Privileged Account governance - Part 3.1 - Installation Prerequisites
- Installation Prerequisites
- One Identity Safeguard - PowerShell API
Features/Functions available in One Identity Manager 8.1 and above
Before we can start any installation, as you already know, we need some prerequisites. On the systems side, typically, they have to be installed or configured so that we can start with, for example, provision of common governance with Identity Manager. In our specific situation, the following is necessary. First of all, we need an installed Safeguard somewhere, and we need, of course, an installed Identity Manager somewhere.
Safeguard could be replaced by whatever else at-hand solution. But about this specific case, we'll talk a little bit later. Now, we have an installed Safeguard. We have an installed Identity Manager. And using these two tools, we can now activate the privileged account governance functionality. That means we have to install the tool. We can do that just in an existing installation by adding with an upgrade migration this specific module, or we can do it during the initial installation, just by selecting that specific module.
Important: in difference to, for example, data governance, there is nowhere something like an edition. That means we can use privileged account governance like any target system with any edition we like. This is the technical perspective. Don't forget, there is as well a sales perspective. But this is what we don't handle there.
Once the module is installed, there is something else we have to take care about. And this is the configuration parameter target system PAG. This comes together with the module and should normally be enabled out of the box after installation. If this is not the case, please enable this parent parameter, because then all the other parameters underneath become enabled as well. If this parameter is disabled for whatever reason, your complete privileged account governance functionality disappears, because it is one of these module parameters.
Next thing, if you want to admin your Safeguard, you need PowerShell. The Safeguard interface, it's a PowerShell interface, and for that, on that synchronization server, where you want to run your scripts, that means the server service that will do your privileged account governance or your Safeguard jobs needs a PowerShell interface, and therefore, you need Windows PowerShell 5 and upper.
Good message for everyone. PowerShell today it's something already installed nearly on every Windows server, so you should not really have a problem with that. Once this server's identified, and PowerShell is installed, this specific server service, that will then later on do these privileged account governance jobs, needs a specific Safeguard interface, that means a specific Safeguard PowerShell module. We will talk about this in detail a little later, but this is necessary to be installed on that specific server.
On the Safeguard side, there is nothing to install. This is a good message, just one thing left, and this is, you have to create a specific Safeguard user. And this Safeguard user needs a set of Safeguard permissions to be able to query the complete data out of Safeguard. So that means it is our synchronization user, and it's necessary here to be an authorizer, a user, help desk, appliance, asset directory, and security policy permissions. If these are all set in Safeguard-- Safeguard experts know what I am talking about-- then the user can be used as synchronization user.
So as shortly mentioned here, the way how to get the Safeguard PowerShell script resources directly from the GitHub on the left hand side, you will see the GitHub in the browser. It's HTTPS github.com. If I am on there, I can directly start searching for Safeguard. And it's dash ps. So if I do so, then I find safeguard-ps from One Identity.
Here we are. I click just on that specific repository. I see some files. We'll talk about that seconds later. But down below here in the description, you will find as well the installation. There is, for example, a PowerShell installation. Directly, I can take this PowerShell installation command and can put it into a window.
One thing here-- it's not really helpful-- this is here the scope. It's for the current user, which is not really good, because I am logged in as an administrator for IM. But my server service will have its own account. So it's better not to do so. It's better to use it for all users. That means here at the end for the complete computer section.
I have to confirm. Here we are. And seconds later, I will find then my Safeguard things as you can see here in that specific folder. And this is the folder here in the Explorer, as you can see Safeguard PS is now already installed. If I open that, I will find here a couple of code.
The same code, by the way, it's code I can find here in the repository. I have to step in source. Yeah, here are the same files. And that will then be the way, for example, if I only want to modify one of them, or I want to replace one of the installed files by one of the newer files, maybe here in the repository. This is then a little bit I like to say more secure way to change something, instead of replacing the whole directory like it's done here with the help of this specific PowerShell command.
Additionally, I'd like to show you how to uninstall the complete thing, which is pretty easy as well. I have only to delete the parameters and to write an "un" in front of install. And then the complete module will get uninstalled. You will see that here. We have now uninstalled module. And what I now will typically do is just to copy the Safeguard PowerShell scripts from the setup DVD.
I've moved them here to the desktop before I started that experience. So I moved them in again, and now it's exactly the version that it's on the setup DVD. And wonder of wonder, it's the same version, but here, I'm now sure that these are the right files. All the other stuff was just there to show you how it works as well from the GitHub. And that might be helpful, for example, if you try to fix it back, or if you want to add more functionality to your synchronization project. And it's installed out of the box.
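The prerequisites walked through in this transcript (PowerShell 5 or later, safeguard-ps installed for all users rather than the current user, and module files that match a trusted copy) can be checked with a short script. This is an added example, not code from the video or from One Identity; `$ReferencePath` is a hypothetical location and is assumed to point at the folder that directly contains the trusted module files.

```powershell
# Added example, not One Identity's code. Run on the synchronization server.
param(
    [string]$ModuleName    = 'safeguard-ps',
    # Assumption: folder holding the trusted copy of the module files
    # (for example the one copied from the setup medium). Hypothetical path.
    [string]$ReferencePath = 'C:\Temp\safeguard-ps'
)

# 1. The transcript requires Windows PowerShell 5 or later.
if ($PSVersionTable.PSVersion.Major -lt 5) {
    throw "PowerShell $($PSVersionTable.PSVersion) is too old; 5 or later is required."
}

# 2. The module must be visible to every account, including the service account,
#    so reject a copy that only exists under the current user's profile.
$module = Get-Module -ListAvailable -Name $ModuleName |
    Where-Object { -not $_.ModuleBase.StartsWith($env:USERPROFILE, [StringComparison]::OrdinalIgnoreCase) } |
    Sort-Object Version -Descending | Select-Object -First 1
if (-not $module) {
    throw "$ModuleName is not installed machine-wide. Use: Install-Module $ModuleName -Scope AllUsers"
}

# 3. Hash every file relative to its root so two folders can be compared.
function Get-RelativeHash {
    param([Parameter(Mandatory)][string]$Root)
    $full = (Resolve-Path -LiteralPath $Root).Path.TrimEnd('\')
    Get-ChildItem -LiteralPath $full -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            File   = $_.FullName.Substring($full.Length + 1)
            SHA256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
}

$installed = @(Get-RelativeHash -Root $module.ModuleBase)
$reference = @(Get-RelativeHash -Root $ReferencePath)
if ($installed.Count -eq 0 -or $reference.Count -eq 0) {
    throw 'One of the two folders contains no files; nothing to compare.'
}

# '<=' = only in (or different in) the installed module, '=>' = only in the reference.
$diff = Compare-Object -ReferenceObject $installed -DifferenceObject $reference -Property File, SHA256
if ($diff) {
    $diff | Sort-Object File | Format-Table File, SideIndicator, SHA256 -AutoSize
    Write-Warning "Installed $ModuleName $($module.Version) differs from the reference copy."
} else {
    Write-Output "Installed $ModuleName $($module.Version) matches the reference copy."
}
```

Running it again after replacing individual files from the repository shows exactly which files now differ from the reference copy.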