VIP in front of 3 nodes of SPP

A customer has created a VIP in front of 3 nodes of SPP, and anyone who has to access SPP enters the VIP in the desktop client or web GUI. This VIP sends the call to one of the SPP nodes, but if a system administrator logs in and is routed to a replica node, they do not have full administrative privileges, and this is not good. Is it possible to create a single access point without specifying the IP or hostname of one of the three SPP nodes but still have administrators access SPP with administrative privileges? For example, if we have spp01.environment.test, spp02.environment.test, spp03.environment.test and the VIP is group.environment.test, then everybody who points to group.environment.test is sent to one of the SPP nodes, but the system administrators have to maintain their administrative privileges. Is it possible?

  • Hi Dario,

    Load balancing SPP network addresses can be used for user access requests (to access a password or session from any available SPP node in the cluster).

    However, full administrative privileges are only available via the Primary node.

    As per the admin guide:

    "Primary and replica appliances

    A Safeguard for Privileged Passwords cluster consists of three or five appliances. An appliance can only belong to a single cluster. One appliance in the cluster is designated as the primary. Non-primary appliances are referred to as replicas. All vital data stored on the primary appliance is also stored on the replicas. In the event of a disaster, where the primary appliance is no longer functioning, you can promote a replica to be the new primary appliance. Network configuration is done on each unique appliance, whether it is the primary or a replica.

    The replicas provide a read-only view of the security policy configuration. You cannot add, delete, or modify the objects or security policy configuration on a replica appliance. You can perform password and SSH key change and check operations and make password and SSH key release and session access requests. Users can log in to replicas to request access, generate reports, or audit the data. Also, passwords, SSH keys, and sessions can be requested from any appliance in a Safeguard cluster."

    Reference: https://support.oneidentity.com/technical-documents/one-identity-safeguard-for-privileged-passwords/6.12.1/administration-guide/123#TOPIC-1738338

    Thanks!

  • Thank you so much, Tawfiq. Last question: if a primary is no longer functioning, can a replica become primary by promoting it manually, or is it an automatic process to change the primary?

    Thanks a lot.

  • Hi Dario,

    Promoting a Replica to become a new Primary is not automated and has to be done by an Admin in SPP.

    Depending on the situation, we recommend reaching out to support before making changes in a cluster to confirm if that is the right option for the encountered issue.

    Thanks!

  • OK Tawfiq, I think that is enough.

    Thank you very much for your support.

    Have a great evening!
