Best Practices: Smart Groups

Summary

This guide helps you design Smart Groups for BeyondInsight deployments, both on-premises and in cloud environments. Follow these best practices to create Smart Rule configurations that are easier to manage, scale, and troubleshoot, while maintaining reliable performance for Password Safe and Endpoint Privilege Management (EPM) use cases.

Terms

For a list of terms and concepts as BeyondTrust uses them in this document and in the BeyondInsight interface, see Password Safe glossary.

Concepts

Discovery

Discovery brings asset and account data into the BeyondInsight database. It is typically the first phase of any use case that requires identifying an asset or privileged account. Assets and accounts must exist in BeyondInsight before other products can interact with them.

Discovery methods include client communication, network scanning, manual import, and API‑based creation.
For more information about asset types, see Asset types.

Onboarding

Onboarding converts an asset or privileged account into a managed system or managed account in Password Safe. It is typically the second phase of a Password Safe use case.

  • For managed systems, onboarding associates the platform and functional account with the system and prepares it to be associated with a managed account.
  • For managed accounts, onboarding configures Password Safe account settings such as rotation and session release timeframes that users must follow.

For additional information on how to onboard systems or accounts, see Onboarding systems and accounts.

Linking

Linking defines the relationship between systems and directories in Password Safe. It specifies which accounts are visible to a given asset or managed system.

You can configure linking by using Smart Rule actions, API calls, or manual configuration. You can remove links only through manual configuration or API calls; Smart Rules do not support an unlink action.

🚧

Important information

Because there is no unlink Smart Rule action, include Asset Smart Rule criteria in all Access Managed Account Smart Rules. This prevents accidental linking that could grant users broader access than intended.

Dedicated account mapping

Dedicated account mapping restricts access to a managed account to a single user. An account becomes dedicated only after the mapping process completes successfully. After dedication, no other user, including the biadmin account, can request access to the account.

Dedicated accounts help incident response and operations teams clearly identify which user performed an action on an endpoint. This capability improves confidence in endpoint log data but does not replace the forensic validation provided by Password Safe audit and session recording logs.

Grant access

Users receive role-based access to BeyondInsight and Password Safe through group membership. Local or directory user groups are onboarded into BeyondInsight with their user lists. Feature permissions, Smart Group permissions, and API registrations are assigned to the user group to control what users can see and edit in BeyondInsight.

For example, assigning the Endpoint Privilege Management feature with read access, and assigning a specific Smart Group with read access, lets users in that group read the PM events from clients within that Smart Group.

Password Safe roles (Requestor, Approver, or Auditor) and the appropriate access policy workflow are also assigned to the Smart Group within the user group.

ℹ️

Users who belong to multiple groups may receive more access than intended. Plan and apply role-based access policies carefully.

General guidelines

Management strategies

Before you create Smart Groups, discuss your use cases at a high level to determine the strategy that best suits your needs. There are two basic strategies for Smart Group creation.

Few Complex

The Few Complex strategy minimizes the number of Smart Rules by using more complex criteria filters to capture a larger set of objects in a single rule. Complex criteria filters can result in long processing times. Smart Rule count and process time can become a performance concern. For more information, see the Overview – Smart Rule Performance document.

Many Simple

The Many Simple strategy is more widely used. In this strategy, administrators create many straightforward Smart Rules. Where feasible, use no more than two criteria filters and no more than two actions for any Smart Rule.

Approaches for dynamic processes

After you decide on a strategy, choose one of the following two common approaches.

By API and attributes

This approach is common for large customers who have developers available to create and run scripts regularly as the environment changes.

  1. Identify: Define assets, accounts, and custom attributes.
  2. Discover: Create assets, attributes, and accounts manually, by scan, by endpoint installation, or by API. The PM agent can discover assets based on client communication.
  3. Assign attributes: Configure Smart Rules or API actions to set attributes on assets and accounts.
  4. Onboard: Use additional Smart Rules that consume these attributes to configure managed systems and managed account settings.
  5. Grant access: Configure user group permissions and roles.
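The five phases above, as an added example script written for this guide rather than code from BeyondTrust: a small Python client for the Password Safe public REST API that creates assets, assigns an attribute to each, and then processes the one Onboard Smart Rule that consumes the attribute. The endpoint paths (/Auth/SignAppin, /Workgroups/{id}/Assets, /Assets/{id}/Attributes/{id}, /SmartRules/{id}/Process, /Auth/Signout), the PS-Auth header format and the JSON field names are assumptions drawn from the public API reference and must be checked against the version you run; the host name, API key, user and IDs are placeholders, and the recording transport at the bottom is constructed so the flow can be exercised offline.

```python
import json
import urllib.request
from http.cookiejar import CookieJar
from typing import Any, Callable, List, Optional, Tuple

# A transport takes (method, url, json_body, headers) and returns the decoded
# JSON response (None for an empty body). Injecting it lets the flow run
# offline against the recording fake at the bottom of this block.
Transport = Callable[[str, str, Optional[dict], dict], Any]


class BeyondInsightClient:
    """Minimal wrapper for the Password Safe public API (paths are assumptions)."""

    def __init__(self, base_url: str, api_key: str, runas: str,
                 transport: Optional[Transport] = None) -> None:
        self.base_url = base_url.rstrip("/")
        # PS-Auth header: API registration key plus the user the calls run as.
        # Assumption: confirm the exact header format in your API reference.
        self.auth_header = f"PS-Auth key={api_key}; runas={runas};"
        self.transport = transport or self._http_transport
        # SignAppin sets a session cookie that subsequent calls must present.
        self._opener = urllib.request.build_opener(
            urllib.request.HTTPCookieProcessor(CookieJar()))

    def _http_transport(self, method: str, url: str, body: Optional[dict],
                        headers: dict) -> Any:
        data = json.dumps(body).encode("utf-8") if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers=headers)
        with self._opener.open(req, timeout=30) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else None

    def call(self, method: str, path: str, body: Optional[dict] = None) -> Any:
        headers = {"Authorization": self.auth_header,
                   "Content-Type": "application/json"}
        return self.transport(method, self.base_url + path, body, headers)

    def sign_in(self) -> Any:
        return self.call("POST", "/Auth/SignAppin")

    def create_asset(self, workgroup_id: int, name: str, ip: str, os_name: str) -> int:
        body = {"AssetName": name, "DnsName": name, "IPAddress": ip,
                "OperatingSystem": os_name}
        return self.call("POST", f"/Workgroups/{workgroup_id}/Assets", body)["AssetID"]

    def assign_attribute(self, asset_id: int, attribute_id: int) -> Any:
        return self.call("POST", f"/Assets/{asset_id}/Attributes/{attribute_id}")

    def process_smart_rule(self, smart_rule_id: int) -> Any:
        # Runs the rule now instead of waiting for its processing schedule.
        return self.call("POST", f"/SmartRules/{smart_rule_id}/Process")

    def sign_out(self) -> Any:
        return self.call("POST", "/Auth/Signout")


def onboard_by_attribute(client: BeyondInsightClient, workgroup_id: int,
                         attribute_id: int, onboarding_rule_id: int,
                         hosts: List[Tuple[str, str, str]]) -> List[int]:
    """Discover (create by API), assign the attribute, then trigger the single
    Onboard Smart Rule that consumes it. Returns the created AssetIDs."""
    client.sign_in()
    try:
        asset_ids = []
        for name, ip, os_name in hosts:
            asset_id = client.create_asset(workgroup_id, name, ip, os_name)
            client.assign_attribute(asset_id, attribute_id)
            asset_ids.append(asset_id)
        # One processing call after all attributes are set, not one per asset.
        client.process_smart_rule(onboarding_rule_id)
        return asset_ids
    finally:
        client.sign_out()


class RecordingTransport:
    """Offline stand-in for HTTP: records (method, path, body) and returns
    constructed responses, so the flow can be checked without a server."""

    def __init__(self, base_url: str) -> None:
        self.base_url = base_url.rstrip("/")
        self.calls: List[Tuple[str, str, Optional[dict]]] = []
        self._next_asset_id = 100

    def __call__(self, method: str, url: str, body: Optional[dict], headers: dict) -> Any:
        path = url[len(self.base_url):]
        self.calls.append((method, path, body))
        if method == "POST" and path.endswith("/Assets"):
            self._next_asset_id += 1
            return {"AssetID": self._next_asset_id, "AssetName": body["AssetName"]}
        return None


if __name__ == "__main__":
    base = "https://bi.example.internal/BeyondTrust/api/public/v3"  # placeholder host
    fake = RecordingTransport(base)
    client = BeyondInsightClient(base, api_key="<api-key>", runas="svc_onboard",
                                 transport=fake)
    created = onboard_by_attribute(client, workgroup_id=1, attribute_id=42,
                                   onboarding_rule_id=7,
                                   hosts=[("db01", "10.0.0.11", "Windows Server 2022")])
    print(created, [(m, p) for m, p, _ in fake.calls])
```

Run as written, the script exercises the flow against the recording fake; omit the transport argument to use real HTTP. The Smart Rule is processed once after every attribute is set, which keeps the Manage action on a single rule and avoids one processing run per asset.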

By scan data

This approach is most common for small to medium organizations that allow network scans. New assets and accounts are dynamically onboarded as recurring scan data finds them.

  1. Identify: Create an Address Group or Directory Query to scan.
  2. Discover: Schedule recurring scans to gather data on assets and local accounts.
  3. Onboard: Dynamic Smart Rules consume the scan data to configure managed systems and managed account settings.
  4. Grant access: Configure user group permissions and roles.

Naming conventions

Use a consistent prefix for all Smart Groups that perform similar actions. Consistent naming groups related Smart Groups together in the BeyondInsight interface and helps administrators identify problems such as overlapping onboarding rules or overbroad linking rules.

The examples in this guide use the following prefixes:

  • Discovery:
  • Onboard:
  • Access:
  • Map:
  • Link:

Key guidelines

Although Smart Rules vary by use case, the following guidelines always apply:

  • Apply the Manage action to each asset or account only once.
  • Configure an appropriate processing schedule for each Smart Group.
  • For large deployments (5,000 or more assets), configure multi-node omni worker processing.
  • Avoid the following filter types when possible, because they are computationally intensive:
    • Matches regular expression
    • Does not match regular expression

Smart Rule Sections

Each Smart Rule has three sections: Heading, Criteria, and Actions.

Heading

  • Names the Smart Group.
  • Categorizes the Smart Group.
  • Describes the Smart Group.
  • Defines how the Smart Group is processed.

Criteria filters

  • Use Any (OR) or All (AND) grouping to get the expected results.
  • Place the most restrictive filter at the top to reduce the result set used in subsequent filters.
  • Complex Smart Rule filtering with nested filters is efficient and supported.
  • Review criteria results carefully before saving.
  • Use short names rather than full DNS names for asset matching when possible.
  • When using Active Directory queries to filter, make them as restrictive as possible.
  • Avoid Matches regular expression and Does not match regular expression filters when possible, because they are computationally intensive.

Parent and child Smart Rules: A Smart Rule that has child Smart Rules triggers the children to run before the parent completes. You can reuse a Smart Rule to save time when creating new ones, especially for a complex set of filters. Reusing a Smart Rule further refines the assets in the parent rule.
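To show why the ordering guideline matters, here is an added example (not BeyondInsight code) that evaluates a criteria tree with All (AND) and Any (OR) grouping over a constructed inventory of 1,000 assets and counts predicate evaluations for both orderings of the same two filters. The filter names and asset fields are assumptions; real Smart Rule processing runs in the database, so the counts illustrate the effect rather than measure the product.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Union


@dataclass
class Filter:
    """One criteria filter: a name and the test it applies to an asset."""
    name: str
    predicate: Callable[[dict], bool]


@dataclass
class Group:
    """An All (AND) or Any (OR) grouping; members may be filters or nested groups."""
    mode: str
    members: List[Union[Filter, "Group"]]


@dataclass
class Evaluation:
    matched: List[str] = field(default_factory=list)
    predicate_calls: int = 0


def _matches(node, asset: dict, stats: Evaluation) -> bool:
    if isinstance(node, Filter):
        stats.predicate_calls += 1
        return node.predicate(asset)
    if node.mode == "All":
        # AND stops at the first False, so every asset rejected by the top
        # filter never reaches the filters below it.
        return all(_matches(m, asset, stats) for m in node.members)
    if node.mode == "Any":
        # OR stops at the first True.
        return any(_matches(m, asset, stats) for m in node.members)
    raise ValueError(f"unknown grouping mode: {node.mode}")


def evaluate(root: Union[Filter, Group], assets: List[dict]) -> Evaluation:
    """Run the criteria tree over every asset; return matches and the cost."""
    stats = Evaluation()
    for asset in assets:
        if _matches(root, asset, stats):
            stats.matched.append(asset["name"])
    return stats


def build_assets(count: int = 1000) -> List[dict]:
    """Constructed inventory: half Windows, and 20 Windows hosts in the
    DatabaseServers OU (the restrictive attribute)."""
    assets = []
    for i in range(count):
        windows = i % 2 == 0
        assets.append({
            "name": f"host{i:04d}",
            "os": "Windows" if windows else "Linux",
            "ou": "DatabaseServers" if windows and i < 40 else "Workstations",
        })
    return assets


is_windows = Filter("Operating System contains Windows",
                    lambda a: a["os"] == "Windows")
in_db_ou = Filter("Directory Query OU=DatabaseServers",
                  lambda a: a["ou"] == "DatabaseServers")


def compare_orderings(assets: List[dict]) -> Dict[str, Evaluation]:
    """The same two filters in both orders inside an All group."""
    return {
        "broad_first": evaluate(Group("All", [is_windows, in_db_ou]), assets),
        "restrictive_first": evaluate(Group("All", [in_db_ou, is_windows]), assets),
    }


if __name__ == "__main__":
    for label, result in compare_orderings(build_assets()).items():
        print(f"{label}: {len(result.matched)} matched, "
              f"{result.predicate_calls} predicate evaluations")
```

Both orderings return the same 20 assets, but with the broad Windows filter on top the second filter still runs for every Windows host, whereas with the OU filter on top it runs only for the 20 hosts that survived. Nested groups evaluate the same way, so the rule also applies inside an Any group placed within an All group.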

For additional information on Smart Rules, see Smart Rules: Overview.

Action options

When a Smart Rule assigns a setting such as Manage Assets using Password Safe, make sure that multiple Smart Groups are not configuring the same assets or accounts with the same action. Each managed system or managed account should have this action applied only once. If a managed system or managed account appears in multiple Smart Groups with the same action, inefficient overwrites occur and can cause confusion.
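The following checks cover the guidelines stated here and under Key guidelines (one Manage action per asset or account, avoid regular-expression filters, consistent name prefixes) together with the Important information note under Linking (an Asset Smart Rule criterion in every Access Managed Account Smart Rule). It is an added example written for this guide, not BeyondTrust code: the rule inventory is constructed in a simplified shape, and in practice you would assemble it from the Smart Rule listing in BeyondInsight or its API.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Actions that must reach a given asset or account from exactly one rule.
MANAGE_ACTIONS = {"Manage Assets using Password Safe", "Manage Account Settings"}
REGEX_OPERATORS = {"Matches regular expression", "Does not match regular expression"}
PREFIXES = ("Discovery:", "Onboard:", "Access:", "Map:", "Link:")

# Constructed Smart Rule inventory in a simplified shape (name, category,
# filters, actions and the members the rule currently returns).
RULES: List[dict] = [
    {"name": "Onboard: Tier0 DB servers", "category": "Asset",
     "filters": [{"field": "Attribute", "operator": "equals", "value": "Tier0-DB"}],
     "actions": ["Manage Assets using Password Safe"],
     "members": ["db01", "db02"]},
    {"name": "Onboard: all Windows servers", "category": "Asset",
     "filters": [{"field": "Operating System", "operator": "contains", "value": "Windows"}],
     "actions": ["Manage Assets using Password Safe"],
     "members": ["db01", "web01"]},                      # db01 is managed twice
    {"name": "Access: DBA admin accounts", "category": "Managed Account",
     "filters": [{"field": "Account Name", "operator": "ends with", "value": "_adm"}],
     "actions": ["Show as Smart Group"],
     "members": ["alice_adm", "bob_adm"]},               # no Asset Smart Group filter
    {"name": "Access: web admin accounts", "category": "Managed Account",
     "filters": [{"field": "Asset Smart Group", "operator": "is", "value": "Access: web servers"},
                 {"field": "Account Name", "operator": "ends with", "value": "_adm"}],
     "actions": ["Show as Smart Group"],
     "members": ["carol_adm"]},
    {"name": "legacy servers", "category": "Asset",
     "filters": [{"field": "Asset Name", "operator": "Matches regular expression", "value": "^srv.*"}],
     "actions": ["Show as Smart Group"],
     "members": ["srv01"]},
]


def duplicate_manage_actions(rules: List[dict]) -> Dict[Tuple[str, str], List[str]]:
    """(member, action) -> rule names for every member that receives the same
    Manage action from more than one rule."""
    seen = defaultdict(list)
    for rule in rules:
        for action in rule["actions"]:
            if action in MANAGE_ACTIONS:
                for member in rule["members"]:
                    seen[(member, action)].append(rule["name"])
    return {key: names for key, names in seen.items() if len(names) > 1}


def regex_filters(rules: List[dict]) -> List[Tuple[str, str]]:
    """(rule name, filter field) for each computationally intensive regex filter."""
    return [(rule["name"], f["field"]) for rule in rules
            for f in rule["filters"] if f["operator"] in REGEX_OPERATORS]


def access_rules_without_asset_criteria(rules: List[dict]) -> List[str]:
    """Access Managed Account rules with no Asset Smart Group criterion, which
    can link accounts more broadly than intended and cannot be undone by a rule."""
    return [rule["name"] for rule in rules
            if rule["category"] == "Managed Account"
            and rule["name"].startswith("Access:")
            and not any(f["field"] == "Asset Smart Group" for f in rule["filters"])]


def unprefixed_rules(rules: List[dict], prefixes=PREFIXES) -> List[str]:
    """Rules whose names do not follow the agreed prefix convention."""
    return [rule["name"] for rule in rules if not rule["name"].startswith(prefixes)]


def audit(rules: List[dict]) -> Dict[str, object]:
    return {
        "duplicate_manage_actions": duplicate_manage_actions(rules),
        "regex_filters": regex_filters(rules),
        "access_rules_without_asset_criteria": access_rules_without_asset_criteria(rules),
        "unprefixed_rules": unprefixed_rules(rules),
    }


if __name__ == "__main__":
    for check, findings in audit(RULES).items():
        print(f"{check}: {findings}")
```

Run periodically, the duplicate check is the one to act on first: every asset it reports is being re-written by two onboarding rules on each processing cycle.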

Tip

Minimize the use of Email Alert actions for best performance.

Asset Smart Groups

Asset Smart Groups show each endpoint that has communicated with BeyondInsight. Both Privilege Management and Password Safe use this Smart Group type. Privilege Management uses them for client status, events, and policy deployment. Password Safe uses them as the first step in many use cases to identify the asset associated with managed accounts.

Asset Discovery Smart Groups

Discovery by Scan

Dynamic asset discovery is typically performed by scanning a Directory Query of computer objects or a static list in an Address Group, set as the criteria in an Asset Smart Rule. Asset Smart Groups that use NSS scanning for discovery must include the Show as Smart Group action, regardless of the criteria type.

Discovery by API

API onboarding scripts or manual asset entry are alternative ways to bring asset information into BeyondInsight. After an asset is created in BeyondInsight, create an Asset Smart Group to group assets based on criteria provided manually or by API — such as operating system type or a custom attribute — to perform further actions on that group.

Assigning Attributes to Discovered Assets

Attributes enable you to further group assets or accounts. Create the attributes before assigning them. You can assign attributes manually, by API, or by Smart Rule. After attributes are assigned, they can be used as criteria to filter assets and enable further actions such as onboarding or access permissions.

Asset onboarding Smart Groups

Password Safe Onboarding

The criteria in Asset Onboarding Smart Groups can be any data that identifies the assets to manage, such as a predefined custom attribute or scan data. The Manage Asset with Password Safe action defines an Asset Onboarding Smart Group. This action sets the functional account that Password Safe uses. After an asset is managed, it is also listed as a managed system. Password Safe uses the assigned functional account to automate password rotation for local managed accounts on the managed system.

ℹ️

Asset Onboarding Smart Rules have a sign-in performance penalty. Do not grant Password Safe users Read access to these Smart Groups.

Asset Access Smart Groups

Asset Access Smart Groups group assets that user groups can read or modify in BeyondInsight. They are most commonly used for delegated BeyondInsight administrative access. These Smart Groups typically use attributes, scan data, or other limiting datasets in their criteria, and use only the Show as Smart Group action.

Asset Troubleshooting Smart Groups

Use troubleshooting Smart Groups for reporting and to identify assets that are not being captured correctly. For example:

  • Criteria that capture systems that are assets but not yet managed systems.
  • Criteria that capture assets for which credentialed scanning is not completing successfully.

Asset PM Agent Status Smart Groups

Privilege Management (PM) includes built-in Smart Groups that provide details about the PM agent status.

Assets Deploying PM Policy Smart Groups

This Smart Group type is used only with Privilege Management. The criteria identify and group the assets that need the policy. The action selects the policy to apply.

Managed System Smart Groups

Managed System Smart Groups are used only with Password Safe. They provide groupings of systems that are under Password Safe management.

Managed System Access Smart Groups

Managed System Access Smart Groups are similar to Asset Access Smart Groups. They group systems based on specific criteria and are used primarily to delegate user permissions to the managed system. Full permission provides delegated BeyondInsight administrative access to add or edit local managed accounts for managed systems within the group.

Managed Account Smart Groups

Managed Account Smart Groups are used only with Password Safe. They group the privileged accounts that Password Safe manages. Managed Account Smart Groups are also the most common Smart Groups assigned permissions and Password Safe roles in user groups.

Managed Account Onboarding Smart Groups

Dynamic onboarding

Managed Account Onboarding Smart Groups are typically dynamic rules based on scan or query results. The Manage Account Settings action identifies a Managed Account Onboarding Smart Group and configures the account to be managed by Password Safe.

🚧

Important information

If Enable Password Management is set to Yes in the Manage Account Settings action, the password for each matched managed account rotates when the Smart Rule is saved. When you first create a Managed Account Smart Rule, consider setting this option to No so you can verify that the rule returns only the intended results before enabling rotation.

Scan data for Managed Account onboarding

Assets are scanned with credentials to pull in local user data. For privileged accounts to be managed by Password Safe, use the User account attribute in the Smart Rule criteria. This also works when the Privilege Management client is configured to scan and report local user data to BeyondInsight in place of a network scan.

Directory query for Managed Account onboarding

If you use a Directory Query as the criteria, add an action to link the domain accounts to the appropriate Managed System Smart Groups.

Managed Account dedicated account mapping Smart Groups

This Smart Group type is used for one specific Password Safe use case: managing individual privileged accounts instead of shared ones (also called one-to-one mapping).

The criteria use the Dedicated Account option with a prefix, suffix, or directory attribute such as employeeID. The action uses Map Dedicated Accounts To and selects the user group that contains the user whose username matches the managed account. This mapping prevents any other Password Safe user, including administrators, from using the managed account.

ℹ️

Managed Account Smart Groups that use Dedicated Account criteria process when a change to the mapped user group is detected.

Managed Account Linking Smart Groups

Linking is an action available for previously onboarded directory managed accounts. Directory managed accounts must be linked to a managed system before they appear in Password Safe.

Smart Rule actions can only create linking settings between managed accounts and managed systems. There is no Smart Rule action to unlink a managed account from a managed system. To unlink, use one of the following methods:

  • Manually unlink individual accounts.
  • Use the API.
  • Use the bulk Unlink option by selecting accounts in the Managed Account grid view.

Managed Account Access Smart Groups

Managed Account Access Smart Groups delegate access to user groups when you need to restrict access to a smaller subset of managed accounts or user groups. Criteria can use attributes for additional filtering.

Managed Account Manual Smart Groups (Quick Rules)

You can select managed accounts and quickly add them to a static Smart Rule by selecting Add to Smart Group in the Managed Account grid view. This process creates a Smart Group without requiring custom criteria and action selections. Quick Rules do not have a recurring processing schedule and can only be edited from the Managed Account grid view.

Additional Smart Groups

BeyondInsight includes additional built-in Smart Groups.

User policy Smart Groups

This Smart Group type is used only with Privilege Management. The criteria identify and group users who need the user policy applied. The criteria are typically a Directory Query that pulls in the accounts of users who sign in to systems that have the PM client. The action selects the policy to apply to authenticated users.

Building security with Smart Rules

Password Safe provides a method for users to access a resource (system or application) using an account. BeyondInsight provides a method for applying elevation rules to a group of resources. In both cases, access allows an unprivileged user to reach and use a privileged resource. The asset (resource) is a critical component of the full access strategy.

When you use the Many Simple strategy, multiple BeyondInsight features work together to build layered access reduction. Building an appropriate access policy requires creating and managing multiple Smart Rules, each performing some level of access reduction that the unprivileged user ultimately experiences.

Layers of access

Apply the following functions in layers to control access in BeyondInsight for EPM elevation or Password Safe:

  • Groups of resources that are the target of access.
  • Roles of unprivileged users who receive the access grant.

Password Safe access management includes these additional layers:

  • Groupings of accounts that have the appropriate rights to the resource.
  • Managed account dedication to ensure each user cannot request another user's dedicated administrator account.
  • Account linking to identify which resources are connected to which Active Directory, LDAP, or Microsoft Entra ID domains.

Each layer expands or contracts the resources an unprivileged user can reach. All layers are active in the Password Safe processing chain from the user's role to the target resource, even if the user or administrator does not directly see that Smart Group in the role's access rights.

Password Safe processing chain

For Password Safe users requesting access to a resource, Dedicated Account Mapping rules enforce dedicated account mapping system-wide, and Linking rules enforce linking system-wide. You can therefore rely on the results of Linking and Mapping rules when you design Access Rules.

For example, if a user has Requestor access to an Access rule that lists 50 dedicated admin accounts, they see only their own account for checkout. This lets you build an Access Smart Rule with only two criteria (an Asset Access Smart Rule for MSSQL database servers, and all managed accounts with a specific suffix such as _adm) and assign the DBA role Requestor rights to that Smart Rule, so that only DBAs can sign in, and only to the Microsoft SQL servers.
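The processing chain above, as an added model written for this guide rather than BeyondTrust code: each layer (role, resource, linking, dedication) is one check in the function below, and the constructed data (50 userNN_adm accounts dedicated to userNN, one MSSQL managed system, one Access rule with Requestor granted to a DBA group) reproduces the example in the paragraph. Account, system and group names are assumptions.

```python
from typing import Dict, Optional, Set

# Dedication layer: managed account -> the single user it is mapped to
# (None for a shared account). Constructed: user01_adm..user50_adm.
ACCOUNTS: Dict[str, Optional[str]] = {
    f"user{i:02d}_adm": f"user{i:02d}" for i in range(1, 51)
}
ACCOUNTS["svc_backup"] = None  # shared service account, not dedicated

# Linking layer: which directory accounts each managed system may use.
LINKS: Dict[str, Set[str]] = {
    "sql01": set(ACCOUNTS),      # every domain account linked to the SQL server
    "web01": {"svc_backup"},     # only the shared account linked here
}

# Access layer: one rule built from an Asset Access rule for MSSQL servers
# plus all accounts ending in _adm, with Requestor given to the DBA group.
ACCESS_RULES = [
    {"name": "Access: DBA _adm on MSSQL",
     "systems": {"sql01"},
     "accounts": {a for a in ACCOUNTS if a.endswith("_adm")},
     "requestor_groups": {"DBA"}},
]


def requestable_accounts(user: str, groups: Set[str], system: str,
                         access_rules=ACCESS_RULES, links=LINKS,
                         accounts=ACCOUNTS) -> Set[str]:
    """Accounts `user` can check out on `system` once every layer has applied."""
    visible: Set[str] = set()
    for rule in access_rules:
        # Role layer: the user must hold Requestor through one of the rule's groups.
        if not groups & rule["requestor_groups"]:
            continue
        # Resource layer: the rule must cover this managed system.
        if system not in rule["systems"]:
            continue
        for account in rule["accounts"]:
            # Linking layer: the account must be linked to this system.
            if account not in links.get(system, set()):
                continue
            # Dedication layer: a dedicated account is usable by its owner only,
            # whatever other groups or roles the requester holds.
            owner = accounts.get(account)
            if owner is not None and owner != user:
                continue
            visible.add(account)
    return visible


if __name__ == "__main__":
    print("user07 on sql01:", requestable_accounts("user07", {"DBA"}, "sql01"))
    print("user07 on web01:", requestable_accounts("user07", {"DBA"}, "web01"))
    print("biadmin on sql01:", requestable_accounts("biadmin", {"DBA", "Administrators"}, "sql01"))
```

The Access rule lists all 50 accounts, yet the DBA user07 sees only user07_adm, and a user who belongs to more groups (including an administrator in the DBA group) sees none of them, because dedication is enforced before the Access rule's results are shown.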

Configuration example

Example

The following steps walk through a complete Smart Group configuration workflow for a typical Password Safe deployment.

Step 1: Asset Discovery

Create a Discovery/Scanning Smart Rule to scan assets. If you use attributes, create a Discovery Rule to identify the asset.

Step 2: Asset onboarding

Onboard assets based on attributes or variable data by creating an Asset Onboarding Smart Rule with the Manage Asset with Password Safe action.

Step 3: Asset access control

After assets are onboarded into Password Safe, create an Asset Access Control Smart Rule to group assets for user access.

Step 4: Account onboarding

Onboard accounts either locally or from Active Directory. For directory accounts, create a Managed Account Onboarding Smart Rule with a Directory Query as the criteria, and add a Linking action.

Step 5: Account linking and dedicated account mapping

In many deployments, linking and mapping are applied broadly. Linking is done to all systems in the appropriate domain. Dedicated Account Mapping is not domain-specific or system-specific; any account maps to all users who can sign in to Password Safe. Access Control performs the majority of account limiting.

Step 6: Account access control

Create an Account Access Control Smart Rule that groups the onboarded accounts and assets together and applies the appropriate access settings.

Step 7: RBAC assignment

Assign the User Group to the Account Access Control Smart Rule to complete the role-based access control configuration.


©2003-2026 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.