Safeguard custom platform scripts let you teach Safeguard for Privileged Passwords (SPP) how to work with systems that do not fit a built-in platform.
Custom platform scripts are JSON-based definitions that instruct Safeguard how to communicate with a target system and perform credential management operations such as password verification, password changes, SSH key rotation, account discovery, and related tasks.
They support both SSH- and HTTP-based integrations, which makes them useful for operating systems, network devices, appliances, web applications, cloud services, and proprietary systems.
From an administrator's point of view, the flow looks like this:
- You write a JSON script that defines one or more operations, such as CheckPassword or ChangePassword.
- You upload the script to SPP by using the web UI or API.
- SPP validates the script by checking its JSON structure, parameter types, and references to functions or commands.
- If the script references built-in function libraries through Imports, SPP merges those reusable script functions into your script automatically.
- SPP reads the validated script and derives the platform's capabilities from the operations and parameters you defined.
- The platform is saved with computed feature flags, so you never configure capabilities manually.
- When a task runs, such as a scheduled password change, SPP passes the relevant parameters to the script engine.
- The script engine executes the selected operation's Do block against the target system.
Key concept: feature flags are automatic. Your script content is the platform definition. If you add ChangePassword, SPP knows the platform can change passwords. If you add DiscoverAccounts, SPP enables account discovery. There is no separate capability switch to configure.
Use a custom platform when:
- Your target system uses SSH or HTTP but is not covered by a built-in platform.
- You need to manage credentials on a proprietary appliance, homegrown application, or cloud API.
- You need custom logic such as multi-step authentication, pagination, or conditional flows.
- You need to integrate with a system that exposes a REST API for credential management.
Consider alternatives when:
- A built-in platform already supports your target system.
- Your target is supported by a Starling Connect connector.
- You only need session recording without credential management, where SPS alone may be enough.
The following operation categories are available for custom platforms. The detailed behavior of each operation is covered in the reference documentation.
| Category | Operations |
|---|---|
| Connection | CheckSystem |
| Password | CheckPassword, ChangePassword |
| SSH Keys | CheckSshKey, ChangeSshKey, DiscoverSshHostKey, DiscoverAuthorizedKeys, RemoveAuthorizedKey |
| Discovery | DiscoverAccounts, DiscoverServices, DiscoverAssets |
| JIT Access | ElevateAccount, DemoteAccount, EnableAccount, DisableAccount |
| Dependencies | UpdateDependentSystem |
| API Keys | CheckApiKey, ChangeApiKey |
| Files | CheckFile, ChangeFile |
| Admin | CreateAdminUser |
Note: RetrieveSshHostKey and CheckHostKey are not supported for custom platforms.
| Concept | Meaning |
|---|---|
| Operations | Named entry points in your script, such as CheckPassword or ChangePassword. |
| Do blocks | The sequence of commands that runs for an operation. |
| Reserved parameters | Parameters with special names that SPP fills automatically, such as AccountPassword or Address. |
| Custom parameters | Parameters you define for asset-specific or platform-specific configuration. |
| Commands | Individual instructions inside a Do block, such as Connect, Send, or Request. |
| Imports | Built-in function libraries you can reference to reuse common scripting logic across platforms. |
| Feature flags | Platform capabilities that SPP derives from your script content. You never set them manually. |
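
Because feature flags are derived from script content, an edit that adds an operation also adds a platform capability. The following added example (not SPP's validator and not One Identity code) groups the operations a script defines by the categories in the operations table on this page and reports the operations added between two versions of a script. It assumes each operation is a top-level JSON key whose value contains a `Do` list; the sample scripts, the `Id` key, and the function names are constructed for illustration.

```python
import json

# Operation names and categories copied from the operations table on this page.
CATEGORIES = {
    "Connection": ["CheckSystem"],
    "Password": ["CheckPassword", "ChangePassword"],
    "SSH Keys": ["CheckSshKey", "ChangeSshKey", "DiscoverSshHostKey",
                 "DiscoverAuthorizedKeys", "RemoveAuthorizedKey"],
    "Discovery": ["DiscoverAccounts", "DiscoverServices", "DiscoverAssets"],
    "JIT Access": ["ElevateAccount", "DemoteAccount", "EnableAccount",
                   "DisableAccount"],
    "Dependencies": ["UpdateDependentSystem"],
    "API Keys": ["CheckApiKey", "ChangeApiKey"],
    "Files": ["CheckFile", "ChangeFile"],
    "Admin": ["CreateAdminUser"],
}
UNSUPPORTED = {"RetrieveSshHostKey", "CheckHostKey"}  # per the note on this page
OP_CATEGORY = {op: cat for cat, ops in CATEGORIES.items() for op in ops}

def review_script(text):
    """Return (operations grouped by category, problems) for a script's JSON."""
    caps, problems = {}, []
    # Assumption: each operation is a top-level key whose value holds a "Do" list.
    for key, body in json.loads(text).items():
        if key in UNSUPPORTED:
            problems.append(f"{key}: not supported for custom platforms")
        elif key in OP_CATEGORY:
            if isinstance(body, dict) and body.get("Do"):
                caps.setdefault(OP_CATEGORY[key], []).append(key)
            else:
                problems.append(f"{key}: missing or empty Do block")
    return caps, problems

def added_operations(old_text, new_text):
    """Operations the new script defines that the old one did not."""
    old = {op for ops in review_script(old_text)[0].values() for op in ops}
    new = {op for ops in review_script(new_text)[0].values() for op in ops}
    return sorted(new - old)

# Constructed sample scripts; "Id" and the empty command bodies are placeholders.
DO = {"Do": [{"Connect": {}}]}
OLD = json.dumps({"Id": "ExampleAppliance", "CheckSystem": DO, "CheckPassword": DO})
NEW = json.dumps({"Id": "ExampleAppliance", "CheckSystem": DO, "CheckPassword": DO,
                  "ChangePassword": DO, "CreateAdminUser": DO,
                  "CheckHostKey": DO, "DiscoverAccounts": {"Do": []}})

if __name__ == "__main__":
    caps, problems = review_script(NEW)
    print("capabilities:", caps)
    print("problems:", problems)
    print("added since last version:", added_operations(OLD, NEW))
```

Running a comparison like this in change review, before a script is uploaded, makes additions such as CreateAdminUser or the JIT Access operations visible as an explicit capability change rather than a side effect of a script edit.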