administrators can change the permissions for their own account, which may affect their ability to grant permissions to other users. When you make changes to your own permissions, they take effect next time you log in.
Table 208: Authorizer Administrator: Permissions
Navigation
Permissions
Activity Center
View and export user activity events, including authentication events.
Administrative Tools | Toolbox Access to the Users and User Groups view. Access to Tasks pane.
Administrative Tools | Settings
l External Integration | Identity and Authentication
View only of directories used for identity and authentication. External Federation and Radius providers can be configured for authentication use.
l Messaging | Message of the Day
Login notification: View only. Set message of the day.
l Safeguard Access | Login View only. Control
l Safeguard Access | Password Rules
Configure user password rules.
l Safeguard Access | Time Set default time zone. Zone
Administrative Tools | Users
Add, modify, delete, and import users. Set administrator permissions. Set passwords and unlock administrator accounts. Delete administrator users. Enable or disable administrator users.
Administration Tools | User Groups
Add or delete directory groups, if a directory has been added to Safeguard for Privileged Passwords.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Administrator permissions
513
�Help Desk Administrator permissions
A Help Desk Administrator:
l Sets passwords for non-administrative user accounts. l Unlocks accounts for all user accounts.
NOTE: Help Desk Administrators can only view the user object history for their own account.
Table 209: Help Desk Administrator: Permissions
Navigation
Permissions
Activity Center
View and export user activity events.
Administrative Tools | Toolbox Access to the Users view and the Tasks pane.
Administrative Tools | Settings:
l Messaging | Message of the Day
Login notification: View only. Set message of the day.
l Safeguard Access | Login View only. Control
l Safeguard Access | Password Rules
View only.
l Safeguard Access | Time View only. Zone
Administrative Tools | Users
Set passwords and unlock accounts for nonadministrator users.
A Help Desk Administrator can unlock another Help Desk user but cannot set that user's passwrod.
Operations Administrator permissions
The Operations Administrator monitors the status of the appliance and can reboot the appliance.
NOTE: This user can be a non-interactive user; that is, an automated script or external monitoring system.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Administrator permissions
514
�Table 210: Operations Administrator: Permissions
Navigation
Permissions
Activity Center
View and export appliance activity events.
Administrative Tools | Toolbox Access to the Tasks pane.
Administrative Tools | Settings:
l Access Request | Enable View only. or Disable Services
l Appliance
Monitor status of the appliance. Shutdown or restart the appliance. Run diagnostics on the appliance. Generate a support bundle to assist technical support. View licensing information. View Networking settings. View Time settings. View update history.
l Backup and Retention
Configure backup and retention settings, define archive servers, and manage backups.
l Certificates
View only.
l Cluster
View only. Monitor the status of the clustered environment.
l External Integration
View only.
l Messaging
Login notification: View only. Set message of the day.
l Safeguard Access
View only.
l Sessions
View only.
Security Policy Administrator permissions
The Security Policy administrator configures the security policies that govern the access rights to accounts and assets, including the requirements for checking out passwords, such as the maximum duration, if password reasons are required, if emergency access is allowed, and so on. This user may not know any details about the assets.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Administrator permissions
515
�This user configures time restrictions for entitlements and who can request, approve and review access requests.
l Creates account groups, asset groups, and user groups. l Creates entitlements. l Configures access request policies. l Adds users or user groups to entitlements to authorize those accounts to
request passwords. l Can assign linked accounts to users for entitlement access policy governance.
Table 211: Security Policy administrator: Permissions
Navigation
Permissions
Dashboard | Access Requests Full control to manage access requests.
Activity Center
View and export security-related activity events, including access request events.
Audit access request workflow.
Reports
View and export entitlement reports.
Administrative Tools | Toolbox Access to the Account Groups, Asset Groups, Entitlements, Users, and User Groups view.
Access to the Tasks pane.
Administrative Tools | Account Add, modify, or delete account groups.
Groups
Add accounts to account groups.
Assign policies to account groups.
Administrative Tools | Asset Groups
Add, modify, or delete asset groups. Add assets to asset groups. Assign policies to asset groups.
Administrative Tools | Entitlements
Add, modify, or delete entitlements. Add users or user groups to entitlements. Define and maintain access request policies. Assign policies to entitlements.
Administrative Tools | Settings:
l Access Request | Reasons
Add, modify, or delete reason codes.
l Cluster | Session Appliances
If Safeguard for Privileged Passwords (SPP) is joined to Safeguard for Privileged Sessions (SPS), view the appliance information for the join.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Administrator permissions
516
�Navigation l External Integration | Application to Application l External Integration | Approval Anywhere l External Integration | Starling l External Integration | Ticket Systems
l Messaging | Message of the Day
Administrative Tools | Users
Administrative Tools | User Groups
Permissions Add, modify, or delete application registrations.
Configure Approval Anywhere service for access request approvals. If Safeguard for Privileged Passwords is joined to Starling, view the Starling join information. If Safeguard for Privileged Passwords is configured to use tickets (generic tickets or with an external ticketing sytem), view the ticket information. Login notification: View only. Set message of the day. Add users to user groups. Add users to entitlements. Link directory accounts to a user. View and export the history of users. Add, modify, or delete local user groups. Add local or directory users to user groups. Assign entitlements to user groups.
User Administrator permissions
The User Administrator:
l Creates (or imports) Safeguard for Privileged Passwords users. l Grants Help Desk Administrator permissions to users. l Sets passwords, unlocks users, and enables or disables non-administrator user
accounts. l Also has Help Desk Administrator permissions.
NOTE: User Administrators cannot modify administrator passwords, including their own. IMPORTANT: User Administrators can change the permissions for their own account, which may affect their ability to grant Help Desk Administrator permissions to other users. When you make changes to your own permissions, they take effect next time you log in.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Administrator permissions
517
�Table 212: User Administrator: Permissions
Navigation
Permissions
Activity Center
View and export user activity events.
Administrative Tools | Toolbox Access to the Users and User Groups view. Access to Tasks pane.
Administrative Tools | Settings:
l External Integration | Identity and Authentication
View only.
l Messaging | Message of Login notification: View only. Set message of the
the Day
day.
l Safeguard Access | Login View only. Control
l Safeguard Access | Password Rules
View only.
l Safeguard Access | Time View only. Zone
Administrative Tools | Users
Add, modify, delete or import local and directory users.
Set passwords and unlock accounts for nonadministrator users. A Help Desk Administrator can unlock another Help Desk user but cannot set that user's passwrod.
Enable or disable non-administrative users.
Set Help Desk Administrator permissions.
Administrative Tools | User Groups
Add or delete directory groups, if a directory has been added to Safeguard for Privileged Passwords.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Administrator permissions
518
�23
Preparing systems for management
Before you add systems to Safeguard for Privileged Passwords (Adding an asset on page 185), you must ensure they are properly configured. Generally, to prepare an asset for Safeguard for Privileged Passwords:
1. Create a functional account (called a "service" account in Safeguard for Privileged Passwords) on the asset and assign it a password. NOTE: To add an asset to Safeguard for Privileged Passwords, it must have a service account. For more information, see About service accounts on page 193.
2. Grant the service account sufficient permissions. 3. Test the service account connectivity. 4. Configure the security protocol. 5. For platforms that support SSL server certificate validation, add the server's signing
authority certificate to the Trusted Certificates store in Safeguard for Privileged Passwords. For more information, see Trusted Certificates on page 360.
The following topics can help you prepare your hosts for management by Safeguard for Privileged Passwords:
Preparing ACF - Mainframe systems Preparing Amazon Web Services platforms Preparing Cisco devices Preparing Dell iDRAC devices Preparing VMware ESXi hosts Preparing Facebook hosts Preparing Fortinet FortiOS devices Preparing F5 Big-IP devices Preparing HP iLO servers Preparing HP iLO MP (Management Processors) Preparing IBM i (AS/400) systems Preparing JunOS Juniper Networks systems Preparing MongoDB
Safeguard for Privileged Passwords 2.11.1 Administration Guide Preparing systems for management
519
�Preparing MySQL servers Preparing Oracle databases Preparing PAN-OS (Palo Alto) networks Preparing PostgreSQL Preparing RACF mainframe systems Preparing SAP HANA Preparing SAP Netweaver Application Servers Preparing Sybase (Adaptive Server Enterprise) servers Preparing SonicOS devices Preparing SonicWALL SMA or CMS appliances Preparing SQL Servers Preparing Top Secret mainframe systems Preparing Unix-based systems Preparing Windows systems Preparing Windows SSH systems Safeguard for Privileged Passwords supports a variety of platforms. For more information, see Supported platforms on page 37.
Preparing ACF - Mainframe systems
This applies to both ACF2 - Mainframe and ACF2 - Mainframe LDAP platforms.
To prepare IBM ACF-mainframe systems for Safeguard for Privileged Passwords
1. Create a service account on the asset and assign it a password. The service account must have the SECURITY attribute enabled for ACF2 ChangePassword to work properly.
2. Grant the service account the privileges required to use the ALTERUSER command on other profiles.
3. If not already installed, install a telnet server on the z/OS system. If required, secure telnet with SSL. NOTE: Please refer to your IBM z/OS system documentation for details on installing and configuring the telnet server (and SSL).
4. Test the telnet server using a Windows-based 3270 emulator or on Linux, use the telnet-ssl or x3270 programs to test SSL and non-SSL connections to an z/OS system.
5. In Safeguard for Privileged Passwords, create the asset and accounts for the z/OS system using password authentication.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Preparing systems for management
520
�About certificate support for the telnet protocol
Safeguard for Privileged Passwords automatically accepts any server certificate that the connection offers and does not verify the trust chain on the telnet certificate. In addition, Safeguard for Privileged Passwords does not support client certificate selection, so if telnet requires that the client present a certificate that is signed by a recognized authority, Safeguard for Privileged Passwords cannot support that configuration.
Preparing Amazon Web Services platforms
Safeguard for Privileged Passwords supports Amazon Web Services (AWS), a secure cloud services platform. When adding an Amazon Web Services asset, the Network Address must contain the AWS Account ID or Alias.
To prepare Amazon Web Services platforms for Safeguard for Privileged Passwords
1. In Safeguard for Privileged Passwords: a. Add Amazon's certificate and AWS certificate's root certificate authority (CA) to the Trusted Certificates store in Safeguard for Privileged Passwords. b. Configure an Identity and Access Management (IAM) user to use as a service account. c. Assign the IAM service account to the AdministratorAccess security policy.
2. In Amazon: a. Create an access key for the IAM service account. Amazon creates a pair of data items called a Secret Key and a public Access Key ID. Take a note of both the Access Key ID and Secret Key. You will need them when you add the Amazon Web Services asset to Safeguard for Privileged Passwords.
Preparing Cisco devices
Safeguard for Privileged Passwords supports both Cisco Private Internet eXchange (PIX) firewall security appliances and PIX Internetwork Operating System (IOS) routers and switches. Cisco PIX and Cisco IOS use the SSH protocol to connect to the Safeguard for Privileged Passwords Appliance. Safeguard for Privileged Passwords supports both SSH version 1 and version 2.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Preparing systems for management
521
�To prepare a Cicso device for Safeguard for Privileged Passwords 1. Create a service account on the asset and assign it a password. 2. Enable and configure the SSH server to allow the service account to log in remotely. 3. Configure the Privilege Level Password (that is, the system enable password). This password is required when adding the asset to Safeguard for Privileged Passwords. NOTE: Safeguard for Privileged Passwords manages accounts found in the startup configuration file, not in the running configuration file. 4. Add the Cisco device to Safeguard for Privileged Passwords using password authentication.
Preparing Dell iDRAC devices
Safeguard for Privileged Passwords supports the Dell Remote Access Controller that is integrated with Dell PowerEdge servers. Safeguard for Privileged Passwords uses the SSH protocol to connect to iDRAC devices.
To prepare an iDRAC device for Safeguard for Privileged Passwords 1. Use iDRAC to create a service account with administrator privileges and assign it a password. The service account must have login privileges and must be able to configure users. 2. Verify that SSH is enabled in the iDRAC Network settings. 3. In Safeguard for Privileged Passwords, create the asset and accounts for the iDRAC device using password authentication.
Preparing VMware ESXi hosts
Safeguard for Privileged Passwords supports VMware ESXi hosts. IMPORTANT:Safeguard for Privileged Passwords can only manage local users on a VMware host.
To prepare a VMware ESXi host for Safeguard for Privileged Passwords 1. Use an existing account or create a new account as the service account on the asset and assign it a password. The default administrator account is suitable. 2. Grant the service account the privileges required to set user passwords using the web management API.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Preparing systems for management
522
�3. When adding a VMware ESXi host to Safeguard for Privileged Passwords: a. Specify the network address. b. Specify port 443 as the HTTPS port.
Preparing Facebook hosts
Facebook is deprecated. It is suggested you use the sample custom platform script. For more information, see Custom platforms on page 324. Safeguard for Privileged Passwords can manage Facebook account passwords. Verify that a login code for the account is not required by Facebook.
To prepare a Facebook account for Safeguard for Privileged Passwords 1. Log in to your Facebook account. 2. In the upper right corner of the page, click the down arrow to the right of the Quick Help question mark. 3. Click Settings. 4. In the upper left corner of the page, click Security and Login. 5. Scroll to Two-Factor Authentication, Authorized Logins. 6. Click View. Facebook displays the list of devices where you do not have to use a login code. Verify that login code is not required to access the account. If you have no registered devices, you will see the following message: You do not have any registered devices.
For details about adding a Facebook account to Safeguard for Privileged Passwords, see Adding a cloud platform account on page 148.
Preparing Fortinet FortiOS devices
Safeguard for Privileged Passwords supports Fortinet Internet appliances. Safeguard for Privileged Passwords uses the SSH protocol to connect to Fortinet devices.
To prepare a Fortinet FortiOS device for Safeguard for Privileged Passwords 1. Create the service account as a local user on the managed system and assign it a password. 2. Add the service account to the Fortinet Administrators group. This allows the service account to access the device with SSH to manage users. IMPORTANT:Safeguard for Privileged Passwords can only manage passwords for
Safeguard for Privileged Passwords 2.11.1 Administration Guide Preparing systems for management
523
�users that are members of the Fortinet Administrators group. 3. Enable and configure the SSH server to allow the service account to log in remotely. 4. Add the Fortinet device to Safeguard for Privileged Passwords using password
authentication.
Preparing F5 Big-IP devices
Safeguard for Privileged Passwords supports F5 Big-IP devices. Safeguard for Privileged Passwords uses the SSH protocol to connect to F5 Big-IP devices.
To prepare an F5 Big-IP device for Safeguard for Privileged Passwords 1. Create the service account as a local user on the F5 Big-IP managed system and assign it a password. Assign that service account the Administrator Role on all partitions. This allows the service account to manage users. 2. Enable console access by setting Terminal Access to either Advanced or tmsh, which will allow the service account to log in remotely via SSH. 3. Add the F5 Big-IP device to Safeguard for Privileged Passwords using password or SSH key authentication.
Preparing HP iLO servers
In Safeguard for Privileged Passwords, the HP iLO operating system is an HP Integrated Lights-Out (iLO) HP Proliant server. Safeguard for Privileged Passwords connects to HP iLO systems using SSH. Password check and change is supported. Account discovery is not supported.
To prepare an HP iLO server for Safeguard for Privileged Passwords 1. Create a service account with the Administrate User Accounts privilege and assign it a password. The service account must have login privileges and must be able to configure users. 2. Verify that SSH is enabled. 3. In Safeguard for Privileged Passwords, create the asset and accounts for the HP iLO server using password authentication.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Preparing systems for management
524
�Preparing HP iLO MP (Management Processors)
In Safeguard for Privileged Passwords the HP iLO MP operating system is an HP Integrity Integrated Lights-Out (iLO) Management Processor. Safeguard for Privileged Passwords connects to HP iLO MP systems using SSH.
To prepare an HP iLO Management Processor for Safeguard for Privileged Passwords
1. Create a service account with the Administer User Accounts privilege and assign it a password.
2. Verify that SSH is enabled. 3. In Safeguard for Privileged Passwords, create the asset and accounts for the HP iLO
MP asset type using password authentication.
Preparing IBM i (AS/400) systems
Safeguard for Privileged Passwords supports IBM i (AS/400) systems.
To prepare IBM i systems for Safeguard for Privileged Passwords 1. Create a service account on the asset and assign it a password. 2. Grant the service account the privileges required to use the chgusrprf command on other profiles. 3. If not already installed, install a telnet server on the IBM iSeries (AS/400) system. If required, secure telnet with SSL. NOTE: Please refer to your IBM iSeries (AS/400) system documentation for details on installing and configuring the telnet server (and SSL). 4. Test the telnet server using a Windows-based 3270 emulator or on Linux, use the telnet-ssl or x3270 programs to test SSL and non-SSL connections to an IBM iSeries system. 5. In Safeguard for Privileged Passwords, create the asset and accounts for the IBM iSeries (AS/400) system using password authentication.
About certificate support for the telnet protocol
Safeguard for Privileged Passwords automatically accepts any server certificate that the connection offers and does not verify the trust chain on the telnet certificate. In addition, Safeguard for Privileged Passwords does not support client certificate selection, so if telnet requires that the client present a certificate that is signed by a recognized authority, Safeguard for Privileged Passwords cannot support that configuration.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Preparing systems for management
525
�Preparing JunOS Juniper Networks systems
Safeguard for Privileged Passwords uses the Juniper Networks JunOS operating system to manage Juniper Networks routers and switches. Safeguard for Privileged Passwords connects to JunOS systems using SSH.
CAUTION: If you get the message: Shared configuration database modified, the global configuration is currently being edited. The edits must be committed or discarded so Safeguard can enter configure private mode. To resolve the problem, log in to the box interactively with SSH, run configure, and then run status to review the sessions currently editing the global configuration. Run rollback to discard any edits or commit to commit the changes.
To prepare a Juniper Networks JunOS system for Safeguard for Privileged Passwords
1. Create a service account that is a member of the super-user login class and assign it a password.
2. Verify that SSH is enabled. 3. In Safeguard for Privileged Passwords, create the asset and accounts for the Juniper
Networks JunOS asset type using password authentication.
Preparing MongoDB
Safeguard for Privileged Passwords makes an SSL connection to MongoDB using a TCP port and Bind IP address defined in the mongodb.conf file. You must enter this port number when adding a MongoDB asset to Safeguard for Privileged Passwords.
To configure MongoDB for Safeguard for Privileged Passwords
1. Create a service account and assign it a password. NOTE: The service account must have permissions for remote connections and permissions to change passwords. Consult your MongoDB Security Guide for the appropriate settings for your organization.
2. Verify that you can log in with the service account. 3. In Safeguard for Privileged Passwords, create the asset and accounts for the
MongoDB asset type using password authentication. You must specify the Database instance name and the Port used by the database instance.
NOTE: When you create an account of Dialog User or Communication Data type, Safeguard for Privileged Passwords allows you to set the account password or
Safeguard for Privileged Passwords 2.11.1 Administration Guide Preparing systems for management
526
�reset the password. Use the Reset Password option to reset the password for this account. If you use the Set Password option and enter the same password used in MongoDB, the password check in Safeguard for Privileged Passwords will fail.
Preparing MySQL servers
To prepare a MySQL server for Safeguard for Privileged Passwords, refer to the documentation for your MySQL server for information about how to setup and secure encryption. To enable SSL server certificate validation, add the server's signing authority certificate to the Trusted Certificates store in Safeguard for Privileged Passwords. For more information, see Trusted Certificates on page 360. For more information about how Safeguard for Privileged Passwords database servers use SSL, see How do Safeguard for Privileged Passwords database servers use SSL on page 578.
SQL accounts supported
Safeguard can support MySQL accounts that have been created with the format <username> or <username>@< range of IP addresses>. The permitted range of IP addresses must include the IP address of the Safeguard appliance. The % character can be used as a wildcard. Examples:
l John : Permit John to log in from any host (default) l John@%: Permit John to log in from any host l John@10.1.%: Permit John to log in from any IP address in 10.1.xx
Preparing Oracle databases
To prepare an Oracle database for Safeguard for Privileged Passwords, refer to the documentation for your Oracle database for information about how to set up and secure encryption. To enable SSL server certificate validation, when configuring the SSL-enabled service on the Oracle server, ensure that the following security setting is configured:
SSL_SERVER_CERT_DN="CN=<address>", where <address> matches the Network Address of the asset in Safeguard for Privileged Passwords.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Preparing systems for management
527
�Preparing PAN-OS (Palo Alto) networks
In Safeguard for Privileged Passwords the PAN-OS operating system is used by Palo Alto Networks appliances. Safeguard for Privileged Passwords connects to PAN-OS systems using SSH.
To prepare a Palo Alto Networks system for Safeguard for Privileged Passwords
1. Create a service account that is a Device Administrator and assign it the Superuser role and a password.
2. Verify that SSH is enabled. 3. In Safeguard for Privileged Passwords, create the asset and accounts for the Palo
Alto Networks asset type using password authentication.
Preparing PostgreSQL
Safeguard for Privileged Passwords makes an SSL connection to PostgreSQL using a TCP port defined in the postgresql.conf file. You must enter this port number when adding a PostgreSQL asset to Safeguard for Privileged Passwords.
To configure PostgreSQL for Safeguard for Privileged Passwords 1. Create a service account and assign it a password. NOTE: The service account must have permissions for remote connections and permissions to change passwords. Consult your PostgreSQL Security Guide for the appropriate settings for your organization. 2. Verify that you can log in with the service account. 3. In Safeguard for Privileged Passwords, create the asset and accounts for the PostgreSQL asset type using password authentication. You must specify the Database instance name and the Port used by the database instance. NOTE: When you create an account of Dialog User or Communication Data type, Safeguard for Privileged Passwords allows you to set the account password or reset the password. Use the Reset Password option to reset the password for this account. If you use the Set Password option and enter the same password used in PostgreSQL, the password check in Safeguard for Privileged Passwords will fail.
Preparing RACF mainframe systems
This applies to both RACF mainframe and RACF mainframe LDAP platforms.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Preparing systems for management
528
�To prepare IBM RACF mainframe systems for Safeguard for Privileged Passwords
1. Create a service account on the asset and assign it a password. 2. Grant the service account the privileges required to use the ALTERUSER command on
other profiles. 3. If not already installed, install a telnet server on the z/OS system. If required,
secure telnet with SSL. NOTE: Please refer to your IBM z/OS system documentation for details on installing and configuring the telnet server (and SSL).
4. Test the telnet server using a Windows-based 3270 emulator or on Linux, use the telnet-ssl or x3270 programs to test SSL and non-SSL connections to an z/OS system.
5. In Safeguard for Privileged Passwords, create the asset and accounts for the z/OS system using password authentication.
About certificate support for the telnet protocol
Safeguard for Privileged Passwords automatically accepts any server certificate that the connection offers and does not verify the trust chain on the telnet certificate. In addition, Safeguard for Privileged Passwords does not support client certificate selection, so if telnet requires that the client present a certificate that is signed by a recognized authority, Safeguard for Privileged Passwords cannot support that configuration.
Preparing SAP HANA
Safeguard for Privileged Passwords makes an SSL connection to SAP HANA using a TCP port between 30015 and 39915, depending on the SAP system number (also known as the "instance number"). For more information, see Safeguard ports on page 587.
To configure SAP HANA for Safeguard for Privileged Passwords
1. Create a service account and assign it a password. This service account must have permissions for remote connections and permissions to change passwords. Consult your SAP security guide for the appropriate settings for your organization.
2. Verify that you can log in with the service account. In SAP, when you create a new account of Dialog User or Communication Data type, you will be prompted to set a new password.
3. In Safeguard for Privileged Passwords, create the asset and accounts for the SAP asset type using password authentication. You must specify the SAP Client ID number as well as the Port used by the SAP instance. When you create an account of Dialog User or Communication Data type, Safeguard for Privileged Passwords allows you to set the account password or reset the
Safeguard for Privileged Passwords 2.11.1 Administration Guide Preparing systems for management
529
�password. Use the Reset Password option to reset the password for this account. If you use the Set Password option and enter the same password used in SAP, the password check in Safeguard for Privileged Passwords will fail.
Preparing SAP Netweaver Application Servers
Safeguard for Privileged Passwords makes an SSL connection to the SAP Application Server using a TCP port between 3300 and 3399, depending on the SAP system number (also known as the instance number). You can have multiple instances of SAP running on a server, each using a different network port in the range of 3300-3399. The last two digits of the port are called the system number (or instance number). For more information, see Safeguard ports on page 587. When you assign a password to the account, the account is not usable until you log in and change the password from the admin-assigned value. If a privileged user for the asset is of System or Communication User Type, assign RFC authorization for the RFCPING function module for that user. This allows the user to execute its functions remotely, such as changing the password.
To configure a SAP Netweaver Application Server for Safeguard for Privileged Passwords
1. Create a service account and assign it a password. This service account must have permissions for remote connections and permissions to change passwords. Settings may include: l Cross-application Authorization Objects set to Authorization Check for RCF Access l Basis: Administration set to User Master Maintenance: User Groups including Change and Lock The S_A.SYSTEM authorization profile will work, but may have more permissions than are necessary. Consult your SAP security guide for the appropriate settings for your organization.
2. Verify that you can log in with the service account. In SAP, when you create a new account of System or Communication User Type, you will be prompted to set a new password.
3. In Safeguard for Privileged Passwords, create the asset and accounts for the SAP asset type using password authentication. You must specify the SAP Client ID number as well as the Port used by the SAP instance. When you create an account of System or Communication User Type, Safeguard allows you to set the account password or reset the password. Use the Reset Password option to reset the password for this account. If you use the Set
Safeguard for Privileged Passwords 2.11.1 Administration Guide Preparing systems for management
530
�Password option and enter the same password used in SAP, the password check in Safeguard will fail.
Preparing Sybase (Adaptive Server Enterprise) servers
To prepare a Sybase ASE (Adaptive Server Enterprise) server for Safeguard for Privileged Passwords, refer to the documentation for your Sybase ASE server for information about how to setup and secure encryption. To enable SSL server certificate validation, add the server's signing authority certificate to the Trusted Certificates store in Safeguard for Privileged Passwords. For more information, see Trusted Certificates on page 360. For more information about how Safeguard for Privileged Passwords database servers use SSL, see How do Safeguard for Privileged Passwords database servers use SSL on page 578.
Preparing SonicOS devices
Safeguard for Privileged Passwords supports SonicOS Internet appliances. Safeguard for Privileged Passwords uses the SSH protocol to connect to SonicOS devices.
To prepare a SonicOS device for Safeguard for Privileged Passwords 1. Create the service account as a local user on the managed system and assign it a password. 2. Add the service account to the SonicWALL Administrators group. This allows the service account to access the device with SSH to manage users. IMPORTANT:Safeguard for Privileged Passwords can only manage passwords for users that are members of the SonicWALL Administrators group. 3. Enable and configure the SSH server to allow the service account to log in remotely. 4. Add the SonicOS device to Safeguard for Privileged Passwords using password authentication.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Preparing systems for management
531
�Preparing SonicWALL SMA or CMS appliances
Here are some important notes about configuring a SonicWALL SMA or CMS appliance for Safeguard for Privileged Passwords:
1. Use the local admin account as the service account. 2. Safeguard for Privileged Passwords can only manage the admin account; it cannot
manage other local accounts or accounts from external providers.
Preparing SQL Servers
To prepare a MicrosoftSQL Server for Safeguard for Privileged Passwords, refer to the documentation for your SQL server for information about how to set up and secure encryption. To enable SSL server certificate validation, add the server's signing authority certificate to the Trusted Certificates store in Safeguard for Privileged Passwords. For more information, see Trusted Certificates on page 360. For more information about how Safeguard for Privileged Passwords database servers use SSL, see How do Safeguard for Privileged Passwords database servers use SSL on page 578.
To configure a SQL Server for Safeguard for Privileged Passwords (with an authentication type of Local System Account)
NOTE: To manage a Microsoft SQL server asset with the authentication type of Local System Account, you need a local Windows account that is a Security Admin in SQL. In order to use this authentication type, you must add a Windows asset and an SQL Server asset to Safeguard for Privileged Passwords.
1. Log in to the Safeguard for Privileged Passwords desktop client as an Asset Administrator.
2. Navigate to Administrative Tools | Assets. 3. Add a Windows asset that matches the OS of the server that is hosting the
SQL database. a. On the Connection tab: l Authentication Type: Set to Password. l Service Account: Set to a local user that is a member of the Administrator's group. b. Add other accounts as needed.
Save the asset.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Preparing systems for management
532
�4. Add an SQL Server asset. a. On the Connection tab: l Authentication Type: Set to Local System Account. l Service Account: Click Select Account and select a local system account from the list. The accounts available for selection are Windows accounts that are linked to the Windows asset you added in Step 3. l Run Test Connection and verify the connection works.
Save the asset.
To configure a SQL Server for Safeguard for Privileged Passwords (with an authentication type of Directory Account)
NOTE: To mange a Microsoft SQL asset with the authentication type of Directory Account, you need a domain account that is a Security Admin in SQL. In order to use this authentication type, you must add a directory and directory users to Safeguard for Privileged Passwords.
1. Add a directory and directory users. a. Log in as an Asset Administrator. b. Navigate to Administrative Tools | Assets to add a directory for your domain. c. Once added, select the domain and open the Accounts tab to add domain user accounts. For more information, see Adding an account to an asset on page 207.
2. Add an SQL Server asset and account information. a. Log in to the Safeguard for Privileged Passwords desktop client as an Asset Administrator. b. From Administrative Tools | Assets, add an SQL Server asset. c. On the Connection tab, complete the following: l Authentication Type: Set to Directory Account. l Service Account: Click Select Account and select a domain user account from the list. The accounts available for selection are domain user accounts that are linked to the directory you added in Step 1. l Run Test Connection and verify the connection works.
3. Save the asset.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Preparing systems for management
533
�Preparing Top Secret mainframe systems
Safeguard for Privileged Passwords can manage authorized Top Secret users who have a valid accessor ID (ACID) with the facility TSO who can log on to the TSO interface. This applies to both Top Secret mainframe and Top Secret mainframe LDAP platforms.
To prepare CA Top Secret mainframe systems for Safeguard for Privileged Passwords
1. Create a service account on the asset, assign it a password, and grant it the `TSO' facility.
2. Grant the service account the following authority for ACIDs within its scope: a. Permission to list security record information for an ACID. b. MISC1(SUSPEND) authority, to remove the PSUSPEND attribute from ACIDs. c. Either ACID(MAINTAIN) or MISC8(PWMAINT) authority, to update the password of another ACID.
3. If not already installed, install a telnet server on the z/OS system. If required, secure telnet with SSL. NOTE: Please refer to your IBM z/OS system documentation for details on installing and configuring the telnet server (and SSL).
4. Test the telnet server using a Windows-based 3270 emulator or on Linux, use the telnet-ssl or x3270 programs to test SSL and non-SSL connections to an z/OS system.
5. In Safeguard for Privileged Passwords, create the asset and accounts for the z/OS system using password authentication.
About certificate support for the telnet protocol
Safeguard for Privileged Passwords automatically accepts any server certificate that the connection offers and does not verify the trust chain on the telnet certificate. In addition, Safeguard for Privileged Passwords does not support client certificate selection, so if telnet requires that the client present a certificate that is signed by a recognized authority, Safeguard for Privileged Passwords cannot support that configuration.
Preparing Unix-based systems
Safeguard for Privileged Passwords uses the SSH protocol to connect to Unix-based systems.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Preparing systems for management
534
�To prepare Unix-based systems (AIX, HP-UX, Linux, Macintosh OS X, Solaris, and FreeBSD platforms)
1. Create a service account on the asset with sufficient permissions. You need to at least configure a password for the service account. If you want to use an SSH key generated and configured by Safeguard for Privileged Passwords, then you also need to make sure the service account's home directory exists.
2. Ensure that the service account can run the following list of commands with root privileges non-interactively; that is, without prompting for a password. For example, on a Linux system add the following line in the sudoers file: <SerAcctName> ALL=(root) NOPASSWD: /usr/bin/passwd The commands a service account must run with root privileges non-interactively are: Linux and most Unix-based systems: l egrep l grep l passwd AIX: l sed l grep l passwd l pwdadm Mac OS X l dscl l passwd
3. Enable and configure the SSH server to allow the service account to log in remotely. For example, on a Mac, enable Remote Login for the service account. NOTE: Different versions of Linux and Unix may require slightly different parameters for SSH configuration. Consult a Linux/Unix system administrator or the system documentation for assistance.
Preparing Windows systems
Safeguard for Privileged Passwords supports Windows systems.
To prepare Windows systems for Safeguard for Privileged Passwords 1. Create a service account on the asset and assign it a password: l Directory Configuration If the Windows system is joined to a domain that will be managed in Safeguard
Safeguard for Privileged Passwords 2.11.1 Administration Guide Preparing systems for management
535
�for Privileged Passwords, you can use a directory account, such as a Microsoft Active Directory account to manage the asset. Enable the Password Never Expires option; once you add the asset to Safeguard for Privileged Passwords, you can have the service account password auto-managed to keep it secure. -ORl Local Configuration If the Windows system is not joined to a domain, then use a local service account that has been granted sufficient permissions. 2. Grant the service account sufficient permissions to change account permissions to to allow changing account passwords. For more information, see Minimum required permissions for Windows assets on page 536. 3. Configure the system's firewall to allow the following predefined incoming rules: l Windows Management Instrumentation (DCOM-In) l Windows Management Instrumentation (WMI-In) l NetLogon Service (NP-In) These rules allow incoming traffic on TCP port 135 and TCP SMB 445, respectively. 4. Ensure the following ports are accessible: l Port 389 is LDAP for connections. LDAP port 389 connections are used for Active Directory Asset Discovery and Directory Account Discovery. l Port 445 SMB is used to perform password check and changes. l When possible, RPC ephemeral ports should also be accessible. For more information, see Service overview and network port requirements for Windows. 5. Change the local security policy: Before Safeguard for Privileged Passwords can reset local account passwords on Windows systems, using a service account that is a non-built-in administrator, you must change the local security policy to disable the User Account Control (UAC) Admin Approval Mode (Run all administrators in Admin Approval Mode) option. For more information, see Change password fails on page 540.
For additional information on ports, see Safeguard ports.
Minimum required permissions for Windows assets
The following minimum permissions are required for Windows assets to perform directory password management and sessions management tasks using Windows Management Instrumentation (WMI).
Asset password management
Using a local account or domain account:
Safeguard for Privileged Passwords 2.11.1 Administration Guide Preparing systems for management
536
�l Test connection, Check connection, Password check, and Account discovery tasks require the following permissions: l Remote Enable permission on WMI's CIMV2 Namespace l Enable Account permission on WMI's CIMV2 Namespace l Remote Activation permission on computer via DCOM.
To set Remote Enable and Enable Account permissions 1. Open wmimgmt.msc. 2. Right-click WMI Control (Local) and select Properties. 3. Select the Security tab. 4. Expand the Root node. 5. Select the CIMV2 node. 6. Click the Security button. 7. Add user/group and select Remote Enable and Enable Account. 8. Click OK.
To set Remote Activation permissions 1. Open dcomcnfg. 2. Expand Component Services | Computers. 3. Right-click My Computer and select Properties. 4. Open the COM Security tab. 5. Under Launch and Activation Permissions, select Edit Limits. 6. Add user/group and select Allow for Remote Activation. 7. Click OK.
l Password change task requires the following permission: l Member of Local Administrators group
Domain password management
Using a Domain account: l Test connection, Check connection, Password check, and Account discovery tasks require the following permissions: l Member of Domain Users l Password change task requires that the Service account has the following delegated permissions: l LockoutTime (Read/Write) l Account Restrictions (Read/Write) l Reset Password
Safeguard for Privileged Passwords 2.11.1 Administration Guide Preparing systems for management
537
�Asset session access
Using a local account:
l Member of Remote Desktop Users group l Defined in the "Allow log on through Remote Desktop Services" policy (directly or via
group membership) l Not defined in the "Deny log on through Remote Desktop Services" policy (directly or
via group membership)
Using a Domain account:
l Defined in the Remote Desktop Users group or be a member of a domain security group by a group policy update to the Remote Desktop Users group for that asset
l Defined in the "Allow log on through Remote Desktop Services" policy (directly or via group membership)
l Not defined in the "Deny log on through Remote Desktop Services" policy (directly or via group membership)
Preparing Windows SSH systems
Safeguard for Privileged Passwords supports Windows SSH systems. Windows SSH uses port 22 on the platform.
To prepare Windows SSH systems for Safeguard for Privileged Passwords
1. Ensure the SSH server service is running. 2. Create a service account on the asset and assign it a password:
l Directory Configuration If the Windows SSH system is joined to a domain that will be managed in Safeguard for Privileged Passwords, you can use a directory account, such as a Microsoft Active Directory account to manage the asset. Enable the Password Never Expires option; once you add the asset to Safeguard for Privileged Passwords, you can have the service account password auto-managed to keep it secure. -OR-
l Local Configuration If the Windows SSH system is not joined to a domain, then use a local service account that has been granted sufficient permissions.
3. Ensure the service account is added to the local Administrator's group to allow change password permissions.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Preparing systems for management
538
�24
Troubleshooting
One Identity recommends the following resolutions to some of the common problems you may encounter as you deploy and use Safeguard for Privileged Passwords. For more information about how to troubleshoot Safeguard for Privileged Passwords, refer to the Appliance settings.
Anti-CSRF (cross-site request forgery) token error Connectivity failures Cannot connect to remote machine through SSH or RDP Cannot delete account Cannot play session message Domain user denied access to Safeguard for Privileged Passwords LCD status messages My Mac keychain password was lost Password fails for Unix host Password is pending a reset Profile did not run Recovery Kiosk (Serial Kiosk) Replica not adding System services did not update or restart after password change Test Connection failures Timeout errors causing operations to fail User locked out User not notified
Related Topics
Frequently asked questions
Safeguard for Privileged Passwords 2.11.1 Administration Guide Troubleshooting
539
�Anti-CSRF (cross-site request forgery) token error
Cross-site request forgery (CSRF) occurs when unauthorized commands are transmitted from a user that the web application trusts. Anti-CSRF is a type of CSRF protection. It is a random string that is only known by the user's browser and the web application If you receive an Anti Cross-Site Request Forgery token error when attempting to log in to Safeguard for Privileged Passwords using Microsoft Internet Explorer 9 on Windows 7 SP1, this indicates that cookies are blocked.
To resolve this issue 1. In Internet Explorer, open Tools and choose Internet Options. 2. In the Privacy tab, click the Advanced button. 3. Select the Always allow session cookies option.
Connectivity failures
The most common causes of failure in Safeguard for Privileged Passwords are either connectivity issues between the appliance and the managed system, or problems with service accounts. Always verify network connectivity and asset power before troubleshooting. The following topics explain some possible reasons that Check Password, Change Password, and Set Password may fail, and gives you some corrective steps you can take.
l Change password fails: Learn about a possible resolution if Change Password fails. l Incorrect authentication credentials: Learn how to resolve incorrect service account
credentials. l Missing or incorrect SSH host key: Learn how to resolve issues with SSH host keys. l No cipher supported error: Learn how to resolve cipher support issues. l Service account has insufficient privileges: Learn how to resolve service account
privilege issues.
Change password fails
A local account password change can fail when you are using a Windows asset that is configured with a service account with Administrative privileges, other than the built-in Administrator.
NOTE: Before Safeguard for Privileged Passwords can change local account passwords on
Safeguard for Privileged Passwords 2.11.1 Administration Guide Troubleshooting
540
�Windows systems, using a member of an administrators group other than built-in Administrator, you must change the local security policy to disable User Account Control (UAC) Admin Approval Mode (Run all administrators in Admin Approval Mode) option.
To configure Windows assets to change account passwords 1. Run secpol.msc from the Run dialog, -ORFrom the Windows Start menu, open Local Security Policy. 2. Navigate to Local Policies | Security Options. 3. Disable the User Account Control: Run all administrators in Admin Approval Mode option. 4. Restart your computer.
For more information, see Preparing Windows systems on page 535.
Incorrect authentication credentials
You must have the correct user name and password to authenticate to an asset.
To resolve incorrect service account credentials 1. Verify the service account credentials match the credentials in Safeguard for Privileged Passwords asset information (Administrative Tools | Assets | Connection). For more information, see About service accounts on page 193. 2. Perform Test Connection to verify connection. For more information, see About Test Connection on page 194. 3. Attempt to check, change, and set password again. For more information, see Checking, changing, or setting an account password on page 156.
Missing or incorrect SSH host key
If a Safeguard for Privileged Passwords asset requires an SSH host key and does not have one, Safeguard for Privileged Passwords will not be able to communicate with the asset. For more information, see Certificate issue on page 556.
To resolve missing SSH host keys To verify that an asset has an SSH host key, select the asset and look under Connection on the General view. If there is no SSH Host Key Fingerprint displayed, you need to add one.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Troubleshooting
541
�To add an SSH host key 1. Open the asset's Connection tab. 2. Choose any authentication type (except None) and enter required information. NOTE: You must enter the service account password again. 3. Click Test Connection. Test Connection verifies that the appliance can communicate with the asset. 4. Confirm that you accept the SSH host key. NOTE: To bypass the SSH host key verification and automatically accept the key, click the Auto Accept SSH Host Key option. 5. Click OK to save asset.
To resolve incorrect SSH host keys Safeguard for Privileged Passwords uses the following host key algorithms for key exchange:
l DSA l ECDSA l RSA To correct a mismatched SSH host key, run Test Connection.
No cipher supported error
If you receive an error message that says: There is no cipher supported by both: client and server, refer to Cipher support on page 556.
Service account has insufficient privileges
If you are having service account issues, consider the following: l Is the service account properly authorized to access the system? In a common setup, sudo is used to elevate the service account's privileges on the system. l Has the service account been locked out or disabled? l Is the service account configured to allow remote logon?
A service account needs sufficient permissions to edit the passwords of other accounts. For more information, see About service accounts on page 193.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Troubleshooting
542
�To resolve incorrect or insufficient service account privileges 1. Verify that the service account has sufficient permissions on the asset. 2. Perform Test Connection to verify connection. 3. Attempt to manually check, change, and set password again on the account that failed.
If the asset is running a Windows operating system, a local account password check, change, or set can fail when you are using an asset that is configured with a service account with Administrative privileges, other than the built-in Administrator. Before Safeguard for Privileged Passwords can change local account passwords on Windows systems, using a service account that is a non-built-in administrator, you must change the local security policy to disable the Run all administrators in Admin Approval Mode option. For more information, see Change password fails on page 540.
Cannot connect to remote machine through SSH or RDP
If you are unable to connect to a remote machine either through SSH or RDP, log in to the Safeguard for Privileged Passwords desktop client as an Appliance Administrator and check the Activity Center and logs for additional information. If you are using the embedded sessions module, you may also check:
l Ensure that the Network Interface X1 is configured correctly (Administrative Tools | Settings | Appliance | Networking). If one or more Safeguard Sessions Appliances are joined to Safeguard for Privileged Passwords, X1 is not available in Safeguard for Privileged Passwords.
l Ensure that you have installed the Privileged Sessions module license. (Administrative Tools | Settings | Appliance | Licensing).
Cannot delete account
If you are unable to delete an account, review the considerations below.
Wrong account name:
As an Asset Administrator, you may receive this error if you attempt to delete an account : This entity has access requests which have not yet expired or have to be reviewed. It cannot be deleted now. This error could indicate that Safeguard for Privileged Passwords is trying to change the password on an account that does not exist on the asset. One reason for this error message is that the wrong account name was used when adding the account to Safeguard. So now when someone requests the password for this account,
Safeguard for Privileged Passwords 2.11.1 Administration Guide Troubleshooting
543
�Safeguard displays the password that was manually set. However, when the requester attempts to log in to the asset using the bad account and password, it will fail. If the access request policy specified Change password after check-in, the above error message appears when the administrator tries to delete the account from Safeguard for Privileged Passwords. Workaround: To delete the account with the misspelled name, first manually set the password on the account. Once the account password is reset, Safeguard for Privileged Passwords will allow you to delete the account.
Cannot play session message
If you receive a message that says Cannot play session... The specified executable is not a valid application for this OS platform, you are most likely attempting to run the Desktop Player on a 32-bit platform, which is not supported.
Domain user denied access to Safeguard for Privileged Passwords
If you add a directory user who has the User must change password at next logon option enabled in Active Directory, Safeguard for Privileged Passwords prevents that user from logging in. There are two ways to allow the directory user to log in to Safeguard for Privileged Passwords successfully:
l Have the directory user use his domain account to log in to an asset joined to Active Directory. When prompted he can change his password. This fulfills the User must change password at next logon requirement. -OR-
l Have the domain administrator disable the option in Active Directory for the directory user.
LCD status messages
The Safeguard for Privileged Passwords 2000 Appliance has an LCD screen that displays the status of the appliance as it is starting and as it progress through certain operations. As it proceeds through its various stages, it displays the following LCD status messages. First boot setup refers to the initial configuration of Safeguard for Privileged Passwords, which normally happens at the factory when the appliance is deployed and after a factory reset.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Troubleshooting
544
�l Apply Update xx%: Shows the percentage completed as the appliance progresses through an update operation.
l Factory Reset xx%: Shows the percentage completed as the appliance progresses through a factory reset.
l First boot ... <version>: Displays after the first boot completes while it is waiting for Safeguard for Privileged Passwords to load.
l First Boot Setup xx%: Shows the percentage completed as the appliance is being configured for the first time.
l Preparing for first boot setup: Displays after a factory reset and before the appliance starts configured for the first time.
l Quarantine: Indicates the appliance in a Quarantine state. For more information, see What do I do when an appliance goes into quarantine on page 582.
l Starting core: Indicates that Safeguard for Privileged Passwords is being loaded.
l Starting database: Indicates that the Safeguard for Privileged Passwords database is being loaded.
l Starting reboot: Indicates the appliance is being rebooted.
l Starting services: Indicates that Safeguard for Privileged Passwords services are being loaded.
l Starting shut down: Indicates the appliance is being shut down.
l Starting web: Indicates that the web services are being loaded.
When the appliance is running, the LCD home screen displays: Safeguard for Privileged Passwords <version number>.
Appliance LCD and controls
The front panel of the Safeguard for Privileged Passwords 2000 Appliance contains the following controls for powering on, powering off, and scrolling through the LCD display.
l
Green check mark button: Use the Green check mark button to start the
appliance. Press the Green check mark button for NO more than one second to
power on the appliance.
CAUTION: Once the Safeguard for Privileged Passwords Appliance is booted, DO NOT press and hold the Green check mark button. Holding this button for four or more seconds will cold reset the power of the appliance and may result in damage.
l Red X button: Use the Red X button to shut down the appliance. Press and hold the Red X button for four seconds until the LCD displays POWER OFF.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Troubleshooting
545
�CAUTION: Once the Safeguard for Privileged Passwords Appliance is booted, DO NOT press and hold the Red X button for more than 13 seconds. This will hard power off the appliance and may result in damage.
l Down, up, left, and right arrow buttons: When the appliance is running, the LCD home screen displays: Safeguard for Privileged Passwords <version number>. Use the arrow buttons to scroll through the following details:
l Serial: <appliance serial number>
l X0: <appliance IP address>
l X1: <IP address of the sessions module interface>
If one or more Safeguard Sessions Appliances are joined to Safeguard for Privileged Passwords, X1 is not available in Safeguard for Privileged Passwords.
l MGMT: <management IP address>
l MGMT MAC: <media access control address>
l IPMI: <IP address for IPMI>
Table 213: Appliance LCD and controls
Control
Description
Green check mark button
Use the Green check mark button to start the appliance. Press the Green check mark button for NO MORE THAN one second to power on the appliance.
CAUTION: Once the Safeguard for Privileged Passwords Appliance is booted, DO NOT press and hold the Green check mark button. Holding this button for four or more seconds will cold reset the power of the appliance and may result in damage.
Red X button
Use the Red X button to shut down the appliance. Press and hold the Red X button for four seconds until the LCD displays POWER OFF.
CAUTION: Once the Safeguard for Privileged Passwords Appliance is booted, DO NOT press and hold the Red X button for more than 13 seconds. This will hard power off the appliance and may result in damage.
Down, up, left, and right arrow buttons
When the appliance is running, the LCD home screen displays: l Safeguard for Privileged Passwords <version number>
Use the arrow buttons to scroll through the following details: l Serial: <appliance serial number> l X0: <appliance IP address>
Safeguard for Privileged Passwords 2.11.1 Administration Guide Troubleshooting
546
�Control
Description
l X1: <IP address of the sessions module interface> If one or more Safeguard Sessions Appliances are joined to Safeguard for Privileged Passwords, X1 is not available in Safeguard for Privileged Passwords.
l MGMT: <management IP address> l MGMT MAC: <media access control address> l IPMI: <IP address for IPMI>
My Mac keychain password was lost
The keychain in Macintosh OS X is the Apple password management system. A keychain can store all your passwords for applications, servers, and web sites, or even sensitive information unrelated to your computer, such as credit card numbers or personal identification numbers (PINs) for bank accounts. If you have added a Mac OS X system to Safeguard for Privileged Passwords, you may receive a message that says, The system was unable to unlock your login keychain. That is because Safeguard for Privileged Passwords automatically updates the account passwords on all managed systems based on the policies your Security Policy Administrator has configured, but it does not update the keychain password.
Password fails for Unix host
Some Unix systems silently truncate passwords to their maximum allowed length. For example, Macintosh OS X only allows a password of 128 characters. If an Asset Administrator creates a profile with an Account Password Rule that sets the password length to 136 characters, when Safeguard for Privileged Passwords changes the password for an account governed by that profile, the asset's operating system truncates the new password to the allowable length and does not return an error; however, the full 136character password is stored in Safeguard for Privileged Passwords. This causes the following issues:
l Check Password for that account will fail. When Safeguard for Privileged Passwords compares the password on the Unix host with the password in Safeguard for Privileged Passwords, they never match because the Unix host truncated the password generated by Safeguard for Privileged Passwords.
l A user will not be able to log in to the Unix host account successfully with the password provided by Safeguard for Privileged Passwords unless they truncate the password to the allowable length imposed by the operating system.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Troubleshooting
547
�Password is pending a reset
If a user receives a persistent message that states either of the following, the account password is stuck in a pending password change state:
l You cannot checkout the password for this account while another request is pending password reset
l This account has password requests which have not yet expired or have to be reviewed. It cannot be deleted now"
Possible solutions: l Ensure that the service account for the asset associated with this account is working. Then manually change the account password. For more information, see Checking, changing, or setting an account password on page 156. l Or, if the service account for the asset is working properly and the policy governing the account allows emergency access and has enabled multiple users simultaneous access, you can instruct the user to request the password using Emergency Access.
You can allow new access requests whether a prior request is approved or not approved. In other words, no requests will be blocked based on the approval status of a prior request. Setting the Pending reviews do not block access check box only pertains to future requests. For more information, see Reviewer tab on page 274.
Related Topics
Password is pending review
Profile did not run
The password management settings Settings | Access Request | Enable or Disable Services enable the automatic profile check and change schedules in partitions. Ensure the password management settings are enable for profiles to run on schedule:
l Check Password Management Enabled l Change Password Management Enabled For more information, see Enable or Disable Services (Access and management services) on page 301.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Troubleshooting
548
�Recovery Kiosk (Serial Kiosk)
Safeguard for Privileged Passwords provides a Recovery Kiosk (Serial Kiosk) with the following options.
l Appliance information: Allows you to view basic appliance information. l Power options: These options allow you to remotely restart or shut down the
appliance. l Admin password reset: Allows you to reset the Bootstrap Administrator's password
to its initial value. l Factory reset from the Recovery Kiosk: Allows you to recover from major problems
or to clear the data and configuration settings on the appliance. Factory reset is not available for virtual appliances, like Azure. Virtual appliances are backed up and can be recovered. For more information, see Virtual appliance backup and recovery on page 56.
CAUTION: Care should be taken when performing a factory reset against a physical appliance, because this operation removes all data and audit history, returning it to its original state when it first came from the factory. The appliance must go through configuration again as if it had just come from the factory. For more information, see Setting up Safeguard for Privileged Passwords for the first time on page 58. In addition, performing a factory reset may change the default SSL certificate and default SSH host key.
l Support bundle: Allows you to generate and send a support bundle to a Windows share.
To start the Recovery Kiosk On the terminal or laptop running the Recovery Kiosk, you must configure your serial port settings as follows:
1. Connect a serial cable from a laptop or terminal to the serial port on the back of the appliance marked with |0|0|.
2. On the laptop or terminal, configure the serial port settings as follows: l Speed: 115200 l Data bits: 8 l Parity: None l Stop bit: 1
3. These options display on the Recovery Kiosk screen: l Appliance Information l Power Options
Safeguard for Privileged Passwords 2.11.1 Administration Guide Troubleshooting
549
�l Reboot l Shut Down l Admin Password Reset l Factory Reset (Not available for Azure.) l Support Bundle 4. Use the up-arrow and down-arrow to select one of these options. 5. Use the right-arrow to initiate the option. 6. Use the left-arrow to return to the option.
Kiosk keyboard shortcuts
Safeguard for Privileged Passwords provides these keyboard shortcuts. If you make the window too small to accommodate the kiosk elements, Safeguard for Privileged Passwords tells you how to readjust the window size.
l Ctrl + D: Resets the kiosk to its original state. Clears challenges and options.
CAUTION: When resetting the Bootstrap Administrator's password or performing a factory reset, if you reset the kiosk before you receive the response from One Identity Support, you must submit a new challenge.
l Ctrl + R: Re-draws the kiosk to fit a resized window. If you resize the window, press Ctrl + R to reorganize the kiosk elements to fit properly into the newlysized window.
Appliance information
Use the Appliance Information option on the Recovery Kiosk to view basic appliance information and edit the IP addresses. If you are using Azure, configure the SPP VM with a static IP address in Azure. If you need to change the IP address of the Safeguard appliance, or if it changes due to dynamic configuration in Azure, and the appliance is part of a cluster, the appliance will automatically reset to Standalone Read-only mode on the next boot (effectively leaving the cluster). The Administrator can join the appliance back to the cluster.
To view or edit the appliance information 1. From the Recovery Kiosk, select the Appliance Information option. 2. Right-arrow to see: l Appliance State: The appliance's current state. l Uptime: The amount of time (hours and minutes) the appliance has been running.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Troubleshooting
550
�l MGMT (not used for Azure): The management host's network interface properties, including the MAC address and IPv4 (and optionally IPv6) properties.
l X0: The network interface properties for the primary interface that connects your appliance to the network, including the MAC address and IPv4 (and optionally IPv6) properties.
l X1 (not available of a Safeguard Sessions Applianc is joined): The network interface properties used for the embedded sessions module, including the MAC address and IPv4 (and optionally IPv6) properties.
3. To change the network properties for the primary interface (x0) or session interface (X1), if available, click Edit next to the appropriate heading. Clicking Edit displays the network interface properties which can be modified. If you are using Azure, the IP address cannot be changed.
4. After editing the network interface properties, click Submit. Once the updates are completed, a Network interface update request accepted message is displayed.
Power options
Use the power options in the Recovery Kiosk to remotely restart or shut down the physical appliance or Azure virtual deployment.
l You can use the Reboot option in the Recovery Kiosk to restart the appliance. Reboot from the Recovery Kiosk if you cannot access the Safeguard for Privileged PasswordsWindows desktop client, web client, or API to restart the appliance using the normal procedures. Reboot the Azure virtual deployment.
l You must use the Shut Down option in the Recovery Kiosk to shutdown the physical appliance or Azure virtual deployment.
Rebooting the appliance
Restarting the appliance from the Recovery Kiosk is available. If you cannot access the Safeguard for Privileged Passwords Windows desktop client, web client, or API to restart the appliance using the normal procedures, you can restart the appliance or Azure VM from the Recovery Kiosk.
To reboot the appliance
1. From the Recovery Kiosk, select the Power Options | Reboot option. 2. Press the right arrow. 3. When prompted, select Yes to start the reboot or No to return to the main
option screen.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Troubleshooting
551
�Shutting down the appliance
Shutting down the appliance from the Recovery Kiosk is available. You must use the Recovery Kiosk to manually shutdown the Safeguard for Privileged Passwords 2000 Appliance. You can also shut down the Azure virtual machine deployment.
To shut down the appliance 1. From the Recovery Kiosk, select the Power Options | Shut Down option. 2. Press the right arrow. 3. When prompted, select Yes to shut down the appliance or No to return to the main option screen.
Admin password reset
If your Bootstrap Administrator's password is locked out when using the hardware appliance or Azure virtual deployment, you can reset it to the initial password.
NOTE: If a user has not logged onto Safeguard for Privileged Passwords for a set number of days, Safeguard for Privileged Passwords disables the user account. This is set using the Disable After setting in Administrative Tools | Settings | Safeguard for Privileged Passwords Access | Login Control.
To reset the Bootstrap Administrator's password 1. From the Recovery Kiosk, select the Admin Password Reset option. 2. Press the right arrow. 3. At id, enter your identification and press the Tab key (or down arrow). 4. At Get Challenge, press the Enter key. Safeguard for Privileged Passwords produces a challenge. 5. Copy and paste the challenge and send it to One Identity Support. 6. When you get the response from One Identity Support, copy and paste the response into the kiosk screen and select Reset Password. l A challenge response is only good for 48 hours. l Do not navigate away from the page or refresh during a challenge response operation. Doing so will invalidate the challenge response.
One Identity Support resets the Bootstrap Administrator's password back to Admin123. NOTE:Best practice: To keep your appliance secure, change the default password for the Bootstrap Administrator's account.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Troubleshooting
552
�Factory reset from the Recovery Kiosk
There is a Factory Reset selection in the Recovery Kiosk. Factory Reset allows you to reset a Safeguard for Privileged Passwords hardware appliance to recover from major problems or to clear the data and configuration settings on the appliance. Factory reset is not an option for virtual appliances. You will need to redeploy the appliance.
CAUTION: Care should be taken when performing a factory reset against a physical appliance, because this operation removes all data and audit history, returning it to its original state when it first came from the factory. The appliance must go through configuration again as if it had just come from the factory. For more information, see Setting up Safeguard for Privileged Passwords for the first time on page 58. In addition, performing a factory reset may change the default SSL certificate and default SSH host key.
Factory reset on a clustered appliance
Performing a factory reset on a clustered hardware appliance will not automatically remove the appliance from a cluster. The recommended best practice is to unjoin an appliance from the cluster before performing a factory reset on the appliance. After the unjoin and factory reset, the appliance must be configured again. For more information, see Setting up Safeguard for Privileged Passwords for the first time on page 58.
To perform a factory reset from the Recovery Kiosk
1. To perform a hardware factory reset, go to the Recovery Kiosk. For more information, see Recovery Kiosk (Serial Kiosk) on page 549.
2. Select Factory Reset. 3. Press the right arrow. 4. At id, enter your email or name and press the Tab key (or down arrow). 5. At Get Challenge, press the Enter key. Safeguard for Privileged Passwords
produces a challenge. 6. Copy and paste the challenge and send it to One Identity Support.
l A challenge response is only good for 48 hours. l Do not navigate away from the page or refresh during a challenge response
operation. Doing so will invalidate the challenge response. 7. When you get the response from One Identity Support, copy and paste the response
into the kiosk screen and select Factory Reset.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Troubleshooting
553
�Support bundle
Prior to using the Support Bundle function, set up a Windows share where the support bundle is to be sent.
To generate a support bundle 1. From the Recovery Kiosk, select the Support Bundle option. 2. Press the right arrow. 3. Select the type of support bundle to be generated: l Support Bundle l Quarantine Bundle 4. When prompted, enter the following information: l Address: Enter the address of the Windows share (<IP Address>\<ShareName>) where the support bundle is to be saved. l User: Enter the user name to be used to access the Windows share. l Password: Enter the password associated with the specified user account. NOTE: If you set up the Windows share to allow anonymous access, you will not be prompted to enter a user name or password. 5. Select Copy to Share. When completed, a message appears stating that a support bundle has been sent to the specified share.
Replica not adding
If you receive a persistent message that says, An internal request has timed out... when you attempt to add an appliance to a cluster, ensure that the appliance is at the same version of Safeguard for Privileged Passwords as the primary. All members of a cluster must be the same.
System services did not update or restart after password change
If the system services do not update or restart after an automatic password change, first check your audit logs in the Activity Center.
NOTE: You can also check the Support bundle logs.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Troubleshooting
554
�If the audit logs do not adequately explain the problem, then check the options on the Change password tab of the profile that governs the service account. For more information, see Creating a profile on page 294. For service accounts that run system services or scheduled system tasks, verify the options on the profile's Change password tab that enable or disable automatic service update, or restart. You must update the Change Password Setting to change these options. For more information, see Change Password on page 421.
Test Connection failures
The most common causes of failure in Safeguard for Privileged Passwords are either connectivity issues between the appliance and the managed system, or problems with service accounts.For more information, see Connectivity failures on page 540. Disabling User Account Control (UAC) Admin Approval Mode on a remote host can also resolve Test Connection failures. For more information, see Change password fails on page 540. The following topics explain some possible reasons that Test Connection could fail.
l Test Connection failures on archive server: Learn how to resolve Test Connection failures for archive servers.
l Certificate issue: Learn how to resolve Test Connection failures for assets that require SSL.
l Cipher support: Learn about Safeguard for Privileged Passwords's cipher support. l Domain controller issue: Learn how Safeguard for Privileged Passwords manages
passwords for accounts on domain controllers. l Networking issue: Learn how to resolve system connectivity issues. l Windows WMI connection: Learn how to enable Safeguard for Privileged Passwords
to manage Windows assets.
Test Connection failures on archive server
There could multiple reasons why you receive an Unexpected copying error... when attempting to run Test Connection on an existing archive server. When you run Test Connection, Safeguard for Privileged Passwords adds a file named Safeguard_Test_Connection.txt to the Storage Path location of the archive server owned by the Account Name you entered when you created the archive server. To run Test Connection on an existing archive server with a new account name, you must first delete the existing Safeguard_Test_Connection.txt file.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Troubleshooting
555
�Certificate issue
If you are experiencing Test Connection failures for an asset that uses SSL, these are some possible causes:
l The asset's signing authority certificate has not been added to the Trusted Certificates store in Safeguard for Privileged Passwords.
l The signing authority's certificate has expired. l There is a name mismatch between the name given and the name on the
certificate of the asset. For more information, see Missing or incorrect SSH host key on page 541.
Cipher support
Both the Safeguard for Privileged Passwords client and the SSH server must support the same cipher. If you run Test Connection against an asset that uses SSH and there is no cipher supported by both the client and the server, Safeguard for Privileged Passwords displays an error message that says, Connecting to asset XXXXXXXXXXXXXXXXXX failed (There is no cipher supported by both: client and server). This means that during the setup of the asset connection, the Safeguard for Privileged Passwords client and the SSH server did not have matching ciphers for message encryption. In this case, you must modify the SSH server's configuration by adding at least one cipher supported by Safeguard for Privileged Passwords to the list of ciphers. Safeguard for Privileged Passwords supports these ciphers:
l 3des l 3des-ctr l aes128 l aes128-ctr l aes192 l aes192-ctr l aes256 l aes256-ctr l arcfour l arcfour128 l arcfour256 l blowfish l blowfish-ctr l cast128 l cast128-ctr
Safeguard for Privileged Passwords 2.11.1 Administration Guide Troubleshooting
556
�l des l idea l idea-ctr l none l serpent128 l serpent128-ctr l serpent192 l serpent192-ctr l serpent256 l serpent256-ctr l twofish128 l twofish128-ctr l twofish192 l twofish192-ctr l twofish256 l twofish256-ctr For example, if using an OpenSSH server with a default list of ciphers, you must add one or more of these ciphers in the OpenSSH's sshd_config file, and then restart the SSH server. For more information about OpenSSH ciphers, see http://www.openbsd.org/cgibin/man.cgi/OpenBSD-current/man5/sshd_config.5?query=sshd_config&sec=5.
Domain controller issue
Safeguard for Privileged Passwords does not manage passwords for accounts on domain controllers; Safeguard for Privileged Passwords manages passwords for accounts on a domain controller through a directory that hosts the domain controller. For more information, see Adding an account on page 147.
Networking issue
If you are having system connectivity issues, here are some things to consider: l Are there security rules on the network (such as firewalls or routers) that might be preventing this traffic? l Is traffic from Safeguard for Privileged Passwords routable to the network address of the managed system? l Are there any problems with cables, hubs, or switches, and so forth?
You could be experiencing network issues like these:
Safeguard for Privileged Passwords 2.11.1 Administration Guide Troubleshooting
557
�l Network outage l Router misconfiguration l Unplugged wire l Switch not working If Safeguard for Privileged Passwords suspends event notifications, try logging out and logging back in to re-subscribe to SignalR.
Windows WMI connection
To enable Safeguard for Privileged Passwords to manage Windows assets, you must configure your firewall to allow Windows Management Instrumentation (WMI).
Timeout errors causing operations to fail
If you experience any timeout errors, wait a few minutes and retry the operation. If you are performing clustering operations in the background, for example adding replicas to a cluster, wait for the cluser operations to complete before performing other operations in Safeguard for Privileged Passwords.
TIP: A timeout error can appear as a Request failed. A task was canceled. error message.
User locked out
If a user has not logged on to Safeguard for Privileged Passwords for a set number of days, Safeguard for Privileged Passwords disables the user account.
NOTE: This is set using the Disable After setting in Administrative Tools | Settings | Password Settings | Login Control. For more information, see Login Control on page 431.
Related Topics
Unlocking a user's account
Safeguard for Privileged Passwords 2.11.1 Administration Guide Troubleshooting
558
�User not notified
If a user did not receive an email notification, first check to see if you have set everything up in Safeguard for Privileged Passwords correctly for the email notifications to work properly. For more information, see Enabling email notifications on page 393.
Notification lists
Safeguard for Privileged Passwords does not dynamically maintain the email addresses for an escalation notification contact list. If you change a Safeguard for Privileged Passwords user's email address or delete a Safeguard for Privileged Passwords user after creating a policy, you must update the email addresses in escalation notification contact lists manually. For example, when you create a policy, you can indicate who to contact when emergency access has been used. If a user has changed an email address, the notification will not be received by that individual. Furthermore, if a user has been deleted from Safeguard for Privileged Passwords, the user will still receive the notification.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Troubleshooting
559
�25
Frequently asked questions
The following topics will help you find answers to some of your questions about managing Safeguard for Privileged Passwords:
How do I access the API How do I audit transaction activity How do I configure external federation authentication How do I manage accounts on unsupported platforms How do I modify the appliance configuration settings How do I prevent Safeguard for Privileged Passwords messages when making RDP connections How do I set up telnet and TN3270/TN5250 session access requests How do I set the appliance system time How do Safeguard for Privileged Passwords database servers use SSL What are the access request states What do I do when an appliance goes into quarantine What is required for Safeguard for Privileged Passwords, embedded sessions module Verifying syslog server configuration When does the rules engine run for dynamic grouping and tagging Why did the password change during an open request
Related Topics
Appliance settings Troubleshooting
Safeguard for Privileged Passwords 2.11.1 Administration Guide Frequently asked questions
560
�How do I access the API
Safeguard for Privileged Passwords (SPP) is built with an API-first design and uses a modernized API based on a REST architecture which allows other applications and systems. Every function is exposed through the API to enable quick and easy integration regardless of what want to do or which language your applications are written. There are even a few things that can only only be done via the Safeguard SPP API. The Safeguard for Privileged Passwords API tutorial is available on GitHub at: https://github.com/oneidentity/safeguard-api-tutorial.
Access the SPP API
Safeguard for Privileged Passwords has the following API categories:
l Core: Most product functionality is found here. All cluster-wide operations: access request workflow, asset management, policy management, and so on. https://<Appliance IP>/service/core/swagger/
l Appliance: RAppliance-specific operations, such as setting IP address, maintenance, backups, support bundles, appliance management. https://<Appliance IP>/service/appliance/swagger/
l Notification: Anonymous, unauthenticated operations. This service is available even when the appliance isn't fully online. https://<Appliance IP>/service/notification/swagger/
l Event: Specialized endpoint for connecting to SignalR for real-time events. https://<Appliance IP>/event/notification/swagger/
l a2a: Application integration specific operations. Fetching passwords, making access requests on behalf of users, and so on. https://<Appliance IP>/a2a/notification/swagger/
You must use a bearer token to access most resources in the API. When using the Swagger web UI (as referenced in the URLs above), click the Authorize button at the top of each page and log in using the web UI. The Swagger web UI adds the bearer token to each API request automatically. However, if you are manually making the API request or writing your own application/script, perform the following two steps to obtain a bearer token.
1. You must first authenticate using the OAuth 2.0 Resource Owner Password Credentials or Client Credentials grant types. An example of the former is: POST https://<ApplianceIP>/RSTS/oauth2/token Host: <ApplianceIP> Content-Type: application/json Accept: application/json
Safeguard for Privileged Passwords 2.11.1 Administration Guide Frequently asked questions
561
�{ "grant_type": "password", "username": "<Username>", "password": "<Password>", "scope": "rsts:sts:primaryproviderid:local"
} Where:
l grant_type is required and must be set to password. l username is required and set to the user account you want to log in as. l password is required and set to the password associated with the username. l scope is required and set to one of the available identity provider's scope ID.
The value shown in the example request, rsts:sts:primaryproviderid:local, is the default value available on all Safeguard for Privileged Passwords Appliances. User accounts that you create in Safeguard for Privileged Passwords directly (that is, not an Active Directory or LDAP account) will most likely have this scope value.
NOTE: The list of identity providers is dynamic and their associated scope ID can only be obtained by making a request to: https://<ApplianceIP>/service/core/v2/AuthenticationProviders and parsing the returned JSON for the RstsProviderScope property. If you wish to authenticate using a client certificate, you must use the OAuth 2.0 Client Credentials grant type in which your certificate is included as part of the SSL connection handshake and the Authorization HTTP header is ignored. Set the scope to rsts:sts:primaryproviderid:certificate or any other identity provider that supports client certificate authentication.
POST https://<ApplianceIP>/RSTS/oauth2/token Host: <ApplianceIP> Content-Type: application/json Accept: application/json
{ "grant_type": "client_credentials", "scope": "rsts:sts:primaryproviderid:certificate"
} 2. After successfully authenticating, your response will contain an access_token that
must be exchanged for a user token to access the API. POST https://<ApplianceIP>/service/core/v2/Token/LoginResponse
Safeguard for Privileged Passwords 2.11.1 Administration Guide Frequently asked questions
562
�Host: <ApplianceIP> Content-Type: application/json Accept: application/json
{ "StsAccessToken": "<access_token from previous response>"
} You should now have an authorization token to be used for all future API requests. The token is to be included in the HTTP Authorization header as a Bearer token like this:
Authorization: Bearer <UserToken value> For example:
GET https://<ApplianceIP>/service/core/v2/Users/-2 Host: <ApplianceIP> Accept: application/json Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1Ni... NOTE: The token will expire in accordance to the Token Lifetime setting that is configured in Safeguard for Privileged Passwords (Settings | Safeguard Access | Login Control) at the time the token was issued.
How do I customize the response using API query parameters
You can use the following API query parameters to customize the response returned from the API.
The following output parameters allow you to define the property names to be included and the property names to be used for sorting.
Table 214: API query filtering: Output
Output Example
Description/Notes
fields GET /Users?fields=FirstName,LastName
List of property names to be included in the output.
orderby Get /AssetAccounts?orderby=-AssetName,Name List of property names to be used to sort the output.
Implies descending order.
The following paging parameters allow you to include an item count, the starting page, and the number of items per page.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Frequently asked questions
563
�Table 215: API query filtering: Paging Paging Example count GET /Assets?count=true
page & GET /DirectoryAccounts?page=3&limit=100 limit
Description/Notes
Indicates, True or False, whether to return a single integer value representing the total number of items that match the given criteria.
page defines which page (starting with 0) of data to return.
limit defines the size of the page data.
The following operators can be used to filter the results.
Table 216: API query filtering: filter parameter
Operator Example
Description/Notes
eq
GET /AssetAccounts?filter=Name eq
'George'
equal to
ne
GET /Users?filter=LastName ne 'Bailey' not equal to
gt
GET /Assets?filter=Id gt 10
greater than
ge
GET /Assets?filter=Id ge 10
greater than or equal to
lt
GET /Assets?filter=Id lt 10
less than
le
GET /Assets?filter=Id le 10
less than or equal to
and
GET /UserGroups?filter=(Id eq 1) and
both operands return true
(Name eq 'Angels')
or
GET /UserGroups?filter=(Id eq 1) or (Name at least one operand returns
eq 'Bedford')
true
not
GET /UserGroups?filter=(Id eq 1) and not narrows the search by excluding
(Name eq 'Potters')
the "not" value from the results
contains GET /Users?filter=Description contains 'greedy'
contains the word or phrase
q
GET /Users?q=bob
q can be used to search across text properties; means "contains" for all relevant properties.
in
GET /Users?filter=UserName in [ 'bob', property values in a predefined
'sally', 'frank']
set
Safeguard for Privileged Passwords 2.11.1 Administration Guide Frequently asked questions
564
�When using the filter parameter, you can use parenthesis () to group logical expressions. For example, GET/Users?filter=(FirstName eq 'Jane' and LastName eq 'Smith') and not Disabled When using the filter parameter, use the backward slash character (\) to escape quotes in strings. For example: Get/Users?filter=UserName contains '\''
How do I audit transaction activity
The appliance records all activities performed within Safeguard for Privileged Passwords. Any administrator has access to the audit log information; however, your administrator permission set determines what audit data you can access. For more information, see Administrator permissions on page 507. Safeguard for Privileged Passwords provides several ways to audit transaction activity:
l Password Archive: Where you access a previous password for an account for a specific date. For more information, see Viewing password archive on page 157.
l Check and Change Log: Where you view an account's password validation and reset history. Access the Check and Change Log from Accounts. For more information, see Accounts on page 138.
l History: Where you view the details of each operation that has affected the selected item.Each of the Administrative Tools has a History tab. For more information, see History tab (account) on page 145.
l Activity Center: Where you can search for and review any activity for a specific time frame. For more information, see Activity Center on page 90.
l Workflow: Where you can audit the transactions performed as part of the workflow process from request to approval to review for a specific access request. For more information, see Auditing request workflow on page 98.
l Reports: Where you can view and export entitlement reports that show you which assets and accounts a selected user is authorized to access. For more information, see Reports on page 100.
How do I configure external federation authentication
Safeguard for Privileged Passwords supports the SAML 2.0 Web Browser SSO Profile, allowing you to configure federated authentication with many different Identity Provider STS servers and services, such as Microsoft's AD FS. Through the exchange of the federation metadata, you can create a trust relationship between the two systems. Then, you will create a Safeguard for Privileged Passwords user account to be associated with the federated account.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Frequently asked questions
565
�Safeguard supports both Service Provider (SP) initiated and Identity Provider (IdP) initiated logins. For SP initiated, the user will first browse to Safeguard and choose External Federation as the authentication provider. After entering just their email address, they will be redirected to the external STS to enter their credentials and perform any two-factor authentication that may be required by that STS. After successful authentication, they will be redirected back to Safeguard for Privileged Passwords and logged in. This works in both a web browser and the Safeguard desktop client application. For IdP initiated logins, a user will first go to their IdP STS and authenticate. Typically, the customer will have configured Safeguard as an application within their STS, allowing the user to just click on a link or icon and be redirected to Safeguard, automatically being logged in without having to enter any further credentials. Note, IdP initiated logins only work in the web browser, not the Safeguard desktop client application.
NOTE: Additional two-factor authentication can be assigned to the associated Safeguard for Privileged Passwords user account to force the user to authenticate again after being redirected back from the external STS. To use external federation, you must first download the federation metadata XML for your STS and save it to a file. For example, for Microsoft's AD FS, you can download the federation metadata XML from: https://<adfs server>/FederationMetadata/2007-06/FederationMetadata.xml.
How do I add an external federation provider trust
It is the responsibility of the Appliance Administrator to configure the external federation service providers in Safeguard for Privileged Passwords.
To add an external federation service provider
1. In Settings, select External Integration | Identity and Authentication.
2. Click Add then select External Federation. 3. In the External Federation dialog, supply the following information:
a. Name: Enter a unique display name for the external federation service provider. The name is used for administrative purposes only and will not be seen by end users. Limit: 100 characters
b. Realm: Enter a unique realm value, typically a DNS suffix, like contoso.com, that matches the email addresses of users intended to use this STS for authentication. A case-insensitive comparison will be used on this value when performing Home Realm Discovery. Wildcards are not allowed. Limit: 255 characters
Safeguard for Privileged Passwords 2.11.1 Administration Guide Frequently asked questions
566
�c. Federation Metadata File: Choose or enter the file path to the STS federation metadata file that you previously downloaded.
d. Download Safeguard for Privileged Passwords Federation Metadata: If you have not done so before, click the link to download a copy of Safeguard for Privileged Passwords's federation metadata XML. You will need this file when creating the corresponding trust relationship on your STS server.
NOTE: The federation metadata XML files typically contain a digital signature and cannot be modified in any way, including white space. If you receive an error regarding a problem with the metadata, ensure that it has not been edited.
How do I create a relying party trust for the STS
The process for creating the relying party trust in your STS (Security Token Service) will differ between applications and services. However, as stated earlier, you can download a copy of Safeguard for Privileged Passwords's federation metadata by clicking the link when you entered the STS information in Safeguard for Privileged Passwords. You can also download the Safeguard for Privileged Passwords federation metadata at any time using one of the following methods:
l Click Settings | External Integration | Identity and Authentication. Click Download Safeguard Federation Metadata.
l Download the file from the following URL:
https://<Safeguard for Privileged Passwords server>/RSTS/Saml2FedMetadata If the STS does not support importing federation metadata, but instead requires you to manually input values, you will typically need an App ID and Login or Redirect URL. Both of these values can be copied from the Safeguard for Privileged Passwords federation metadata XML file you downloaded.
l The App ID for Safeguard for Privileged Passwords will come from the entityID attribute of the <EntityDescriptor> element in the XML file.
l The Login or Redirect URL will come from the Location attribute of the <AssertionConsumerService> element within the <SPSSODescriptor> element. NOTE: Only the HTTP-POST binding is supported for this end point.
You must then configure or ensure that the STS returns the authenticated user's email address as a SAML attribute claim. The email address must appear in either the standard SAML email address claim or name claim:
l http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress l http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
If the emailaddress and name attribute claims are not present in the SAML assertion, the SAML Subject NameID can be used.
NOTE: Any other attributes or claims will be ignored.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Frequently asked questions
567
�The SAML Response or Assertion must be signed, but not encrypted. When the signing certificate used by your STS expires, you must update the metadata in Safeguard for Privileged Passwords by uploading a new copy of your STS's metadata file. Safeguard for Privileged Passwords will not automatically attempt to refresh the metadata.
NOTE: Your STS's metadata can contain more than one signing certificate to allow for a grace period between an expiring certificate and a new one. For further details regarding specific STS servers, see the following knowledge base articles on the One Identity support site:
l Configuring Microsoft's AD FS Relying Party Trust for Safeguard for Privileged Passwords: KB Article 233669
l Configuring Microsoft's Azure AD for Safeguard for Privileged Passwords: KB Article 233671
How do I add an external federation user account
It is the responsibility of either the Authorizer Administrator or the User Administrator to add an associated external federation Safeguard for Privileged Passwords user.
NOTE: You must add external federation service providers to Safeguard for Privileged Passwords before you can add external federation users. NOTE: No user information, such as first name, last name, phone number, email address, is ever imported from the STS claims token. You must enter that information manually when creating the user in Safeguard for Privileged Passwords if you need it.
To add a user
1. Navigate to Administrative Tools | Users. 2. In Users, click Add User from the toolbar. 3. In the User dialog, provide information in each of the tabs:
l Identity tab (add user): Where you define the identity provider and the user's contact information.
l Authentication tab (add user): Where you define the authentication provider, login name and password, if necessary.
l Location tab (add user): Where you set the user's time zone. l Permissions tab (add user): Where you set the user's administrator
permissions.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Frequently asked questions
568
�How do I manage accounts on unsupported platforms
Safeguard for Privileged Passwords makes it possible for you to manage passwords for accounts on unsupported platforms and not addressed by a Custom platforms.
You will use a profile with a manual change password setting. For example, you may have an asset that is not on the network. The manual change password setting allows you to comply with your company policies to change account passwords on a regular schedule without using the Safeguard for Privileged Passwords automatic change password settings. Safeguard for Privileged Passwords notifies you by email, toast notification, or both on a set schedule to change account passwords manually. You can then reset the password yourself, or allow Safeguard for Privileged Passwords to generate a random password according to the password rule selected in the profile.
IMPORTANT: After you change the password in Safeguard for Privileged Passwords you must remember to change the password on the account; Safeguard for Privileged Passwords does not do that automatically for you.
The following summarizes the general workflow for managing accounts on unsupported platforms.
To manage account passwords manually
1. Configure a profile with a manual change password setting and assign asset accounts to it. For more information, see Adding change password settings on page 422.
2. Ensure toast notifications or email notifications are properly configured. For more information, see Settings (desktop client) or Enabling email notifications.
3. When notified to change an account password, choose the Set Password option you prefer:
a. Generate Password - to have Safeguard for Privileged Passwords generate a new random password, that complies with the password rule that is set in the account's profile.
i. Click Generate Password to display the Password Change dialog.
ii. Click Show Password to reveal the new password.
iii. Click Copy to place the value into your copy buffer.
l log in to your device, using the old password, and change it to the password in your copy buffer.
iv. Click Success to change the password in the Safeguard for Privileged Passwords database.
b. Manual Password - to manually set the account password in the Safeguard for Privileged Passwords database.
i. Click Manual Password to display the Set Password dialog.
ii. Enter and save a new password.
OK updates the Safeguard for Privileged Passwords database.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Frequently asked questions
569
�iii. Set the account password on the physical device to synchronize it with Safeguard for Privileged Passwords.
How do I modify the appliance configuration settings
NOTE: This topic assumes you have already performed the initial appliance installation and configuration steps in the Safeguard for Privileged Passwords Appliance Setup Guide provided in the box with your hardware equipment.
(web client) To modify the appliance configuration settings 1. Log in to the Safeguard for Privileged Passwords web client using the Appliance
Administrator account.
2. Click Settings to go to the Settings: Appliance page.
3. Click Networking to configure the appliance. For more information, see Networking on page 318. a. On the Appliance Configuration page, configure the following: l Network (X0): Enter the DNS Server address information for your primary interface. l Sessions (X1): Configure the sessions interface. If one or more Safeguard Sessions Appliances are joined to Safeguard for Privileged Passwords, X1 is not available in Safeguard for Privileged Passwords. b. Click Save.
4. Click Time to enable and view information about the Network Time Protocol (NTP): a. Select Enable NTP. b. Set the primary and secondary NTP servers, if desired. c. The Last Sync Time is displayed. To view or hide details, click Show Last Sync Details or Hide Last Sync Details. For more information, see Time on page 321. d. Click Save.
(desktop client) To modify the appliance configuration settings 1. Log in using the Appliance Administrator account. 2. Navigate to Administrative Tools | Settings | Appliance.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Frequently asked questions
570
�3. Expand the Time pane to enable NTP and set the primary and secondary NTP servers. Click OK. For more information, see Time on page 321.
4. Expand the Appliance Information pane to change the appliance name. 1. To change the appliance's name, click Edit next to the Appliance Name.
5. Expand the Networking pane to add or modify DSN suffixes and to configure the network interface for the embedded sessions module for Safeguard for Privileged Passwords. For more information, see Networking on page 318. a. To change the DNS suffixes for your primary interface, click Edit next to the Network Interface X0 heading. l Enter the DSN suffixes to be used. l Click OK. b. To configure the sessions interface, click Edit next to the Network Interface X1 heading. If one or more Safeguard Sessions Appliances are joined to Safeguard for Privileged Passwords, X1 is not available in Safeguard for Privileged Passwords. l Enter the IP Address, netmask, and gateway information, and the DNS servers and suffixes. l Click OK.
How do I prevent Safeguard for Privileged Passwords messages when making RDP connections
When making an RDP connection, you may encounter two different certificate messages.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Frequently asked questions
571
�l Unsigned RDP file message
This message occurs when Remote Desktop Connection opens the RDP file that is downloaded when you click Play in the Safeguard for Privileged Passwords user interface. We are currently working on a solution that will allow Safeguard for Privileged Passwords to sign this RDP file to avoid this message. l Untrusted server certification message
Safeguard for Privileged Passwords 2.11.1 Administration Guide Frequently asked questions
572
�This message occurs when the workstation has not trusted the Safeguard for Privileged Passwords RDP Connection Signing Certificate.
NOTE: The IP address of the connecting server is that of the Safeguard appliance. To avoid this message, you must trust the RDP Connection Signing Certificate and certificates in its chain of trust or replace the current certificate with an enterprise certificate and chain of trust that is trusted. For more information on certificate chain of trust for Safeguard for Priviliged Passwords, see Certificate chain of trust on page 573. For more information on replacing the RDP Connection Signing Certificate, see Sessions Certificates on page 353. The join is initiated from Safeguard for Privileged Sessions. For details about the join steps and issue resolution, see the One Identity Safeguard for Privileged Sessions Administration Guide. One Identity recommends that you replace the entire configuration with your own trusted enterprise PKI. This would result in a structure such as:
l Your Root CA l Your Issuing CA l Your RDP Signing Certificate (from Safeguard CSR) l <Sessions module generated certificate>
The Root CA, Issuing CA, and RDP Signing Certificates can be distributed via Group Policy, Active Directory, or other distribution means.
Certificate chain of trust
The default certificate chain of trust configuration that ships with Safeguard for Privileged Passwords is generated from the SafeguardCluster root certificate.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Frequently asked questions
573
�Figure 4: Default certificate chain of trust
When setting up RDP Connection Signing, the certificate chain of trust also includes the certificate issued to Safeguard for Privileged Passwords for RDP, as illustrated below.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Frequently asked questions
574
�Figure 5: Default certificate chain of trust when setting up RDP Connection Signing
NOTES:
l The Safeguard for Privileged Passwords Cluster certificate must be added to the trusted root CA certificate store and the DefaultSessionRdpSigning certificate must be added to the intermediate CA certificate store of the workstations from which a session request is submitted.
l Once configured, RDP sessions from any cluster member will be trusted (thus avoiding the Untrusted server certification message) because the certificate for each Safeguard for Privileged Passwords cluster member is issued the DefaultSessionRdpSigning certificate.
l This also prevents receiving new messages should the IP address of the Safeguard for Privileged Passwords Appliance change.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Frequently asked questions
575
�How do I set up telnet and TN3270/TN5250 session access requests
Safeguard for Privileged Passwords (SPP) supports session access requests with mainframes using software terminal emulation including telnet and TN3270/TN5250 over telnet. Safeguard for Privileged Sessions (SPS) version 6.1 or higher is used for session recording. Actions
l Security officers can record activities of administrators who maintain critical systems running on IBM iSeries and mainframe computers.
l Asset Administrators can: l Customize the TN3270/TN5250 login screen field detection to work for the Safeguard custom login setup. l Mark an asset as supporting telnet sessions and specify if the asset is available.
l Policy Administrators can create an entitlement with an access policy that includes session access using telnet and TN3270/TN5250 sessions over telnet.
l Requesters' log in experience follows the regular client telnet or TN3270/TN5250 interface even when the session is being recorded. Sessions are not launched from Safeguard for Privileged Passwords and all required log in information is available through Safeguard for Privileged Passwords.
Steps for sessions access requests using telnet and TN3270/TN5250 over telnet
IMPORTANT: Assistance with One Identity Professional Services is required for help with configurations and installation including available plug-ins, policy creation, pattern files, shortcuts, and best practices.
SPS set up steps
Complete the following set up steps in Safeguard for Privileged Sessions (SPS). For operation details, see the One Identity Safeguard for Privileged Sessions Administration Guide: One Identity Safeguard for Privileged Sessions Administration Guide.
l Import the necessary plug-in to supply authentication and authorization (AA) and credential store (credstore) information to authenticate with and pull the credentials from SPP. The plug-in file and instructions are available at the Safeguard Custom Platform Home wiki on GitHub.
l Create and assign Pattern Sets that use pattern files specific to the log in experience for each connection. A pattern file describes the log in experience for a
Safeguard for Privileged Passwords 2.11.1 Administration Guide Frequently asked questions
576
�specific system. The pattern file may include the on-screen location of the user name, password field location, login result, descriptions, states, and other required detail. Because log in experiences vary from mainframe to mainframe, custom pattern files must be created, uploaded, and referenced by the system-related connection policy. Template pattern files and instructions are available at the Safeguard Custom Platform Home wiki on GitHub.
CAUTION: Template pattern files are provided for information only. Customized telnet and TN3270/TN5250 pattern files need to be created. Updates, error checking, and testing are required before using them in production.
l Specify each Authentication Policy and list the authentication methods that can be used in a connection.
l Create and configure each Connection Policy. Multiple connection policies are typically required because of the uniqueness of each system log on experience and related pattern file as well as the fact that inband destinations are not used for TN3270/TN5250 over telnet. For example, telnet can be used for inband destinations. However, inband destinations are not used for TN3270/TN5250 over telnet. Instead, a fixed address including the port and server can be identified which results in the need for a different connection policy for each mainframe. A fixed address in SPS includes the port used; the SPP asset port is not used in the connection but is usually the same.
l Export a configuration file, if desired.
l Configure basic settings for the SSH server, cluster interface, and cluster management.
SPP set up steps
Complete the following set up steps in Safeguard for Privileged Passwords (SPP).
l The Asset Administrator adds the mainframe asset including the Telnet Session Port that is identified on the Administrative Tools | Asset | Management tab. For more information, see Adding an asset on page 185.
l The Policy Administrator sets the Access Type (Telnet) on the Administrative Tools | Entitlements | Access Request Policies tab.
SPP requester steps
In SPP after all configuration is complete, the requester proceeds based on the terminal service application in use.
l For a terminal service application that uses an inband connection string (like telnet), click Copy to copy the Hostname Connection string and check out the password. Then, paste the information in the log in screen.
l If the terminal service application requires more information for log in (for example, TN3270/TN5250 over telnet):
Safeguard for Privileged Passwords 2.11.1 Administration Guide Frequently asked questions
577
�l Click Show to display values that may include Vault Address (the SPP address), a one-time Token, Username, Asset, and Sessions Module (the SPS address).
l Click Copy by any of the values to copy a single value. Or, you can click Copy at the right of all values to copy the entire the connection string, if that is required by your terminal service application.
l Paste the necessary information into your terminal service application. l Click Check-In to complete the password checkout process. This makes the
session request available to reviewers.
l Click Hide to conceal the information from view. NOTE: The user would copy an entire connection string if, for example, you have a launcher to take the connection string and launch the profile of the terminal service application.
How do I set the appliance system time
NOTE: Changing appliance time can result in unintended consequences with processes running on the appliance. For example, there could be a disruption of password check and change profiles and audit log time stamps could be misleading. TIP:As a best practice, set an NTP server to eliminate possible time-related issues. For more information, see Time on page 321.
To set the time on your appliance l Use the appliance API to change the appliance time (SystemTime). For information about using the API, see How do I access the API.
How do Safeguard for Privileged Passwords database servers use SSL
Some database servers use Secure Socket Layer (SSL) when communicating with Safeguard for Privileged Passwords. Depending on the platform type, version, and configuration, the database server can either use SSL for only encrypting the session or it can use SSL for encrypting and verifying the authenticity of the database server.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Frequently asked questions
578
�ODBC Transport
The following platforms use the ODBC transport. Safeguard for Privileged Passwords installs the appropriate software driver on the appliance to communicate with the platform. The configuration data that Safeguard for Privileged Passwords uses to initialize a connection with the server is in the form of a connection string consisting of a colonseparated list of driver-specific options.
By default, the database servers encrypt the login data, but not the subsequent data passed on the connection. You must configure SSL and enable it on the database server to enable encryption for the session data.
Microsoft SQL Server
MicrosoftSQL Server is always capable of encrypting the connection with SSL. It listens on a single port for both SSL and non-SSL connections.
If you have set the Force Encryption option to yes on the SQL server, then it uses SSL to encrypt the data, regardless of whether the Safeguard for Privileged Passwords client requests it or not.
You can set the Force Encryption option to yes on the SQL server without configuring a server certificate. In this case, the SQL server transparently generates a self-signed certificate to use when a Safeguard for Privileged Passwords client requests encryption. This makes it possible for the SQL server to use SSL only to provide encryption for the session without verifying the server certificate.
NOTE: It is not possible from within a running session to detect whether the SQL server is using SSL for encryption.
Table 217: Microsoft SQL Server SSL support
Safeguard for Privileged
Passwords Client Options
Microsoft SQL Server Configuration
Result
Use SSL Verify Force
Server
Encryption SSL Encryption
Cert
Cert
Configured
No
n/a
No
n/a
The SQL Server does not encrypt the
session.
Yes
No
n/a
No
Safeguard for Privileged Passwords requests that the SQL server encrypt the session using a generated selfsigned certificate.
Yes
No
n/a
Yes
Safeguard for Privileged Passwords
Safeguard for Privileged Passwords 2.11.1 Administration Guide Frequently asked questions
579
�requests that the SQL server encrypt the session using the server certificate.
Yes
Yes
n/a
No
The SQL server rejects the connection as there is no certificate to verify against.
Yes
Yes
n/a
Yes
Safeguard for Privileged Passwords
requests that the SQL server encrypt
the session and verify the server certi-
ficate against the trusted CA certi-
ficates in Safeguard for Privileged
Passwords.
MySQL Server
To support SSL you must compile the MySQL server software with SSL support and correctly configure it with a CA certificate and server certificate. If there is any problem with the certificate, the MySQL server may log an error and start up without SSL support. In this case the MySQL server rejects the request to enable SSL for a session as there is no certificate to verify against and does not encrypt the session. The MySQL server listens on a single port for both types of connections.
The behavior of the MySQL server depends on the server version and configuration. In some versions of MySQL, the server enables SSL by default on all Safeguard for Privileged Passwords client sessions once it is configured.
If the MySQL server defaults to using SSL, or requires SSL for a user, the MySQL server encrypts the session even if the Safeguard for Privileged Passwords client does not request it. However, the Safeguard for Privileged Passwords client cannot request to use SSL just for encryption; it can only request SSL if you have imported the correct CA certificate to Safeguard for Privileged Passwords.
NOTE: It is possible to detect that SSL is in use from within a session by examining the session variables. That is, the Safeguard for Privileged Passwords client can detect if a request to use SSL has not been honored and displays an error.
Table 218: MySQL Server SSL support
Safeguard for Privileged
Passwords Use SSL Encryption
Option
SSL Supported on MySQL
Server
Result
No
No
Unencrypted session.
No
Yes
Determined by the MySQL server. The server
encrypts the session if it defaults to using SSL or
Safeguard for Privileged Passwords 2.11.1 Administration Guide Frequently asked questions
580
�Safeguard for Privileged
Passwords Use SSL Encryption
Option
Yes
Yes
SSL Supported on MySQL
Server
Result
requires it for this user.
No
Safeguard for Privileged Passwords client detects
this and reports a failure.
Yes
Safeguard for Privileged Passwords requests that
the MySQL server encrypt the session and verity
the server certificate against the trusted CA certi-
ficate in Safeguard for Privileged Passwords
For more information, see Preparing MySQL servers on page 527.
Sybase ASE Server
To support SSL you must correctly configure the Sybase server with a CA certificate and server certificate. The Sybase server listens on different ports for SSL and non-SSL connections, and rejects a mismatched request from a Safeguard for Privileged Passwords client to a particular port.
The Safeguard for Privileged Passwords client cannot request to use SSL just for encryption; it can only request SSL if you have imported the correct CA certificate to Safeguard for Privileged Passwords.
Table 219: Sybase ASE Server SSL support
Safeguard for Privileged
Passwords Use SSL Encryption
Option
Sybase Server Listening Port Uses
SSL
Result
No
No
Unencrypted session.
No
Yes
The Sybase server rejects the connection attempt.
NOTE: The ODBC driver cannot detect that this is an SSL error and displays a client cannot connect error.
Yes
No
The Sybase server rejects the session with an SSL
error.
Yes
Yes
Safeguard for Privileged Passwords requests that
the Sybase server encrypt the session and verify
the server certificate against the trusted CA certi-
ficates in Safeguard for Privileged Passwords.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Frequently asked questions
581
�For more information, see Preparing Sybase (Adaptive Server Enterprise) servers on page 531.
What are the access request states
Safeguard for Privileged Passwords uses the following access request states, which change as a request steps through the workflow process.
Table 220: Access request states
State
Description
Available
Approved requests that are ready for the requester. That is, for password release requests, the requester can view or copy the password. For session access requests, the requester can launch the session.
Approved
Requests that have been approved, but the checkout time has not arrived.
Denied
Requests denied by the approver.
Expired
Requests for which the checkout duration has elapsed.
Pending
Requests that are waiting for approval.
Revoked
Approved requests retracted by the approver.
NOTE: The approver can revoke a request between the time the requester views it and checks it back in.
What do I do when an appliance goes into quarantine
Safeguard for Privileged Passwords hardware and virtual appliances can end up in a quarantine state if something goes wrong while doing certain activities. The best defense against losing data or compounding problems associated with quarantined appliances is a good and recent backup. For more information, see Backup and Retention settings on page 334. The appliance (at least one appliance in a clustered environment), should be set up to take a scheduled backup regularly, that should be saved to an archive server so that if something happens, you can recover with minimum downtime and loss.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Frequently asked questions
582
�Recovering from a quarantine state
1. Follow these steps to create a quarantine bundle from the Recovery Kiosk. For more information, see Recovery Kiosk (Serial Kiosk) on page 549.
a. Prior to using the Quarantine Bundle function, set up a Windows share where the quarantine bundle is to be sent.
b. From the Recovery Kiosk, select the Support Bundle option, click the right arrow, and select Quarantine Bundle.
c. Enter the following information:
l Address: Enter the address of the Windows share (<IP Address>\<ShareName>) where the support bundle is to be saved.
l If the Windows share is not anonymous, enter the User name and Password.
d. Click Copy to Share.
2. You can now restart the appliance. Often, a quarantine happens because the system was waiting for a response that did not return in time. Restarting the appliance allows it to retry and frequently fixes itself.
a. To restart a quarantined appliance, connect to the Recovery Kiosk for that appliance and restart it from there. Once the appliance has restarted, it will take several minutes for Safeguard for Privileged Passwords to start.
b. If you log into the appliance using the desktop client while Safeguard for Privileged Passwords is starting, you will see a Maintenance mode screen. At the end of the Maintenance mode, you will see a Restart Desktop Client button or the Quarantine warning.
i. If you see the Restart Desktop Client button, the restart successfully recovered the appliance and brought the appliance back in a healthy state.
ii. If the Quarantine warning appears, contact One Identity Technical Support and report the result.
NOTE:Clustered environment: If the quarantined appliance was the primary appliance, use the Failover option to reassign the primary appliance role to a healthy member of the cluster. For more information, see Failing over to a replica by promoting it to be the new primary on page 491.
To remove a quarantined appliance from a cluster
You may want to remove a quarantined appliance from a cluster.
1. First try to unjoin the replica appliance from the cluster. For more information, see Unjoining replicas from a cluster on page 483.
2. If unjoining the appliance fails, reset the cluster to remove the appliance from the cluster. For more information, see Resetting a cluster that has lost consensus on page 497.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Frequently asked questions
583
�Considerations for a factory reset of a hardware appliance
CAUTION: Care should be taken when performing a factory reset against a physical appliance, because this operation removes all data and audit history, returning it to its original state when it first came from the factory. The appliance must go through configuration again as if it had just come from the factory. For more information, see Setting up Safeguard for Privileged Passwords for the first time on page 58. In addition, performing a factory reset may change the default SSL certificate and default SSH host key.
One Identity Technical Support can determine if a factory reset is necessary. If a factory reset is the last option, you will need to Support to complete the operation.
1. To perform a factory reset, connect to the Recovery Kiosk and select the Factory Reset option. For more information, see Factory reset from the Recovery Kiosk on page 553. Once the factory reset is started, you must wait until it finishes (it could take up to 30 minutes to complete). When the factory reset is complete, the kiosk will return an Online indicator.
2. Once the factory reset is complete: a. Re-configure the network interface settings. b. Re-apply any patches you had installed. c. If this is an unclustered appliance, upload and restore the most recent backup to retrieve your data. For more information, see Restore on page 345. d. If the appliance was a member of a cluster, skip the restore step and join the appliance to the cluster as if it were a brand new appliance. For more information, see Enrolling replicas into a cluster on page 482.Safeguard for Privileged Passwords will take care of replicating all the data back to the appliance.
What is required for Safeguard for Privileged Passwords, embedded sessions module
NOTE: The embedded sessions module is not available when using a virtual appliance. Safeguard for Privileged Passwords embedded sessions module allows you to issue privileged access to users for a specific period or session and gives you the ability to record, archive, and replay user sessions so that your company can meet its auditing and compliance requirements. Before using Privileged Sessions, make sure the following settings and configuration are in place:
Safeguard for Privileged Passwords 2.11.1 Administration Guide Frequently asked questions
584
�l Appliance Administrator: l Ensure the embedded sessions module for Safeguard for Privileged Passwords is licensed (Settings | Appliance | Licensing). For more information, see Licensing on page 312. l Ensure the Network Interface X1 is configured (Settings | Appliance | Networking). For more information, see Networking on page 318. l Ensure the session request service is enabled (Settings | Access Request | Enable or Disable Services). For more information, see Enable or Disable Services (Access and management services) on page 301. l Safeguard for Privileged Passwords ships with default session certificates; however, it is recommended that you replace the default certificate with your own (Settings | Certificates | Session Certificates).For more information, see Sessions Certificates on page 353.
l Security Policy Administrator: Ensure there is an entitlement with an access request policy for both SSH and RDP sessions defined. For more information, see Entitlements on page 258.
l Ensure Remote Desktop is enabled for Windows machines that will use RDP. l Ensure the necessary SSH algorithms are configured for any Unix or Linux machines
that will use SSH. NOTE:Safeguard for Privileged Passwords ships with default SSH algorithms configured for Unix and Linux machines. To add new algorithms, use the API endpoint: https://<Appliance IP>/service/core/swagger/SessionsSSHAlgorithm
Related Topics
About sessions and recordings
Verifying syslog server configuration
Use the Send Test Event link located below the Syslog configuration table on the Syslog pane to verify your syslog server configuration. Navigate to Administrative Tools | Settings | External Integration | Syslog.
To validate your setup
1. When configuring your syslog server, on the Syslog dialog add the test event. 2. Back on the Syslog pane, select the syslog server configuration from the table, then
select Send Test Event. Safeguard for Privileged Passwords logs a test message to the designated syslog server.
NOTE: To log event messages to a syslog server, you must configure Safeguard for
Safeguard for Privileged Passwords 2.11.1 Administration Guide Frequently asked questions
585
�Privileged Passwords to send alerts. For more information, see Configuring alerts on page 108.
When does the rules engine run for dynamic grouping and tagging
Dynamic account groups are associated with rules engines that run when pertinent objects are created or changed. For example:
l Whenever you add or change an asset account, all applicable rules are reevaluated against that asset account.
l Whenever you change an asset account rule, the rule is reevaluated against all asset accounts within the scope of that rule. In other words, the rule is reevaluated against all asset accounts for grouping and the asset accounts within the designated partitions for tagging.
You can create a dynamic account group without any rules; however, no accounts will be added to this dynamic account group until you have added a rule. In large environments, there is a possibility that the user interface may return before all of the rules have been reevaluated and you may not see the results you were expecting. If this happens, wait a few minutes and Refresh the screen to view the results. Related topic: Adding a dynamic account group
Why did the password change during an open request
There are three ways a password can change while a user has it checked out. 1. An Asset Administrator manually changes the password. For more information, see Checking, changing, or setting an account password on page 156. 2. A profile was scheduled to automatically change the password. For more information, see Change Password on page 421. 3. A policy allows both simultaneous access and requires that the password change when a user checks it in.
If the password changes while a user has it checked out, and the current request is still valid, the user can select either Copy or Show Password again to obtain the new password.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Frequently asked questions
586
�Appendix A
Safeguard ports
Ap p e nd ix :
Safeguard for Privileged Passwords requires port availability for various system operations.
Port details
Safeguard network port details are in the following table.
Table 221: Safeguard ports
Use in SPP
Appliance Protocol Description port
MGMT
TCP
HTTPS used for a secure first-time configuration of the appliance. The IP address is a fixed address that cannot be changed. It is available in case the primary interface becomes unavailable.
Typically used: TCP/443 and IP address: 192.168.1.105
Base operation 25
TCP
SMTP: Simple Mail Transfer
Base operation 53
TCP / UDP
DNS (Domain Name Server)
Base operation 123
NTP time synchronization
Base operation 88
UDP
For communication with Active Directory, Safeguard uses port 88 (for example, Kerbos authorization against Active Directory).
Base operation 389 (AD Asset and Account Discovery, password check and change)
TCP
LDAP used for Active Directory Asset
Discovery and Directory Accounts Discovery.
The standard global catalog port, 3268 (LDAP),
must be open on the firewall for every
Windows global catalog server in the
environment and SPP Appliance to
Safeguard for Privileged Passwords 2.11.1 Administration Guide Appendix: Safeguard ports
587
�Use in SPP
Base operation (password check and change) LDAPS WMI
Appliance Protocol Description port
communicate for directory management tasks (for example, adding a directory account, a directory user account, or a directory user group). LDAP uses port 389 for unencrypted connections. For more information, see the Microsoft publication How the Global Catalog Works.
For basic functionality when changing an OS account password, the following ports are required:
l Windows Active Directory: TCP/389 and TCP/445
l Windows, Windows Desktop: TCP/445
Also see:
l Adding identity and authentication providers
l Preparing Windows systems
l Port 445
445
TCP SMB NetLogon Service (NP-In) is used to perform
password check and changes for Windows
Active Directory and Windows, Windows
Desktop. Also see port 389 and Preparing
Windows systems
636
Supported for non-AD LDAP providers. The
default LDAPS port is 636. Port 636 needs to
be open to use LDAPS for non-AD LDAP
providers.
135
TCP
(49152-
65535
Windows)
The firewall must be configured to allow Windows Management Instrumentation (WMI) for computer name and other lookups. WMI is also required if SPP performs any of the functions listed below on any Windows machine (whether it be a dependent system or a normal target platform):
l Managing service account passwords l Managing scheduled task passwords l Restarting a service l Using Account Discovery on the target
Safeguard for Privileged Passwords 2.11.1 Administration Guide Appendix: Safeguard ports
588
�Use in SPP
Appliance Protocol Description port
l Recording using embedded sessions
WMI / DCOM from DPA will need access to TCP/135 to initiate communication on the target. The conversation continues on a random negotiated port. On Windows 7 and Windows 2008 (and above) this is in the range: 49152 - 65535.
To limit the ports used by WMI/DCOM, refer to these Microsoft articles:
l How to configure RPC dynamic port allocation to work with firewalls
l Setting Up a Fixed Port for WMI
For Windows Active Directory, if using Account Discovery or Auto Discovery CLDAP ping UDP/389 is also required. See:
l Preparing Windows systems l Networking
WMI
4915265535
See port 135
Archiving
22
TCP (X0)
The Secure Shell (SSH) Protocol for SFTP/SCP transfers backups and session recordings to the archive server for the SPP embedded sessions module.
See:
l Assets, Management tab (add asset)
l Authenticating an asset, Password (local service account)
Embedded sessions
22 and 3389
TCP (X1)
RDP (3389/TCP) is permitted inbound for PSM RDP sessions (SPP embedded sessions module). Users who will use the embedded session require access to the cluster X1 ports on port 3389 to make an RDP connection to the target system and to port 22 for SSH connections. See: KB article 262371.
SPP/SPS
8649
internal commu-
nications
TCP
Used for the SPP/SPS internal communications
when SPS is joined with SPP.
l SPS to SPP:
Safeguard for Privileged Passwords 2.11.1 Administration Guide Appendix: Safeguard ports
589
�Use in SPP
Firewall
Firewall and Client and Web browser points
Appliance Protocol Description port
l SPS completes the join by talking to SPP on port 8649.
l SPS authenticates a new session and acquires the password from SPP by talking on port 8649.
l SPS queries SPP for cluster information and the appliance version.
l SPP to SPS:
l SPP queries SPS for cluster information and node roles.
l SPP pushes SSH host keys to SPS when a session is initiated.
l SPP queries SPS for session playback, follow mode, and session termination.
In SPS, the nodes require UDP ports 500 and 4500 and TCP 8649. For the latest detail, see the SPS Administration Guide, Enabling cluster management.
655
TCP /
TINC (655) is open for secure VPN
UDP (X0) communication between appliances in a
clustered high-availability configuration. TINC
perfers UDP and uses TCP if UDP is unreliable.
See KB article 232671.
To enroll an appliance into a cluster, the appliance must communicate over port 655 UDP/TCP and port 443 TCP, and must have IPv4 or IPv6 network addresses (not mixed). See:
l KB article 232289 l KB article 252260 l KB article 232671 l Cluster settings l Enrolling replicas into a cluster
443
TCP
HTTPS over TLS/SSL (443/TCP) permits
(X0)
inbound requests (for client/Web/API access). Used to initially log on to the appliance to join
the cluster member. Users must have access
Safeguard for Privileged Passwords 2.11.1 Administration Guide Appendix: Safeguard ports
590
�Use in SPP
Appliance Protocol Description port
to the cluster X0 ports on port 443.
To enroll an appliance into a cluster, the appliance must communicate over port 655 UDP/TCP and port 443 TCP, and must have IPv4 or IPv6 network addresses (not mixed). See:
l KB article 232289 l KB article 252260 l KB article 232671 l KB article 229909 (Starling related
endpoint)
The port is used to prepare VMware ESXi host. See:
l Preparing VMware ESXi hosts
Global catalog 3268
The LDAP standard global catalog port for Active Directory. The standard global catalog port, 3268 (LDAP), must be open on the firewall for every Windows global catalog server in the environment and SPP Appliance to communicate for directory management tasks (for example, adding a directory account, a directory user account, or a directory user group). LDAP uses port 389 for unencrypted connections. For more information, see the Microsoft publication How the Global Catalog Works. Also see:
l Adding an account l Adding a directory user group
There are no services listening for this port on a member/server workstation (local configuration).
Kiosk
DB9
SERIAL
To connect to the Safeguard Kiosk. See KB article 233584.
Radius server 1812
Default port number that a Radius server uses to listen for authentication requests. See Adding identity and authentication providers.
SonicWALL SMA 8443
TCP/ UDP For SonicWALL SMA or CMS appliance. See
Safeguard for Privileged Passwords 2.11.1 Administration Guide Appendix: Safeguard ports
591
�Use in SPP or CMS appliance SQL server
Telnet
Appliance Protocol Description port
information related to authenticating an asset, Password (local service account).
1433
The port on which the SQL server will be listening for connections. See information related to authenticating an asset, Password (local service account).
23
TCP
Telnet
Platform ports
ACF2 23 ACF2 LDAP 389 AIX 22 AWS 443 Cent OS 22 Cisco Pix 22 Debian 22 IDRAC 22 ESXi - 443 default F5 - 22 default Facebook (deprecated) - 443 Fortinet 22 default Free BSD 22 HP iLO IBM i 23 JunOS 22 MongoDB - https://docs.mongodb.com/manual/reference/default-mongodb-port/ MySQL 3306 Oracle 1521 Oracle Linux 1521 OSX 22 Other port is not supported for the platform Other Managed - port is not supported for the platform Other Linux 22 Pan OS 22
Safeguard for Privileged Passwords 2.11.1 Administration Guide Appendix: Safeguard ports
592
�PostgreSQL 5432 default RACF 23 RACF LDAP 389 RHEL 22 SAP Hana 39013 default SAP Netweaver 3300 Solaris 22 SoniOS 22 SonicWall SMA 22 SQL 1433 SUSE 22 SyBase 5002 Top Secret 23 Top Secret LDAP 389 Twitter (deprecated) 443 Ubuntu 22 Windows (various depanding on OS type) 135/389/445 and maybe dynamic ports
Archiving
Archiving uses uses SFTP/SCP and CIFS. l SFTP/SCP: 22 TCP (X0). See the Port details table, appliance port 22 for X0. l CIFS: Uses UDP ports 137 and 138 and TCP ports 139 and 445.
Backup
Same as Archiving.
External Authentication
Federation Port 443 Secondary Auth Radius Port 1812 Starling - Port 443
External Integration
SNMP Port 162 UDP SMTP - Port 25 TCP Simple Mail Transfer
Safeguard for Privileged Passwords 2.11.1 Administration Guide Appendix: Safeguard ports
593
�SysLog 514 UDP
External Integration for Password Workflow
Approval Anywhere - 443 Ticketing ServiceNow 443 Ticketing - Remedy 1433 (communicates to the SQL server directly)
Other
NTP port 123 UDP Directories Ports 389 LDAP and 3268 global catalog
Safeguard for Privileged Passwords 2.11.1 Administration Guide Appendix: Safeguard ports
594
�Appendix B
SPP 2.7 or later migration guidance
Ap p e nd ix :
Safeguard for Privileged Passwords version 2.7 was simplified to allow for a separation of duties based only on identity management, asset management, access policy configuration, and appliance maintenance. In the migration to version 2.7 or later, greater flexibility is realized through these high-level assignments:
l Directories are migrated to assets. l Accounts include both directory accounts and asset accounts. l Each directory is assigned its own partition in the migration to version 2.7 or later.
The following information details the changes from version 2.6 to version 2.7 or later. The same information is generally true if you are upgrading from version 2.1 forward to version 2.7 or later.
Before you migrate
l Make sure you back up before migrating to version 2.7 or later. l Be sure you have data you want to migrate and perform general clean up. For
example, if you have entities that are not needed, remove them before migrating. l Complete as many outstanding Access Requests as possible. This is especially
important for Active Directory Access Requests because any outstanding Active Directory Access Requests will need to be recreated after the migration since they cannot be resubmitted. l Save all necessary version 2.6 logs. Directory log history prior to the migration to version 2.7 or later is not available after the migration. Details follow.
l Before the migration to version 2.7 or later, Directory Administrators, Asset Administrators, and Auditors can see audit log history for each of the directories, regardless of who created or changed them.
l The migration takes Directories and turns them into directory assets. All associated relationships with directories are also migrated to the new directory assets. The Directory Administrator role is removed and users with Directory Administrator permission are assigned as a partition owners for directories that are migrated to assets.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Appendix: SPP 2.7 or later migration guidance
595
�l After the migration to version 2.7 or later, the Asset Administrator can see the directory asset whose audit log history starts on the day of the migration. Events prior to migration are not available.
l We recommend two clients:
l A version 2.6 client to connect to older appliances
l A new version 2.7 or later client to get the new features of Directory Assets and Discovery
This recommendation is made because a new client uses v3 endpoints. A version 2.6 appliance doesn't know how to respond to v3 calls. An new client pointed to an old appliance will get an error when trying to connect. You will see this message: The Safeguard desktop application is not compatible with this appliance. Please contact your administrator.
What to expect
The following lists entity changes you will note in the migration to version 2.7. or later.
Directories are migrated to Assets
l Directories are migrated to assets with the appropriate platform assignment.
l Directories are still synced with Safeguard.
l Migrated directory assets reflect any account dependencies with Windows services and task on other assets.
l You can select whether a directory asset manages the forest or a subset of the forest. Multiple assets can be assigned against the same forest.
l Every migrated directory has Managed Forest selected so the administrator can create a directory to manage a domain or part of a domain. As assets, directories can be shared and all domains in a forest can be managed from one instance of a domain. Navigate to Administrative Tools | Asset | Management tab | Managed Forest check box.
l Every migrated directory asset has Available for discovery across all partitions selected so the asset is available for asset and account aiscovery jobs beyond partition boundaries. Any partition that exists is able to use this directory asset. Navigation: Administrative Tools | Asset | Management tab | Available for discovery across all partitions check box.
l Discovery detail grids will identify migrated directory assets with a Partition value of Import.
l Each migrated directory asset is assigned to its own partition and includes the Account Discovery jobss, the check and change schedules, account password rules, password sync groups, and related functions.
l To view the Account Discovery job assigned as the results of migration, navigate to Administrative Tools | Asset. Select the directory asset then Edit. Then navigate to | Account Discovery tab to see the selected Account
Safeguard for Privileged Passwords 2.11.1 Administration Guide Appendix: SPP 2.7 or later migration guidance
596
�Discovery job for the partition. If no schdule is selected, this message displays: No Account Discovery Chosen. l Directory tags are migrated into the appropriate partition tag. To copy a tag to a new partition, change the description then copy the tag.
Administrative Tools | Directories removed and Discovery added
When Safeguard for Privileged Sessions version 2.7 is installed, directories, discovery jobs, and other related entities automatically migrate to the appropriate associations. The Administrative Tools | Directories selection is gone, and Administrative Tools | Discovery has been added. Functionality is reorganized and streamlined for better data control.
Discovery
l During migration, existing partition account discovery jobs are separated by platform type, for example, Unix, Windows, or Directory. As a result, you will see discovery jobs with the same name and a different prefix which denotes the platform. For example, you may see: l (Unix) AD-Asset Discovery account discovery job l (Windows) AD-Asset Discovery account discovery job Each discovery job is assigned the appropriate asset and settings that apply to the platform. You can rename or delete jobs, as needed. Navigate to: Administrative Tools | Discovery.
l In version 2.6, you can have several directory account discovery jobs assigned to the same directory. During migration, all the directory account discovery jobs assigned to a directory are put in a single account discovery job with multiple rules, one for each prior job. The job schedule follows the directory sync interval.
l In version 2.7, you can assign a profile to the account or a sync group using the account template in the Account Discovery job rule. For more information, see Adding an Account Discovery rule on page 246.
Account changes
l Accounts include directory accounts and asset accounts. l Directory accounts are migrated into accounts and are assigned to the
appropriate asset. l Accounts identify the dependent assets. l Every migrated account has Available for use across all partitions selected. For
example, if you create an asset service account with this check box selected, the service account could be used from anywhere. Navigate to Administrative Tools | Account | Management tab | Available for use across all partitions check box.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Appendix: SPP 2.7 or later migration guidance
597
�l You cannot add the same account to multiple partitions from the same domain. l You can select a directory account and view the assets that have dependency on the
directory account. Navigate to Administrative Tools | Accounts | Dependent Assets.
Dynamic account group changes
The rules for dynamic asset groups and dynamic account groups include attributes for directory assets.
NOTE: Dynamic asset groups rule attributes do not include attributes for directory accounts. A directory cannot be the target of an asset group because you can not get an RDP or SSH session to them. Dynamic asset groups are for Policy Administrator control and directories are not included in policies.
Identity and authentication provider migration
A directory identity provider is managed by creating a directory asset which points to the same directory. The directory identity provider can be created and, optionally, put under management or not. During migration from earlier versions of Safeguard for Privileged Passwords, if there are Active Directory users and user groups, SPP determines if Active Directory should be the identity provider or not. To see the result of the migration:
1. Navigate to Administrative Tools | Settings. 2. Select the directory then the General tab. 3. Scroll down to Available Domains for Identity and Authentication to view the
domains selected for the directory. Directory groups require the forest root domain to be visible and available for identity and authentication set on Administrative Tools | Settings | External Integration | Identity and Authentication. For more information, see Available Domains for Identity and Authentication (for Active Directory) on page 400.
After the initial migration to version 2.6, add the identity provider.
Entitlements and access request policies
l Entitlement access request policies are migrated. If the access configuration for the asset-based session asset is a directory and you are using the version 2.6 desktop client, the name of the directory account may be blank since version 2.6 understood only one assignment and version 2.7 or later handles multiple assignments. To verify this, navigate to the Entitlements | Access Request Policy | Access Config tab. For directory accounts, the Asset-Based Session Access is correctly identified as a Directory Account, however, the directory account name is blank.
Management
Directories can be subdivided so administrators can be assigned to manage portions of a directory. For example, Admin A may only manage objects in the Finance organizational
Safeguard for Privileged Passwords 2.11.1 Administration Guide Appendix: SPP 2.7 or later migration guidance
598
�unit (OU) of the directory, and Admin B may only manage objects in the Engineering OU of the directory. This is possible via the settings on Assets including the asset Name, Domain Name, and whether to Manage Forest. This way, multiple assets can govern the same domain.
Directory accounts can be service accounts to other assets to run windows services/tasks on assets to keep password changes in sync.
Administrator role changes
l The Directory Administrator role is removed, and users with Directory Administrator permission are assigned as partition owners for directories that are migrated to assets. This role does not include the ability to manage identity providers.
l An Authorizer Administrator can now add an Active Directory forest only for identity to use as an unprivileged service account for connection.
l An Asset Administrator can now:
l Use service accounts to manage Active Directory. The service accounts can have limited permissions within a single domain.
l Use multiple service accounts for managing the same Active Directory domain with different limited permissions within the domain. For example, the administrator can add the domain as a managed asset multiple times with different service accounts.
l Use a service account from Active Directory to manage an asset from a different partition so that the administrator does not have to add that Active Directory to each of the administrator's partitions.
l Set up a dependent system for a service running as an Active Directory account that isn't in the administrator's partition. This avoids having to add the Active Directory asset or the account to the partition.
l Add Active Directory for authentication to Safeguard for Privileged Passwords without managing any of the accounts in Active Directory.
l Set up multiple assets for the same domain.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Appendix: SPP 2.7 or later migration guidance
599
�Appendix C
SPP and SPS sessions appliance
Ap p e nd ix :
join guidance
CAUTION: The embedded sessions module in Safeguard for Privileged Passwords version 2.7 (and later) will be removed in a future release (to be determined). For uninterrupted service, organizations are advised to join to the more robust Safeguard for Privileged Sessions Appliance for sessions recording and playback. Safeguard for Privileged Passwords version 2.7 introduced the ability to join Safeguard for Privileged Sessions for session recording and auditing. The Asset Administrator can join a Safeguard for Privileged Sessions (SPS) cluster to a Safeguard for Privileged Password (SPP) cluster of one appliance or more for session recording and auditing. The actual join must be between the SPP primary and the SPS cluster master. This means that the Safeguard for Privileged Sessions (SPS) cluster is aware of each node in an SPP cluster and vice-versa. Once joined, all sessions are initiated by the SPP appliance via an access request and managed by the SPS appliance and sessions are recorded via the Sessions Appliance. NOTE: if you have a single node SPS cluster where the Central Management node is also the Search Master, SPP will be unable to launch sessions. There has to be at least one SPS appliance in the cluster that is capable of recording sessions. See the SPS Administration Guide, Managing Safeguard for Privileged Sessions (SPS) clusters.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Appendix: SPP and SPS sessions appliance join guidance
600
�Session recording, playback, and storage after the join
l Sessions recorded after the join are playable through SPP and are stored on the SPS appliance. An archive server can be set up through SPS.
l Sessions recorded prior to joining the Safeguard Sessions Appliances are not migrated to the SPS appliance. For that reason, it is recommended that the SPP sessions be migrated to an archive server prior to the join.
Functionality in SPS after the join
The following functionality handled in SPP's user interface is available in SPS after the join.
l Session certificate assignment is handled by SPS. The certificate is available for audit by the Auditor.
l After the join, you will set the following configurations in SPS. There is no migration of the SPP settings added via Administrative Tools | Entitlements | Access Request Policies | Session Settings. These include: l Session recording l SSH related command detection and controls (such as SFTP, SCP, and X11 forwarding) l RDP related command detection and controls (such as Windows title detection and allowing the clipboard)
l In SPS, you will: l Set the SSH banner text that is shown to session users when they initiate a privileged session notifying them the session will be recorded. l Identify the SSH host key presented to the user's SSH client when an SSH session is started. l Identify the status of the session module, such as session module health. l Edit the default policy.
Functionality in SPP after the join
l During the join, SPP sets the SPS Connection Policy to safeguard_default for SSH or safeguard_rdp for RDP, as appropriate and may need to be changed. This default is nothing more than SSH or RDP connection policy.
l Other configuration set via the Access Request Policies dialog, are not affected by the join. These include: General, Scope, Requester, Approver, Reviewer, Access Config, Time Restrictions, and Emergency tabs.
l The Activity Center shows all old sessions and new sessions per the configuration. You can play back a session from SPP. However, the session index, which makes the privileged users' activity searchable, is only available from SPS.
l Entitlement reports have not changed.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Appendix: SPP and SPS sessions appliance join guidance
601
�l On the Dashboard, administrators can still view and manage access requests and accounts failing tasks as usual.
l After the join, Administrative Tools | Settings | Sessions functionality is no longer available and is handled via SPS. This includes session recording management, sessions module, SSH banner, and SSH host key.
Step 1: Prepare for the join
Move all session recording files from Safeguard for Privileged Passwords to an archive server.
1. Move the SPP embedded sessions recordings from local SPP to an archive server.
l If the join has not been started, you can use the SPP user interface to archive existing SPP sessions:
1. Set up the archive server. Navigate to For more information, see Archive servers on page 336.
2. Assign the archive server to the SPP appliances. For more information, see Assigning an archive server to an appliance on page 439. SPP moves the files and deletes the local file storage.
3. Verify the recordings have been archived by comparing the session events in the Activity Center with the actual recording files on the archive server.
4. Test the playback of a recording stored on the archive server. You will need to download it before you can play it. For more information, see Replaying a session on page 133.
l If the join is complete, use the API to archive existing SPP sessions.
a. Use the API PUT Core/v2/SessionArchiveConfigs/{id}. Call this API giving it the ID of the archive server (GET Core/v2/ArchiveServers) and the ID of the appliance (GET Core/SessionArchiveConfigs). Calling the above POST API will assign an archive server to archive session recordings. Within a few minutes, all remaining recordings will be moved to the archive server and removed from the local SPP storage.
b. Test the playback of a recording stored on the archive server. You will need to download it before you can play it. For more information, see Replaying a session on page 133.
2. Ensure the join is performed when open access requests are not pending, if possible.
When the SPS session connection is joined, open access requests are automatically closed. When you double-click the event in the Activity Center, the event details Action is Evicted.
3. Back up your appliances and archive servers. For more information, see Backup and Retention settings on page 334.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Appendix: SPP and SPS sessions appliance join guidance
602
�Step 2: Join SPS and SPP
The join is initiated from Safeguard for Privileged Sessions. For details about the join steps and issue resolution, see the One Identity Safeguard for Privileged Sessions Administration Guide.
Pay attention to the roles assigned to the SPS nodes. The following caution is offered to avoid losing session playback from SPP.
CAUTION: Do not switch the role of an SPS node from the Search Local role to Search Minion role. If you do, playback of the sessions recorded while in the Search Local role may not be played back from the SPP appliance, and may only be played back via the SPS web user interface. Recordings made with the node in Search Minion role are pushed to the Search Master node and are available for download to SPP. For details about SPS nodes and roles, see the One Identity Safeguard for Privileged Sessions Administration Guide: One Identity Safeguard for Privileged Sessions - Technical Documentation.
Step 3: Perform post join activities in SPP and SPS
Steps to perform in SPP
1. The Appliance Administrator assigns the managed networks for sessions management.
Navigate to Administrative Tools | Settings | Cluster | Managed Networks. For more information, see Managed networks on page 366.
2. The Appliance Administrator can view, delete, or edit join connections, as needed.
Go to Administrative Tools | Settings | Cluster | Session Appliances. For more information, see Session Appliances with SPS join on page 373.
If you soft delete a session connection, then reconnect, the access policies remain available. If you hard delete, the Policy Administrator will need to rejoin and reestablish the SPS Connection Policy via Administrative Tools | Entitlements | Access Request Policies | Session Settings. For more information, see Connection deletion: soft delete versus hard delete.
3. The Policy Administrator identifies the session settings on the entitlements access request policy.
Perform the following steps to ensure each policy's session setting is correctly assigned.
a. Navigate to Administrative Tools | Entitlements, select an entitlement, and open Access Request Policies.
b. Double-click a policy, or select a policy and click Edit Access Policy.
c. On the Session Settings tab, go to the SPS Connection Policy. The host name of the cluster master is displayed first followed by the IP address:
Safeguard for Privileged Passwords 2.11.1 Administration Guide Appendix: SPP and SPS sessions appliance join guidance
603
�safeguard_default. d. If needed, select the cluster or appliance to which the policy applies.
For more information, see Session Settings tab on page 1. 4. While on the Access Request Policies dialog, the Policy Administrator checks any
other tab, as needed. The join does not affect the settings on the tabs including the General, Scope, Requester, Approver, Reviewer, Access Config, Time Restrictions, and Emergency tabs.
Steps to perform in SPS Complete any set up in SPS required (such as setting up an archive server, the SSH banner, the SSH host key, as well as SSH-related or RDP-related command detection and controls). For details, see the One Identity Safeguard for Privileged Sessions Administration Guide: One Identity Safeguard for Privileged Sessions - Technical Documentation. :
Standard operating procedure after the initial join
If you add another SPS cluster after the initial join, follow these standard operating procedures:
1. Add join connections. For more information, see Session Appliances with SPS join on page 373.
2. Identify the session settings on the entitlements access request policy (SPS Connection Policy that is the IP address of the cluster master). For more information, see Creating an access request policy on page 268.
3. Assign the managed networks. For more information, see Managed networks on page 366.
Reversing the join
CAUTION: It is not recommended to reverse the join. However, if you were using the embedded session prior to the join, you can return to the embedded sessions module via a factory reset or restoring the backup taken before the join. For more information, see Reversing the SPP to SPS join on page 377.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Appendix: SPP and SPS sessions appliance join guidance
604
�Appendix D
Regular expressions
Ap p e nd ix :
Regular expressions are used to parse large amounts of data to find matching patterns and validate a predefined pattern. For example, in Safeguard for Privileged Passwords, regular expressions are used for:
l Account Discovery rules (Property Constraints, Name Ranges and Group Ranges). Partial matches are acceptable (unless the regular expression itself is defined to only return exact matches).
l Ticket numbers when an external ticketing system is not used. Matches must be exact.
For details, see these Microsoft resources:
l .NET Regular Expressions l Regular Expression Language - Quick Reference
Best practices for ticketing not tied to external ticket system
These best practices are for adding a regular expression for ticketing not tied to an external ticket system. For more information, see Ticketing systems on page 413. If you use an alternation construct ("|" which is "or"), the longest matching expression is defined first to the least matching expression because Windows.Net regular expression (regex) stops after finding the first match. For example: A{3}[0-9]{5}ZZZ|A{3}[0-9]{5} is advised instead of the reverse order. Sample entry results follow for the A{3}[0-9]{5}ZZZ|A{3}[0-9]{5} expression:
User entry: Match?
AAA12345
Yes. Matched on the second regex
AAA12345Z No. There is no exact match.
AAA12345ZZZ Yes. Matched on the first regex.
If the expression were reversed (A{3}[0-9]{5}|A{3}[0-9]{5}ZZZ) there would be a partial match on the first expression and the entry would be returned as invalid.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Appendix: Regular expressions
605
�You may want to wrap each expression in an alternation construct with the anchors ^ and $ when using alternation constructs. An example follows: ^A{3}[0-9]{5}ZZZ$|^A{3}[0-9]{5}$.
The ? lazy quantifier should be avoided, especially at the end of the expression. For example, if the regex is A{3}[0-9]? and the user enters AAA12345, AAA1 is returned as a matched string which is not an exact match of AAA12345.
If the greedy quantifier (*) is used against AAA12345 then the matched string will be AAA12345 and be an exact match.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Appendix: Regular expressions
606
�Appendix E
Historical changes by release
Ap p e nd ix :
IMPORTANT: The following feature update information is relevant only for the designated release.
What's new in version 2.1.0.5687
Safeguard for Privileged Passwords 2.1 (2.1.0.5687) introduces the following new features and enhancements.
Table 222: Safeguard 2.1: Features and enhancements
Feature/Enhancement Description
Additional platform support
Safeguard for Privileged Passwords now supports the management of assets on the following additional platforms:
l ACF2 - Mainframe r14 and r15 l ACF2 - Mainframe LDAP r14 and r15 l Debian GNU/Linux 9 l ESXi 6.5 l Fedora 26 l Fortinet FortiOS 5.2 and 5.6 l F5 Big-IP 12.1.X and 13.0 l MAC OS X 10.13
Cluster patching
The cluster patching process now allows you to patch all cluster members without having to first unjoin a replica and re-enroll it after it has been updated. During the cluster patch operation, access request workflow is available so authorized users can request password releases and session access.
Federated login
Safeguard for Privileged Passwords supports the SAML 2.0 Web Browser SSO Profile, allowing you to configure federated
Safeguard for Privileged Passwords 2.11.1 Administration Guide Appendix: Historical changes by release
607
�Feature/Enhancement Description
authentication with many different Identity Provider STS servers and services, such as Microsoft's AD FS.
Immediate recording archival
Safeguard for Privileged Passwords provides the ability to immediately archive session recordings from a specific Safeguard for Privileged Passwords Appliance to a specified archive target. When an archive server is configured, session recordings are removed from the Safeguard for Privileged Passwords Appliance and stored on the archive server.
Lights Out Management (BMC)
The Lights Out Management feature allows you to remotely manage the power state and serial console to Safeguard for Privileged Passwords using the baseboard management controller (BMC). When a LAN interface is configured, this allows the Appliance Administrator to power on an appliance remotely or to interact with the Recovery Kiosk.
Multi-request
Authorized Safeguard for Privileged Passwords users can now request multiple password releases or sessions in a single request. In addition, these requests can be saved as a "favorite" access request, providing quick access to the request from the user's Home page.
Safeguard for Privileged Passwords Desktop Player enhancements
The new version of the Safeguard for Privileged Passwords Desktop Player includes the following new features:
l Ability to display user activity as subtiltes when playing back a recorded session. The user activity that can be displayed as subtitles includes windows titles, executed commands, mouse activity, and keystrokes, as they occurred during the recorded session.
l New timeline with user event indicators showing when user activities and screen changes occurred within the recorded session. Clicking an indicator on the timeline takes you to the relevant user event in the recording.
l Ability to export the sessions recording file, including the user event subtitles, as a video file.
Security Policy Administrator dashboard
The new Access Request dashboard allows Security Policy Administrators to review and manage access requests from a single location. From this view, the Security Policy Administrator can revoke a request, follow an active session, or terminate a session.
Restore/Suspend accounts
Safeguard for Privileged Passwords allows you to suspend Safeguard for Privileged Passwords managed accounts when they are not in use to reduce the vulnerability of password attacks on privileged accounts.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Appendix: Historical changes by release
608
�Feature/Enhancement Description
NOTE: This new feature applies to Windows platforms (Windows server and Active Directory accounts) and Unix platforms (AIX, HP-UX, Linux, Solaris, and Mac OS X accounts).
TLS 1.2 Only
To remediate security vulnerabilities identified in early versions of the TLS encryption protocol, Appliance Administrators can configure Safeguard for Privileged Passwords to respond only to TLS 1.2 requests. This allows organizations to comply with the security and strong cryptography requirements in PCI-DSS.
X11 Forwarding
When configuring the settings for SSH session access requests, Security Policy Administrators can now enable Allow X11 Forwarding, which forwards a graphical Xserver session from the server to the client.
What's new in version 2.2.0.6958
Safeguard for Privileged Passwords 2.2.0.6958 introduces the following new features and enhancements.
Table 223: Safeguard for Privileged Passwords 2.2: Features and enhancements
Feature/Enhancement Description
Additional platform support
Safeguard for Privileged Passwords now supports the management of assets on the following additional platforms:
l FreeBSD l MongoDB l PostgreSQL l RACF - Mainframe LDAP l SAP HANA
Application to Application Using the Application to Application service, third-party
(A2A) integration
applications can interact with Safeguard for Privileged
Passwords in the following ways:
l Credential retrieval: A third-party application can retrieve a credential from the Safeguard for Privileged Passwords vault in order to perform automated functions on the target asset. In addition, you can replace hard coded passwords in procedures, scripts, and other programs with programmatic calls.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Appendix: Historical changes by release
609
�Feature/Enhancement Description
l Access request broker: A third-party application can initiate an access request on behalf of an authorized user so that the authorized user can be notified of the available request and log in to Safeguard for Privileged Passwords to retrieve a password or start a session.
Asset Administrator dashboard
The Account Automation tab on the Dashboard allows Asset and Directory administrators to view information regarding accounts that are failing different types of tasks, including:
l Accounts where password check tasks failed. l Accounts where password change tasks failed. l Accounts where SSH key change tasks failed. l Accounts where suspend tasks failed. l Accounts where restore tasks failed.
Dynamic grouping and tagging
Dynamic grouping and tagging helps classify assets allowing Safeguard for Privileged Passwords to assign automatically provisioned systems and accounts to a policy.
Tags allow Asset Administrators to add additional metadata to accounts and assets to enrich the data on the object as it is added to Safeguard for Privileged Passwords. Tags can be dynamically added to assets and accounts based on tagging rules or they can be added manually.
Policy administrators can create rules based on tags or from attribute information that is on the account or asset (for example, name, platform, partition, network address, and so on) to define group membership.
Event subscription
As a Safeguard for Privileged Passwords user, you can now control the email notifications you receive. Using the Manage Email Notifications control in your My Account pane, you can remove the events for which you do not want to receive email notifications.
As a Safeguard for Privileged Passwords administrator, you can use the API to subscribe to the events for which you are interested in receiving notifications.
Audit log archive
Safeguard for Privileged Passwords allows you to define and schedule an audit log management task to rotate audit logs from the Safeguard for Privileged Passwords appliance and archive older audit logs to a designated archive server.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Appendix: Historical changes by release
610
�Feature/Enhancement Description
Site awareness and network segmentation
As an Appliance Administrator, you can define managed networks (network segments) for your organization so Safeguard for Privileged Passwords can more effectively manage assets and accounts, and service access requests. Managed network information is used for scheduling tasks, such as password change and account discovery, and for session management in a clustered environment to distribute the task load. That is, by using managed networks the load is distributed in such a way that there is minimal cluster traffic and appliances that are closest to the target asset are used to perform the task.
Attribute search
The attribute search functionality in the user interface allows you to limit an object list based on the object attributes. For example, in the Accounts view, you can now filter the accounts list based on whether the specified attribute contains the search string entered.
Starling Join
The newest versions of One Identity's on-premises products offer a mandatory One Identity Hybrid Subscription, which helps you transition to a hybrid environment on your way to the cloud. The subscription enables you to join Safeguard for Privileged Passwords with the One Identity Starling softwareas-a-service platform. This gives your organization immediate access to a number of cloud-delivered features and services, which expand the capabilities of Safeguard for Privileged Passwords. When new products and features become available to One Identity Starling, the One Identity Hybrid Subscription allows you to use these immediately for Safeguard for Privileged Passwords to add value to your subscription.
Starling Identity Analytics & Risk Intelligence integration
The Starling Identity Analytics & Risk Intelligence service collects and evaluates information from data sources, such as Safeguard for Privileged Passwords, to provide you with valuable insights into your users and entitlements. When integrated with Safeguard for Privileged Passwords, Starling Identity Analytics & Risk Intelligence allows you to identify Safeguard for Privileged Passwords users and entitlements that are classified as high risk and view the rules and details attributing to that classification.
What's new in version 2.3.0.7426
Safeguard for Privileged Passwords 2.3.0.7426 introduces the following new features and enhancements.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Appendix: Historical changes by release
611
�Table 224: Safeguard for Privileged Passwords 2.3: Features and enhancements
Feature/Enhancement Description Synchronized passwords As an Asset Administrator, you now have the ability to
synchronize passwords so accounts can use the same password on the same or different assets.
What's new in version 2.4.0.7846
Safeguard for Privileged Passwords 2.4.0.7846 introduces the following new features and enhancements.
Custom platform (770747)
Asset Administrators now have the ability to add a custom platform for use when adding or updating an asset. A custom platform allows Safeguard for Privileged Passwords to connect to and manage password operations on platforms that are not supported by Safeguard for Privileged Passwords out of the box. You can upload a custom platform script file to add support for any system that you want to manage. In this release, only SSH-based custom platforms are supported; other protocols will be added in future releases. To access examples of custom scripts and view commands, visit:
l Scripts: https://github.com/OneIdentity/SafeguardCustomPlatform
l Command wiki: https://github.com/OneIdentity/SafeguardCustomPlatform/wiki/CommandReference
Auditors and Partition Administrators have read only rights to custom platforms. However, Partition Administrators retain the ability to add or remove assets.
Authentication options (765396)
With appropriate administration credentials, you can change the primary and secondary identity and authentication providers for authentication to Safeguard for Privileged Passwords. The feature enables customers to integrate Safeguard for Privileged Passwords with their existing identity and authentication services. For example, a customer can use Radius for primary authentication and rely upon their own company policies for functions like 2FA.
Safeguard Sessions Appliance join (770739)
CAUTION: The SPS/SPP join feature in the Safeguard for Privileged Passwords 2.4 release is intended for proof of concept and preview purposes only. This feature should not be used in production.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Appendix: Historical changes by release
612
�The Asset Administrator can now join a Safeguard Sessions Appliance with a standalone primary Safeguard for Privileged Passwords Appliance. Once joined, all sessions are recorded via the Safeguard Sessions Appliance and the embedded sessions module for Safeguard for Privileged Passwords is no longer available. The user initiates the join by connecting to the Safeguard Sessions Appliance over SSH, selecting Join to SPP, and providing the requested information. After the join is complete, the user restarts the desktop client to complete the connection and update settings and entitlement policy details. Sessions recorded prior to joining the Safeguard Sessions Appliances are available to play back from local storage and in accordance with the permissions of the Safeguard for Privileged Passwords Appliance. Sessions that are archived are also available to play back. Once a Safeguard for Privileged Passwords Appliance has been configured to use the Safeguard Sessions Appliance, it can only be reversed by a factory reset of the Safeguard Passwords Appliance or restoring a backup that was taken before the first join of Safeguard for Privileged Sessions (SPS). Either method unjoins the Sessions Appliance and redeploys the Safeguard for Privileged Passwords Appliance sessions module.
What's new in version 2.5.0.8356
Safeguard for Privileged Passwords 2.5.0.8356 introduces the following new features and enhancements.
Directory based user discovery (713614 and 761638)
When adding a new directory based user group, the Authorizer Administrator or the User Administrator now have the option to:
l Configure primary and secondary authentication providers and l Set administrator permissions on the imported or updated Safeguard for Privileged
Passwords users.
In addition, any managed directory accounts that exist in Safeguard for Privileged Passwords at the time of the import process (or during the background synchronization of the directory), can automatically be assigned to a Safeguard user as a linked account. That association will be dependent upon the value of an attribute from the directory (such as "managedObjects" or "directReports" in Active Directory or "seeAlso" in OpenLDAP 2.4).
Offline Workflow (782735)
To ensure password consistency and individual accountability for privileged accounts, when an appliance loses consensus in the cluster access requests are disabled. In the event of an extended network partition, the Appliance Administrator can manually place an appliance in Offline Workflow Mode to run access request workflow on that appliance in isolation from the rest of the cluster. When the network issues are resolved and connectivity is reestablished, the Appliance Administrator can manually resume online operations to
Safeguard for Privileged Passwords 2.11.1 Administration Guide Appendix: Historical changes by release
613
�merge audit logs, drop any in flight access requests, and return the appliance to full participation in the cluster. It is recommended that no changes to cluster membership are made while an appliance is in Offline Workflow Mode. The Appliance Administrator must manually restore the online operations before adding other nodes to ensure the appliance can seamlessly reintegrate with the cluster.
What's new in version 2.6.0.8961
Safeguard for Privileged Passwords 2.6.0.8961 introduces the following new features and enhancements.
Automatic Offline Workflow Mode (794644)
To reduce potential downtime, the Appliance Administrator can configure Offline Workflow Mode to be performed automatically. Offline Workflow Mode allows an appliance that has lost consensus (quorum) to operate in isolation from the cluster to process access requests using cached policy data. To ensure the outage is not a short-lived outage, the default time before the appliance is automatically switched to Offline Workflow Mode is 15 minutes. The time threshold can be changed to 5 minutes or more. If automatic Offline Workflow Mode is enabled, you can enable automatic Resume Online Workflow so the appliance automatically resumes online operations once consensus is restored. The minutes to wait after consensus is restored before automatically resuming online workflow defaults to 15 minutes. The time threshold can be changed to 5 minutes or more. When Offline Workflow Mode settings are configured to run automatically, an Appliance Administrator can override the automatic settings and manually place an appliance in Offline Workflow Mode or manually restore an appliance to online workflow, as needed. The user views status messages that clearly communicate the appliance state and the ability to request passwords. This new feature is available via Settings | Cluster | Offline Workflow.
Export a report as a .csv or .json file (788932)
Administrators and users can export a report to a .csv or .json file to easily view, manipulate, and share data. This functionality includes entitlement reports, Activity Center exports, Activity Center scheduled reports, account automation reports, and access request reports.
Identity provider initiated single sign on flow (788935)
To enable users to have a centralized logon experience, an Appliance Administrator can configure their identity provider to redirect to Safeguard for Privileged Passwords. All
Safeguard for Privileged Passwords 2.11.1 Administration Guide Appendix: Historical changes by release
614
�security requirements, such as two-factor authentication, are enforced. For example, a user can go to a portal, authenticate against their identity provider, and select an application, including Safeguard, based on their organizational role. Safeguard accepts the "unsolicited" SAML 2.0 response assertion and logs in the user without additional authentication. Systems Integrators can offer Safeguard as an application in their single sign-on (SSO) portal. Support personnel can then click the appropriate tool on their dashboard to access Safeguard for Privileged Passwords and Safeguard for Privileged Sessions. This feature only works with SAML 2.0 and the web user interface, not the desktop client.
Policy allows password requests to include all linked accounts (776867)
A Policy Administrator can create a policy that allows a user's password request to include access to assets for all the accounts linked to the user's account. For example, if a company uses personal admin accounts in Active Directory, a single policy can be created to grant password access to each user with a personal admin account. This function is set by selecting the following check box: Entitlements | Access Request Policy | Access Config | Allow password access to linked accounts.
Restore a backup from a previous version (790917)
An Appliance Administrator can restore backups as far back as Safeguard for Privileged Passwords version 2.2.0.6958. Only the data is restored; the running version is not changed. If the administrator attempts to restore a version earlier than 2.2.0.6958, a message like the following displays: Restore failed because the backup version '[version]' is older than the minimum supported version '2.2.0.6958' for restore. You cannot restore a backup from a version newer than the one running on the appliance. The restore will fail and a message like the following displays: Restore failed because backup version [version] is newer then the one currently running [version]. The backup version and the running version display in the Activity Center logs that are generated when Safeguard starts, completes, or fails a restore.
Service discovery (773722)
Overview The Asset Administrator or delegated administrator can configure service discovery jobs to scan Windows assets and discover Windows services and tasks that may require authorization credentials. If the Windows asset is joined to a Windows domain, the authorization credentials can be local on the Windows asset or be Active Directory credentials. Running Service Discovery jobs Service discovery jobs run automatically in the background or may be manually run. Discovered services and tasks association to known Safeguard accounts
Safeguard for Privileged Passwords 2.11.1 Administration Guide Appendix: Historical changes by release
615
�Service discovery jobs associate Windows services and tasks with accounts that are already managed by Safeguard for Privileged Passwords. The accounts put under management display on the Windows Assets | Discovered Services tab. When the account's password is changed by Safeguard, Safeguard updates the password corresponding to the services or tasks on the asset according to the asset's profile change settings.
Service Discovery with Active Directory
A discovered service or task configured to use Active Directory authentication can be automatically linked to the asset with the account managed by Safeguard. Effectively, the asset will have an account dependency on the account.
To automatically link, the Account Discovery job (which runs when Safeguard synchronizes the directory) must have the Automatically Manage Found Accounts check box selected on the Discovery tab. The Assets | General tab designates the directory profile to govern the accounts the discovery job adds to Safeguard.
Unmanaged accounts
The administrators can view Discovery | Discovered Services to identify unmanaged accounts that they may want to manage to require authentication for local users or Active Directory users, if the asset is joined to a domain. For more information, see Adding an account on page 147.
View Service Discovery job status
From the Activity Center, you can select the Activity Category named Service Discovery Activity which shows the Event outcomes: Service Discovery Succeeded, Service Discovery Failed, or Service Discovery Started.
Session player installation (794597)
CAUTION: To play back sessions, the new Desktop Player must be installed for one user or system-wide users after installing Safeguard for Privileged Passwords 2.6 or later.
When Safeguard for Privileged Passwords 2.6 or later is installed, the existing Desktop Player is removed and the latest Desktop Player must be installed.
Once Safeguard for Privileged Passwords is installed, the new player can be accessed by going to the Windows Start menu, Safeguard folder and clicking Download Safeguard Player. The One Identity Safeguard for Privileged Sessions - Download Software web page displays.
To continue the installation for one or system-wide users, follow the Install Safeguard Desktop Player section of the player user guide found here:
1. Click this link: One Identity Safeguard for Privileged Sessions - Technical Documentation.
2. Scroll to User Guide and click One Identity Safeguard for Privileged Sessions [version] Safeguard Desktop Player User Guide.
User experience if the Desktop Player is not installed
Safeguard for Privileged Passwords 2.11.1 Administration Guide Appendix: Historical changes by release
616
�If the Desktop Player is not installed and a user tries to play back a session from the Activity Center, a message like the following will display: No Desktop Player. The Safeguard Desktop Player is not installed. Would you like to install it now? The user will need to click Yes and will be taken to the download page to complete the install. New Desktop Player versions When you have installed a version of the Safeguard Desktop Player application, you will need to uninstall the previous version to upgrade to a newer player version.
Time zone change (780266)
Safeguard for Privileged Passwords sets a default time zone based on the location of the person performing the set up. The time zone is expressed as UTC + or hours:minutes and is used for timed access (for example, access from 9 a.m. to 5 p.m.). It is recommended that the Bootstrap Administrator set the desired time zone on set-up. An Authorizer Administrator can also change the time zone. Time zone changes are made via Settings | Safeguard Access | Time Zone and selecting the Default User Time Zone.
What's new in version 2.7.0.9662
Safeguard for Privileged Passwords 2.7.0.9662 introduces the following new features and enhancements.
Sessions Appliance join (792394)
CAUTION: The embedded sessions module in Safeguard for Privileged Passwords version 2.7 will be removed in a future release (to be determined). For uninterrupted service, organizations are advised to join to the more robust Safeguard for Privileged Sessions Appliance for sessions recording and playback.
Managing sessions via the Safeguard Sessions Appliance is now available for use in production. For this release, the embedded sessions module for Safeguard for Privileged Passwords is still available. The Asset Administrator can join a Safeguard for Privileged Sessions (SPS) cluster to a Safeguard for Privileged Password (SPP) cluster of one appliance or more for session recording and auditing. The actual join must be between the SPP primary and the SPS cluster master. This means that the Safeguard for Privileged Sessions (SPS) cluster is aware of each node in an SPP cluster and vice-versa. Once joined, all sessions are initiated by the SPP appliance via an access request and managed by the SPS appliance and sessions are recorded via the Sessions Appliance. Session recording, playback, and storage
Safeguard for Privileged Passwords 2.11.1 Administration Guide Appendix: Historical changes by release
617
�l Sessions recorded after the join are playable through SPP and are stored on the SPS appliance. An archive server can be set up through SPS.
l Sessions recorded prior to joining the Safeguard Sessions Appliances are not migrated to the SPS appliance. For that reason, it is recommended that the SPP sessions be migrated to an archive server prior to the join.
Safeguard for Privileged Passwords join guidance
Before initiating the join, review the steps and considerations in the join guidance. For more information, see SPP and SPS sessions appliance join guidance on page 600.
Safeguard for Privileged Sessions join steps and troubleshooting
The join is initiated from Safeguard for Privileged Sessions. For details about the join steps and issue resolution, see the One Identity Safeguard for Privileged Sessions Administration Guide at this link: One Identity Safeguard for Privileged Sessions - Technical Documentation.
Separate identity and management for directories for fine grained management (773267)
The following information summarizes the changes at a high level. For more information specific for your initial deployment of Safeguard for Privileged Passwords 2.7, see the Safeguard for Privileged Passwords Administration Guide, SPP 2.7 or later migration guidance.
Overview
Safeguard for Privileged Passwords version 2.7, has been simplified to allow for a separation of duties based only on identity management, asset management, access policy configuration, and appliance maintenance. In the migration to version 2.7, greater flexibility is realized through these high-level assignments:
l Directories are migrated to assets.
l Accounts include both directory accounts and asset accounts.
l Each directory is assigned its own partition in the migration to version 2.7.
The following information details the changes from version 2.6 to version 2.7. The same information is generally true if you are upgrading from version 2.1 forward to version 2.7.
Administrators
l The Directory Administrator role is removed and users with Directory Administrator permission are assigned as partition owners for directories that are migrated to assets. This role does not include the ability to manage identity providers.
l An Authorizer Administrator can now add an Active Directory forest only for identity to use as an unprivileged service account for connection.
l An Asset Administrator can now:
l Use service accounts to manage Active Directory. The service accounts can have limited permissions within a single domain.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Appendix: Historical changes by release
618
�l Use multiple service accounts for managing the same Active Directory domain with different limited permissions within the domain. For example, the administrator can add the domain as a managed asset multiple times with different service accounts.
l Use a service account from Active Directory to manage an asset from a different partition so that the administrator does not have to add that Active Directory to each of the administrator's partitions.
l Set up a dependent system for a service running as an Active Directory account that isn't in the administrator's partition. This avoids having to add the Active Directory asset or the account to the partition.
l Add Active Directory for authentication to Safeguard for Privileged Passwords without managing any of the accounts in Active Directory.
l Set up multiple assets for the same domain.
Identity
During the migration to version 2.7, directories are migrated as an asset with the appropriate identity provider and associated users.
Management
Directories can be subdivided so administrators can be assigned to manage portions of a directory. For example, Admin A might only manage objects in the Finance organizational unit (OU) of the directory and Admin B might only manage objects in the Engineering OU of the directory. This is possible via the settings on Assets including the asset Name, Domain Name, and whether to Manage Forest. This way, multiple assets can govern the same domain.
Directory accounts can be service accounts to other assets to run windows services/tasks on assets to keep password changes in sync.
Accounts
l You can select a directory account and view the assets that have a dependency on the account.
l You can sync passwords between a directory account and an asset account.
Assets
l Directories are migrated to assets with the appropriate provider assignment.
l Directories are still synced with Safeguard.
l Migrated directory assets reflect the account dependencies.
l You can select whether a directory asset manages the forest or a subset of the forest. Multiple assets be assigned against the same forest.
l Migrated directory assets are available for access discovery jobs beyond partition boundaries.
l Each migrated directory asset is assigned to its own partition and includes the Account Discovery jobs, the check and change schedules, account password rules, password sync groups, and related functions.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Appendix: Historical changes by release
619
�l A directory is a member of an asset partition so that ownership of different parts of the directory can be delegated.
l During import, entities imported from a directory must be unique across all partitions (for example, you cannot import Admin C account into multiple asset partitions).
l When you add an asset, the Account Discovery job for the partition is displayed and can be changed.
Discovery jobs
l Account discovery includes the option for discovered accounts: enable password requests, enable session requests, and make the discovered accounts available for use across all partitions.
l Account discovery can be configured as Unix based, Windows based, or Directory based, each with its own schedule.
Account discovery enhancements (788930)
Asset Administrators and delegated partition owners can create Account Discovery jobs to perform the functions in the following list:
l Set the default password of a discovered account to configure the environment initially and incrementally.
l Add a discovered account to a sync group to configure the environment initially and incrementally.
l Immediately check and change the password of discovered accounts that are set to be automatically managed. This places the account under immediate management rather than waiting for the schedule to execute. NOTE: In Settings | Profile, the partition profile's Change Password Schedule and Check Password Schedule must both be set to a value other than Never.
Activity Center enhancements (799288, 799308, 799307)
From the Activity Center, you have the option to choose All entities (such as users, assets, and accounts) without picking all of them. You can export the report without first previewing the report.
Allow Oracle SYS account as a service account (799993, 800128)
An Asset Administrator responsible for Oracle database servers can use the SYS account with either SYSDBA or SYSOPER system privileges as a service account. The SYS account is automatically created when the administrator installs Oracle and has the necessary privileges. See the Oracle document, About Administrative Accounts and Privileges, for more information. The SYS user is automatically granted the SYSDBA
Safeguard for Privileged Passwords 2.11.1 Administration Guide Appendix: Historical changes by release
620
�privilege on installation and can be SYSOPER. For more details, see the Oracle document, SYSDBA and SYSOPER System Privileges. This is set via setting the Service Name when you add or edit an asset. Navigate to Administrative Tools | Assets | Connection tab.
Asset discovery enhancements (782848)
Asset Administrators are now given: l Expanded connection options when setting up the connection template to discovered assets to automatically manage discovered assets and service accounts. l The ability to set a platform type in the asset discovery rules. l The ability to assign a different profile to service accounts in the asset discovery rules so that the service account is assigned a profile other than default asset profile inherited by other accounts discovered on the asset.
In addition, SSH keys are now auto-accepted for supported platforms.
Custom platform: TN3270 (798892)
An Asset Administrator responsible for an AS400 and mainframe infrastructure (such as ACF2 or RACF) can manage servers customized log in screens and connection strings. A custom platform author can create a customer platform script to check and change passwords against servers where the login screens and connection strings have been customized.
Microsoft SQL Server TCP/IP support (798894, 799577)
An Asset Administrator responsible for Microsoft SQL Server can have Safeguard for Privileged Passwords connect to the databases using TCP/IP rather than named pipes.
Multiple directory account session support with access request policy (792426)
A Policy Administrator can add multiple directory accounts to a single access request policy. For example, you can grant access to a Windows asset via RDP using one of multiple directory accounts. Accounts are added when you create or edit an access request policy via the Administrative Tools | Entitlements | Access Request Policies | Directory Account option.
Radius enhancements (798896)
The User Administrator is offered two new configuration controls on Settings | External Integration | Identity and Authentication when Radius is selected as the provider.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Appendix: Historical changes by release
621
�l The User Administrator can choose to mask the Radius secondary authentication response entered by users by selecting the Always Mask User Input check box. If selected, the text box that the user enters their one-time password, or other challenge required by the Radius server, will always be a password style text box in which the user's input is masked and appears as a series of dots, not as clear text. This may be desired when the challenge is not just a one-time password, but also contains the user's PIN. This will prevent any passer-by from seeing the private information. Note, however, that when this setting is enabled, it will also override the Prompt attribute of the Radius server's Access-Challenge response, such that the user's input will always be masked.
l The User Administrator can choose to have the Radius secondary authentication presubmit an Access-Request message to the Radius server in order to initiate a challenge/response cycle before the user sees or enters any information. The PreAuthenticate for Challenge/Response check box is used to indicate whether an Access-Request call containing only the User-Name should be sent to the Radius server prior to the user's authentication attempt. This is done to inform the Radius server of the user's identity so the server can possibly begin the authentication process by starting a challenge/response cycle. This may be required to seed the user's state data. In addition, the Radius server's response may include a login message that is to be displayed, which is specific to that user. Note, if the Radius server is not configured to respond with an Access-Challenge, then this will cause the log in to fail and the user will be unable to proceed.
In addition, the timeout for log in is now configurable to more than 60 seconds.
What's new in version 2.8.0.10133
Safeguard for Privileged Passwords introduces the following new features and enhancements in version 2.8.0.10133.
Virtual appliance and web management console (770749, 781091, 798013, 798014, 798527)
The Appliance Administrator responsible for racking and initial configuration of the appliance can create the virtual appliance, launch the Safeguard web management console, and select one of the following wizards.
l Initial Setup: Used to set up the virtual appliance for the first time including naming, OS licensing, and networking.
l Setup: After the first setup, Safeguard for Privileged Passwords updates and networking changes can be made via the web management console, Setup.
l Support Kiosk: The Support Kiosk is used to diagnose and resolve issues with Safeguard for Privileged Passwords. Any user able to access the kiosk can perform low-risk support operations including appliance restart or shutdown and support
Safeguard for Privileged Passwords 2.11.1 Administration Guide Appendix: Historical changes by release
622
�bundle creation. In order to reset the admin password, the user must obtain a challenge response token from One Identity support.
Security and backups
To maximize security in the absence of a hardened appliance, restrict the access to the Safeguard virtual disks, the web management console, and the MGMT interface to as few users as possible. Recommendations:
l X0 hosts the public API and is network adapter 1 in the virtual machine settings. Connect this to your internal network.
l MGMT hosts the web management console and is network adapter 2 in the virtual machine settings. This interface always has the IP address of 192.168.1.105. Connect this to a private, restricted network accessible to administrators only or disconnect it from the network to restrict unauthenticated actions such as rebooting or shutting down the appliance. The web management console is also available via the VMware console.
Once setup is completed, you can verify which of your NICs is MGMT and X0 by referring to the MAC address information found in Support Kiosk | Appliance Information | Networking for X0 and MGMT.
To protect the security posture of the Safeguard hardware appliance, Safeguard hardware appliances cannot be clustered with Safeguard virtual appliances. Additionally, to ensure the security of the hardware appliance, backups taken from a hardware appliance cannot be restored on virtual appliances and backups taken from a virtual appliance cannot be restored on a hardware appliance.
Application to Application (A2A) enhancement: API visible to certificate user (794148)
When registering a third-party application configured for credential retrieval, the Policy Administrator can make the registration, including the API keys, visible to the certificate user that is configured for the A2A registration. The third-party application can discover the API key and other information needed. The Visible to certificate user check box can be selected when adding an application registration via Administrative Tools | Settings | External Integration | Application to Application.
Custom platform: telnet and HTTP support (799699, 787583)
Custom HTTP, SSH, telnet, and TN3270 transports are available. For more information, see Safeguard for Privileged Passwords Administration Guide,Custom platforms and Creating a custom platform script.
CAUTION: Facebook and Twitter functionality has been deprecated. Refer to the custom platform open source script provided on GitHub. Facebook and Twitter platforms will be remove in a future release.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Appendix: Historical changes by release
623
�Sample custom platform scripts and command details are available at the following links available from the Safeguard Custom Platform Home wiki on GitHub:
l Command-Reference: https://github.com/OneIdentity/SafeguardCustomPlatform/wiki/CommandReference
l Writing a custom platform script: https://github.com/OneIdentity/SafeguardCustomPlatform/wiki/WritingACustomPlat formScript
l Example scripts platform scripts are available at this location: https://github.com/OneIdentity/SafeguardCustomPlatform/tree/master/SampleScri pts
CAUTION: Example scripts are provided for information only. Updates, error checking, and testing are required before using them in production. Safeguard for Privileged Passwords checks to ensure the values match the type of the property which include: a string, boolean, integer, or password (which is called secret in the API scripts). Safeguard for Privileged Passwords cannot check the validity or system impact of values entered for custom platforms.
Advanced password complexity rules (780274)
Separate password complexity rules can be set for local users and managed accounts. Password rules can be finely managed.
l Set the allowable password length in a range from 3 to 225 characters. l Set first characters type and last character type. l Allow uppercase letters, lowercase letters, numbers, and/or printable ASCII symbols
along with the minimum amounts of each. l Identify excluded uppercase letters, lowercase letters, numbers, and symbols. l Identify if consecutive letters, numbers, and/or symbols can be repeated
sequentially and, if allowed, set the maximum repetitions allowed.
Passwords are validated against the password rules before they are saved.
Job scheduler enhancements (753203)
An Appliance Administrator can finely tune backup and password check and change job schedules including the ability to ensure changes occur after hours. The administrator can create time windows including start and end times, days of the week, and days in a month by a static day of month or the first through fourth day of the month.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Appendix: Historical changes by release
624
�Safeguard for Privileged Sessions (SPS) initiated session (797262)
CAUTION: This functionality supports Safeguard for Privileged Sessions (SPS) version 6.2.0 or later. For information, see the One Identity Safeguard for Privileged Sessions Administration Guide at this link: One Identity Safeguard for Privileged Sessions - Technical Documentation.
The Safeguard for Privileged Passwords (SPP) Asset Administrator can enable an SPS initiated session to get the session credentials from SPP.
l The administrator will navigate to Administrative Tools | Settings | External Integration | Sessions Management and set the Session Module Password Access Enabled toggle on or off. When the toggle is on ( ), SPS has the ability to create an access request and check out a password from SPP on behalf of another user. When the toggle is switched off ( ), this ability is revoked.
CAUTION: On the Session Settings tab, SPS Connection Policy, do not select Sps initiated unless you have SPS version 6.2.0 or later installed. This is used when an access policy is used by SPS to create an SPS initiated access request.
Support for additional ServiceNow ticket types (793493)
System integrators designing privileged account access based on ServiceNow tickets can include ticket types for validation during access request workflow. The following tickets types are supported in addition to INC tickets:
l PRB (problem) tickets l CHG (change) tickets l RITM (request) tickets If the ticket number is found in any of the ServiceNow tables searched (INC, CHG, RITM, or PRB) and the ServiceNow API property for the ticket is "Active", the user can make the access request. Administrators can search by a ticket number in the Activity Center to find the access request.
What's new in version 2.9.0.10658
Safeguard for Privileged Passwords introduces the following new features and enhancements in this version.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Appendix: Historical changes by release
625
�Appliance diagnostics package (797266)
Appliance Administrators can execute a trusted, secure appliance diagnostics package to help solve issues with configuration, synchronization, and clustering, as well as other other internal challenges. The appliance diagnostics package is available from the web Support Kiosk, not the Serial Kiosk (Recovery Kiosk). The appliance diagnostics package can be used even when the appliance is in quarantine. To protect against external threats, Safeguard rejects illegitimate appliance diagnostics packages. The manifest file in the appliance diagnostics package lists criteria that may include the minimum Safeguard version, appliance ID, and expiration time-stamp UTC. New product code and database changes are not included in an appliance diagnostics package.
SPP-SPS join enhancements (803185)
Safeguard for Privileged Passwords (SPP) is enhanced to more easily use Safeguard for Privileged Sessions (SPS) for session recording and playback.
Appliance Administrators can identify the SPP SPS join connections by:
l Host Name
l Network Address (identified by the IP address of the session connection)
l Other nodes in the SPS cluster
l Other nodes that belong to each SPS cluster that has been joined to SPP
Navigate to Administrative Tools | Settings | Cluster | Session Appliances for details.
Appliance Administrators can also identify managed networks by the host name and IP address of the cluster master. Navigate to Administrative Tools | Settings | Cluster | Managed Networks and view Sessions Managed By.
Policy Administrators can identify the host name and IP address of the SPS cluster master
from which policies originate. A Warning icon displays if a policy is not functional. Navigate to Administrative Tools | Entitlements | Access Request Policies | Session Settings tab and view the SPS Connection Policy.
Users and administrators receive timely notification if an access request will not result in a launchable session request. The notifications identify details such as:
l User are informed if SPP could not contact SPS and are given the option to try again so the request can be redirected to another managed host in the SPS cluster.
l Policy Administrators can identify the SPS connection policies by the host name and IP address of the SPS cluster master from which the policies originate.
l User are informed if the SPS configuration is locked and are given the option to try again later. This condition is typically because the SPS administrator is making configuration changes to the SPS appliance at the same time that a new access request is being created or a session is being launched.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Appendix: Historical changes by release
626
�Telnet and TN3270/TN5250 session access request support (782501)
Safeguard for Privileged Passwords (SPP) supports session access requests with mainframes using software terminal emulation including telnet and TN3270/TN5250 over telnet. Safeguard for Privileged Sessions (SPS) version 6.1 or higher is used for session recording.
Actions
l Security officers can record activities of administrators who maintain critical systems running on IBM iSeries and mainframe computers.
l Asset Administrators can:
l Customize the TN3270/TN5250 login screen field detection to work for the Safeguard custom login setup.
l Mark an asset as supporting telnet sessions and specify if the asset is available.
l Policy Administrators can create an entitlement with an access policy that includes session access using telnet and TN3270/TN5250 sessions over telnet.
l Requesters' log in experience follows the regular client telnet or TN3270/TN5250 interface even when the session is being recorded. Sessions are not launched from Safeguard for Privileged Passwords and all required log in information is available through Safeguard for Privileged Passwords.
High level steps
IMPORTANT: Engagement with One Identity Professional Services is required for assistance with configurations and installation including available plug-ins, policy creation, pattern files, shortcuts, and best practices.
In Safeguard for Privileged Sessions (SPS), the following steps are required. For operation details, see the One Identity Safeguard for Privileged Sessions Administration Guide at this link: One Identity Safeguard for Privileged Sessions Administration Guide.
l Until supplied by SPS, import the plug-in to supply authentication and authorization (AA) information to authenticate with and pull the credentials from SPP.
l Create and assign Pattern Sets which use pattern files specific to the log in experience for each system connection, which vary from mainframe to mainframe.
l Specify each Authentication Policy.
l Configure each Connection Policy. Multiple connection policies are typically required because of the uniqueness of each system and pattern file.
l Perform related activities based on your installation.
In Safeguard for Privileged Sessions (SPS):
l The Asset Administrator adds the mainframe asset including the Telnet Session Port that is identified on the Administrative Tools | Asset | Management tab. For more information, see Adding an asset on page 185.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Appendix: Historical changes by release
627
�l The Policy Administrator sets the Access Type (Telnet) on the Administrative Tools | Entitlements | Access Request Policies tab.
l When configuration is complete, the requester proceeds to use the terminal service application in use. The requester will copy the required information based on the telnet or TN3270/TN5250 over telnet connection requirements.
For more information, see How do I set up telnet and TN3270/TN5250 session access requests on page 576.
Additional log in step and two-factor authentication with FIDO2 (79072)
IMPORTANT: All users will experience an additional step to log in to Safeguard for Privileged Passwords. After clicking Connect, the user sees a message like: You'll now be redirected to your web browser to complete the login process. You can select: Don't show this message again. Then, click OK. The browser window can be closed. On the user login screen, the user entered the User Name and Password as usual. A new secondary authentication type, FIDO2, is now supported and can be assigned to any Safeguard for Privileged Passwords user, providing they have at least one compatible FIDO2 authenticator security key. After being configured by a User Administrator, a Safeguard for Privileged Passwords user will be prompted to register their FIDO2 authenticator security key at next login. For more information, see Requiring secondary authentication log in on page 457. Users are then responsible for managing their own FIDO2 authenticator keys, including registering additional keys for backup purposes, viewing, renaming, or deleting unused keys. For more information, see User information and log out (desktop client) on page 82. Authenticator support Any FIDO/FIDO2 authenticator that supports the WebAuthn standard can be used for twofactor authentication, this includes some older U2F authenticator security keys. Safeguard for Privileged Passwords does not use or require any authenticator attestation data. User verification, such as PIN or biometric is also not used.
Virtual appliance using Hyper-V (801564)
The Appliance Administrator can use Hyper-V as the virtual target environment deployed by importing the Safeguard for Privileged Passwords Hyper-V zip file with the virtual machine settings.
VMware ESXi: Backup and restore required
vSphere Hypervisor (ESXi) is enhanced in Safeguard for Privileged Passwords (SPP) 2.9. For SPP 2.9 only, you are required to take a backup of your 2.8.x system and restore it on your SPP 2.9 system. Future versions will not require this action.
CAUTION: Failure to backup of your 2.8.x system and restore it on your SPP 2.9 system will result in loss of configuration and functionality.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Appendix: Historical changes by release
628
�What's new in version 2.10.0.10980
Safeguard for Privileged Passwords introduces the following new features and enhancements in this version.
A2A service supports events for multiple accounts (804349)
Using the A2A service, an administrator can use a single signalR connection to monitor password change events for multiple accounts across multiple A2A registrations. A signalR connection failure message is returned if any of the following occur:
l The accounts sent in the authorization header is larger than 8K. l One or more of the API keys sent failed validation. l One or more of the API keys sent failed to match the user certificate used for
authentication. This may occur across multiple A2A registrations.
Active Directory account discovery dynamic tags and dynamic groups (798532)
An Asset Administrator can: l Dynamically tag an account from Active Directory. l Add an account to a dynamic account group based on membership in an Active Directory group. l Add an account to a dynamic account group based on if the account is in a particular organizational unit (OU) in Active Directory.
The options to select Include objects from sub containers is available when adding an account discovery rule from Administrative Tools | Discovery | Account Discovery | Account Discovery Rule dialog. For more information, see Adding an Account Discovery rule on page 246.
Configure Web Client Inactivity Timeout (803424, 782603)
The Appliance Administrator can configure the Web Client Inactivity Timeout which is the time that has elapsed since the user made a request to the server. The minimum value is 5 minutes and the maximum value is 2880 minutes (2 days). When the timeout period is met, a message displays and the user can continue or log out. If there is no response, the user is automatically logged out. The default is 15 minutes. To configure the value, navigate to Administrative Tools | Settings | Safeguard Access | Login Control and set Web Client Inactivity Timeout.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Appendix: Historical changes by release
629
�"Other Managed" platform type (805372)
To ensure the automation environment is compliant, a System Integrator can use a generated password that is securely stored and periodically rotated. To ensure compliance in an ultra secure environment, an Asset Administrator can manage an asset that Safeguard for Privileged Passwords cannot connect to (for example, when there is a one-way firewall). In the Add Asset dialog under the Management tab, select the Product setting Other Managed. When selected, Safeguard for Privileged Passwords stores the password and can automatically check and change it per the profile configuration. There is no active connection or service account. The passwords are rotated internally and an event notifications is sent when the rotation is complete. Another component or piece of automation can change the password or make use of the password in the configuration files. For example, a listener can pick up the change event via the Safeguard for Privileged Passwords Application to Application (A2A) service and perform actions, as required.
What's new in version 2.11.0.11444
Safeguard for Privileged Passwords introduces the following new features and enhancements in this version.
Access requests proceed regardless of the review state of an earlier request (TFS 805354/DevOps 191598)
Policy Administrators can choose to allow subsequent access requests to proceed even if the required review on a previous access request is incomplete. This prevents blocking a new session request when the prior request requires a review and the review is not done. Navigate to Administrative Tools | Entitlements | Access Request Policies | (create or edit a policy) | Reviewer tab. For more information, see Reviewer tab on page 274.
Audit history for passwords and sessions (TFS 805354/DevOps 191549)
In preparation for a future release of Safeguard for Privileged Sessions, a toggle has been added to allow the Safeguard for Privileged Passwords Appliance Administrator to push audit data to SPS. Navigate to Administrative Tools | Settings | Appliance | Enable or Disable Services. For more information, see Enable or Disable Services on page 310.
Azure to run in cloud (191524)
Safeguard for Privileged Passwords (SPP) can be run in the cloud using Azure. A version of Safeguard for Privileged Passwords is available in the Azure Marketplace.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Appendix: Historical changes by release
630
�Generic ticket system without ticket system validation (TFS 794519/Dev Ops 191534)
Policy Administrators can require requesters to reference a ticket number in their password or session access request. Tickets do not have to be validated against an external ticketing system but, optionally, may be validated against the regular expression of a generic ticketing system. The ticket number is used in the decision to approve the request and serves as a reference visible in the Activity Center. Navigate to Administrative Tools | Settings | External Integration | Ticket Systems. In Type, select Other. For more information, see Ticketing systems on page 413.
Support dynamic grouping for assets based on Active Directory groups (TFS 806225/ DevOps 191499)
Implementers can create tags / asset groups based on any Active Directory group of which the asset is a member unrelated to discovery. For account or asset groups, use the rule editor controls on:
l Account Rules tab of the Dynamic Account Group dialog l Asset Rules tab of the Dynamic Asset Group dialog To add a dynamic tag for an asset or asset account, use the New button on the Tags pane in the Settings | Asset Management settings page.
Web client (TFS 795288/DevOps 200361)
The Safeguard for Privileged Passwords web client provides a web-based user interface that can be used instead of the desktop client for the request workflow and some administration functions. Requesters use the web client to:
l Search for and request password access, session access, or both. l Concurrently request access to multiple passwords and sessions. l Create and use a favorite to quickly access the common access requests. Reviewers use the web client to review requests. Approvers use the web client to: l See the access requests awaiting approval. l See which access requests require immediate attention. l View the details of each access request. l Approve or deny an access request. l Select multiple access requests to approve or deny at the same time. l Return to an approved, active access request and revoke the request.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Appendix: Historical changes by release
631
�Administrators can also use the web client to:
l Configure time, network, and license. l Shutdown or reboot the appliance
For more information, see Using the web client on page 69.
Windows SSH platform (TFS 792427/DevOps 191511)
Safeguard for Privileged Passwords can utilize SSH to connect to the target Windows asset and run commands to manage standard platform tasks. Using SSH only requires opening a single well known SSH port. OpenSSH is the recommended connectivity tool; however, other SSH servers may also work. Windows SSH assets support both SSH password and SSH session access requests. From Administrative Tools | Assets | Management tab, you can select the Product as Windows SSH and the Version. Best practices When configuring the SSH service on the asset, it is recommended to use automatic (versus manual) startup. You can also set the default shell to PowerShell. You can control this by going to HKLM\SOFTWARE\OpenSSH and creating a new string value called "DefaultShell and setting it to C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Appendix: Historical changes by release
632
�Glossary
A
access request Rule-based password request and/or session request for an account. Access can be automatically approved or require one or more approvals. Email or toast notifications can be set.
access request broker With the Application to Application service, a third-party application can create an access request on behalf of another user.
access request policy Settings that restrict system access. Used to manage access (for example, to a password release request policy or session request policy). Defines the scope (assets, asset groups, accounts, or account groups), the access type (password, SSH, RDP, or telnet), and the rules for password checkout (duration and number of approvals). Entitlements are sets of access request policies.
access request policy time restrictions Enforce when a user can access the account passwords. If there are entitlement and policy time restrictions, the overlapping period is valid.
account May be a directory account or service account associated with an asset. An account can only be associated with one asset. Accounts are added to policies for management (for example, to a password release request policy or session request policy). An account may be associated with an entitlement, account group, or both. Also see user.
account dependency SPP maintains the passwords for dependent accounts on all the systems that use them (for example, one or more Windows servers use a directory account, such as an Active Directory account, to run services or tasks).
Account Discovery job Job with rule-based settings to discover all accounts assigned to the assets in a selected partition, are made available globally, or only the accounts that match the rules criteria. You can automatically manage the found accounts and automatically discover and configure dependent systems. Or, you can manually add the discovered accounts.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Glossary
633
�account group A set of accounts that can be added to the scope of an access request policy, which in turn can be associated with an entitlement. See dynamic account group.
AD (Active Directory) Microsoft AD consists of services running on a Windows Server to manage permissions and access to networked resources. AD stores data as objects.
AD FS (Active Directory Federated Services) A software component developed by Microsoft that runs on a Windows Server operating systems to provide users with single sign-on access to systems and applications located across organizational boundaries.
appliance The SPP appliance is hardware with pre-installed software to for easy installation. The appliance is hardened to ensure security at the hardware, operating system, and software levels.
Appliance Administrator Responsible for configuring and maintaining the SPP appliance.
Application to Application (A2) An SPP service where third-party applications can retrieve a credential from SPP to 1) perform automated functions or 2) allow a user to log in to SPP to retrieve a password or start a session.
Approval Anywhere SPP feature where an approver can approve (or deny) access requests through their mobile device.
archive servers External physical servers where you store backup files.
asset A computer, server, network device, directory, or application managed by Safeguard for Privileged Passwords. You can log in to an asset with more than one account, but an account (user, group, or service) can only be associated with one asset. All assets must be governed by a partition profile. Assets may be subdivided into subsets for management. For example, a directory asset can manage a subset of the forest.
Asset Administrator Manages all partitions, assets, and accounts.
Asset Discovery job Job with rule-based settings to discover and add assets that are not in SPP. A job can be run against a directory or network (IP range).
asset group A set of assets that can be added to the scope of an access request policy, which in turn is associated with an entitlement. See dynamic asset group.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Glossary
634
�asset tag rules Can be set to dynamically add tags to assets and asset accounts so the assets and asset accounts can be identified and added to dynamic groups.
audit log management Tasks defined and scheduled to purge audit logs from the SPP Appliance and archive older audit logs to a designated archive server.
audit log signing certificate Used to sign the audit log files saved to an archive server. Proves that the audit logs were created by and came from a particular SPP cluster.
Auditor Administrator Role with read-only access to all features to review all access request activity.
authentication Authentication is the process of validating an identity provided to a system. For example, a system checks the user's login name and password. In SPP, a user's identity provider and authentication provider can be the same or different.
authentication provider In SPP, any mechanism that a user enters credentials into to prove they are acting on behalf of a specific user or system, but does not necessarily contain any personal information of the user. An authentication provider can be the same as the identity provider (such as Active Directory). See identity provider.
Authorizer Administrator Creates and maintains users, directory groups, directory users, password rules, and passwords. Unlocks and enables or disables local and directory user accounts. Typically unlocks administrator accounts.
auto-login Automatic login that never exposes the account credentials to the user.
B
backup and retention settings Used to manage SPP backups and archive servers. SPP encrypts and signs the data before the data is made available for downloading to an off-appliance storage.
Bootstrap Administrator A built-in account to use to start up the appliance for the first time. The account is used to create other administrators. The Bootstrap Administrator default password should be changed. All actions are audited.
C
CA (certificate authority) The authority that issues SSL certificates that are publicly trusted by web browsers. Anyone can issue SSL certificates but the certificates are not automatically trusted
Safeguard for Privileged Passwords 2.11.1 Administration Guide Glossary
635
�by web browsers.
certificate (SSL certificate) A small file installed on a secure server that digitally binds a cryptographic key to a computer, device, individual, or organization. A certificate is used to establish trust for communication. Certificates contain information identifying the owner of the certificate, the public key, the expiration date of the certificate, the name of the CA that signed the certificate, and some other data.
certificate settings Used to manage the certificates that are used to secure SPP. Some SPP certificates are default and need to be replaced and others are user-supplied certificates.
certificate store A special key database file that Digital Certificate Manager (DCM) uses to store digital certificates. In SPP, the certificate store is owned by the cluster. SSL certificates in the store can be added to any appliance in the clustered environment.
change password For user and service accounts, the rules and process to reset and synchronize the user or service account password with the SPP database. For directory accounts, SPP synchronizes the directory account password provided by an external identity provider, such as Active Directory. Also see check password and set password.
check password For user and service accounts, the rules and process to verify the account password is in sync with the SPP database. If the password verification fails, you can change the password. Check passwords is associated with a partition. For directory accounts, the rules and process to verify the directory account passwords (such as Active Directory) and synchronize with SPP. Also see change password and set password.
CIDR (Classless Inter-Domain Routing) Allows flexible allocation of Internet Protocol (IP) addresses. A CIDR network address under IPv4 looks like: 192.20.250.00/18. The network address is 192.20.250.00 and the 18 indicates that the first 18 bits are the network part of the address that leaves the last 14 bits for specific host addresses.
clone of VM A copy of an existing virtual machine (the parent) that is a separate virtual machine which may share virtual disks with the parent virtual machine.
cloud platform account SPP can manage cloud platform accounts such as Amazon Web Services (AWS).
cluster A set of computers that work together where each replica (node) can perform the same task to enable high availability and load distribution.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Glossary
636
�consensus (quorum) A cluster has consensus (quorum) when the majority of the members (primary or replica appliances) are online and able to communicate.
credential retrieval With the SPP (Application to Application service), a third-party application can retrieve credentials from SPP outside the normal workflow.
CSR (certificate signing request) A CSR is submitted to a certificate authority (CA) to obtain a digitally signed certificate.
CSS (cascading style sheet) A .css file that describes how HTML elements display on screen, paper, or other media. See HTML5.
csv A file format used with programs that store data in tables, such as Microsoft Excel. CSV stands for Comma-Separated Values.
custom platform Platform added to SPP via uploading a custom platform script. The script may be selected when adding or updating an asset. Custom platforms are global across all partitions.
D
DCM (Digital Certificate Manager) Used to manage digital certificates on a network and use Secure Sockets Layer (SSL) to enable secure communications for applications.
default gateway The access point or IP router that sends information to a computer in another network when no other route specification matches the destination IP address of a packet.
default SSL certificate SPP provides a default self-signed SSL certificate for HTTPS assigned to the appliance. This certificate is not a trusted certificate and should be replaced.
delegated owner One or more users that the Asset Administrator selected to manage the assets and accounts in a partition.
deny An active access request can be either denied or approved. An approved active access request can be revoked.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Glossary
637
�directory A structure to catalog files and, possibly, other directories. In SPP, the structure and objects from a directory service, such as Active Directory or OpenLDAP, can be imported and synchronized.
directory account An account from an external identity store, such as Microsoft Active Directory, used to authenticate to a managed system (asset).
DNS (Domain Name System) System to translate human readable information (such as a domain name, web site, or other internet-based resource) to the addressing protocols (IP address).
DNS server (domain name server) Contains a database of public IP addresses and their associated hostnames and translates the common names to IP addresses.
domain name The name of a network (for example, oneidentity.com).
dynamic account group Account group made up of systematically identified accounts that meet asset account rules, directory account rules, or both. The rules engine runs when you add or change an asset account or an asset account rule.
dynamic asset group Asset group made up of systematically identified assets that meet identified rules.
dynamic disk Fault-tolerant volumes that may span multiple disks; flexible volume management with database tracking and replica storage of the dynamic disk database.
E
entitlement A set of access request policies that restrict system access (including rules and schedules), typically by job role. Entitlements are used to authorize users or user groups for accounts in the scope of the access request policies. Entitlements can be associated with one or more profiles.
entitlement time restrictions Controls identifying when an entitlement is in effect (user's time zone). If there are both entitlement and policy time restrictions, the overlapping period is valid.
explicit association (explicit assignment) You can explicitly add an asset to a profile. This overrides the implicit inheritance from the partition so the asset's profile is no longer determined by the partition. You can explicitly assign an account to a profile the account's profile is no longer determined the asset.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Glossary
638
�F
factory reset Operation to recover from major problems or clear appliance data and configuration settings. All data and audit history are removed.
federation metadata The data format for communicating configuration information between an identity (claims) provider and a relying party. The data format is defined in Security Assertion Markup Language (SAML) 2.0, and it is extended in WS-Federation.
federation provider Service provider that mediates between two or more trust domains so users can access applications and services using the same digital identity.
FIDO2 (Fast ID Online) A set of security specifications for strong authentication. FIDO2 supports multifactored authentication, public key cryptography, biometric authentication, and other personally identifying information (PII).
forest Network logical division that may contain one or more trees and in turn domains made up of objects (computers, users, devices) sharing the same database. The first domain in the forest is called the forest root domain.
FQDN (fully qualified domain name) A domain name that specifies its exact location in the tree hierarchy of the Domain Name System (DNS). For example, given a device with a local hostname myhost and a parent domain name example.com, the fully qualified domain name is myhost.example.com.
G
gateway A device that connects two or more parts of the network. For example, the device may connect your local intranet and the external network (the internet). Gateways act as entrances to other networks.
GMT (Greenwich Meridian Time) GMT is never out of sync with UTC (Coordinated Universal Time) by more than nine tenths of a second so UTC and GMT are virtually equivalent in common usage.
H
HA (high availability) A system that is resilient and likely to operate continuously without failure for a long period of time.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Glossary
639
�Help Desk Administrator Sets passwords for non-administrative user accounts and unlocks user accounts. The Authorizer Administrator typically unlocks administrator accounts.
host A computer connected to the network. A host may offer resources, services, and applications to users or nodes on the network. May have virtualization software (such as ESX or ESXi) to run virtual machines (VMs).
hostname A label assigned a device connected to a network and that is used to identify the device.
HTML5 Hypertext Markup Language version 5 is the code that describes web pages and includes HTML for structure, Cascading Style Sheets (CSS) for presentation, and JavaScript (processing).
I
identification Identification happens when a user claims to be a specific system user. For example, a user's login name and password are used to establish identity. In SPP, a user's identity provider and authentication provider can be the same or different.
identity provider In SPP, the source from which the user's personal information comes from and is synchronized with. See authentication provider.
implicit association (implicit assignment) When an asset is added, it is added to the default partition and default profile (implicit association/assignment). Accounts inherit the parent asset's profile. This can be overridden by explicitly assigning an asset to a profile; the asset's associated accounts are also assigned to the new profile.
import Accounts, assets, or users in a Comma Separated Values (.csv) file can be added to SPP's database. Objects must pass validity tests. Default values may be added during the import.
IP address (Internet Protocol address) Unique internet number assigned to each device communicating across the internet. The IP address provides location and identification. See DNS.
IPv6 (Internet Protocol version 6) The most recent version of the Internet Protocol (IP). See IP address.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Glossary
640
�J
JavaScript A computer programming language commonly used for processing on the web. See HTML5.
json A language-independent data format. Code for parsing and generating JSON data is readily available in many programming languages. JSON stands for "JavaScript Object Notation".
K
key pair A private key and its related public key. The private key is known only to the owner, while the public key can be freely distributed. Information encrypted with the private key can only be decrypted using the public key.
KMS (Key Management Service) Used to activate systems in the organization's network so that individual computers do not have to connect to Microsoft for product activation.
KMS Server (Microsoft Key Management Server) A Microsoft Volume Activation 2.0 solution service used to activate volume licensed Microsoft products.
L
LDAP (Lightweight Directory Access Protocol) An application protocol for querying and modifying data using directory services running over TCP/IP.
lights out management (via BMC/baseboard management controller) Feature to manage the SPP power state and serial using BMC. This feature is used to power on an appliance remotely or to interact with the Recovery Kiosk.
M
MAC (Media Access Control) address An identifier assigned to a network adapter or any device with built-in networking capability (such as a printer). A MAC address is burned into the device at the factory (versus an IP address that is assigned later). Also called a hardware address or physical address.
Mac keychain The Apple password management system in Macintosh OS X.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Glossary
641
�managed networks Named lists of network segments serviced by specific SPP Appliances in a clustered environment. Used to distribute the task load by scheduling tasks (for example, password change or asset discovery).
MSI MSI is an installer package file format used to launch Windows-based software installations.
N
netmask For IPV4, a 32-bit mask used to divide an IP address into subnets and specify the network's available hosts.
network interface and proxy server Network interface X0 is the primary interface. Proxy server X0 is for relaying web traffic if the devices don't connect to the web.
NS lookup (named service lookup) Network utility program to obtain information about internet servers. It finds name server information for domains by querying the domain name server (DNS).
NTP (Network Time Protocol) Protocol to synchronize computer clock times in a network.
O
Offline Workflow Mode Appliance state when the appliance no longer has consensus (quorum) and has been enabled to process access requests using cached policy data. The appliance operates in isolation from the remainder of the cluster.
Operations Administrator Monitors the status of the appliance and can reboot the appliance. This role can be a script or external monitoring system.
OU (Organizational Unit) A subdivision within an Active Directory into which you can place users, groups, computers, and or any other organizational units (for example, functional or business hierarchy.
OVA (Open Virtualization Appliance) An OVA file contains a compressed version of a virtual machine (VM) to be installed. When you open an OVA file, the VM is extracted and imported into the virtualization software installed on your computer.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Glossary
642
�P
partition A group of assets (and the assets' associated accounts) governed by a partition profile and used for delegate asset management. An asset can only be in one partition at a time. All accounts associated with that asset are automatically added to the partition but can be reassigned.
partition profile The schedules and rules that are required to govern a partition's assets and the assets' accounts. You can set a default partition profile to assign to assets and assets' accounts. You can manually assign a partition profile to an asset or account.
password rules The requirements for user password authentication, such as uppercase and lowercase letters, numerics, and special characters. Password rules set in SPP apply to local users not users from external providers such as Active Directory.
password sync groups Used to control password validation and reset across all associated accounts.
ping A command that sends a message from a host to another host over a network to test connectivity and packet loss.
port A number from 1 to 65,535 for the destination application of the transmitted data. For example, SSH commonly uses port 22 and web servers (HTTP) commonly use port 443.
primary appliance One appliance in a cluster where vital data stored on the primary is also stored on replica appliances.
primary authentication The first authenticating factor for a remote user when two-factor authentication (2FA) is enabled.
priority precedence In authorizing password check-out, SPP first considers the entitlement priority then considers the priorities of access request policies in the entitlement.
profile See partition profile and directory profile.
PuTTY A free and versatile terminal tool for remote access to another computer.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Glossary
643
�R
RBAC (role-based access control) The role-based access control model restricts system access to authorized users based on roles. SPP supports this model.
RDP (Remote Desktop Protocol) A Microsoft proprietary protocol that provides graphical user interface to connect to another computer over a network connection.
regular expression A string that describes or matches a set of strings.
relying party A service or application, like Safeguard, that receives and accepts a SAML assertion issued by a SAML authority.
REST Architecture that allows other applications and systems to integrate with diverse systems and applications. SPP's API is based on a REST architecture.
revoke An approved active access request can be revoked.(An active access request can be either denied or approved.)
root SSL certificate (trusted certificate) A certificate issued by a trusted certificate authority (CA) at the top of the trust chain and used to issue intermediate SSL certificates to ensure the security of the system.
S
SAML (Security Assertion Markup Language) An open standard for sharing security information about identity, authentication and authorization across systems. SAML is implemented with the XML standard for sharing data. SAML provides a framework for implementing single sign-on and other federated identity systems.
scope An access request policies assets, asset groups, accounts, or account groups assignments.
Secure Shell (SSH) A security protocol for logging in to a remote server.
security key A small physical device that is inserted into a USB drive. Typically, you will enter your password then insert the security key as a required second form of authentication. You can use one security key with more than one account. You can
Safeguard for Privileged Passwords 2.11.1 Administration Guide Glossary
644
�have multiple security keys registered on an account. Activating the registration of a security key varies with the key (for example, press a button or tap). Security keys must be U2F or WebAuthn capable.
Security Policy Administrator Creates account groups, asset groups, and user groups. Creates entitlements and adds users or user groups to entitlements. Configures access request policies.
service account Used by an application or service to interact with the operating system or configuration.
service account domain name The name of the domain where the service account resides. SPP uses DNS-SRV to resolve domain names to actual domain controllers.
Service Discovery job Scans Windows assets and automatically discovers Windows services and tasks. If the directory accounts are managed by SPP, the service or task is automatically associated with the managed account. Administrators can identify unmanaged accounts to potentially manage.
sessions SPP issues privileged access to users for specific periods, called sessions.
set password Rules and process to manually set or randomly generate the user or service account passwords in the SPP database. The process does not change the account password on the asset. For directory accounts, SPP synchronizes the directory account password provided by an external identity provider, such as Active Directory. Also see check password and change password.
SID (Security IDentifier) An alphanumeric name used to identify user, group, and computer accounts in Windows. SIDs are created an account is first created in Windows and no two SIDs on a computer are ever the same.
SMTP server (Simple Mail Transfer Protocol server) Protocol server that handles email delivery process (for example, smtp.gmail.com).
snapshot of VM The state of a computer system at a point in time. Snapshots are not enough to restore a virtual machine and do not replace backukps.
SNMP (Simple Network Management Protocol) An industry standard protocol for network management. SNMP alerts are sent to a central SNMP server.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Glossary
645
�SPA One Identity Safeguard for Privileged Analytics solution to monitor behavior and identify threats.
split brain A split brain situation occurs when for some reason (for example, the loss of connection between the nodes) both nodes of a cluster become active as the primary. New data (for example, audit trails) may be created on both nodes without being replicated to the other node. Thus, it is likely in this situation that two diverging sets of data are created that cannot be easily merged.
SPP One Identity Safeguard for Privileged Passwords solution to secure privileged credentials.
SPS One Identity Safeguard for Privileged Sessions solution to control, monitor, and record privileged sessions.
SSH (Secure Shell) key An access credential in the SSH protocol. The function is similar to a user name and passwords, but SSH keys are primarily used for automated processes and for implementing single sign-on to an SSH server by system administrators and power users.
SSH authorized key The public key from an SSH identity key pair.
SSH banner Contains security warning information or general information.
SSH host key Used for authentication. Host keys are pairs. Public host keys are stored on or distributed to SSH clients. Private keys are stored on SSH servers.
SSH identity key An SSH key pair used for SSH 'publickey' authentication. The private key is required to prove identity and log in wherever the key is authorized.
SSH key An access credential in the SSH protocol. Functionally similar to a user name and password, but primarily used for automated processes and single sign-on by system administrators and power users.
SSH settings Parameters of the connection on the protocol level, including timeout value and greeting message of the connection, as well as the encryption algorithms used.
SSL Secure Sockets Layer (SSL) is a cryptographic protocol that provides secure communications on the internet.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Glossary
646
�SSL certificate store Contains uploaded or enrolled SSL certificates owned by a cluster. Any SSL certificate in the store can be assigned to any appliance in the clustered environment.
SSO (single sign-on) User logs in with a single ID and password per session to gain access to multiple services within a single organization.
STS (Security Token Service) A third-party servce responsible for issuing, validating, renewing, and cancelling security tokens. The tokens are used to identify the holder of the token to services that adhere to the WS-Trust standard.
support bundle System and configuration information sent to One Identity Support to analyze and diagnose issues.
syslog Protocol to produce and send log and event information from Unix/Linux and Windows systems and devices over UDP port 514 to a centralized syslog server.
T
tags Can be assigned manually (static) or dynamically set through tagging rules (identified by a lightning bolt icon). Tags are helpful in searches. Dynamic tags are updated when the rules engine runs when you add or change an asset account or an asset account rule.
TCP/IP (Transmission Control Protocol/Internet Protocol) A set of networking protocols that allows two or more computers to communicate.
telnet A terminal emulation protocol that enables a user to connect to a remote host or device using a telnet client.
thumbprint A unique hash value that identifies the certificate.
ticketing feature SPP can be integrated with a company's external ticket system, such as ServiceNow or Remedy.
TLS (Transport Layer Security) TLS and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide secure communications on the internet. The application can encrypt the communication between the clients and the server using TLS to prevent unauthorized access to sensitive log messages.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Glossary
647
�toast notifications A small, auto-expiring alert that displays when the desktop client application is not the active foreground application.
traceroute A command that shows all routing steps (the path of a message) between two hosts.
traffic shaping (packet shaping) Manipulates and prioritizes network traffic to reduce the impact of heavy use cases from effecting other use cases.
two-factor authentication (2FA) A user is required to provide two different authentication factors to verify themself. Provides a higher level of security than one factor and protects the user's credentials and the resources accessed.
U
UNC (Universal Naming Convention) path Used to access network resources and contains two or more of the following components: \\<servername>. <share>.<filename>
user A person who can log in to SPP. A user can be local or can be a directory user from an external identity store such as Microsoft Active Directory. A user may be associated with user groups, partitions, entitlements, and linked accounts. A user may or may not have administrator permissions.
User Administrator Creates (or imports) users. Sets passwords, unlocks accounts, and enables or disables non-administrator user accounts. Adds directory groups to directories, including directory users. Grants Help Desk Administrator permissions. The Authorizer Administrator typically unlocks administrator accounts.
user group A set of local users or directory users that can be added to an entitlement to use the entitlement's access request policies restricting system access.
UTC (Coordinated Universal Time) UTC is never out of sync with GMT (Greenwich Meridian Time) by more than ninetenths of a second, so UTC and GMT are virtually equivalent in common usage.
V
virtual machine (VM) A software computer that runs an operating system and applications and acts as an isolated computing environment. One host computer may have multiple virtual machines.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Glossary
648
�W
web console A web-based application that allows you to execute shell commands on a server directly from a browser (web-based SSH).
WMI (Windows Management Instrumentation) The infrastructure for accessing management data in an enterprise environment. You can write WMI scripts or applications to automate administrative tasks on remote computers. WMI also supplies management data to other parts of the operating system and products.
workflow engine Directs workflow and may include time restrictions, reviewers, approvers, emergency access, and policy expiration. May integrate with a ticketing system and have reason codes.
Safeguard for Privileged Passwords 2.11.1 Administration Guide Glossary
649
�About us
About us
One Identity solutions eliminate the complexities and time-consuming processes often required to govern identities, manage privileged accounts and control access. Our solutions enhance business agility while addressing your IAM challenges with on-premises, cloud and hybrid environments.
Contacting us
For sales and other inquiries, such as licensing, support, and renewals, visit https://www.oneidentity.com/company/contact-us.aspx.
Technical support resources
Technical support is available to One Identity customers with a valid maintenance contract and customers who have trial versions. You can access the Support Portal at https://support.oneidentity.com/. The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours a day, 365 days a year. The Support Portal enables you to:
l Submit and manage a Service Request. l View Knowledge Base articles. l Sign up for product notifications. l Download software and technical documentation. l View how-to videos at www.YouTube.com/OneIdentity. l Engage in community discussions. l Chat with support engineers online. l View services to assist you with your product.
Safeguard for Privileged Passwords 2.11.1 Administration Guide About us
650
�Index
I ndex
3
3270 session access request setup 576
5
5250 session access request setup 576
A
access API 561 Access Config tab 276 access historical information 565 Access Key, about 202 access request broker 379 Access Request Policies tab
account 141 account group 161 asset 180 asset group 217 entitlement 261 access request policy access settings 276 add account 169 approver settings 272 assign accounts and assets 270 emergency access 279 requester settings 271 reviewer settings 274 session access settings 277 time restrictions 279
Access Request Policy dialog Access Config tab 276 Approver tab 272 Emergency tab 279 General tab 269 Requester tab 271 Reviewer tab 274 Scope tab 270 Session Settings tab 277 Time Restrictions tab 279
Access Request settings 301 Enable or Disable Services 301 Reasons 303
access request states 582 access request workflow 107 access requests
enable for service account 194 enable or disable services 301 view details 89 Access Requests dashboard about 88 view details 89 account about 138 Access Request Policies tab 141 Account Groups tab 142 add 147, 168 add cloud platform account 148 add dependent account to a Windows
server 209 add to access request policy 142-143
Safeguard for Privileged Passwords 2.11.1 Administration Guide Index
651
�add to account group 142, 144, 151, 160, 168, 181
add to profile 296 associate with asset 178, 207 associated asset 140 change password 152 Check and Change Log tab 144 check and set password 156 General tab 139 History tab 145 manually add tag 150 modify 152 remove 152 select account group 151 unlock 466 account dependencies about 208 add to Windows servers 209 Account Dependencies tab asset 180 account discovery add setting 227, 241, 244, 325 delete job 250 delete setting 227, 241, 325 details 241 discover accounts 241 discover service accounts 241 edit job 250 how to setup 243 modify setting 227, 241 run setting 227 view setting 227 account discovery job about 240
account discovery rule add 246
account group about 159 Access Request Policies tab 161 Accounts tab 160 add 151, 164 add a dymanic group 165 add account 151, 168 add to policy 169 General tab 160 History tab 162 History tab membership operation 146, 163, 264, 291, 450, 471 modify 169 remove 170
Account Groups tab account 142
account password change 157 check 157 set 157
account password rules about 417 add 417, 419 add to profile 295 copy 418 delete 418 modify 418
Accounts tab account group 160 asset 178
ACF - Mainframe systems prepare for Safeguard 520
activate read-only appliance 492
Safeguard for Privileged Passwords 2.11.1 Administration Guide Index
652
�Activity Center about 90 apply search criteria 91 audit request workflow 98 delete saved search 97 delete scheduled report 97 edit saved search 97 edit scheduled report 97 generate report 93 query builder 91 save search criteria 92 schedule report 95
activity events filtering report results 99 view details 97
add account 138, 147 account dependency to Windows severs 209 account discovery rule 246 account discovery setting 227, 241, 244 account group 151, 159 account groups 164 account password rules 419 account to access request policy 169 account to asset 207 accounts to account groups 168 application registration 382 asset 172, 185 asset group 215, 220 asset or account to partition profile 298 asset to asset group 210 asset to partition 293 audit log signing certificate 351
cloud platform account 148 custom platform 325 directory group 474 dynamic account group 165 dynamic asset group 220 dynamic asset or asset account
tag 328 entitlement 258, 265 external federation provider
trust 566 external federation user account 568 license 312 managed network 369 partition 285, 292 password reset schedule 422 password sync group 429 password validation schedule
accounts 426 sessions certificate 355 trusted certificate 360 user 444, 451, 568 user group 467, 473 user group to entitlement 281 user group to role 477 user to entitlement 281 user to role 459 user to user group 476 admin password reset 50 Administrative Tools 103 administrator permissions 507 administrator permissions Appliance administrator 507 Asset administrator 509 Auditor administrator 511 Authorizer administrator 512
Safeguard for Privileged Passwords 2.11.1 Administration Guide Index
653
�Help Desk administrator 514 Operations administrator 514 Security Policy administrator 515 User administrator 517 Amazon Web Services platforms prepare for Safeguard 521 API access 561 customize response 563 EventSubscribers 393 query filtering 563 API key regenerate for Application to Applic-
ation service 384 appliance
activate 492 add license 312 appliance name, set 309 Appliance settings 304 assign SSL certificate 359 backup and restore cluster 495 diagnose cluster 492 diagnostics package 50-51, 306 factory reset 311, 498 information 49-50 LCD controls 545 LDD status messages 544 Lights Out Management (BMC) 313 modify network suffixes 319 monitor cluster health 363 networking settings 318 patch cluster members 493 remove from cluster 483 reset cluster 497 restart 310, 544, 551
shut down 309, 552 specifications 32 states 502 time 321 unjoin from cluster 483 update license 312 view information about 307 virtual appliance setup 45 Appliance administrator permissions 507 appliance configuration about 377 NTP server 322 appliance diagnostic package 50-51, 306 Appliance Diagnostics settings 50-51, 306 Appliance Information restart appliance 310 settings 307 shut down appliance 309 Appliance settings 304 application registration add 382 delete 384 Application to Application about 379 add registration 382 delete registration 384 regenerate API key 384 setting up 381 settings 378 Application to Application service check status 379 disable service 311 enable 379 enable service 311
Safeguard for Privileged Passwords 2.11.1 Administration Guide Index
654
�make request to 385 apply search criteria to a activity audit
log 91 Approval Anywhere
configure 389 approve password release request 116,
127 desktop client 116 approve session access request 128 Approver tab 272 archive backup file 347 archive servers 336 configure 337 configure for session recordings 438 delete configuration 336 modify configuration 336 asset about 171 Access Request Policies tab 180 Account Dependencies tab 180 Accounts tab 178 add 185 add dynamic tag 328 add to asset group 216, 223 add to partition 298 add to partition profile 296 add to partitions 293 associate account with 178, 207, 211 authentication types 192 copy tag to another partition 333 delete tag 332 Discovered Services tab 182 General tab 174 hide asset marked "ignore" 139, 172 History tab 183 import 172
link to profile 205-206 modify 210 modify connection timeout 210 modify tag 333 product (operating system)
not modifiable 188 remove 211 show hidden 139, 172 view tag assignments 334 asset account add dynamic tag 328 copy tag to another partition 333 delete tag 332 modify tag 333 view tag assignments 334 Asset administrator permissions 509 asset authentication type access key 194, 202 none 199, 203 password 200 Asset dialog Connection tab 192 General tab 186 Management tab 187 asset discovery about 226 add new job 228
General tab 229 Information tab 230 Rules tab 231
Asset Profile 237 Condition 232 Connection 234 Schedule tab 237 Summary tab 238
Safeguard for Privileged Passwords 2.11.1 Administration Guide Index
655
�delete job 239 directory scan 230 edit job 238 network scan 230 asset group about 215 Access Request Policies tab 217 add 220 add account to 223 add asset to 210 add dynamic group 220 Assets tab 216 General tab 216 History tab 218 History tab membership
operation 184, 218 modify 224 remove 224 view 215 Asset Management settings 324 Assets tab asset group 216 assign accounts and assets to access
request policy 270 assign user to partition 459 Audit Log Management settings 339 Audit Log Signing certificate 349 audit log signing certificates
add 351 create CSR 351 audit request workflow 98 Auditor administrator permissions 511 authentication options 612 Authentication tab 453 Authorizer administrator
permissions 512
Azure 54 backup and recovery 49, 56 change setup 54 deployment steps 54 IP settings 54 security 54
B
backup about 335 archive 342 archive backup file 347 clustered appliance 495 configure archive server 337 create 342-343 delete 342 download 342, 345 information 341 restore 342, 345 run now 342 schedule 343 upload 342, 345
Backup and Retention settings 334 Archive Servers 336 Audit Log Management 339 Safeguard Backup and Restore 341 Safeguard Backup Retention 347
backup retention setting enable 347
Best Practice Add service accounts to profiles set to never change passwords 194 Add User Groups as approvers or reviewers rather than individuals 273, 275
Safeguard for Privileged Passwords 2.11.1 Administration Guide Index
656
�After changing a user's administrative permissions, close the user's connections to the appliance 461
Disable directory users instead of deleting 462
Keep a minimum number of backups on the appliance 341
Perform backups more frequently than the Maximum Password Age setting 343
Setup an NTP server to eliminate system time issues. 578
bootstrap admin password reset 552
C
Cannot 543 certificate settings 348 Certificate Signing Request 352
create for audit logs 351 create for sessions 356 SSL certificate 359 certificate support for telnet 521, 525,
529, 534 certificates
about 348 Audit Log Signing 349 chain of trust 573 CSRs 352 how to prevent messages when
making RDP connections 571 install audiot log signing
certificates 351 install sessions certificates 355 RDP Connection Signing
Certificate 349, 353 Session Recording Signing
Certificate 349, 353 Timestamping Authority
Certificate 349, 353 challenge response process 50 change password 152 change password management
disable 303 enable 303 change password setting about 421 add to profile 295 copy 422 delete 422 modify 422 Check and Change Log tab account 144 check asset connectivity about 204 check password management disable 302 enable 302 check password setting about 425 add to profile 294 copy 425 delete 425 modify 425 Cisco devices prepare for Safeguard 521 cloud Azure 53-54 backup and recovery 49, 56 change setup 54 using 53 using Azure 54
Safeguard for Privileged Passwords 2.11.1 Administration Guide Index
657
�cloud platform account add to Safeguard 148
cluster about 479 appliance details 362-363 backup and restore 495 configurations 479 consensus 480 diagnose 492 failover to replica 491 health check 480 monitor health 362-363 patch 493 primary appliance 479 primary appliance failure 481 promote replica to primary 491 remove quarantined appliance 583 remove replica appliance 483 replica appliance 479 reset 481, 497 settings 361 troubleshooting tips 501 unjoin and activate 481 unjoin replica appliance 483 unlock 501
Cluster Management settings 362 cluster member
about cluster patching 494 Activate 485 Check Health 485 Diagnose 485 Failover 485 patch 493 Unjoin 485 Cluster monitoring page 361
cluster patching failure scenarios 494 service guarantees 494
Cluster settings Cluster Management 362 Managed Networks 366
cluster view pane 362 Cluster view pane 363 configure alerts 108 configure assets for Safeguard 519 configure Privileged Sessions 584 Connection tab 192 contact information
change personal information 82 continued access workflow 613 converting timestamps 102 copy
account password rule 418 asset or asset account tag to another
partition 333 change password setting 422 check password setting 425 SNMP subscription 407 syslog server configuration 412 create relying party trust in IdP-STS 567 Creating custom platform script 325 credential retrieval 379 custom platform 612 about 324 download script 325 view 325 custom platform script create 325
Safeguard for Privileged Passwords 2.11.1 Administration Guide Index
658
�D
delete account 138 account discovery setting 227, 241 account group 159 account password rule 418 application registration 384 archive server configuation 336 asset 172 asset group 215, 224 asset or asset account tag 332 change password setting 422 check password setting 425 custom platform 325 entitlement 259, 283 external federation service provider configuration 395 managed network 370 partition 285 password sync group 429 saved search 97 scheduled activity audit log report 97 sessions management 376 SNMP subscription 407 Syslog server configuration 412 ticketing system 415 user 444 user group 467
dependent accounts about 208
dependent system updates 209 desktop client
application settings 80 install 76
start 78 system requirements 35 uninstall 79 diagnostic tests about 314 clustered appliance 492 nslookup 315 ping 314 show routes 317 Telnet 316 trace route 316 directories that can be searched 37 directory add directory group 474 directory based user discovery 613 directory scan for assets 230 disable change password management 303 check password management 302 password requests 302 session module password access
enabled 303 session requests 302 toast notifications 108 disaster recovery about 479 diagnose cluster members 485 maintain cluster members 485 troubleshooting tips 501 discover accounts 241 service accounts 241 discovered services 182, 254 Discovered Services tab partition 182
Safeguard for Privileged Passwords 2.11.1 Administration Guide Index
659
�discovery about 225 account 240, 250 account and service 243 asset 226, 228, 238-239 run now 182 asset discovery job workflow 228
Domain Name System (DNS) set 570
download custom platform 325
download Safeguard federation metadata 396
dymanic account group add 165
Dynamic Account Group dialog Asset Account Rules tab 166 General tab 165 Summary tab 168
dynamic asset group add 220
Dynamic Asset Group dialog Asset Rules tab 221 General tab 221 Summary tab 223
dynamic tag add to assets or asset accounts 328
E
edit saved search 97 edit scheduled activity audit log
report 97 email
administrative permissions determine what emails are sent 109
configure notifications 393 configure Safeguard to receive notific-
ations 108 configure SMTP server 391 default events sent 109 modify templates 393 template macros 394 emergency access about 262, 280 Emergency tab 279 enable change password management 303 check password management 302 password requests 302 session module password access
enabled 303 session requests 302 toast notifications 81, 108 Enable or Disable Services settings 301,
311 enroll cluster member 482 entitlement
about 258 Access Request Policies tab 261 add 265 add policy 283 add user 260, 281, 283 add user group 281, 470, 477 change priority 267 delete 283 expired 262 General tab 259 History tab 263 invalid 258, 262 membership 280, 459 modify 283
Safeguard for Privileged Passwords 2.11.1 Administration Guide Index
660
�modify time restrictions 283 Policies tab 261 priority 266 time restrictions 268 Users tab 260 Entitlement dialog General tab 265 Time Restrictions tab 267 entitlement report filtering report results 99 Entitlements tab user 447 user group 469 export action bar option 94, 100 External federation add external federation provider
trust 566 add external federation user
account 568 configure 565 create relying party trust in IdP-
STS 567 external federation service provider
delete configuration 376, 395 modify configuration 376, 395 External Integration settings 377 Application to Application 378 Approval Anywhere 389 Email 391 External Federation 565 SNMP 407 Starling 408 Syslog 411-412 Ticketing 414
F
F5 Big-IP devices
prepare for Safeguard 524
Facebook Hosts
prepare for Safeguard 523
factory reset 311, 498, 553
FAQ
How do access the API 561
How do I audit transaction activity 565
How do I configure external federation authentication 565
How do I customize the response using API query parameters 563
How do I manage account passwords manually 569
How do I prevent Safeguard prompt when making RDP connections 571
How do I require users to log in using secondary authentication 457
How do I require users to log in using two-factor authentication 455
How do I set the appliance system time 578
How do I set up telnet, 3270, and 5250 session access requests 576
How do Safeguard database servers use SSL 578
What are the access request states 582
What do I do when an appliance goes into quarantine 582
What is required for One Identity Safeguard for Privileged Sessions 584
Safeguard for Privileged Passwords 2.11.1 Administration Guide Index
661
�When does rules engine run for dynamic grouping and tagging 586
Why did the password change during an open request 586
favorites create 84 remove 85 set color 85
federation metadata 565 download 396 download Safeguard federation metadata 566 manually input values 567
FIDO key 74, 82, 405 filtering report results 99 follow mode, session play back 134 forced access request 613 Forntinet FortiOS devices
prepare for Safeguard 523
G
General tab account 139 account group 160 asset 174 asset group 216 entitlement 259 partition 287 user 444 user groups 468
generate activity audit log report 93 quarantine bundle 583 support bundle 554
global access request settings 301
glossary 633
H
Help Desk administrator permissions 514
hide ignored assets 139, 172 History tab
account 145 account group 162 asset 183 asset group 218 entitlement 263 partition 291 user group 471 Home page about 86 navigation pane 85 widgets 86 HP iLO Management Processors prepare for Safeguard 525 HP iLO servers prepare for Safeguard 524 Hyper-V backup and recovery 49, 56
I
IBM i (AS/400) systems prepare for Safeguard 525
identity provider initiated single sign on flow 614
IdP-STS 565 create relying party trust 567
iDRAC devices prepare for Safeguard 522
Safeguard for Privileged Passwords 2.11.1 Administration Guide Index
662
�import about 152, 211, 462 accounts 139 assets 172 create import file 155 CSV Template Assistant 155 file format 155 how to import objects 152, 211, 462 users 444
install audit log signing certificate 351 desktop client 76 patch 323 sessions certificate 355 SSL certificate 358 update file 323
integrate with Safeguard external ticket system 414
J
join Safeguard for Priviliged Passwords to Safeguard Sessions Appliance 612
join to Starling 408 JunOS servers
prepare for Safeguard 526
L
launch RDP session 130 Safeguard Desktop Player 133 SSH client 129
LCD controls 545 status messages 544
license add 312 settings 312 update 312
licensing 42 Lights Out Management (BMC)
settings 313 Linked Accounts tab
users 448 live session
follow 134 terminate 134 Location tab 455 login control configure 431 Login Notification setting 416
M
manage accounts passwords manually 569
managed network add 369 delete 370 modify configuration settings 369 resolve IP address 370
Managed Networks settings 366
Management tab 187 member
add to entitlement 280, 459 add to user group 446, 459, 476 Message of the Day setting 416 Messaging settings 416 MIBSNMP configure subscriptions 407
Safeguard for Privileged Passwords 2.11.1 Administration Guide Index
663
�Microsoft SQL Servers prepare for Safeguard 532 SSL support 579
minimum required permissions for Windows assets 536
modify account discovery setting 227, 241 account group membership 169 account information 152 account password rule 418 archive server configuration 336 asset group information 224 asset or asset account tag 333 change password setting 422 check password setting 425 email template 393 external federation service provider configuration 395 managed network 369 network suffixes 319 password sync group 429 sessions management 376 SNMP subscription 407 syslog server configuration 412 ticketing system 415 user password rules 434
MongoDB prepare for Safeguard 526
MySQL servers prepare for Safeguard 527 SSL support 580
N
network diagnostic tools 304 Network Interface X0 properties 318
Network Interface X1 properties 319 network scan for assets 230 Network Time Protocol (NTP)
enable 322, 570 networking settings 318 new features and resolved issues 605,
607 nslookup 315
O
object ID 104 ODBC Transport 579 Offline Workflow mode 480, 489
enable 490 resume operations 490 Operations administrator
permissions 514 Oracle databases
prepare for Safeguard 527 Other (or Other Linux) operating system
about 187
P
Palo Alto Networks prepare for Safeguard 528
partition about 21, 285 add 292 add asset 293 add assets 298 assign asset 205 change description 298 default profile 297 delegate management of 293, 298, 447
Safeguard for Privileged Passwords 2.11.1 Administration Guide Index
664
�delete assets from 205 General tab 287 History tab 291 modify 298 Profile tab 290 reassign asset 294 reassign asset accounts 294 remove 299 Scope tab 288-289 set default 296, 299 partition profiles add assets or accounts 298 Partitions about 285 Partitions tab user 446 password change 82 change password manually 422 check and set 156 partition profile 186 policy, add to role 268 policy, modify 282 request, how to prevent 147, 207,
249 reset 465 viewing Password Archive 157 Password Archive viewing 157 password check and change did not
run 548 password Check and Change Log
view 145 password management services 301 password release
check-in 114-115
checkout 114-115 password release request 111
cancel pending request 114-115 desktop client approval 116 desktop client check-in 114 desktop client checkout 114 disable 302 enable 302 remove request 114-115 resubmit request 114-115, 125, 127 review 117 web client approval 116, 127 web client check-in 113 web client checkout 113 workflow 110 password sync group add 429 add to partition profile 296 change sync group password 429 delete 429 modify 429-430 priority 428, 430 password validation schedule add 426 patch cluster members 493 permissions about 507 Appliance administrator 507 Asset administrator 509 Auditor administrator 511 Authorizer administrator 512 delegated partition owner 459 Help Desk administrator 514 Operations administrator 514 Security Policy administrator 515
Safeguard for Privileged Passwords 2.11.1 Administration Guide Index
665
�User administrator 517 Permissions tab 456 photo
change 82 ping 314 platforms that can be managed 37 play back recorded session 133 Policies tab
account 141 account group 161 asset 180 entitlement 261 policy about 268 add accounts to scope 161, 217 add to role 261, 268 change priority 267 copy 282 edit 282 expired 258, 262 invalid 262 priority 270 reason codes 303 remove 281 time restrictions 268 view details 282 ports 587, 595, 600 PostgreSQL prepare for Safeguard 528 power options 50 prepare asset for management 519 ACF - Mainframe systems 520 Amazon Web Services platforms 521 Cisco devices 521 Dell iDRAC devices 522
ESXi Hosts 522 F5 Big-IP devices 524 Facebook Hosts 523 Fortient FortiOS devices 523 HP iLO Management Processors 525 HP iLO servers 524 IBM i (AS/400) systems 525 JunOS - Juniper Networks
servers 526 MongoDB 526 MySQL servers 527 Oracle databases 527 PAN-OS Networks 528 PostgreSQL 528 RACF - Mainframe systems 529 SAP HANA 529 SAP Netweaver Application
Servers 530 SonicOS devices 531 SonicWALL SMA or CMS
appliances 532 SQL Server 532 Sybase (Adaptive Server Enterprise)
servers 531 Topic Secret - Mainframe
systems 534 Unix-based systems 534 Windows systems 535, 538 prevent Safeguard prompts when making
RDP connections 571 priority
about 266 change entitlement priority 267 change policy priority 267 entitlement 266 policy 270
Safeguard for Privileged Passwords 2.11.1 Administration Guide Index
666
�Privilege Elevation Command 195, 197, 200
Privileged Sessions required configuration 584
product licensing 42 profile
about 21-22, 286 add asset or account to partition
profile 298 add to partition 290 assign to asset 206 explicit association 286 implicit association 286 reset default profile 286 Profile settings 417 Account Password Rules 417 Change Password 421 Check Password 425 profile, partition about 290 add 294 add accounts 296 add assets 296 add password sync group 296 modify 296, 299 set as default 297 Profiles tab partition 290 Proxy Server X0 properties 319
Q
quarantine bundle 583 quarantined appliance 582
R
RACF - Mainframe systems prepare for Safeguard 529
RDP connection prompts 571 RDP Connection Signing certificate 349,
353 RDP session
launch 130 read-only appliance
activate 492 reason codes 303 recover a quarantined appliance 582 recovery kiosk 549
appliance information 550 factory reset 553 generate quarantine bundle 583 generate support bundle 554 reboot appliance 551 reset bootstrap admin password 552 shutdown appliance 552 regnerate API key 384 remove asset group 224 quarantined appliance from a
cluster 583 trusted certificate 361 replay recorded session 133 replica failover to replica 491 promote to primary 491 remove 483 unjoin 483 Reports about 100
Safeguard for Privileged Passwords 2.11.1 Administration Guide Index
667
�run entitlement report 101 request password release 111 request workflow
audit 98 dialog 133 password release requests 110 Requester tab 271 reset bootstrap admin password 552 reset cluster 497 reset to default certificate 356 resolve IP address in managed
networks 370 restart appliance 310, 551 restore
backup file 345 clustered appliance 495 reversing the join sessions management 377 review password release request 117 session access request 132 session release request 132 Reviewer tab 274 role-based access control 507 role-based email notifications 109 run account discovery setting 227 run asset discovery job 182 run entitlement report 101 run in the system tray 81
S
Safeguard features 27 set up 58
Safeguard Access settings 431 Login Control 431 Time Zone 437 User Password Rules 434
SAP HANA prepare for Safeguard 529
SAP Netweaver Application Servers prepare for Safeguard 530
save search criteria 92 schedule
activity audit log report 95 asset discovery 237 auto account password reset 422 auto account password
validation 426 backup, how to 343 scope add assets or accounts to
partition 293 Scope tab
partition 288-289 search box 63
using 63-64 secondary authentication
about 457 enable 455 login 78 Secret Key, about 203 Security Policy administrator permis-
sions 515 separation of duties 58 server
archive, configure 337 service account 138
about 193 set as managed account 193
Safeguard for Privileged Passwords 2.11.1 Administration Guide Index
668
�service discovery 615 how to setup 243
session access request 120 approve 128 check-in session 123, 125 launch RDP session 130 launch session 123, 125 launch SSH client 129 review 132 revoke 128
session module password access enabled disable 303 enable 303
session recording about 118 follow mode 134 play back 133
Session Recording Signing Certificate 349, 353
session release checkout 124, 126
session release request cancel pending request 125, 127 remove request 125, 127 review 132
session request workflow 118 session requests
disable 302 enable 302 Session Settings tab 277 sessions about 118 about certificates 349, 353 Sessions Appliance join 612
sessions certificates about 349, 353 add 355 create CSR 356 reset to default certificate 356
sessions management about 373 reversing the join 377
Sessions Module settings 440 Sessions settings 438
Session Recording Storage Management 438
Sessions Module 440 SSH Banner 442 SSH Host Key 442 set account password reset schedule 422 set account password validation
schedule 426 set appliance name 309 set appliance system time 578 set password
generate 157, 569 manual 157 set telnet, 3270, and 5250 session access
requests 576 settings
Access Request 301 Account Discovery 240 Account Password Rules 417 Appliance 304 Appliance Diagnostics 50, 306 Appliance Information 304, 307 Application to Application 378 Approval Anywhere 389 Archive Servers 336 Asset Management 324
Safeguard for Privileged Passwords 2.11.1 Administration Guide Index
669
�Audit Log Signing Certificate 349 Autit Log Management 339 Backup and Retention 334 backup settings 343 Certificate Signing Request 352 Certificates 348 Change Password 421 Change Password Management
Enabled 303 Check Password 425 Check Password Management
Enabled 302 Cluster 361 Cluster Management 362 custom platforms 324 desktop client application settings 80 Diagnostics 314 Email 391 Enable Backup Retention 347 Enable or Disable Services 301, 311 External Federation 565 External Integration 377 Factory Reset 311 Licensing 312 Lights Out Management (BMC) 313 Login Control 431 Login Notification 416 Managed Networks 366 Message of the Day 416 Messaging 416 Networking 318 Password Requests Enabled 302 Profile 417 Reasons 303 run in the system tray 81 Safeguard Access 431
Safeguard Backup and Restore 341 Safeguard Retention 347 Session Module Password Access
Enabled 303 Session Recording Storage Manage-
ment 438 Sessions 438 Sessions Certificates 349, 353 sessions management 373 Sessions Module 440 SNMP 407 SSH Banner 442 SSH Host Key 442 SSL Certificates 357 Starling 408 Support Bundle 321 Syslog 411-412 Tags 327 Ticketing 414 Time 321 Time Zone 437 Trusted Certificates 360 User Password Rules 434 setup Safeguard 58 setup Starling account 409 show ignored assets 139, 172 show routes 317 shut down appliance 309 shutdown appliance 552 sign up for Starling One Identity Hybrid
service trial account 409 SNMP
copy subscription 407 delete subscription 407 modify subscription 407
Safeguard for Privileged Passwords 2.11.1 Administration Guide Index
670
�SonicOS devices prepare for Safeguard 531
SonicWALL SMA or CMS appliances prepare for Safeguard 532
sort entity lists 66 sorting report results 99 SSH Banner 442 SSH Host Key
add 542 algorithms for key exchange 542 sessions 442 SSH Host Key Fingerprint About 176 SSH key download 214 import 196 SSH session launch SSH client 129 SSL certificates about 357 assign to appliance 359 create certificate signing request 359 install 358 SSL support about 578 Microsoft SQL servers 579 MySQL servers 580 Sybase ASE servers 581 Starling join 408 Starling One Identity Hybrid service setup account 409 start desktop client 78 support bundle 321, 554 supported platforms 37
Sybase ASE servers prepare for Safeguard 531 SSL support 581
syslog 411 configure 412 copy server configuration 412 delete server configuration 412 modify server configuration 412
system requirements 34 desktop client 35 web client 36 web management console 37
T
tags copy asset or asset account tag to another partition 333 delete asset or asset account tag 332 manage asset and asset account tags 327 manually adding a tag to an account 150 modify asset or asset account tag 333 view asset and asset account tag assignments 334 when does rules enginer run 586
tasks stop 137 viewing 136
telnet certificate support 521, 525, 529, 534 session access request setup 576
Telnet 316 terminate session play back 134
Safeguard for Privileged Passwords 2.11.1 Administration Guide Index
671
�Test Connection about 194 disable UAC to resolve connectivity failures 540 resolve failures 555
ticketing system delete 415 integrate with Safeguard 414 modify settings 415
time current appliance time 321
time restrictions 268 Time Restrictions tab
Access Request Policy dialog 279 Entitlement dialog 267 time zone configure 437 timeout errors causing operations to
fail 558 timestamp
conversion 102 Timestamping Authority Certificate 349,
353 TLS 1.2 setting 307 toast notifications 108
about 81 toolbar
Adminitrative Tools views 105 main screen 80 Toolbox about 136 Topic Secret - Mainframe systems prepare for Safeguard 534 trace route 316
troubleshooting
account is stuck in a pending password change state 548
appliance information 550
appliance status 544
cannot add replica to cluster 554
cannot connect to remote machine through SSH or RDP 543
Check Password fails on Unix host 418, 547
Check, Change, or Set failures 540
cluster 501
diagnostic tests 314
domain controller issues 557
error message
An internal request has timed out 554
Anti Cross Site Request Forgery token error 540
cannot play session 544
no cipher supported 542
No SSH host key was provided 540
system was unable to unlock your login keychain 547
There is no cipher supported by both client and server 556
factory reset 553
How do I access the recovery kiosk 549
How do I dowload MIB Definitions 407
How do I enable Network Time Protocol (NTP) 322
How do I generate a support bundle 554
How do I make a Safeguard SSL Webserver Certificate 358
Safeguard for Privileged Passwords 2.11.1 Administration Guide Index
672
�How do I move assets from one partition to another 205
How do I obtain a new password during an open request 586
How do I reassign assets from one partition to another 294
How do I reboot the appliance 551
How do I reset the bootstrap admin password 552
How do I set a directory account's time zone 474
How do I shut down the appliance 552
How do I test an asset's connectivity 204
incorrect or insufficient service account privileges 542
incorrect service account credentials 541
incorrect SSH host keys 541
login credentials fail on Unix host 418, 547
networking issues 557
password fails for Unix host 547
Safeguard is not working on Windows-based systems 558
Test Connection fails for admin account on Windows machine not in domain 540
Test Connection failures 540, 555
Test Connection failures on archive servers 555
Test Connection failures on assets that require SSL 556
timeout errors causing operations to fail 558
What do I do if the system services do not restart 554
Why are directory users in wrong time zone 456
Why are my email template marcros blank 394
Why can't I checkout an account 548 Why can't my AD user log in 544 Why did Test Connection fail 540,
556-558 Why did the password change
fail 152, 194, 540, 543 Why didn't a user receive email
notifications 393 Why didn't the automatic password
check and change run on schedule 548 Why doesn't Safeguard automatically Check and Change SSH Keys 194 Why don't others see the changes I made 105 Why is the bootstrap account locked out of Safeguard 558 Why is the user account locked out of Safeguard 558 Why isn't the password available for checkout 194, 548 Why wasn't the Approver (or reviewer) notified 559 troubleshooting tools 304 trusted certificates about 360 add 360 remove 361
U
uninstall desktop client 79 Unix-based systems
prepare for Safeguard 534 unjoin
cluster member 484
Safeguard for Privileged Passwords 2.11.1 Administration Guide Index
673
�unlock account 466 unlock locked cluster 501 update license file 312 update Safeguard appliance 323 updates
install 323 user
about 443 add 444, 451, 568 add from Users selection dialog 281 add to entitlement 281, 448, 461 add to group 478 add to user group 446, 459, 476 administrator permissions 456 authentication settings 453 change password 82 change personal contact
information 82 change photo 82 change time zone 461 delete 444 enable or disable 461 Entitlements tab 447 export history 450 General tab 444 grant partition ownership 461 import 444 Linked Accounts tab 448 modify 461 Partitions tab 446 remove 462 reset password 465 User Groups tab 446 view history 450, 461 User administrator permissions 517
User dialog Authentication tab 453 Permissions tab 456
user group about 467 add 459, 473 add from User Groups selection dialog 281 add member 446, 459, 468, 476 add to entitlement 281, 477 add to role 478 add user 446, 459, 468, 476, 478 change description 477 delete 467 Entitlements tab 469 General tab 468 History tab 471 modify 477 remove 478 Users tab 468
User Groups tab user 446
user password rule about 434 configure 434
Users tab entitlement 260 user group 468
V
view access request details 89 account discovery setting 227, 241 activity event details 97
Safeguard for Privileged Passwords 2.11.1 Administration Guide Index
674
�asset and asset account tag assignments 334
Check and Change Log 145 custom platform 325 virtual appliance 44 backup and recovery 49, 56 set up 45 virtual kiosk support kiosk 49 VMware backukp and recovery 49, 56 VMware ESXi Hosts prepare for Safeguard 522
W
web client 69 about 80 approvals 71 change password 73 favorites 72 FIDO2 keys 74 log out 74 my requests 70 reviews 71 settings 73 system requirements 36 version 73 Windows client 73
web management console 44 system requirements 37
widgets approvals widget, controls 116, 128 requests widget, controls 125 reviews widget, controls 117, 132
Windows systems minimum required permissions 536 prepare for Safeguard 535, 538
Safeguard for Privileged Passwords 2.11.1 Administration Guide Index
675
�madbuild