I have a question regarding the discovered account configurations in Safeguard. Below are the details of the use case we have and the options which I have thought about. Can someone please help me by pointing out the right approach?
We have a Safeguard environments with Assets already present. These assets are discovered using Asset Discovery jobs which are already defined in the environment and are working fine till now. Each of the assets have some pre-configured accounts which are scanned using the Account Discovery Jobs associated with each of the asset discovery jobs.
We now want to scan the assets already present in the environment and any new assets coming ion for some more accounts which are defined by a decided criteria. The new accounts can be discovered using a new rule in each of the account discovery jobs. One thing which is different with these accounts is we do not want to automatically change password, or even check if the password is correct. We just want to add them to Safeguard for now so that they can be managed at a later stage.
While discovering the new accounts is the easy part. I want to know what is the right and recommended way of adding these accounts as un-managed. Here are the options which I have thought about:
- Unchecking the "Automatically Manage Found Accounts" option in the new Account discovery rules.
If we go by this route, will it serve our purpose, or the default profile of the partition will take over and automatically start to check and change the passwords for the new accounts?
- Checking the "Automatically Manage Found Accounts" option on the new Account Discovery rule and associate it with a new profile in the partition, where the profile will have a no-check, no-change option configured.
The question which arises here is, when we are configuring the new profile, in the Change Password section, we have to select either Manage Passwords or Manage SSH. Although we can configure the Change password to run "Never", will this not try to check / change the password when the accounts are first scanned? And can we achieve our goal safely by using this approach?
- Creating 2 asset discovery jobs, essentially targeting the same assets which are already present in the system, and then associating new profile with no-check, no-change configured for the password and new account discovery job containing the new rules for accounts.
The question here is, first of all how will Safeguard handle one asset being identified by 2 asset discovery jobs?
- Creating a new partition and then creating new asset and account discovery jobs and associated new profiles.
Might not be recommended for the scenario I am working on, but it will essentially separate out the new accounts from the existing (managed ones).
The question was a bit long, but if someone can suggest what is the right way to go, it would help me a lot.
I have recently started on Safeguard so if this is a very basic question please don't mind.