Add databases to Password Safe
There are two ways to discover and manage database instances:
- Auto-discover using a scan template, and then auto-manage using a Smart Group. Use this method for SQL Server and Oracle.
- Manually add and manage databases. Use this method for MongoDB, MySQL, Sybase ASE, and Teradata.
Auto discover and manage database instances
The following scan types include database instance data in the scan results:
- Detailed Discovery Scan: This scan requires credentials and it deploys a scan agent to the scan targets. Besides systems, this scan provides associated information on services, scheduled tasks, users, and databases.
- Advanced Discovery Scan: This scan performs the same operations as the detailed scan, but provides information on all associated attributes.
After you run a scan, the assets are displayed on the Assets page. At this point, you can create a Smart Rule to manage the database instances.
- From the left menu, click Smart Rules.
- Click + Create Smart Rule.
- Select or create a new category and provide a name and description for the Smart Group.
- For selection criteria, select Address Group, and then select the group that includes the database instances.
- Add another condition, select Host Database Instance, and then select the database types.
- For the actions, select Show asset as Smart Group.
- Add more actions of Manage Assets using Password Safe, and then select the platforms, account name formats, functional accounts, and other desired settings, making sure to use the default port numbers for the databases:
- Oracle: 1521
- SQL Server: 1433
- Click Create Smart Rule.
Note
An Oracle database can be part of a database cluster. If several nodes are found through discovery, only a single database managed system is created. Cluster failover is supported.
Note
The Smart Rule automatically excludes the functional account assigned to that system, as well as the sa account on MS SQL Server systems, from Password Safe onboarding. The sa account is excluded as a precaution so that it is not onboarded inadvertently. If you want Password Safe to manage the sa account, either create the managed account manually or use the Create Managed Account on each system action in a Managed System Based Smart Rule.
Note
To view the contents of a Smart Rule when creating a new rule or editing an existing rule:
- Once the rule is saved, click View Results.
- You are taken to the associated grid, where the contents of the Smart Rule are listed.
- If the rule is actively processing, a banner displays letting you know that.
Note
- View Results displays only if you have permissions to the grid corresponding to the Smart Rule, i.e., Assets, Managed Accounts, or Managed Systems.
- The Smart Rule must be saved with Show <entity> as Smart Group selected under Actions to view the results.
Note
Because the Smart Rule must process to display the contents in the grid, we recommend viewing the results using only the Show as Smart Group action and before adding additional actions that may make changes to accounts and assets in your network. Once you have confirmed the rule contains your desired items, you can then add additional actions to the Smart Rule.
Manually add database instances
You can manually add the following database instance types. When selecting the database platform, ensure the correct port number is displayed.
- Mongo: 27017
- MS SQL Server: 1433
- MySQL: 3306
- Oracle: 1521
- PostgreSQL: 5432
- SAP HANA: 30015
- Sybase ASE: 5000
- Teradata: 1025
Manually add databases to assets managed by Password Safe
- From the left menu, click Assets.
- Click the vertical ellipsis button for the asset, and then select Go to Advanced Details.
- Under General Data, click Databases.
- Click + Add Database above the grid.
- Provide a name, select the platform, add a version, leave the default port, and then click Save Database.
Manually add databases to Password Safe management
- From the left menu, click Assets.
- Assets that host database instances are indicated by a Database Host icon in the Solution column.
- Click the vertical ellipsis button for the desired asset, and then select Go to Advanced Details.
- Under General Data, click Databases.
- Click the vertical ellipsis button for the desired instance, and then select Add to Password Safe.
- On the Create New Managed System form, expand Credentials and select the functional account.
- Select other settings as desired, and then click Create Managed System.
Manage database instance accounts
Once the database instances are managed, create a managed accounts Smart Rule to manage the database instance accounts. The steps are the same for both auto-discovered and manually added database instances.
- From the left menu, click Smart Rules.
- Select Managed Account from the Smart Rule type filter dropdown.
- Click + Create Smart Rule.
- Select Managed Accounts from the Category dropdown.
- Provide a meaningful Name and Description for the Smart Rule.
- Select the criteria to match on the database instance account name, filtering out any named functional accounts.
- Select Yes from the Discover accounts for Password Safe Management list.
- From the Discover accounts from list, select the smart group where the database instance resides.
- In the Actions section, select Show managed account as a Smart Group from the list.
- Select Manage Account Settings from the list.
- Select a password rule, and choose whether or not to auto-manage the accounts.
- Click Create Smart Rule.
Note
To view the contents of a Smart Rule when creating a new rule or editing an existing rule:
- Once the rule is saved, click View Results.
- You are taken to the associated grid, where the contents of the Smart Rule are listed.
- If the rule is actively processing, a banner displays letting you know that.
Note
- View Results displays only if you have permissions to the grid corresponding to the Smart Rule, i.e., Assets, Managed Accounts, or Managed Systems.
- The Smart Rule must be saved with Show <entity> as Smart Group selected under Actions to view the results.
Note
Because the Smart Rule must process to display the contents in the grid, we recommend viewing the results using only the Show as Smart Group action and before adding additional actions that may make changes to accounts and assets in your network. Once you have confirmed the rule contains your desired items, you can then add additional actions to the Smart Rule.
Note
When using MySQL with multiple accounts that share the same username, Password Safe can only rotate the password on all instances of that username together, using a functional account.
Discover accounts for SAP HANA databases
Most database platforms leverage the Discovery Scanner to discover the asset and then find the accounts in the database. SAP HANA, however, does not use the Discovery Scanner. With the SAP HANA database platform, you must manually create the asset and then leverage a managed account Smart Rule for account discovery.
When creating the managed account Smart Rule, select the following under Selection Criteria:
- User Account Attribute from the first dropdown list.
- Account Name from the second list.
- The appropriate operator from the third list, e.g., contains, equals (=), or starts with.
- Enter the appropriate value in the next field.
- Yes from the Discover Accounts for Password Safe Management dropdown list.
- An existing asset Smart Group that contains the SAP HANA asset(s) in your environment, from the Discover Accounts From dropdown list.
Create a functional account for SQL Server
When you are adding SQL Server as a managed system, you must first create a security login in SQL Server to use for the functional account.
Permissions and roles in SQL Server
The following roles and permissions are required in SQL for the functional account:
- Server roles – public
- ALTER ANY LOGIN
- CONNECT SQL
Note
Per Microsoft, it is considered best practice to disable the SA account for security purposes. However, if the SA account is not disabled, rotating the password regularly increases security. The functional account must have sysadmin privileges to rotate passwords for accounts that have sysadmin privileges.
Apply permissions to a functional account:
The following code samples show you how to apply the required permissions to the functional account.
```sql
GRANT CONNECT SQL TO [FunctionalAccountName];
GRANT ALTER ANY LOGIN TO [FunctionalAccountName];
```
Create the account in SQL Server
- Connect to a database as the SQL Server sa on the asset you manage.
- Expand Security and expand Logins.
- Right-click Logins and select New login.
- Enter a Login name and select SQL Server authentication.
- Enter and confirm a password.
- Configure the user as desired and click OK.
- To configure the user, right-click the user and select Properties.
- Select Server Roles and ensure the public role is selected.
- Select Securables and click Search.
- Select the server instance and click OK.
![Set permissions in SQL Server for the login that was created for the functional account.](../../resources/images/ps-admin/ps-sql-server-permissions-6-9.png)
- From the list of permissions, ensure the Alter any login and Connect SQL are selected for Grantor sa.
- Click OK.
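The following T-SQL script is an added example, not part of the BeyondTrust documentation: it performs the same steps as the SSMS procedure above from a query window, grants only the two permissions the page lists, and then reads the server catalog back to confirm that nothing more than that was granted. The login name `PSFunctional`, the managed login `ManagedAppUser`, and the passwords are placeholders you must replace.

```sql
-- Added example (not from the Password Safe documentation): create the SQL Server
-- login used as the Password Safe functional account, grant exactly the required
-- server permissions, and verify the result. Run as sa or another sysadmin.
USE master;
GO

-- 1. Create the login with SQL Server authentication. CHECK_POLICY applies the
--    Windows password policy; CHECK_EXPIRATION stays off because Password Safe
--    rotates this password itself.
IF SUSER_ID(N'PSFunctional') IS NULL
    CREATE LOGIN [PSFunctional]
        WITH PASSWORD = N'<replace-with-a-strong-generated-password>',
             CHECK_POLICY = ON,
             CHECK_EXPIRATION = OFF;
GO

-- 2. Grant the two server-level permissions Password Safe needs. Every login is a
--    member of the public server role automatically, so no GRANT is needed for it.
GRANT CONNECT SQL TO [PSFunctional];
GRANT ALTER ANY LOGIN TO [PSFunctional];
GO

-- 3. Verify: expect exactly CONNECT SQL and ALTER ANY LOGIN, both GRANT, and no
--    sysadmin membership (sysadmin is only needed to rotate sysadmin accounts,
--    see the note on the SA account above).
SELECT p.permission_name, p.state_desc
FROM sys.server_permissions AS p
JOIN sys.server_principals AS sp ON sp.principal_id = p.grantee_principal_id
WHERE sp.name = N'PSFunctional'
ORDER BY p.permission_name;

SELECT IS_SRVROLEMEMBER('sysadmin', N'PSFunctional') AS is_sysadmin;  -- expect 0
GO

-- 4. Optional smoke test: impersonate the functional account and reset the
--    password of a placeholder managed login. ALTER ANY LOGIN is sufficient for
--    non-sysadmin logins; a sysadmin target would additionally need CONTROL SERVER.
EXECUTE AS LOGIN = N'PSFunctional';
    ALTER LOGIN [ManagedAppUser] WITH PASSWORD = N'<new-rotated-password>';
REVERT;
GO
```

The verification query in step 3 is the check to repeat after any later change to the login: if it ever returns CONTROL SERVER, or `is_sysadmin` becomes 1, the functional account has more power than rotation requires.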
Retrieve SQL Server instance port
To configure a SQL Server database for Password Safe, you must retrieve the port number of the managed database instance using a query. The query below is needed only for named database instances; you do not need to provide a port number for the default instance.
- Create an instance on SQL Server.
- Once the instance is running, open the database and then select New Query.
- Execute the following query, entered on separate lines as shown:
  ```sql
  GO
  EXEC xp_readerrorlog 0, 1, N'Server is listening on'
  GO
  ```
- From the left sidebar in BeyondInsight, click Assets.
- On the Assets page, find the asset where the SQL Server database is installed.
- Click the vertical ellipsis for the asset, and then select Go to Advanced Details.
- Under General Data, click Databases.
- Click + Add Database above the grid.
- Enter a name for the instance.
- Select MS SQL Server from the Platform dropdown.
- Leave the default port or manually add the correct database port.
- Click Save Database.
- From the Databases grid, click the vertical ellipsis for the newly created database, and then select Add to Password Safe.
- Select the details required for the managed system.
- Click Create Managed System.
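As an added example that is not part of the BeyondTrust documentation, the script below shows the error-log query from step 3 alongside two catalog queries that report the same port from a different source, so the value you enter on the Add Database form can be cross-checked. The DMV queries are an assumption on my part rather than something the page describes; they require SQL Server 2012 or later and the VIEW SERVER STATE permission.

```sql
-- Added example (not from the Password Safe documentation): three ways to find the
-- TCP port of a named SQL Server instance. Run while connected to that instance.

-- (a) The documented approach: search the current error log (log 0, SQL Server
--     log type 1) for the listener line. The matching text looks like
--     "Server is listening on [ 'any' <ipv4> 1433]".
EXEC master.dbo.xp_readerrorlog 0, 1, N'Server is listening on';

-- (b) Cross-check against the live listener table (assumed: SQL Server 2012+,
--     VIEW SERVER STATE). type_desc = 'TSQL' is the client (TDS) listener, as
--     opposed to Service Broker or database mirroring endpoints.
SELECT ip_address, port, state_desc
FROM sys.dm_tcp_listener_states
WHERE type_desc = N'TSQL';

-- (c) The port this session arrived on. NULL means you connected over shared
--     memory or named pipes rather than TCP; if the value differs from (b), you
--     are connected through a different listener than the one you are recording.
SELECT local_tcp_port
FROM sys.dm_exec_connections
WHERE session_id = @@SPID;
```

If (a) and (b) disagree, the error log is stale (the instance was reconfigured since the log was last cycled) and the listener table is the value to trust. A port that changes between restarts indicates the instance is using dynamic ports, which should be replaced with a fixed port before the managed system is created.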
Add a PostgreSQL database instance
A PostgreSQL database instance must be added manually.
Before adding the instance to Password Safe management, you must create an account in PostgreSQL to use as the functional account in Password Safe.
Create accounts in PostgreSQL
Note
The following instructions are for guidance only. For details on how to create an account, refer to the PostgreSQL documentation.
To create the account with appropriate level permissions:
- Run pgAdmin from the icon on the tray.
- Right-click Login/Group roles, and then click Create.
- Enter a name. This is the functional account.
- On the Privileges tab, ensure the following permissions are in place for the functional account: Login, Create role, and Inherit rights from parent roles.
- Right-click Login/Group roles, and then select Create.
- Enter a name. This is the managed account.
- On the Privileges tab, ensure the following permissions are in place for the managed account: Login, and Inherit rights from parent roles.
You must also know the database instance name and the port number. In pgAdmin, click Object, select Properties, and then click the Connection tab.
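The following SQL is an added example, not from the BeyondTrust or PostgreSQL documentation: it creates the same two roles the pgAdmin steps above produce, with the same attribute sets, verifies them from `pg_roles`, and returns the database name and port needed for the Add Database form. Role names and passwords are placeholders; run it as a superuser such as `postgres`. The PostgreSQL 16 step is my own addition based on the CREATEROLE changes in that release.

```sql
-- Added example (not from the Password Safe documentation): create the functional
-- and managed roles, verify their attributes, and read the connection details.
-- Run as a superuser. Role names and passwords are placeholders.

-- 1. Functional account: LOGIN, CREATEROLE and INHERIT, as listed in the steps above.
CREATE ROLE ps_functional
    LOGIN CREATEROLE INHERIT
    PASSWORD '<replace-with-a-strong-generated-password>';

-- 2. Managed account: LOGIN and INHERIT only, no role-management rights.
CREATE ROLE app_managed
    LOGIN INHERIT
    PASSWORD '<replace-with-initial-password>';

-- 3. PostgreSQL 16 and later only (the WITH options below do not parse on 15 or
--    earlier, where CREATEROLE alone is sufficient): since 16, CREATEROLE lets a
--    role alter only roles it holds ADMIN OPTION on. Grant that for each managed
--    role, without INHERIT or SET so the functional account does not acquire the
--    managed role's own privileges.
GRANT app_managed TO ps_functional WITH ADMIN TRUE, INHERIT FALSE, SET FALSE;

-- 4. Verify the attributes match the required sets; rolsuper must be false for both.
SELECT rolname, rolcanlogin, rolcreaterole, rolinherit, rolsuper
FROM pg_roles
WHERE rolname IN ('ps_functional', 'app_managed')
ORDER BY rolname;
-- expected: app_managed   t f t f
--           ps_functional t t t f

-- 5. Connection details for the Add Database form: database name and listening port.
SELECT current_database() AS instance_name,
       current_setting('port') AS port;   -- default is 5432
```

Step 3 is the caveat to remember on newer servers: a functional account that passes the attribute check in step 4 can still fail to rotate a managed account's password on PostgreSQL 16 if it was not granted ADMIN OPTION on that role (roles it created itself receive it automatically).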
Add the PostgreSQL instance to Password Safe
- Scan the asset where the PostgreSQL instance resides.
- From the left sidebar in BeyondInsight, click Assets.
- Click the vertical ellipsis button for the asset, and then select Go to Advanced Details.
- Under General Data, click Databases.
- Click the vertical ellipsis button for the desired instance, and then select Add to Password Safe.
- Set the following:
- Instance Name: Enter the instance name.
- Platform: Select PostgreSQL.
- Version: Enter the PostgreSQL version number. This is optional.
- Port: The default port value is 5432.
- Click Create Managed System.
Configure settings on the Oracle platform
When adding Oracle as a managed system, follow these steps:
- Add the functional account to the console.
- Add the functional account to the Oracle user list in Oracle.
- Set the IP address for the host in Oracle Net Manager.
Add the functional account
- Select Configuration.
- Under Privileged Access Management, click Functional Accounts.
- Click Create Functional Account.
- Select Database from the Type dropdown list.
- Select Oracle from the Platform list.
- Select SYSDBA from the Privilege list, and then enter the username and password. The SYSDBA role is required if you use the SYS Oracle account as the functional account.
- Continue to set the remaining options.
Note
When adding the Oracle platform as a managed system, be sure to select the SYSDBA functional account.
Set permissions for the functional account in Oracle
In Oracle Enterprise Manager, the functional account (other than SYS) must be added to the Oracle user list.
The user account must be assigned the following Privileges & Roles:
- ALTER USER
- CONNECT
- SELECT ON DBA_USERS (Required for auto Discovery of Oracle instance managed accounts.)
Create the functional account in Oracle
To create a functional account in Oracle:
```sql
CREATE USER [FunctionalAccountName] IDENTIFIED BY password;
GRANT CONNECT TO [FunctionalAccountName];
```
To grant permission to the functional account to change passwords on a managed account:
```sql
GRANT CONNECT TO [FunctionalAccountName];
GRANT ALTER USER TO [FunctionalAccountName];
GRANT SELECT ON DBA_USERS TO [FunctionalAccountName];
```
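As an added example that is not part of the BeyondTrust documentation, the script below carries the statements above through with a concrete (placeholder) account name and then confirms from the Oracle data dictionary that the account holds exactly the listed role and privileges and nothing administrative. Run it as a DBA (for example SYS AS SYSDBA); in a multitenant database, run it in the PDB that Password Safe will manage. The dictionary queries and the final smoke test are my own additions.

```sql
-- Added example (not from the Password Safe documentation): create the Oracle
-- functional account, verify its grants from the data dictionary, and test the
-- operations Password Safe performs. Names and passwords are placeholders.

CREATE USER ps_functional IDENTIFIED BY "<replace-with-a-strong-generated-password>";
GRANT CONNECT TO ps_functional;
GRANT ALTER USER TO ps_functional;
GRANT SELECT ON dba_users TO ps_functional;

-- Verify roles, system privileges and object privileges in one list. Dictionary
-- names are stored in upper case, so the grantee is compared as 'PS_FUNCTIONAL'.
SELECT 'ROLE' AS kind, granted_role AS detail
FROM   dba_role_privs WHERE grantee = 'PS_FUNCTIONAL'
UNION ALL
SELECT 'SYSPRIV', privilege
FROM   dba_sys_privs WHERE grantee = 'PS_FUNCTIONAL'
UNION ALL
SELECT 'OBJPRIV', owner || '.' || table_name || ':' || privilege
FROM   dba_tab_privs WHERE grantee = 'PS_FUNCTIONAL'
ORDER  BY 1, 2;
-- expected rows: OBJPRIV SYS.DBA_USERS:SELECT / ROLE CONNECT / SYSPRIV ALTER USER
-- Anything else (DBA, ALTER ANY ..., UNLIMITED TABLESPACE, ...) is more than required.

-- The account must not be an administrative (SYSDBA/SYSOPER) user: expect no rows.
SELECT username, sysdba, sysoper
FROM   v$pwfile_users
WHERE  username = 'PS_FUNCTIONAL';

-- Smoke test, run in a separate session connected as ps_functional (not as SYS):
-- the discovery read and the password rotation are the two things it must be
-- able to do, and they should be the only things it can do to other accounts.
SELECT username, account_status FROM dba_users WHERE username = 'APP_MANAGED';
ALTER USER app_managed IDENTIFIED BY "<new-rotated-password>";
```

Note that `GRANT ALTER USER` is a system privilege that applies to every user in the database, including administrative ones, which is why the dictionary check above matters: the functional account should be protected at least as carefully as the accounts it rotates.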
Configure the host
On the Oracle platform, you must configure the following settings:
- In Oracle Net Manager, the host name IP address must be explicitly set as a listener.
- Also in Oracle Net Manager, set the service name as the host name IP address.
Use encrypted connections
Password Safe supports Oracle database connections that are configured to use encryption. Using encryption is optional.
The following encryption protocols are supported:
- AES128
- AES192
- AES256
- RC4_128
- RC4_256
- 3DES112
- 3DES168
Configure encryption using Oracle Net Manager.
Note
The following section is provided for guidance only. For more information, refer to Oracle product documentation.
On the Profile node, select Network Security and then set the following:
- On the Integrity tab, select:
- Server from the Integrity menu
- required from the Checksum Level menu
- SHA256 as the method
- On the Encryption tab, select:
- Server from the Encryption menu
- required from the Encryption Type menu
- AES256 as the method
Note
If you select required for Checksum Level and Encryption Type, you must enter an encryption seed in the sqlnet.ora file.
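Once the Oracle Net Manager settings above are in place, it is worth confirming what a session actually negotiated rather than trusting the configuration alone. The queries below are an added example, not from the BeyondTrust or Oracle documentation; they assume a connection made through the listener the way Password Safe connects (a local bequeath or IPC connection bypasses the listener and reports no banner) and a user allowed to read the `V$` views. The parameter names mentioned in the comments are the `sqlnet.ora` equivalents of the Net Manager settings.

```sql
-- Added example (not from the Password Safe documentation): verify Oracle native
-- network encryption and integrity as negotiated by live sessions. The Net Manager
-- settings above correspond to these sqlnet.ora parameters on the server:
--   SQLNET.ENCRYPTION_SERVER = required
--   SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
--   SQLNET.CRYPTO_CHECKSUM_SERVER = required
--   SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA256)

-- 1. What this session negotiated. With the settings above you should see one
--    banner line containing "AES256 Encryption service" and one containing
--    "SHA256 Crypto-checksumming service". RC4, DES or MD5 in a banner means a
--    weaker algorithm from the supported list was accepted instead.
SELECT network_service_banner
FROM   v$session_connect_info
WHERE  sid = SYS_CONTEXT('USERENV', 'SID')
AND    (network_service_banner LIKE '%Encryption service%'
        OR network_service_banner LIKE '%Crypto-checksumming service%');

-- 2. The same check across all current user sessions, to spot clients that
--    connected before the listener picked up the new profile or that still
--    negotiate a legacy algorithm. Expect only AES256 / SHA256 banners here.
SELECT s.username, s.machine, s.program, ci.network_service_banner
FROM   v$session s
JOIN   v$session_connect_info ci
       ON ci.sid = s.sid AND ci.serial# = s.serial#
WHERE  s.type = 'USER'
AND    (ci.network_service_banner LIKE '%Encryption service%'
        OR ci.network_service_banner LIKE '%Crypto-checksumming service%')
ORDER  BY s.username, s.machine;
```

A session with no encryption banner at all, while the server is set to `required`, is the case to investigate first: either it is a local bequeath connection, or it reached the database through a listener whose profile was not updated.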
Oracle internet directories (OID)
OID Connect Descriptors (also known as TNS Connect Strings) define all parameters needed to connect to a specific Oracle database service, such as the instance name, DNS name, IP address, and port. You can leverage OID Connect Descriptors to add Oracle database systems to Password Safe.
When adding an Oracle database as a Managed System in Password Safe, select the appropriate database service and Password Safe reads the Connect Descriptor data when communicating with the Oracle database.
Configure an Oracle internet directory
To use this functionality, you must configure an OID, as follows:
- Go to Configuration > Privileged Access Management > Oracle Internet Directories.
- Click Create New Oracle Internet Directory +.
- Enter a name for the directory, a short description, and information for the LDAP server.
- Check Use SSL if desired.
- If you turn off Use Anonymous, enter a name and password.
- Click Create Directory when done, or Discard, if you do not wish to keep it.
- You can also click Test Server to test the connection.