Is Account Password Rotation Available on SPP 6.11

Hello,

We are running SPP 6.11 and are trying to determine if it is possible for a randomly generated password to be issued for an admin every time the admin requests access to log in to an asset. One-time use, per se. It would be rotated after that Request check-in.

I was able to find the information for scheduling password rotation by profile - but not for one time use. I am trying to implement this for one test user only, not across all yet. A copy function would also be necessary.

Thank you.

  • Hi Alfredo,

    The setting to Change password after check-in can be enabled as part of the Entitlement > Access request policy > edit the policy > Select the Access config

    Here there are two options that could help with your inquiry:

    • Include password release with sessions requests (If Access Type is RDP, SSH, or Telnet, select this check box to include a password release with session access requests.) 
    • Change password after check-in (Select this check box if the password is to be changed after the user checks it back in.)

    Please refer to the admin guide section here:

    https://support.oneidentity.com/technical-documents/one-identity-safeguard-for-privileged-passwords/6.11.1/administration-guide/62#TOPIC-1693655

    Note: We recommend upgrading SPP to the latest version; the latest available versions are currently SPP 6.13.1 and SPS 6.13.

    Thanks!

  • Thank you Tawfiq, I did not have the password release checked. Is there a copy function to copy the password?

  • Yes there is a copy icon for the password.

    Please refer to the admin guide section here for information on the Access request workflow:

    https://support.oneidentity.com/technical-documents/one-identity-safeguard-for-privileged-passwords/6.13.1/administration-guide/23#TOPIC-1777774

    Thanks!

  • Thank you, I appreciate your assistance. I just inherited this project. I have configured the policy according to the admin guide, but apparently there is a part I'm missing. There is a token that is rotated, and using the copy function I can copy the connection string - but I was assuming that the AD privileged password would be changed in Safeguard upon check-in and AD updated. I tried with both a Scope of an Asset and with an Account - same result. I have a call into Pro services. Thanks again!

    Scope:
      Tried with an Asset
      Tried with an Account; same result

    Access Request Policy:
      Require Comment: Checked
      Auto-Approved: Checked

    Access Config tab:
      Access Type: RDP (Remote Desktop Protocol)
      Include password release with sessions requests: Checked
      Change password after check-in: Checked
      Asset-Based Session Access: Linked Account
      Allow password access to linked accounts: NOT an option
      Enable scope filtering: Checked

  • For RDP Access request policy:

    If you are looking to authenticate using an AD account then you only need to add the Asset to the scope.

    Option 1: If using Asset Based Session access as Linked account, then the AD account should be added from the Users section > Select user (who is logging in to SPP to make the request) > select the Linked Account tab > here you can add the AD account as a Linked account to the user that is initiating the Access Request.

    If you do it this way, then no need to enable the box "Enable scope filtering" - this can be unchecked.
    Linked account is used so that one Entitlement can be used for many users with each user able to request only their linked AD account.

    Everything else can remain the same.

    Option 2: Otherwise, if using Asset Based Session access as Directory account then you can browse and select the AD account here but this is more for a shared AD account where multiple assigned users to this Entitlement would have access to this specified AD account (Shared AD account for example)

    Then, after you make the RDP request, this will allow you to launch the session and connect to the target asset. Once you have signed out and checked the request back in, SPP will trigger a password change for the AD account used.

    You can use the Activity Center icon to see the activity events which will show the Password change event after the request is checked in.

    We recommend engaging Professional Services team for implementation assistance to help you with the solution based on your requirements.

    Thanks!
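
One way to confirm from the directory side that a check-in actually rotated the AD password, as an added example that is not part of the original thread or of One Identity's tooling. It uses the standard RSAT ActiveDirectory cmdlets; the account name, check-in time and 30-minute window are constructed assumptions.

```powershell
# Added example: check whether an AD account's password was reset shortly
# after a Safeguard access request was checked in.
# Requires the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

function Test-PasswordRotatedAfterCheckIn {
    param(
        [Parameter(Mandatory)] [string]   $SamAccountName,
        [Parameter(Mandatory)] [datetime] $CheckInTime,
        # How long after check-in a reset is still attributed to that check-in
        # (assumed value; adjust to your environment).
        [timespan] $Window = (New-TimeSpan -Minutes 30)
    )

    # Query the PDC emulator: password changes are forwarded to it immediately,
    # so replication lag on another DC cannot cause a false "not rotated".
    $pdc  = (Get-ADDomain).PDCEmulator
    $user = Get-ADUser -Identity $SamAccountName -Server $pdc -Properties PasswordLastSet

    $lastSet = $user.PasswordLastSet   # $null when pwdLastSet is 0
    $rotated = $false
    if ($lastSet) {
        $rotated = ($lastSet -ge $CheckInTime) -and ($lastSet -le ($CheckInTime + $Window))
    }

    [pscustomobject]@{
        Account         = $user.SamAccountName
        QueriedDC       = $pdc
        CheckInTime     = $CheckInTime
        PasswordLastSet = $lastSet
        RotatedInWindow = $rotated
    }
}

# Constructed placeholders: replace with the linked AD account and the
# check-in time shown for the request in the Activity Center.
Test-PasswordRotatedAfterCheckIn -SamAccountName 'adm-example' `
    -CheckInTime (Get-Date '2023-01-15 14:05')
```

If `RotatedInWindow` is false while the Activity Center shows no password change event for the check-in, the request most likely did not use the AD account you expected.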
