Add a Managed System Manually

Settings vary depending on the platform type. When an account is manually added to a managed system, the default configuration of the account is set to what is configured on the managed system.

There are two ways to add a managed system to Password Safe manually:

  • From the Managed Systems page, click Create New Managed System, and then complete the Create New Managed System form.
  • From the Assets page, click the vertical ellipsis for an asset, then select Add to Password Safe, and then complete the Create New Managed System form.

Below are the fields and settings with their descriptions that are available when creating a new managed system. The available fields change depending on the Entity Type and Platform for the system.

Field / Setting Description or Action
Entity Type Type of system: Asset, Database, Directory, or Cloud.
Platform The platform for the system based on the Entity Type.
Name Unique name for the system.
Instance Number (SAP only)

If you have added your System Application Products (SAP) environment to Password Safe management, provide the instance number.

Domain (Directory types only) Name of the Domain where the directory resides.
Description Description for the system.
DNS Name DNS name for the system.
IP Address IP address for the system.
Allow Managed System to be an Application Host (non-Windows systems only) Toggle on or off to allow the system to be an application host.
NetBIOS Name (Windows, Active Directory, and LDAP systems only) Unique NetBIOS name for the system.
Workgroup Select a pre-defined workgroup from the list.
Port

Enter a port number.

Automatic Password Change Options

Toggle Enabled to automatically check and update managed account passwords at a set frequency or after password releases.

Password Policy

Select a Password Safe password policy or use the default policy. The policy provides the requirements used by Password Safe to create passwords, such as password length and permitted characters.

Change Agent (available only when Endpoint Privilege Management is installed) Select Password Safe or Endpoint Privilege Management client from the list.
Elevation

Select an elevated account to run as: sudo, pmrun, pbrun, pbrun jumphost.

If you are using pbrun jumpost, enter the IP address for the Privilege Management for Unix & Linux policy server that you want to connect to.

SSH Key Enforcement Mode is not available if you are using pbrun jumphost.

Change Agent (available only when Endpoint Privilege Management is installed) Select Password Safe or Endpoint Privilege Management Client from the list.
Functional Account

Select a functional account from the list. If a functional account is not available, click the Create New Functional Account link. The link is located in two places, below the dropdown and within the dropdown list. This allows you to create a functional account without leaving the Managed Systems page.

The Create New Functional Account link is only available to users with administrative privileges.

Use Login Account for SSH Sessions

Create a login account to allow the user to open an SSH session in environments where remote shell access is not permitted, for instance the root account.

Login Account: Select the account name.

Account Name Format (For Windows, Linux, Oracle, MS SQL Server, and Active Directory only)

Select a format for the account name from the list: Domain\Account, UPN: accountName@domainName, or sAMAccountName: Account Name only.

Timeout The timeout value determines the amount of time in seconds that a connection attempt to the managed system remains active before being aborted. In most cases, we recommend you use the default value (30 seconds). If there are problems with connection failures with the system, this value can be increased.
SSH Key Enforcement Mode

Verifies SSH host keys from a known host. You can import SSH keys from a host using a Smart Rule.

Auto Accept Initial Key: The first key imported is automatically accepted. Any new key imported after the initial key must be manually accepted.

Manually Accept Keys: SSH connections to the host are permitted for accepted keys only. If a new key is detected from the host, the key is stored in the database and an email is sent to the Administrators user group. The key must then be accepted or denied.

Default DSS Key Policy

If you are using DSS authentication for the system, select a key policy or use the default.

Release Duration

The duration that can be requested during the request process. The default value is 2 hours. When the Requested Duration (as entered by the user on the Requests page in the web portal) is exceeded, the session ends if the Force Termination option is enabled for the access policy.

Max Release Duration The maximum length of time the requester is permitted to enter on the Requests page. Applies to password and session requests. The maximum length that can be set is 365 days.
Contact e-mail Enter the email address where you want Password Safe system notifications to be sent.