BeyondInsight and Password Safe 24.3.0
BeyondInsight and Password Safe 24.3.0 release notes
December 20, 2024
Note
For a list of supported platforms for the latest version of BeyondInsight and Password Safe, see Supported Platforms.
Supported Platforms for previous versions of BeyondInsight and Password Safe can be found in the BeyondInsight, Password Safe, and U-Series Appliance Documentation Archive.
New features
Existing Team folders will be migrated to Safes upon upgrade to BeyondInsight/Password Safe 24.3.
What does this mean?
- Previously, ownership of secrets was set to either users or the entire group that owned the team folder. Secrets can now be owned by both users and groups at the same time. Additionally, ownership supersedes any safe-level permissions for any owned secret as long as the user has read access to that safe.
- Root folders, now known as Safes, are no longer created or removed by assigning/unassigning the Secrets Safe feature permission.
- BeyondInsight Administrators lose access to all folders in Secrets Safe by default and must be assigned permissions to safes to access their contents.
- Only BeyondInsight administrators can manage migrated safe permissions by default. Users and groups can manage these safes once they’ve been assigned the Manage Safe permission.
- Administrators do not see all safes by default. They only see safes if they are a member of the team folder group that created it. A Show All Safes toggle switch has been added to view all safes.
- Users cannot see a safe and its contents unless they have read access.
- The group that created a team folder is automatically assigned the Create and Read permission to the new safe on upgrade. This does not apply to new safes created after upgrade.
- Secrets can now be searched by their ID.
- Orphaned secrets (secrets without owners) can now exist. As a result, deleting a user only deletes their Personal Secrets. Since it is expected that any personal data associated with a user is also deleted, no additional warning is displayed when deleting a user.
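The ownership and safe-permission rules listed above, modelled as an added example (this is illustrative code written for these notes, not BeyondTrust's implementation; the class names, permission strings, the convention that a Personal Secret has no safe, and the sample data are all assumptions):

```python
# Added illustration of the Secrets Safe rules described in the 24.3 notes;
# not BeyondTrust code. Names, permission strings and data are constructed.
from dataclasses import dataclass, field
from typing import Optional

READ, CREATE, WRITE, MANAGE = "Read", "Create", "Write", "Manage Safe"


@dataclass
class Safe:
    name: str
    permissions: dict = field(default_factory=dict)  # principal -> set of perms


@dataclass
class Secret:
    secret_id: int
    safe: Optional[str]                        # None marks a Personal Secret (assumed)
    owners: set = field(default_factory=set)   # users and groups may be mixed


@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)
    is_admin: bool = False
    show_all_safes: bool = False


def principals(user):
    return {user.name} | set(user.groups)


def safe_permissions(user, safe):
    perms = set()
    for p in principals(user):
        perms |= safe.permissions.get(p, set())
    return perms


def can_manage_safe(user, safe):
    # Only administrators manage migrated safes until Manage Safe is delegated.
    return user.is_admin or MANAGE in safe_permissions(user, safe)


def visible_safes(user, safes):
    # Administrators no longer see every safe by default; the Show All Safes
    # toggle lists them all, but listing does not grant access to contents.
    if user.is_admin and user.show_all_safes:
        return {s.name for s in safes.values()}
    return {s.name for s in safes.values() if READ in safe_permissions(user, s)}


def secret_access(user, secret, safes):
    if secret.safe is None:                    # Personal Secret: owner only
        return "owner" if user.name in secret.owners else "none"
    safe = safes[secret.safe]
    if READ not in safe_permissions(user, safe):
        return "none"    # an owner without Read on the safe still sees nothing
    if principals(user) & secret.owners:
        return "owner"   # ownership supersedes safe-level permissions
    return "reader"


def delete_user(user, secrets):
    # Deleting a user removes only their Personal Secrets; their ownership of
    # shared secrets is dropped, which may leave a secret orphaned (no owners).
    kept = []
    for s in secrets:
        if s.safe is None and user.name in s.owners:
            continue
        s.owners.discard(user.name)
        kept.append(s)
    return kept
```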
Microsoft 365 Government Community Cloud (GCC) is becoming a more common cloud platform. Password Safe now supports customers in discovering identities within GCC environments and facilitates the deployment of Password Safe in these settings. This integration allows users to utilize GCC identities to access BeyondInsight/Password Safe seamlessly.
In 24.3, Password Safe supports Entra ID hosted in Microsoft Azure US Government (in addition to the current Azure Commercial) which also applies to all Entra ID features: BeyondInsight Users & Groups, Directory Credentials, Azure Scan Target Collectors, and Password Safe's Entra ID platform.
Password Safe now supports Google Cloud Platform (GCP) as part of BeyondTrust’s Advanced Cloud Management initiative. Providing this capability allows us to enhance our ability to discover cloud identities that users are requesting.
In 24.3, GCP is a full-featured platform which provides our customers with GCP account discovery (via smart rule), password change/test, and auto-management capabilities.
Users now have the ability to manually create Assets with a description. This can also be achieved through the use of Directory Query based Smart Rules. If the System Description is populated in Active Directory, it will now be available on the Asset and copied to the Managed System if the user chooses to overwrite the Description on the Managed System using the new Smart Rule option.
This feature is only available for Active Directory and not Entra ID or LDAP configurations.
A new configurable setting has been added for the Password Safe Portal - Max Rows. This allows administrators to determine the max rows returned for a search, rather than having a hard limit.
Enhancements
Secrets Safe Secrets API
Changed the getCredential API to return owner names as First, Last for improved readability of Ownership data.
Internal API
Logged in users cannot delete themselves.
In case of user self deletion, the user receives an error with the message "For your security, account deletion cannot be performed while you are logged in. Please contact your system administrator to proceed with this request."
Improved the security posture of communications between the U-Series Appliance and BeyondInsight.
- SSO working with token passed to new endpoint in request body rather than URL
- If POST endpoint is not yet available, fallback to legacy GET behavior
Public API
Entra ID - Updates to include users and groups
- New GroupType - groupType : string = "EntraId"
- New UserType - "UserType" : "EntraId"
In GET Requests/?queue=app, the following has been added to the response:
- RequestorName : string - The full name of the Requestor User (First + Last Name)
- RequestorUserID : int - The Requestor User ID
Added to the Request Body JSON snippet: ServiceAccountKey : string
Added to the “Request body details” section: ServiceAccountEmail: string (required for Google functional accounts). Max string length is 255.
Active Users Report: update to parameter label and logic
The label has been changed to Include Accounts never used with a default value of No. When No is selected, the report displays only accounts that have been logged into within the number of days set via the Used in X days parameter. When Yes is selected, the report also shows accounts that have never been logged into.
Prior to 24.3, some sites within BeyondInsight, such as the SAML site, had their own logout page. This required that those pages be maintained separately. Now, a common logout page is available for all of the logout services within BeyondInsight. This page explicitly states that the user has been logged out and their session is completed.
Displaying the Logout Success page is optional. For users to view this page upon successful logout, it must be configured under System > Site Options > Logout Success Page.
If the Logout Success page is not configured to display, the end of a regular session returns the user to the login page, and the end of an SSO session uses the single logout success page with default messaging.
BeyondInsight now displays the ‘Last Successful Login’ date and time. To view, click Profile and preferences in the upper right corner.
Last Login Date has also been added as an optional column to the User and Groups > User grid.
A new UseSSL toggle has been added to the create and edit UI for LDAP functional accounts.
Redesigned Domain Account Linking Smart Rule to optimize database performance.
EntraID no longer allows testing an application using a managed account by getting a token without the account being a user of the application. Adding the managed account as a user of the application gives too much privilege. A second application can be created with the bare minimum User.Read permission. This application ID can now be entered into the new Test Application field in the Functional Account create/edit form.
To enable managing Google Cloud user accounts, a new type of functional account has been added to interact with Google Cloud Platform and Google Cloud Identity.
Google Cloud Platform users are managed via the Google Cloud Identity product. API access is administered through GCP. In order to access users in Cloud Identity via API, a service account is required in GCP (for API access) and a user to impersonate in Cloud Identity (for user data access). The functional account stores the following information from these two accounts:
From service account: (these come from the JSON file downloaded when you generate service account keys)
- ClientEmail
- PrivateKey
From Cloud Identity user:
Previously, users were allowed to reuse a request when trying to execute Quick Launch for an account they already had active access to. This occurred silently in the background, and all new request details were ignored, including the request duration. This caused frustration as users were required to enter data that was not needed and were given sessions where the remaining duration of the active request may be less than expected.
The Quick Launch form has been updated to indicate when a user already has access to the selected account. When a request is available for reuse:
- All request-specific inputs (Reason, Ticket System, Ticket Number, Duration, and Access Policy) are hidden.
- A banner displays with the following information:
  - The access type of the approved requests
  - End time of the approved requests
- A “View Request” link will be displayed that takes the user to the Requests tab with the side panel open for the specified request
- The “Advanced Request Options” details will be automatically expanded
Note
If the only available access is “Retrieve Password” this section will not be displayed.
- Added captions for grids in the product to be seen by screen readers.
- Further improved page responsiveness based on screen resolution.
Improved performance and scalability of scan data processing through architectural changes.
Updated the Access Policy create/edit form to include an API Only Access setting which, when set, allows an API account to retrieve credentials without the credential being viewable in the Password Safe user interface.
By default, Detailed Discovery Scans include Software, Databases, Services (6 types), and Accounts (2 types with extra configurability). Software collection often slows scans or causes failures. To avoid this, the Software checkbox should be unchecked by default, requiring customers to opt in explicitly. Software checkbox is now unchecked by default.
Auto Shrink is disabled by default on new and upgraded environments. In the unlikely event that Auto Shrink must be enabled, turn it on manually after this and any subsequent upgrades of BeyondInsight/Password Safe.
Issues resolved
Product Area | Description | Resolution |
---|---|---|
Secrets Safe | Secrets Safe endpoints in PAPI followed a permission assertion pattern that required a user to have Read/Write access for permissions (aka features) being checked against (e.g. Secrets Safe, Workforce Passwords). The Secrets Safe service itself only required READ for many of the endpoints. | Public API endpoints have been updated to be consistent with the Secrets Safe service endpoints, and include only READ for GET and PUT requests, while CREATE and DELETE include WRITE access; the exception being for the “/permissions endpoints”. Additionally, the Workforce Passwords feature enables access to operations within the context of “Personal Folders” only, and authorization is prevented for endpoints outside the scope of Personal Folders (e.g. /secrets-safe/safes). |
Password Safe | An error was occurring in the omniworker log. As a result, changepasswordqueuemonitor failed and omniworker had to be restarted. The heartbeat and utilization information was reported every 10 min; this also stopped reporting after the failure and did not come back until the restart of omniworker. | The existing ‘BeyondTrust.BeyondInsight.Omniworker.Service.Logic.dll' has been backed up and replaced with the new dll. Error no longer occurring. |
Password Safe | Session recording was not capturing keystrokes when an sftp file transfer was initiated from the command line (direct connect). | Keystrokes are now captured. |
BeyondInsight | Completed Session Grid View loading issue - An unexpected error occurred for Administrators who have access to All Managed Accounts. | Error no longer occurring. |
Password Safe | Omniworker does not reload event forwarding connector config in cloud on both nodes. Sometimes expected results occur, sometimes the changes have no effect. Only one node of the scale set reloads the config, then the other retains the legacy settings. | All nodes of a scale set (cloud) or multi-node setup (on-prem) now reload the event forwarding connector config when updates are made, ensuring consistent behavior. |
Analytics and Reporting | Managed Account Password Age report had an optional field, Managed System, set up as a required field. Report would not run if field was blank. | The report now runs with optional field, Managed System, left blank. |
Functional Accounts | When creating an AWS functional account via PAPI, the Access Key ID and Secret Access Key were not saved properly. | The Request Body for /BeyondTrust/api/public/v3/FunctionalAccounts has been updated. APIKey is now an optional field, but required when Platform.RequiresAPIKey is true. Secret is now additionally required for Amazon as a platform. |
Password Safe | When a customer configures HSM, on the main console, they configure HSM in the remconfig utility and HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BeyondTrust\Use64bitHSM gets set to 1 when the credential is saved. However when there are worker nodes, there is no need to configure HSM again. However, by default the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BeyondTrust\Use64bitHSM is set to 0 and only gets set to 1 when the hsm credential is saved. This requires that the customer go to the registry and change the setting to 1 on the omniworker nodes. | HSM RegKey now is set to 1 by default on worker nodes. |
Password Safe | Passwordservices Plugins are not adhering to Managed System timeout setting. Some decommissioned managed systems have managed account password rotation turned on. When attempting to rotate the local managed accounts, the password change queue becomes bloated, delaying forced password changes and rotation on reset. | Updated the SSH plugin. Issue resolved. |
BeyondInsight | Dashboard session count doesn't match count of completed sessions in completed sessions grid. Caching issue. | User must be an Administrator OR they require the "Password Safe Admin Session Reviewer" permission or completed Admin Sessions won't show up in the grid (but they will be included in the dashboard tile stats). Caching issue resolved. |
Smart Rules | Removed deprecated Smart Rules are still showing up for multi-org scenarios. | Removed previously deprecated Smart Rules. |
BeyondInsight | Database performance issues: Identity Service fails to load the existing config, which causes it to recreate the clients. Additionally, only the client secret is being checked when updating a client. The ID was left the same. | Reduced stress/load on the database. Client ID is now written to the BI config when we recreate that client. |
Password Safe Cloud | In Password Safe Cloud, old algorithms cannot be enabled for testing and changing passwords. | Added a new option: "Enable legacy algorithms for SSH account management tasks". This option will only be used if the regkeys that were previously used do not exist, so as to not affect anyone who has previously set the regkeys. If there are no regkeys present for Encryption, Macs or Kex, then the UI toggle enables all 3 regkeys to enable the legacy algorithms. |
Password Safe | Propagation Actions grid filter by last changed date returns all items regardless of time selected. | Backend/SQL issue has been resolved. Grid now filters by last changed date within Propagation Actions. |
Password Safe | Passwords rotating while a releaserequest is open. For one customer a number of password rotations occur during a pmmreleaserequest checkout. A delay is occurring somewhere in rotating the password, which is causing this. | Delay no longer occurs. |
Analytics & Reporting BeyondInsight Configuration - User Management | SAML logins always appear as ‘Never’ on the Active Users report, and Last Login information is blank for SAML users in User Management. | Made updates so the Last Login data for SAML users is captured and stored correctly. Now it also appears on the Active Users report. |
BeyondInsight Configuration - Smart Rules | When editing the Name field of a Managed Account Quick Group, the edited name change cannot be saved and throws an error. | Now the Name field of a Managed Account Quick Group can be edited and saved without errors. |
BeyondInsight Configuration - Access Policies | In some cases, an access policy without any obvious dependencies, cannot be deleted, and an error is shown indicating an unseen dependency exists. | The access policy without dependencies can now be deleted without errors. |
Password Safe | Users can create requests against Assets that are inactive, but cannot view requests against assets that are inactive. | Assets that were previously Managed By Password Safe and marked as Inactive shall be Marked Active in the upgrade path. Assets that are Managed by Password Safe shall not be allowed to be Marked Inactive by Smart Rules. |
Known issues
Product Area | Description | Workaround |
---|---|---|
Public API: Secrets Safe | Using the API, a user is able to share a Secret to the Safe that it already belongs to, resulting in duplication of that Secret on the Secrets grid. | There is no need to share a secret to a Safe that it already belongs to. This will be resolved in a future release. |
Analytics & Reporting (Cloud only) | In the Subscriptions → Download Reports panel, if using ESC to close the panel, the keyboard focus does not go to a logical place and makes it seem like keyboard control has been lost. | You can quickly return to the appropriate spot using the mouse. If using the mouse is not an option, continue pressing the TAB key until you can see where the keyboard focus has ended up. This will be resolved in a future release. |
Analytics & Reporting | When navigating the items on the Subscriptions tab, using the keyboard to access the menu for a single subscription may result in the menu placement appearing away from the selected subscription. | This occurs only when using the Space Bar as the action key. Using Enter works as expected. This will be resolved in a future release. |
Secrets Safe | When an edited Secret is saved after all owners are removed from it, the Secret cannot be saved, and the warning that appears is vague. | You cannot save a secret without an owner. Add at least one owner to resolve the message. This will be resolved in a future release. |
Secrets Safe | It is possible to assign ownership of a Secret to someone who does not have read access to the Safe that contains the Secret. In that case, the Secret “owner” cannot actually see or take any actions on it. | Either grant the user at least Read permissions to the Safe, or, don’t set them as an owner of the Secret. This will be resolved in a future release. |
Secrets Safe | The Safe Advanced Details → Access Management grid does not correctly represent a group’s inactive status. Assigning Safe access to an inactive group has no effect since users in that group will not be able to access Secrets Safe. | Cross reference the User Management area to check whether a given group is active/inactive before assigning Safe access. This will be resolved in a future release. |
Secrets Safe | On the All Secrets folder, when filtering the Secrets grid by Owner, the list of owners does not correctly include the owners of Secrets which reside in subfolders. | The ‘Owner’ grid filter functions properly when a Safe or subfolder is selected. This will be resolved in a future release. |
Secrets Safe | Attempting to edit a secret which is owned by an account which no longer has access to the Safe will fail with an invalid ownership error. | The account which is now an invalid owner must be removed from the secret by temporarily re-adding the account to the Safe so the editing of the secret will be successful. This will be resolved in a future release. |
BeyondInsight (on-prem only) | When updating a single-tenant system to multi tenant by adding a first new Organization, a flag that indicates the system is now Multi-Tenant does not get set properly for up to 1 day after the update time. Until corrected, the incorrect value on this flag will: | Performing an IIS reset will update this flag to the correct value right away. This will: If assets/managed systems/smart rules were created in the incorrect org before remedying this issue, those may require intervention from support to clean up. This will be resolved in a future release. |
Notes
- Direct upgrades to 24.3.0 are supported from BeyondInsight versions 23.1 or later releases.
- BeyondInsight 24.3.0 supports SQL Server 2016 SP2 or higher.
- This release is available by download for BeyondTrust customers (https://beyondtrustcorp.service-now.com/csm) and by using the BeyondTrust BT Updater.
- The MD5 signature is: eed9242ff66f62ff2c796887e94b1d4d
- The SHA-256 signature is: 1489c6aea87e9083e574b49b74b49cbcba06b628c5b7845f8c3ff0f1c6471a61
Deprecation notices
Starting with BIPS 24.3, the Password Safe platforms Cloud - Azure and Cloud - Office 365 are being deprecated and replaced with the Microsoft Entra ID platform (available since BIPS 22.3). This platform provides additional functionality to include rotation of Entra ID accounts with MFA enabled.
Required action
There is no automated process to migrate from Cloud - Azure and Cloud - Office 365 platforms to Entra ID. If you're using the deprecated platforms, you must manually migrate to the Microsoft Entra ID platform.
To migrate from Cloud - Azure and Cloud - Office 365 to Entra ID:
- Retrieve any existing Azure/Office 365 account passwords from Password Safe.
- Delete the Azure/Office 365 Managed Systems, Managed Accounts, and Functional Accounts.
- Create new Microsoft Entra ID Functional Accounts.
- Create new Microsoft Entra ID Managed Systems.
- Automatically discover and onboard managed accounts via Smart Rules.
Help and support
Contact BeyondTrust Support if you have any questions or need assistance with leveraging the Microsoft Entra ID platform.
- Team Passwords Public API Endpoints have been deprecated and are no longer present in the 24.3 release. You must update scripts to use the corresponding Secrets Safe API endpoints instead.
- The following are deprecated in the 24.3 release:
- Analytics & Reporting > Clarity: Clarity and related reports and configuration.
- About > BeyondInsight Analysis
- Clarity Analytics is deprecated in the 24.3 release. Grids and Endpoints removed. Clarity menu item is removed for on-premise installs. Clarity Analytics Configuration menu item is removed for on-premise installs.
- Secrets Safe Secrets API Guide - OwnerId, OwnerType are deprecated. New parameters from "Owners" are being used instead.
- Secrets Safe Folders API Guide - UserGroupId is deprecated and no longer used.
- BT Analyzer is deprecated in the 24.3 release (on-premise only).