Configuration

Network discovery

Description

The Network discovery tool is in charge of scanning the networks to find hosts and retrieve information about user accounts. Network discovery can detect system accounts as well.

First of all, you need to create the networks that you want to scan. Visit the Networks page for more information. Then, on the Network discovery page, you need to configure, for each network, the accounts and passwords of potential administrators that will be used to connect to the hosts and retrieve the information. Finally, you can start the process execution or schedule the execution of the network discovery task.

The operating system of the machines can be Windows or Linux, and it is not necessary to install any additional software on those machines.

Once the machines and accounts, both user and system, have been discovered, the critical accounts must be placed in the Password vault. You can visit the Password vault page for more information.

Screen overview

Standard attributes

Network attributes

Basic 

These attributes are read-only; you can update them on the Networks page.


Server

Accounts to probe

When you register a new account, it will be created as an unmanaged account.

Schedule

For each value of month, day, hour, minute, or day of the week:
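The schedule fields above work like a cron expression: each field restricts one component of the date, and the task is due only when every field matches. The following matcher, added here as an illustration and not Soffid's own scheduler code, assumes cron-style values ("*", a number, a comma list, or a range "a-b") and Python's weekday numbering (0 = Monday); both are assumptions about syntax the page does not state.

```python
"""Cron-style schedule matcher.

Example added for illustration; it is not Soffid's code. It assumes each of the
five schedule fields (minute, hour, day, month, day of week) takes a cron-like
value: "*", a single number, a comma-separated list, or a range "a-b". Day of
week uses Python's convention (0 = Monday ... 6 = Sunday), which is also an
assumption, not necessarily Soffid's numbering.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Set


def parse_field(spec: str, low: int, high: int) -> Set[int]:
    """Expand one schedule field into the set of integer values it matches."""
    spec = spec.strip()
    if spec == "*":
        return set(range(low, high + 1))
    values: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            a, b = (int(x) for x in part.split("-", 1))
        else:
            a = b = int(part)
        if not (low <= a <= b <= high):
            raise ValueError(f"value {part!r} is outside {low}..{high}")
        values.update(range(a, b + 1))
    return values


@dataclass(frozen=True)
class Schedule:
    minute: str = "*"
    hour: str = "*"
    day: str = "*"
    month: str = "*"
    day_of_week: str = "*"

    def matches(self, when: datetime) -> bool:
        """True if the task is due in the minute containing `when`."""
        return (
            when.minute in parse_field(self.minute, 0, 59)
            and when.hour in parse_field(self.hour, 0, 23)
            and when.day in parse_field(self.day, 1, 31)
            and when.month in parse_field(self.month, 1, 12)
            and when.weekday() in parse_field(self.day_of_week, 0, 6)
        )


def next_run(schedule: Schedule, start: datetime,
             max_minutes: int = 60 * 24 * 366) -> Optional[datetime]:
    """First matching minute at or after `start`; None if none within max_minutes."""
    t = start.replace(second=0, microsecond=0)
    for _ in range(max_minutes):
        if schedule.matches(t):
            return t
        t += timedelta(minutes=1)
    return None


def next_run_iso(schedule: Schedule, start_iso: str) -> Optional[str]:
    """String wrapper: 'YYYY-MM-DDTHH:MM' in, same format out."""
    found = next_run(schedule, datetime.fromisoformat(start_iso))
    return found.strftime("%Y-%m-%dT%H:%M") if found else None


if __name__ == "__main__":
    # Nightly discovery at 02:00 on weekdays; started on a Friday at 03:00,
    # the next run falls on Monday.
    nightly = Schedule(minute="0", hour="2", day_of_week="0-4")
    print(next_run_iso(nightly, "2024-01-19T03:00"))
```

Range validation rejects out-of-bounds values before the schedule is saved, which is the check you want at configuration time rather than at 02:00 when nobody is watching.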

Current execution

Last execution

Previous executions

Lists the information about the previous executions:

Machine attributes


Actions

Network discovery query

Add new account repository

Allows you to create a new agent.

You must select the System type and the login name and password. When the agent is created, if the connection is successful, the reconciliation process will be executed.


Agent definition

Allows you to browse to the agent definition.

Accounts

Allows you to browse to the Accounts page, where the accounts that belong to this system will be displayed.

Add new entry point

Allows you to create a new entry point.

You must select the Entry point type and the place to locate it. Once the entry point is created, you can connect to the target system. Bear in mind that if you need to create an account to connect, the system (agent) must not be in read-only mode when you set the password for that account.


Entry point definition

Allows you to browse to the entry point definition.

Network discovery detail

Apply changes

Allows you to save the data of the network detail. To save the data it will be mandatory to fill in the required fields.

Undo

Allows you to undo any changes made.

Accounts to probe

Add

Allows you to add a new potential administrator account to connect to the machines of the network. To add a new account, first of all, you need to click the add button (+) and close the accounts to probe list. Then you will need to choose whether to add an existing account or register a new account.


Delete

Allows you to delete one or more accounts from the accounts to probe list. You need to select one or more records and then click the button with the subtraction symbol (-).


Schedule

Start now

Allows you to launch the task execution.

Previous execution

Logs

Allows you to download the log files of previous executions.

Machine

Delete

Allows you to delete the machine and the PAM connectors for the device. Soffid will display a message to confirm the deletion process.

Password vault

Description

Soffid provides protected storage to save and manage accounts for multiple applications: the Password vault. Here you can save the accounts and passwords used to access critical systems and your applications as well. The Password vault allows you to handle the access control list for these accounts. These accounts may be used by a specific user or by a set of users.

The accounts are organized in folders depending on the permissions, the criticality level, etc. These accounts can be system accounts or user accounts.

The Password vault exposes a subset of accounts to some users. These accounts are available through the Self-services portal. You can visit My applications page for more information.

When a privileged account is configured, you can assign a workflow or approval process that must be requested in order to use that account. For more information visit the How to apply policies section.

Users can be authorized to manage their own personal accounts, sso:manageAccounts. For more info visit the Authorizations page.

Folders

In the password vault, two kinds of folders are used: personal folders and shared folders, which depend on the Owners configuration you define.

On one hand, each user has their own personal folder. Inside this folder, the user can create accounts. That account will not be shared with any other user.

On the other hand, the shared folders could be used or managed by the owner/manager/SSO users.

Accounts

Soffid allows you to create new accounts in a specific folder on the Password vault page. To add a new account it will be mandatory to fill in some attributes, like System, name, and login name. You can consult the existing accounts related to a folder. For each account, you can update or delete the account, and view and set its password.

Also, you can create accounts on the Account page and assign the appropriate vault folder.

Soffid allows administrator users to configure a workflow to request permission when a user tries to change the password of a privileged account in the password vault. That process can be defined with the BPM Editor as an Account reservation type. For more information you can visit the BPM Editor book.

Overview

1. Accounts

Standard attributes

Folder attributes

Accounts attributes

Actions Tab

This tab shows the read-only attributes of the user account:

Also, this tab allows you to launch the connection to the target system, view the password, set the password to launch the connection, and unlock the use of that account. All those options depend on the account definition and user privileges.

Basics Tab

This tab displays all the account attributes and allows you to update the account configuration.

Visit the Account page to view more information about the standard attributes of an account.

Actions

Folders query actions

Query

Allows you to query folders; only Quick search is available.

Add new

Allows you to create a new folder. You can choose that option on the hamburger menu or by clicking the add button (+).

To add a new folder it will be mandatory to fill in the required fields.

A folder needs to have at least one owner to manage it.

Folder actions

Apply changes

Allows you to save a new folder or update an existing folder. To save the data it will be mandatory to fill in the required fields. Bear in mind that it is important to indicate who the owners of the folder are.

Undo

Allows you to quit without saving any change made.

Delete

Allows you to delete a folder if you have the right permissions. To delete a folder you can click on the hamburger icon and then click the delete button (trash icon). Soffid will ask you for confirmation to perform that action, you could confirm or cancel the operation.

Account actions

Apply changes

Allows you to save a new account. To save the data it will be mandatory to fill in the required fields. Bear in mind that it is important to indicate who the owners of the folder are. If the account already exists on the system, you can assign the vault folder to it from the Account window.

Undo

Allows you to quit without saving any change made.

Delete

Allows you to delete an account from a folder if you have the right permissions. To delete an account you can click on the hamburger icon and then click the delete button (trash icon). Soffid will ask you for confirmation to perform that action; you can confirm or cancel the operation.

Set password

Allows you to set a password to access the account.


How to apply policies

Soffid allows you to define policies and rules that apply to a specific folder or a set of folders. To do that, you need to install the XACML addon and configure the proper policies and rules.

Also, you can configure a workflow or approval process that must be requested in order to use the accounts saved in a folder.

It is mandatory to enable the Password Vault PEP and populate the information about the XACML policy set and the version which applies.

Example 

XACML PEP config


Password Vault: [screenshot]

XACML PEP config: [screenshot]

XACML Policy Management

You need to configure the access to the folder "VaultFolder"; that folder can contain other folders and accounts. It will be mandatory to configure the access list: who the owners, managers, and so on are. You need to decide whether to configure the access control list by accounts, by folders, or both.

[screenshot: XACML Policy Management]

For instance, the policies you need to implement are the following:

1. Only between 6:00 and 18:00 can users use the accounts inside the "demoFolder".

[screenshots: policy 1 configuration]

2. User "bob" can never use the accounts of demoFolder.

[screenshots: policy 2 configuration]

3. Users whose evaluation result is Permit still need authorization to use the accounts.

You need to configure the workflow that will be called; to do so, include the bpm obligation in the policy. Also, you can include a message to the user, or other obligations.

[screenshot: policy 3 obligation configuration]
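To make the interaction of the three policies concrete, here is a toy policy decision point that models them in plain Python. It is an example added to this page, not Soffid's PDP or the XACML addon; the request attribute names, the obligation identifiers and the workflow name are assumptions. It shows the property the combination must have: a Deny for "bob" wins regardless of the time of day, a Permit carries the bpm obligation so the PEP still has to run the workflow, and outside 6:00 to 18:00 no rule applies, which the PEP must treat as no access.

```python
"""Toy policy decision point for the three demoFolder policies described above.

Example added for illustration; it is not Soffid's PDP nor the XACML addon, and it
models the decision logic in plain Python rather than XACML XML. The obligation
identifiers, the workflow name and the request attribute names are assumptions.
"""
from dataclasses import dataclass
from datetime import time
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Request:
    subject: str   # user who wants to use an account
    folder: str    # vault folder that contains the account
    now: time      # environment attribute: current time of day


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str                          # "Permit" or "Deny"
    applies: Callable[[Request], bool]   # target and condition folded together


@dataclass(frozen=True)
class Obligation:
    obligation_id: str
    attributes: dict


def in_business_hours(req: Request) -> bool:
    return time(6, 0) <= req.now < time(18, 0)


DEMO_FOLDER_POLICY: List[Rule] = [
    # 1. Only between 6:00 and 18:00 can users use the accounts inside demoFolder.
    Rule("business-hours", "Permit",
         lambda r: r.folder == "demoFolder" and in_business_hours(r)),
    # 2. User "bob" can never use the accounts of demoFolder.
    Rule("deny-bob", "Deny",
         lambda r: r.folder == "demoFolder" and r.subject == "bob"),
]

# 3. A Permit result still requires authorization: obligations the PEP must fulfil
# before granting use. Ids and workflow name are assumed, not taken from Soffid.
PERMIT_OBLIGATIONS: List[Obligation] = [
    Obligation("urn:example:obligation:bpm", {"workflow": "Account reservation"}),
    Obligation("urn:example:obligation:message",
               {"text": "Approval is required before this account can be used"}),
]


def decide(policy: List[Rule], req: Request) -> Tuple[str, List[Obligation]]:
    """Deny-overrides combining: any applicable Deny wins, then Permit (with its
    obligations), otherwise NotApplicable, which a PEP must treat as no access."""
    permitted = False
    for rule in policy:
        if not rule.applies(req):
            continue
        if rule.effect == "Deny":
            return "Deny", []
        permitted = True
    if permitted:
        return "Permit", list(PERMIT_OBLIGATIONS)
    return "NotApplicable", []


def decide_at(subject: str, folder: str, hhmm: str) -> Tuple[str, List[str]]:
    """Convenience wrapper: returns the decision and the obligation ids to fulfil."""
    hour, minute = (int(x) for x in hhmm.split(":"))
    decision, obligations = decide(
        DEMO_FOLDER_POLICY, Request(subject, folder, time(hour, minute)))
    return decision, [o.obligation_id for o in obligations]


if __name__ == "__main__":
    for who, when in (("alice", "09:30"), ("bob", "09:30"), ("alice", "20:00")):
        print(who, when, decide_at(who, "demoFolder", when))
```

The point to check when writing the real XACML policy set is the combining algorithm: with permit-overrides instead of deny-overrides, rule 1 would let "bob" through during business hours, silently defeating rule 2.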




Visit the XACML Book for more information.

Visit the BPM Editor Book for more information.



PAM Rules

Definition

Soffid allows you to define rules to detect commands executed on a server. When a user launches a command defined on a rule, Soffid will detect it.

To use those rules you need to define the PAM policies. For more information, you can visit the PAM policies page.

Screen overview

[screenshot: PAM rules screen]

Keyboard example: [screenshot]

Screen example: [screenshot]

Standard attributes

Actions

PAM rules query

Query

Allows you to query PAM rules through different search systems: Quick, Basic and Advanced.

Add or remove columns

Allows you to show and hide columns in the table.

Add new

Allows you to create a new PAM rule. You can choose that option on the hamburger menu or click the add button (+).

To add a new PAM rule it will be mandatory to fill in the required fields.

Delete

Allows you to remove one or more PAM rules by selecting one or more records and then clicking the button with the subtraction symbol (-).

To perform that action, Soffid will ask you for confirmation, you could confirm or cancel the operation.

Import

Allows you to upload a CSV file with the PAM rules list to add or update PAM rules to Soffid.

First, you need to pick a CSV file; that CSV has to follow a specific configuration. Then you need to check the content to be loaded; you can choose whether or not to load a specific attribute. Finally, you need to select the mappings for each column of the CSV file to import the data correctly and click the Import button.

Download CSV file

Allows you to download a CSV file with the PAM rules information.

PAM rules detail

Apply changes

Allows you to create a new PAM rule configuration or to update an existing one. To save the data it will be mandatory to fill in the required fields.

Undo

Allows you to quit without applying any changes made.

Delete

Allows you to delete a PAM rule. To perform that action, Soffid will ask you for confirmation, you could confirm or cancel the operation.


PAM Policies

Definition

Privileged Access Management (PAM) policies are a set of guidelines and controls that dictate how privileged access is granted, managed, and audited within an organization.

Soffid allows you to define policies, and those policies can be made up of several rules. For each rule, you can select the action to perform when Soffid detects that the rule has been matched.

To use those policies you need to define how policies will be used by each folder in the password vault. For more information, you can visit the Password Vault page.
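The relationship between PAM rules (the Definition in the PAM Rules section above) and PAM policies (rule plus action) is easiest to see in code. The following toy engine is an example added here, not Soffid's implementation: the two rule sources ("keyboard" for what the user typed, "screen" for what was displayed, mirroring the keyboard and screen examples on the rules page), the action names and the session transcript are all assumptions or constructed data.

```python
"""Toy PAM rule engine: rules detect commands in a recorded session, a policy maps
each detected rule to an action.

Example added for illustration; it is not Soffid's implementation. The rule
sources ("keyboard" for typed input, "screen" for text shown to the user), the
action names and the session transcript are assumptions and constructed data.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class PamRule:
    name: str
    source: str    # "keyboard" or "screen": which stream the pattern is matched against
    pattern: str   # regular expression evaluated against each line of that stream

    def matches(self, line: str) -> bool:
        return re.search(self.pattern, line) is not None


@dataclass(frozen=True)
class PamPolicy:
    name: str
    actions: Dict[str, str]   # rule name -> action when the rule is detected


RULES: List[PamRule] = [
    # Escalation to an interactive root shell, typed by the user.
    PamRule("sudo-shell", "keyboard", r"^\s*sudo\s+(-i|-s|su\b|bash\b|sh\b)"),
    # Reading the local password hash file.
    PamRule("shadow-read", "keyboard", r"\b(cat|less|more|vi|vim|nano)\s+/etc/shadow\b"),
    # A root prompt appearing on screen, whatever command produced it.
    PamRule("root-prompt", "screen", r"^root@[\w.-]+:\S*#\s*$"),
]

# Policy for a folder of database hosts (assumed action names).
DB_POLICY = PamPolicy("db-servers", {
    "sudo-shell": "notify",
    "root-prompt": "record",
    "shadow-read": "close-session",
})

# Constructed session transcript: (stream, text), in the order it happened.
SESSION: List[Tuple[str, str]] = [
    ("keyboard", "ls -la /var/log"),
    ("keyboard", "sudo -i"),
    ("screen", "root@db01:~# "),
    ("keyboard", "cat /etc/shadow"),
    ("keyboard", "exit"),
]


def evaluate(session, rules, policy) -> List[dict]:
    """Run every rule over its own stream and return the detections with the
    policy's action. A 'close-session' action stops the evaluation at that event,
    since the session would no longer exist after it."""
    detections = []
    for index, (stream, text) in enumerate(session, start=1):
        for rule in rules:
            if rule.source != stream or not rule.matches(text):
                continue
            action = policy.actions.get(rule.name, "log")
            detections.append({"event": index, "rule": rule.name,
                               "action": action, "text": text})
            if action == "close-session":
                return detections
    return detections


if __name__ == "__main__":
    for d in evaluate(SESSION, RULES, DB_POLICY):
        print(f"event {d['event']}: {d['rule']} -> {d['action']} ({d['text']!r})")
```

Keeping the rule (what to detect) separate from the policy (what to do) is what lets the same rule list be reused across folders with different severities, which is how the page describes the two screens working together.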

Screen overview

Standard attributes

When you save the standard attributes of a PAM policy and edit the policy again, the rule list will be shown. Here you can customize the policy depending on the existing rules.

(*) You can visit the following page for more information about the issues:

https://bookstack.soffid.com/books/soffid-3-reference-guide/page/issue-policies
https://bookstack.soffid.com/link/1153#bkmrk-pam-violation

Actions

PAM policies query

Query

Allows you to query PAM policies through different search systems: Quick, Basic and Advanced.

Add or remove columns

Allows you to show and hide columns in the table.

Add new

Allows you to create a new PAM policy. You can choose that option on the hamburger menu or click the add button (+).

To add a new PAM policy it will be mandatory to fill in the required fields.

Delete

Allows you to remove one or more PAM policies by selecting one or more records and then clicking the button with the subtraction symbol (-).

To perform that action, Soffid will ask you for confirmation, you could confirm or cancel the operation.

Import

Allows you to upload a CSV file with the PAM policies list to add or update PAM policies to Soffid.

First, you need to pick a CSV file; that CSV has to follow a specific configuration. Then you need to check the content to be loaded; you can choose whether or not to load a specific attribute. Finally, you need to select the mappings for each column of the CSV file to import the data correctly and click the Import button.
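The three import steps (pick the file, choose which attributes to load, map each CSV column to an attribute) apply equally to the PAM rules and the PAM policies Import actions. The following routine, added here as an illustration and not Soffid's importer, shows what an add-or-update import with a column mapping and per-attribute load selection looks like; the CSV layout, column names, attribute keys and records are constructed assumptions, not the configuration Soffid expects.

```python
"""CSV import with column mapping, per-attribute load selection and
add-or-update semantics, as described for the PAM rules and PAM policies Import
actions.

Example added for illustration; it is not Soffid's importer. The CSV layout, the
column names, the attribute keys and the records are assumptions and constructed
data, not the configuration Soffid expects.
"""
import csv
import io
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

# Constructed CSV upload (semicolon separated; the delimiter is a parameter below).
CSV_TEXT = """Policy;Description;Rules
db-servers;Database hosts;sudo-shell,shadow-read
web-servers;Front-end hosts;sudo-shell
"""


def import_csv(text: str, mapping: Dict[str, str], load: Set[str],
               existing: Iterable[dict], key: str = "name",
               list_attrs: FrozenSet[str] = frozenset({"rules"}),
               delimiter: str = ";") -> Tuple[List[dict], Dict[str, int]]:
    """mapping: CSV column -> attribute name; load: attributes the operator chose to
    import. Rows whose key matches an existing record update it, others are added.
    Returns the merged records and an added/updated/skipped report."""
    reader = csv.DictReader(io.StringIO(text), delimiter=delimiter)
    header = reader.fieldnames or []
    missing = [col for col in mapping if col not in header]
    if missing:
        raise ValueError(f"CSV lacks mapped columns: {missing}")
    if key not in load or key not in mapping.values():
        raise ValueError(f"the key attribute {key!r} must be mapped and loaded")

    records = {rec[key]: dict(rec) for rec in existing}
    report = {"added": 0, "updated": 0, "skipped": 0}
    for row in reader:
        # Only the attributes the operator selected are taken from the row.
        attrs = {attr: row[col].strip() for col, attr in mapping.items() if attr in load}
        for attr in list_attrs:
            if attr in attrs:   # multi-valued cell: "a,b" -> ["a", "b"]
                attrs[attr] = [v.strip() for v in attrs[attr].split(",") if v.strip()]
        name = attrs[key]
        if not name:
            report["skipped"] += 1   # a row without a key cannot be matched or created
            continue
        if name in records:
            records[name].update(attrs)   # update: unselected attributes are kept
            report["updated"] += 1
        else:
            records[name] = attrs         # add
            report["added"] += 1
    return list(records.values()), report


if __name__ == "__main__":
    mapping = {"Policy": "name", "Description": "description", "Rules": "rules"}
    merged, report = import_csv(
        CSV_TEXT, mapping, {"name", "description", "rules"},
        existing=[{"name": "db-servers", "description": "old text"}])
    print(report)
    for rec in merged:
        print(rec)
```

Validating the mapping against the header before touching any record is the check worth keeping: a mapping that points at a missing column should fail the whole import rather than silently create rules or policies with empty attributes.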

Download CSV file

Allows you to download a CSV file with the PAM policies information.

PAM policies detail

Apply changes

Allows you to create a new PAM policy configuration or to update an existing one. To save the data it will be mandatory to fill in the required fields.

Undo

Allows you to quit without applying any changes made.

Delete

Allows you to delete a PAM policy. To perform that action, Soffid will ask you for confirmation, you could confirm or cancel the operation.