For the best web experience, please use IE11+, Chrome, Firefox, or Safari

Traditional privileged access management (PAM) solutions involve complex architectures, lengthy deployment times and onerous management requirements. In nearly every recent high-profile breach, privileged accounts have been compromised to gain access to critical systems and data. But you can limit the damage from a breach by adopting a SaaS solution that provide a secure, efficient and compliant way to access to privileged accounts. One Identity Safeguard On Demand combines a secure password safe and a session management and monitoring solution with threat detection and analytics all managed and delivered from the cloud. It securely stores, manages, records and analyzes privileged access.

Key Benefits

Safeguard On Demand is a powerful cloud-delivered privileged access management (PAM) solution that automates, controls and secures the granting of privileged credentials with role-based access management and workflows. You lose no PAM, cybersecurity or compliance functionality . The user centered design of Safeguard On Demand means a reduced learning curve. Plus, the solution enables you to manage privileged passwords and privileged sessions from anywhere and using nearly any device. The result is that you can operate with privileged access management best practices. Plus, your enterprise is secure while your privileged users enjoy a new level of freedom and functionality.

Full-strength PAM with SaaS delivery
Mitigate potential damage of a security breaches
Meet compliance requirements
Realize ROI quickly with simplified deployment
Satisfy auditors with efficient audit-report creation
Identify and stop risky behaviors and unusual events
Simplify privileged account management


The One Identity Approach to Privileged Access Management

The One Identity Safeguard portfolio includes the industry’s most comprehensive set of privileged access management (PAM) solutions. You can build on the capabilities of One Identity Safeguard On Demand with solutions for granular delegation of the UNIX root account and the Active Directory administrator account; add-ons to make open-source sudo enterprise-ready; and keystroke logging for UNIX root activities – all tightly integrated with the industry’s leading Active Directory bridge solution.

Policy-based Release Control

Using a secure web browser with support for mobile devices, you can request access and provide approval for privileged passwords and sessions. Requests can be approved automatically or require dual/multiple approvals based on your organization’s policy. So, whether your policies consider the requestor’s identity and level of access, the time and day of the request attempt, and the specific resource requested—or all of these — you can configure One Identity Safeguard On Demand to meet your customized needs. Plus, you can input reason codes and/ or integrate with ticketing systems.

Full-session Audit, Recording and Replay

All privileged session monitoring – down to the keystroke, mouse movement, and windows viewed – is captured, indexed, and stored in tamper-proof audit trails that can be viewed like a video and searched like a database. Security teams can search for specific events across sessions and play the recording starting from the exact location the search criteria occurred. Audit trails are encrypted, time-stamped and cryptographically signed for forensics and compliance purposes. 

Instant On

Safeguard On Demand operates in transparent mode, requiring no changes to user workflows. Acting as a proxy gateway, Safeguard On Demand can operate like a router in the network—invisible to the user and to the server. Admins can keep using the client applications they are familiar with, and can access target servers and systems without any disruption to their daily routine. 

User Behavioral Biometrics

Each user has an idiosyncratic pattern of behavior, even when performing identical actions, such as typing or moving a mouse. The algorithms built into Safeguard On Demand inspect these behavioral characteristics. Keystroke dynamics and mouse movement analysis help identify breaches and also serve as a continuous, biometric authentication, thus strengthening the cybersecurity of privileged access. 

Approval Anywhere

Leveraging One Identity Cloud Assistant, you can approve or deny requests from anywhere — and with nearly any device.

Personal Password Vault

All your organizations employees can store and generate random passwords for non-federated business accounts in a free personal password vault. This enables your organization to use a sanctioned tool with the ability to securely share and recover passwords providing much needed security and visibility into business accounts.


Quickly access the passwords that you use most often right from the login screen. You can group several password requests into a single favorite so you can get access to all the accounts you need with a single click.


Quickly discover privileged accounts or systems on your network with host-, directory- and network-discovery options.

Real-time Alerting and Blocking

Safeguard On Demand monitors traffic in real time, and executes various actions if a certain pattern appears in the command line or on screen. Predefined patterns could be a risky command or text in a text-oriented protocol, or a suspicious window title in a graphical connection. In the case of detecting a suspicious user action, Safeguard On Demand can log the event, send an alert or immediately terminate the session.

Command and Application Control

Safeguard On Demand  supports both black listing and white listing of commands and windows titles.

Wide Protocol Support

Full support for SSH, Telnet, RDP, HTTP(s), ICA and VNC protocols. In addition, security teams can decide which network services (e.g. file transfer, shell access, etc.) within the protocols they want to enable/disable for administrators.

Full-text Search

With its Optical Character Recognition (OCR) engine, auditors can do full-text searches for both commands and any text seen by the user in the content of the sessions. It can even list file operations and extract transferred files for review. The ability to search session content and metadata accelerates and simplifies forensics and IT troubleshooting.


Safeguard On Demand uses a modernized API based on REST to connect with other applications and systems. Every function is exposed through the API to enable quick and easy integration regardless of what want to do or which language your applications are written.

Change Control

Supports configurable, granular change control of shared credentials, including time-and last-use-based, and manual or forced change.


One Identity Safeguard On Demand
One Identity Safeguard On Demand
One Identity Safeguard On Demand
SaaS delivery to securely store, manage, record and analyze privileged access
Read Datasheet
Your Secure Path to the Cloud
Your Secure Path to the Cloud


Your Secure Path to the Cloud
Watch this video to learn how One Identity’s progressive cloud strategy futureproofs your Identity Governance and Administration (IGA) infrastructure, no matter how complex or the mix of on-prem to cloud resources. See how our approach enables your organization to preserve your investment in on-premise systems while developing new SaaS and cloud-based uses cases.
Watch Video
One Identity Manager On Demand Security Guide
Technical Brief
One Identity Manager On Demand Security Guide
One Identity Manager On Demand Security Guide
One Identity Manager On Demand Security Guide
Read Technical Brief
One Identity Safeguard On Demand Security Guide
Technical Brief
One Identity Safeguard On Demand Security Guide
One Identity Safeguard On Demand Security Guide
One Identity Safeguard On Demand Security Guide
Read Technical Brief

Get Started Now