Assets | BI Cloud
What is an asset?
Assets refer to any IP-addressable device that exists in your environment (for example, a desktop machine, a network device, or any of several supported platforms).
How is asset management useful?
Asset management is necessary for several reasons:
- Network Visibility & Inventory Management – Keeping track of all assets ensures that organizations have a clear understanding of what devices are connected to their network, preventing unauthorized or unknown devices from posing security risks.
- Security & Compliance – Identifying and monitoring assets helps enforce security policies, ensuring compliance with regulations and detecting vulnerabilities before they can be exploited.
- Risk Management – Understanding what assets exist allows organizations to assess risks associated with each device, apply necessary patches, and implement security measures to reduce potential threats.
- Incident Response – When a security incident occurs, knowing the assets in the environment helps in tracing the source of the issue, containing the attack, and implementing remediation steps.
- Lifecycle Management – Organizations can track asset lifecycles, plan for hardware refreshes, software updates, and decommission obsolete devices.
How do I access assets?
- Use a browser to sign in to your BeyondInsight/Password Safe URL. This URL is provided in the BeyondTrust welcome email and includes your site URL followed by /login.
- From the left menu, click Assets. The Assets page displays.
The Assets home page

- Left menu: Easy access to all pages in BeyondInsight/Password Safe, including the Home, Assets, Smart Rules, Discovery Scanner, Management Systems, Managed Accounts, Password Safe, Secrets Safe, Analytics and Reporting, Configuration, and About pages.
- Header: Navigate to your favorite pages, view your notifications, access your connected apps, and set your account preferences.
- More options menu: Select Manage Smart Rules or Run a New Discovery Scan.
- Create New Asset: Click to create a new asset.
- Filters: Select a filter to refine your results. Filter types:
  - Smart Group filter: Filter by Smart Groups.
  - Last Updated filter: Filter by last updated timeframe.
  - Filter by: Filter by Asset, Domain, Operating System, Description, Asset Type, Solution, DNS Name, Workgroup, or IP Address.
- Grid display preferences: Set display preferences on the Assets grid using the icons above the grid: refresh the list, download the list to a .csv file, select which columns to display on the page, configure your page display, and expand the grid.
- Asset list columns (not all columns display in the image above): Asset, Domain, Operating System, Description, Asset Type, Solution, Last Updated, Created, DNS Name, Workgroup, and IP Address.
- Assets grid: Displays information based on filter selections.
- List navigation options: Navigate in the Assets list.
Manage assets
The Assets page allows you to review details about your assets quickly by filtering your assets by last update time, type of asset, domain, operating system, technical solutions applied to the asset (for example, an asset is a scanned host or database host), DNS name, Workgroup, and IP address.
Click the columns icon above the grid to modify which columns display in the grid.
To maintain a manageable database size, assets and scan data are purged every 30 days. We recommend running discovery scans at least every 30 days to refresh asset data.
Review asset details
Depending on the scan settings, information might not be detected and included in the scan results. If the following scan settings are turned on, more accurate scan results can be expected:
- Perform Local Scanning
- Enable WMI Service
- Enable Remote Registry Service
To review high-level detail information for an asset:
- Click the asset's menu > View Details.
To view advanced detail information for an asset:
- Click the asset's menu > Go to Advanced Details.
Advanced Details - General data
- Details & Attributes: Displays details about the asset such as IP address, DNS name, domain, system name, system description, Workgroup, the dates the asset was added and updated, operating system, etc.
- Accounts: If the asset is linked to a managed system, the managed accounts on that system are listed in the grid.
Click the View Managed System link above the grid to view the advanced details for the managed system that is linked to the asset. To return to the advanced details for the asset, click the View Asset link.
- IIS Application Pools: Displays IIS Application Pools discovered on the asset on the last successful scan of the system.
- Databases: Displays the databases that are on the asset and allows you to add a database.
- Smart Groups: Displays the Smart Groups that the asset is associated with.
Scan data
By default, the current snapshot of scan data is selected. You can select other available snapshots to load the data for that date. Scan snapshots are purged from the database every 30 days.
- Ports: Displays the open port number, protocol, and description.
- Scheduled Tasks: Displays information about scheduled tasks for a particular asset, including task name, task to run, last time the task ran, schedule type, etc.
- Services: Displays discovered services, including name, description, state, logon details, startup type, and dependencies.
- Software: Lists all software discovered on the asset, including version.
- Users: Includes several attributes for user accounts, including: name, privileges, password age, last logon date, password expiry status, group membership, and status of the account, and allows you to filter by these attributes.
Create assets manually
Assets are added to BeyondInsight through discovery scans. Assets can also be manually added from the Assets page.
To manually add assets:
- From the left menu, click Assets. The Assets page displays.
- Select All Assets from the Smart Group filter dropdown.
- Click + Create New Asset. The Create Asset panel displays.
- Complete the Create Asset form.
- Click Create Asset.
- New assets created in any Smart Group other than All Assets might not appear under the selected Smart Group if the Smart Rule criteria are not met, or until the Smart Rule processes. We recommend that you create new assets using the All Assets Smart Group.
- A manually added asset can have its basic information edited, such as Name, DNS Name, Domain, Asset Type, IP Address, and Workgroup. Asset attributes cannot be edited at the individual asset level at this time. If this is necessary, Smart Rules can be used to modify the attributes associated with an asset.
Delete assets
You can remove assets from the Assets grid immediately. Assets removed from the grid are deleted from the BeyondInsight database during the nightly data purge.
To remove an asset:
- From the left menu, click Assets. The Assets page displays.
- Check the box to the left of every asset you want to delete. Use the filters above the grid to narrow the list to the assets targeted for deletion, and then press Ctrl + A to select all assets in the grid at once.
- Click Delete above the grid.
- Click Delete on the confirm deletion message.
Asset tools
BeyondInsight provides a set of tools to help you organize assets for scanning.
Depending on the number of assets that you want to scan or the critical nature of some of your assets, consider organizing the assets using address groups or Active Directory queries which can be part of a Smart Rule.
The following list provides examples on ways you can use these tools:
- Create an IP address group that organizes assets by a range of IP addresses, including CIDR notation and named hosts.
- Use an Active Directory query that will organize assets by organizational unit. Create a Smart Rule and use the query as your selection criteria.
- Change the properties for assets, and then use the attributes as the selection criteria in the Smart Rule.
Scans can return a lot of information. To help you review scan results, you can create filters and set preferences on the Assets page to easily review scan results.
Create an address group
When creating a Smart Rule, you can create an address group to use as an IP address filter. An address group can contain included or excluded IP addresses. IP addresses are entered as one of the following:
- Single IP address
- IP range
- CIDR Notation
- Named host
- The BeyondInsight user must be a member of the Administrators group or be assigned the Full Control permission on the Asset Management and the applicable Smart Rule Management feature(s) to be able to create and edit Smart Rules.
- Users assigned Read Only permissions on these features may only view the details of Smart Rules.
Create an Always address group
You can create an address group and name it Always. The Discovery Scanner recognizes this address group name and includes the group in every scan, regardless of whether the group is selected in the scan job. The address group can include and exclude IP addresses.
The next time a scan runs, the address group is synchronized with the Discovery Scanner. The IP addresses, whether they are included or omitted, are considered part of the running scan.
Example
If the Always address group contains 10.10.10.60 (included) and buffett-laptop (omitted), and a scan job targets 10.10.10.50 and buffett-laptop, the results are as follows:
- The scan includes 10.10.10.60 since this IP address was added to the Always address group.
- The scan excludes buffett-laptop since this asset was explicitly omitted in the Always address group.
- 10.10.10.50 is scanned as usual.
If an asset was scanned and later added to the Always address group as Omit, the asset is not scanned but might be displayed in the report. This only occurs with some reports.
- From the left menu, click Configuration. The Configuration page displays.
- Under Discovery Management, select Address Groups. The Address Groups page displays.
- Click Create New Address Group +.
- Name the address group Always.
- Click Create Address Group.
- Select the Always address group.
- From the Addresses in Group pane, click Create New Address + to manually add the IP addresses. The Create New Address pane displays.
  - Select a type from the Type list.
  - Enter the IP address, CIDR notation, or host name, depending on which type you selected.
  - Enable Omit this entry to exclude the address.
  - Click Create Address.
- Or click Import Addresses to import them into the group using a file. The Import Addresses pane displays.
  - Enable the Overwrite all existing addresses option, if desired. Overwriting replaces every entry currently in the group, and because the Always group is merged into every scan, review the file before importing it.
  - Click Drag and drop or click to select files to upload to navigate to the import file.
  - Click Import.
The list in your import file depends on your particular needs. The list can contain all IP addresses that you wish to exclude. To mark an IP address as excluded, use the format: 192.x.x.x (1).
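The Always-group merge rule from the example above and the import-file format, worked through in code. This is an added example, not BeyondInsight's own logic. It assumes one entry per line, an IP range written as lo-hi, and a trailing (1) marking an omitted entry, as in the 192.x.x.x (1) format; the sample file contents are constructed from the page's example.

```python
"""Address-group import file -> effective scan targets (added example).

Assumed format: one entry per line; an entry is a single IP, an IP range
written lo-hi, a CIDR block, or a host name; a trailing ' (1)' marks the
entry as omitted. Merge rule as the page describes it: included Always
entries are added to every scan, omitted entries are removed even when the
scan job lists them explicitly.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Entry:
    kind: str    # 'ip', 'range', 'cidr' or 'host'
    value: str
    omit: bool


def _as_ip(text: str):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def parse_entry(line: str) -> Entry:
    """Classify one import-file line; a ' (1)' suffix marks an omitted entry."""
    text = line.strip()
    omit = text.endswith("(1)")
    if omit:
        text = text[:-3].rstrip()
    if _as_ip(text) is not None:
        return Entry("ip", text, omit)
    if "/" in text:
        ipaddress.ip_network(text, strict=False)      # raises on a malformed block
        return Entry("cidr", text, omit)
    lo, sep, hi = text.partition("-")
    if sep and _as_ip(lo) is not None and _as_ip(hi) is not None:
        return Entry("range", text, omit)
    return Entry("host", text, omit)   # host names may contain '-' (buffett-laptop)


def parse_import_file(text: str) -> List[Entry]:
    return [parse_entry(ln) for ln in text.splitlines() if ln.strip()]


def matches(entry: Entry, target: str) -> bool:
    """Does a scan target (IP or host name) fall under an address-group entry?"""
    if entry.kind == "host":
        return target.lower() == entry.value.lower()
    ip = _as_ip(target)
    if ip is None:
        return False
    if entry.kind == "ip":
        return ip == ipaddress.ip_address(entry.value)
    if entry.kind == "cidr":
        return ip in ipaddress.ip_network(entry.value, strict=False)
    lo, _, hi = entry.value.partition("-")
    return ipaddress.ip_address(lo) <= ip <= ipaddress.ip_address(hi)


def expand(entry: Entry) -> List[str]:
    """Concrete targets an included entry contributes to the scan."""
    if entry.kind in ("ip", "host"):
        return [entry.value]
    if entry.kind == "cidr":
        net = ipaddress.ip_network(entry.value, strict=False)
        return [str(h) for h in net.hosts()]   # a large block expands to many hosts
    lo, _, hi = entry.value.partition("-")
    first, last = int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi))
    return [str(ipaddress.ip_address(i)) for i in range(first, last + 1)]


def effective_targets(scan_targets: Iterable[str], always: Iterable[Entry]) -> List[str]:
    """Merge the Always group into a scan job's own target list."""
    always = list(always)
    targets: List[str] = []
    for t in list(scan_targets) + [x for e in always if not e.omit for x in expand(e)]:
        if t not in targets:
            targets.append(t)
    omits = [e for e in always if e.omit]
    return [t for t in targets if not any(matches(e, t) for e in omits)]


# Constructed sample: the Always group from the page's example.
ALWAYS_FILE = "10.10.10.60\nbuffett-laptop (1)\n"

if __name__ == "__main__":
    print(effective_targets(["10.10.10.50", "buffett-laptop"], parse_import_file(ALWAYS_FILE)))
```

Run as-is, the script prints the two targets the page's example says are scanned: 10.10.10.50 (from the job) and 10.10.10.60 (added by the Always group), with buffett-laptop removed because it is omitted.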
Create a Smart Rule based on an address group
When configuring an address group, you can choose to create a Smart Rule based on the address group.
- From the left menu, click Configuration. The Configuration page displays.
- Under Discovery Management, select Address Groups. The Address Groups page displays.
- From the Address Groups pane, click the menu for the address group.
- Select Create Smart Rule.
- Leave the default name, or name the Smart Rule as desired.
- Select the appropriate option to make the Smart Rule available to all user groups, or to administrators only.
- Click Create Smart Rule. A message stating Smart Rule has been created for this Address Group appears.
To view this new Smart Rule:
- From the left menu, click Configuration. The Configuration page displays.
- Under General, select Smart Rules. The Smart Rules page displays.
- Navigate to the new Smart Rule.
Create a directory query
You can create an Active Directory or LDAP query to retrieve information from Active Directory or LDAP to populate a Smart Rule. To work with directory queries, the BeyondInsight user must be a member of the Administrators group or assigned the Asset Management permission.
Create a new directory query or clone an existing query as follows:
- From the left menu, click Configuration. The Configuration page displays.
- Under Role Based Access, select Directory Queries. The Directory Queries page displays.
- Click Create New Directory Query, or click the menu next to an existing query and select Clone.
- From the Directory Type list, select Active Directory or LDAP. Cloned queries keep the same directory type as the query being cloned.
- Enter a name in the Title field.
- Select a stored credential for running this query, or click Create New Credential to be taken to the Directory Credentials page where you can add a new one. At minimum, the credential must have Read permissions on the computer objects you are enumerating; a read-only directory account is sufficient and preferable to a more privileged one.
- Enter the directory path for the Query Target, or click Browse to search for a path and add it.
- Select a scope to apply to the container.
- Select an object type.
- Enable or disable the Dynamically refresh results each use option.
- For the Basic Filter, provide a Name and Description, or use the * wildcard character to match multiple values.
- Click Test to ensure the query returns the expected results. We recommend you preview results before saving the query.
- Click Create Directory Query. A warning message displays the following: Creating or modifying Directory Queries can have a significant impact to the onboarding Smart Rules that use this query. Are you sure you want to save this Directory Query?
  - Click Confirm to create the query.
  - Click Cancel to return to the query form to make changes.
- If you did not test the query, a warning message displays the following: Are you sure you want to save this Directory Query without previewing the results?
  - Click Confirm to create the query without testing it.
  - Click Cancel to return to the query form to make changes or test the query before saving it.
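How a directory query's Query Target, scope, object type and Basic Filter translate into the LDAP search that is actually sent, as an added example that is not BeyondInsight's implementation. The object type names (Computers, Users, Groups), the scope names and the attribute lists are assumptions; the point it demonstrates is that a Name or Description pattern must be escaped per RFC 4515 so a value typed into the filter box cannot inject extra filter clauses, while the * wildcard the page describes is preserved.

```python
"""Directory query -> LDAP search parameters (added example, not BeyondInsight code).

Assumptions: Active Directory object classes for the three object types,
scope names Base / One Level / Subtree mapped to the ldap3 scope strings,
and that Name / Description map to the 'name' and 'description' attributes.
"""
from typing import Dict, List, Optional, Tuple

# Object type -> LDAP class clause (Active Directory conventions; assumed).
OBJECT_TYPES: Dict[str, str] = {
    "Computers": "(objectCategory=computer)",
    "Users": "(&(objectCategory=person)(objectClass=user))",
    "Groups": "(objectClass=group)",
}
# Page scope -> ldap3 scope constant (ldap3.BASE / LEVEL / SUBTREE are these strings).
SCOPES: Dict[str, str] = {"Base": "BASE", "One Level": "LEVEL", "Subtree": "SUBTREE"}


def escape_value(value: str, keep_wildcard: bool = True) -> str:
    """RFC 4515 escaping of an assertion value. '*' is kept as the wildcard
    when keep_wildcard is set; '(', ')', '\\' and NUL are always escaped so
    user input cannot close or extend the filter."""
    out: List[str] = []
    for ch in value:
        if ch == "*" and keep_wildcard:
            out.append(ch)
        elif ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_filter(object_type: str, name: Optional[str] = None,
                 description: Optional[str] = None) -> str:
    """AND the object-class clause with the Basic Filter fields that were given."""
    parts = [OBJECT_TYPES[object_type]]
    if name:
        parts.append(f"(name={escape_value(name)})")
    if description:
        parts.append(f"(description={escape_value(description)})")
    return parts[0] if len(parts) == 1 else "(&" + "".join(parts) + ")"


def build_search(query_target: str, scope: str, object_type: str,
                 name: Optional[str] = None,
                 description: Optional[str] = None) -> Tuple[str, str, str, List[str]]:
    """(base DN, scope, filter, attributes): the positional arguments of an
    ldap3 Connection.search() call for this directory query."""
    if object_type == "Computers":
        attrs = ["name", "dNSHostName", "operatingSystem", "description"]
    else:
        attrs = ["name", "sAMAccountName", "description"]
    return query_target, SCOPES[scope], build_filter(object_type, name, description), attrs


if __name__ == "__main__":
    # Constructed example: every computer under an OU whose name starts with WEB.
    print(build_search("OU=Servers,DC=corp,DC=example", "Subtree", "Computers", name="WEB*"))
```

The Test button on the page is the equivalent of running this search once and inspecting the result set; the escaping is what keeps a pattern such as `*)(userAccountControl=*` from becoming a second clause instead of a literal name.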
Update a directory query
Update an existing directory query as follows:
- From the left menu, click Configuration. The Configuration page displays.
- Under Role Based Access, select Directory Queries. The Directory Queries page displays.
- Click the menu to the right of the query.
- Select Edit from the menu.
- Modify query details as necessary.
- Click Test to ensure the query returns the expected results. We recommend you preview results before saving the query.
- Click Update Directory Query. A warning message displays the following: Creating or modifying Directory Queries can have a significant impact to the onboarding Smart Rules that use this query. Are you sure you want to save this Directory Query?
  - Click Confirm to update the query.
  - Click Cancel to return to the query form if you wish to make changes.
- If you did not test the query after making changes, a warning message displays the following: Are you sure you want to save this Directory Query without previewing the results?
  - Click Confirm to save the updated query without testing it.
  - Click Cancel to return to the query form if you wish to make changes or test the query before saving it.
If you’re changing the Query Target, we recommend testing the query before saving the changes to ensure the changes are working the way you expect. Any Smart Rules using that query will use the new target list the next time the rule processes.
Attributes and attribute types
Attributes can be used to label assets, and you can set attributes for each asset in a group using a Smart Rule. BeyondInsight ships with a default set of attributes that can be customized, except for the Criticality type, and you can also add new attribute types and attributes to meet your requirements.
Add a new attribute type
- From the left menu, click Configuration. The Configuration page displays.
- Under General, select Attributes. The Attributes page displays.
- Click + Add New Attribute Type.
- Type a name for the attribute type.
- Press the Enter key.
Add a new attribute
- Click the arrow to the left of the desired attribute type to expand its attributes.
- Click + Add New Attribute.
- Type a name for the attribute.
- Press the Enter key.
Add Assets to Password Safe Cloud
The following is a high-level overview of adding systems and accounts to be managed by Password Safe. Once assets are managed by Password Safe, selected users can request access to them. For details on adding specific systems, search for the particular system using the Search field.
A system and the associated account can be added to Password Safe in any of the following ways:
- Manually: After an asset is added to the management console, you can add the asset to Password Safe.
- Smart Rules: You can create a Smart Rule with selected filter criteria, to match on the systems that you want to add to Password Safe.
- Discovery Scanning: You can run a Discovery Scan in BeyondInsight on a selected range of IP addresses.
To maintain a manageable database size, assets and scan data are purged every 30 days. We recommend running discovery scans at least every 30 days to refresh asset data.
Add managed systems and accounts to Password Safe
There are three ways to add systems and accounts to Password Safe:
- Add the asset manually.
- Run a Discovery Scan and then import the assets using an address group or directory query.
- Use API scripts.
The following is a high-level overview of the steps required to add systems and accounts to be managed in Password Safe.
- Add the functional account: A functional account is one that can access the system with the privileges required to manage and change passwords for shared accounts on the system.
- Add the managed system: A managed system is a computer or device where one or more account passwords are to be maintained by Password Safe. Managed systems can be Windows machines, Unix/Linux machines, network devices, databases, firewalls, routers, iLO machines, and LDAP or Active Directory domains.
- Add the managed account: A managed account is an account on the managed system whose password is being stored and maintained through Password Safe. Typically, managed accounts are privileged accounts that can perform administrative tasks on the managed system.
- Configure managed system settings: After a system is added to Password Safe, configure settings that apply to the managed system.
- Set up role-based access: Create user groups that permit users to log in to the Password Safe web portal, assign Password Safe roles such as Requester or Approver, and create access policies that permit accounts to access systems, applications, and sessions, and to request password releases.
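The same onboarding order (functional account, then managed system, then managed account) driven through the Password Safe public API, which is the "API scripts" route listed above. This is an added example, not BeyondTrust's code. The endpoint paths and field names (api/public/v3, Auth/SignAppin with the PS-Auth header, FunctionalAccounts, Workgroups/{id}/Assets, Assets/{id}/ManagedSystems, ManagedSystems/{id}/ManagedAccounts) follow the public API as the author of this example understands it; verify them against the API guide for your version. The host, API key, workgroup and platform IDs, account names and the numeric value used for SshKeyEnforcementMode are placeholders and assumptions. The script also refuses to register the functional account as a managed account, which the page warns breaks password synchronization.

```python
"""Onboard functional account -> asset -> managed system -> managed account
via the Password Safe public API (added example; see lead-in for assumptions)."""
import http.cookiejar
import json
import urllib.request
from typing import Callable, Optional

# transport(method, url, headers, json_body) -> decoded JSON response (or None)
Transport = Callable[[str, str, dict, Optional[dict]], object]


def urllib_transport() -> Transport:
    """Real HTTP transport with one cookie jar, so the session cookie set by
    Auth/SignAppin is replayed on every later request."""
    opener = urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()))

    def send(method: str, url: str, headers: dict, body: Optional[dict]):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method,
                                     headers={"Content-Type": "application/json", **headers})
        with opener.open(req, timeout=30) as resp:   # raises on HTTP 4xx/5xx
            raw = resp.read()
        return json.loads(raw) if raw else None
    return send


def auth_header(api_key: str, runas: str) -> dict:
    """PS-Auth header: the key identifies the API registration, runas names the
    BeyondInsight user whose permissions the calls run under."""
    return {"Authorization": f"PS-Auth key={api_key}; runas={runas};"}


class PasswordSafeClient:
    def __init__(self, base_url: str, api_key: str, runas: str, transport: Transport):
        self.base = base_url.rstrip("/") + "/BeyondTrust/api/public/v3/"
        self.headers = auth_header(api_key, runas)
        self.send = transport

    def post(self, path: str, body: Optional[dict] = None):
        return self.send("POST", self.base + path, self.headers, body)

    def sign_in(self):
        return self.post("Auth/SignAppin")

    def sign_out(self):
        return self.post("Auth/Signout")


def onboard(client: PasswordSafeClient, workgroup_id: int, platform_id: int, ip: str,
            asset_name: str, functional_account: str, functional_password: str,
            managed_account: str, managed_password: str, contact_email: str) -> dict:
    """Create the objects in dependency order and return their IDs."""
    if managed_account.lower() == functional_account.lower():
        raise ValueError("the functional account must not also be a managed account")
    fa = client.post("FunctionalAccounts", {
        "PlatformID": platform_id, "AccountName": functional_account,
        "DisplayName": functional_account, "Password": functional_password,
        "Description": f"rotation account for {asset_name}"})["FunctionalAccountID"]
    asset = client.post(f"Workgroups/{workgroup_id}/Assets", {
        "IPAddress": ip, "AssetName": asset_name})["AssetID"]
    system = client.post(f"Assets/{asset}/ManagedSystems", {
        "PlatformID": platform_id, "FunctionalAccountID": fa,
        "ContactEmail": contact_email,
        "Timeout": 30,                  # seconds; the page's default
        "ReleaseDuration": 120,         # minutes; the page's default of 2 hours
        "MaxReleaseDuration": 525600,   # minutes; 365 days, the page's maximum
        "SshKeyEnforcementMode": 2,     # assumed: Manually Accept Keys
        "AutoManagementFlag": True, "CheckPasswordFlag": True,
        "ChangeFrequencyType": "xdays", "ChangeFrequencyDays": 30})["ManagedSystemID"]
    account = client.post(f"ManagedSystems/{system}/ManagedAccounts", {
        "AccountName": managed_account, "Password": managed_password,
        "AutoManagementFlag": True})["ManagedAccountID"]
    return {"FunctionalAccountID": fa, "AssetID": asset,
            "ManagedSystemID": system, "ManagedAccountID": account}


if __name__ == "__main__":   # placeholder values; take real ones from your tenant
    c = PasswordSafeClient("https://example.ps.beyondtrustcloud.com", "CHANGE-ME",
                           "apiuser", urllib_transport())
    c.sign_in()
    try:
        print(onboard(c, workgroup_id=1, platform_id=4, ip="10.10.10.60",
                      asset_name="buffett-laptop", functional_account="svc_psrotate",
                      functional_password="CHANGE-ME", managed_account="Administrator",
                      managed_password="CHANGE-ME", contact_email="secops@example.com"))
    finally:
        c.sign_out()
```

The transport is injected so the sequencing can be exercised against a fake without a tenant; the session is always signed out in `finally` so an aborted run does not leave an API session open.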
Create a functional account
A functional account on a managed system is required to manage passwords for accounts on that managed system. The passwords for functional accounts cannot be retrieved through the Password Safe web portal.
Important information
Do not set up a functional account as a managed account. Functional accounts have built-in management capabilities and passwords might fail to synchronize, causing issues.
The settings vary, depending on the type and platform chosen.
- From the left menu, click Configuration. The Configuration page displays.
- Under Privileged Access Management, select Functional Accounts. The Functional Accounts page displays.
- Click + Create New Functional Account. The Create New Functional Account panel displays.
- Select a type from the list.
- Select a platform from the list. DSS authentication and Automatic password management settings are not supported if you are using the pbrun jumphost elevated credential.
- Provide credentials and a description for the account.
- Provide an alias. The Alias value is shown in the selectors throughout Password Safe where you must select a functional account to use.
- Select a Workgroup, if applicable.
- If required, enable Automatic Password Management.
- Select the password policy and change frequency. This option enables automatic password changes, at the designated frequency, for each managed system that this functional account is associated with. If Automatic Password Management is enabled, the password is set immediately when a new functional account is added to Password Safe and changed again at the next scheduled rotation.
- Click Create Functional Account.
Override a functional account password
Every managed system that uses a specific functional account has a unique password associated with that functional account. The password on the managed system might be out of sync with the password in Password Safe. You can override a functional account password from the Functional Account section in the Advanced Details of a managed system.
Add a managed system manually
Settings vary depending on the platform type. When an account is manually added to a managed system, the default configuration of the account is set to what is configured on the managed system.
There are two ways to add a managed system to Password Safe manually:
- From the left menu, click Managed Systems. The Managed Systems page displays.
- Click Create New Managed System.
- Complete the Create New Managed System form.
- Click Create Managed System.
OR
- From the left menu, click Assets. The Assets page displays.
- Locate the asset you want to add as a managed system.
- Click the asset's menu > Add to Password Safe.
- Complete the Create New Managed System form.
- Click Create Managed System.
Below are the fields and settings with their descriptions that are available when creating a new managed system. The available fields change depending on the Entity Type and Platform for the system.
| Field / Setting | Description or Action |
|---|---|
| Entity Type | Type of system: Asset, Database, Directory, or Cloud. |
| Platform | The platform for the system based on the Entity Type. |
| Name | Unique name for the system. |
| Port | Default RDP port for new managed systems. |
| Instance Number (SAP only) | If you have added your System Application Products (SAP) environment to Password Safe management, provide the instance number. |
| Domain (Directory types only) | Name of the domain where the directory resides. |
| Description | Description for the system. |
| DNS Name | DNS name for the system. |
| IP Address | IP address for the system. |
| Allow Managed System to be an Application Host (non-Windows systems only) | Toggle on or off to allow the system to be an application host. |
| NetBIOS Name (Windows, Active Directory, and LDAP systems only) | Unique NetBIOS name for the system. |
| Workgroup | Select a pre-defined workgroup from the list. |
| Port | Enter a port number. |
| Automatic Password Change Options | Toggle Enabled to automatically check and update managed account passwords at a set frequency or after password releases. |
| Password Policy | Select a Password Safe password policy or use the default policy. The policy provides the requirements used by Password Safe to create passwords, such as password length and permitted characters. |
| Change Agent (available only when Endpoint Privilege Management is installed) | Select Password Safe or Endpoint Privilege Management client from the list. |
| Elevation | Select an elevated account to run as: sudo, pmrun, pbrun, pbrun jumphost. If you are using pbrun jumphost, enter the IP address for the Privilege Management for Unix & Linux policy server that you want to connect to. SSH Key Enforcement Mode is not available if you are using pbrun jumphost. |
| Functional Account | Select a functional account from the list. If a functional account is not available, click the Create New Functional Account link. The link is located in two places, below the dropdown and within the dropdown list. This allows you to create a functional account without leaving the Managed Systems page. The Create New Functional Account link is available to users with the Password Safe Configuration Management feature permission. |
| Use Login Account for SSH Sessions | Create a login account to allow the user to open an SSH session in environments where remote shell access is not permitted for the managed account, for instance the root account. Login Account: Select the account name. |
| Account Name Format (Windows, Linux, Oracle, MS SQL Server, and Active Directory only) | Select a format for the account name from the list: Domain\Account, UPN: accountName@domainName, or sAMAccountName: Account Name only. |
| Timeout | The timeout value determines the amount of time in seconds that a connection attempt to the managed system remains active before being aborted. In most cases, we recommend you use the default value (30 seconds). If there are problems with connection failures with the system, this value can be increased. |
| SSH Key Enforcement Mode | Verifies SSH host keys from a known host. You can import SSH keys from a host using a Smart Rule. Auto Accept Initial Key: the first key imported is automatically accepted; any new key imported after the initial key must be manually accepted. Manually Accept Keys: SSH connections to the host are permitted for accepted keys only. If a new key is detected from the host, the key is stored in the database and an email is sent to the Administrators user group; the key must then be accepted or denied. A changed host key can mean the host was rebuilt, but it can also mean the connection is being intercepted, so confirm the new fingerprint out of band before accepting it. |
| Default DSS Key Policy | If you are using DSS authentication for the system, select a key policy or use the default. |
| Release Duration | The duration that can be requested during the request process. The default value is 2 hours. When the Requested Duration (as entered by the user on the Requests page in the web portal) is exceeded, the session ends if the Force Termination option is enabled for the access policy. |
| Max Release Duration | The maximum length of time the requester is permitted to enter on the Requests page. Applies to password and session requests. The maximum length that can be set is 365 days. |
| Contact e-mail | Enter the email address where you want Password Safe system notifications to be sent. |
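The two SSH Key Enforcement Mode behaviours from the table, modelled as a small host-key store. This is an added example, not Password Safe code: in "auto" mode the first key seen for a host is trusted and any later, different key is held for a decision; in "manual" mode every key, including the first, waits for an administrator. The alert list stands in for the email sent to the Administrators group, fingerprints use OpenSSH's SHA256 base64 form, and the sample key blobs are constructed byte strings rather than real keys.

```python
"""SSH host-key enforcement modes as a key store (added example, not Password Safe code)."""
import base64
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Set


def fingerprint(key_blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint of a public key blob."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


@dataclass
class HostKeyStore:
    mode: str                                        # 'auto' or 'manual'
    accepted: Dict[str, Set[str]] = field(default_factory=dict)
    pending: Dict[str, Set[str]] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)  # stands in for the admin email

    def verify(self, host: str, key_blob: bytes) -> bool:
        """Run before a password change connects. True only when the key the
        host presented is accepted for that host."""
        fp = fingerprint(key_blob)
        acc = self.accepted.setdefault(host, set())
        if fp in acc:
            return True
        if self.mode == "auto" and not acc:
            acc.add(fp)                              # trust on first use
            return True
        # Unknown or changed key: record it once, alert, refuse the connection.
        if fp not in self.pending.setdefault(host, set()):
            self.pending[host].add(fp)
            self.alerts.append(f"{host}: new host key {fp} awaiting acceptance")
        return False

    def accept(self, host: str, fp: str) -> None:
        """Administrator confirmed the fingerprint out of band."""
        self.pending.get(host, set()).discard(fp)
        self.accepted.setdefault(host, set()).add(fp)

    def deny(self, host: str, fp: str) -> None:
        self.pending.get(host, set()).discard(fp)


if __name__ == "__main__":
    # Constructed keys: a host is first seen with key one, then presents key two.
    store = HostKeyStore("auto")
    print(store.verify("buffett-laptop", b"ssh-ed25519 constructed-key-one"))   # True
    print(store.verify("buffett-laptop", b"ssh-ed25519 constructed-key-two"))   # False
    print(store.alerts)
```

The second call is the case that matters: the rotation is refused and an alert raised, so a rebuilt host needs one explicit accept, and an interposed host never gets the functional account's credential.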
Add managed systems and accounts using Smart Rules
You can add assets to Password Safe using an asset-based Smart Rule.
- Before proceeding, consider the selection criteria to use to add the assets. There are several options available, including Operating System and Directory Query.
- SSH key enforcement is not supported when using the pbrun jumphost elevated credential. The settings display as available after pbrun jumphost is selected. However, the settings will not work with the elevated credential.
- From the left menu, click Smart Rules. The Smart Rules page displays.
- Select Asset from the Smart Rule type filter.
- Click + Create Smart Rule.
- Select a Category from the dropdown.
- Enter a Name and Description for the Smart Rule.
- Select a Reprocessing Limit from the dropdown to limit how often the Smart Rule processes.
Default means the Smart Rule processes when necessary. This is the preferred setting for less intensive processing. For more intensive processing select another option to restrict the Smart Rule to run once per selection.
A Smart Rule always processes when first saved or updated.
- Set the Selection Criteria under Include Items that match the following.
- Select filter criteria from the list.
- If required, click Add Another Condition.
- Select Manage Assets Using Password Safe under Actions.
- Select the Platform, Functional Account, and Account Name Format under Actions. Other settings may be left as defaults or changed as required.
- Click Add another action.
- Select Show managed account as Smart Group.
- Click Create Smart Rule.
- The Managed System Descriptions setting is available for Active Directory only.
- These settings are the same settings available when adding the system manually by creating a new managed system.
- To view contents of a Smart Rule when creating a new rule or editing an existing rule:
- Once the rule is saved, click View Results.
- You are taken to the associated grid, where the contents of the Smart Rule are listed.
- If the rule is actively processing, a banner displays letting you know that.
- View Results displays only if you have permissions to the grid corresponding to the Smart Rule, i.e., Assets, Managed Accounts, or Managed Systems.
- The Smart Rule must be saved with Show as Smart Group selected under Actions to view the results.
- Because the Smart Rule must process to display the contents in the grid, we recommend viewing the results using only the Show as Smart Group action and before adding additional actions that may make changes to accounts and assets in your network. Once you have confirmed the rule contains your desired items, you can then add additional actions to the Smart Rule.
Add Active Directory managed accounts using a Smart Rule
You can create a Smart Rule that discovers and adds Active Directory accounts to Password Safe, using the below procedure. The procedure also shows how to link domain accounts to the system.
A directory query and a domain should be created prior to creating a Smart Rule.
- From the left menu, click Smart Rules. The Smart Rules page displays.
- From the Smart Rule type filter list, select Managed Account.
- Click + Create Smart Rule.
- Select a Category from the dropdown.
- Enter a Name and Description for the Smart Rule.
- Select a Reprocessing Limit from the dropdown to limit how often the Smart Rule processes. Default means the Smart Rule processes when necessary. This is the preferred setting for less intensive processing. For more intensive processing, select another option to restrict the Smart Rule to run once per selection.
- Select the Selection Criteria as applicable:
- Asset Smart Group: Select a Smart Group from the list.
- Child Smart Rule: Select a Smart Rule you want to filter the child Smart Rules from.
- Dedicated Account: Select an account filter from the list. Enter a keyword to search on.
- Directory Query: Choose to Include or Exclude accounts from Directory Query.
- Select a query from the list, or click Create New Directory Query to open the form and create a new query.
- Provide the frequency for the query to run. Leave the entry as 0 for a one time run.
- Enable the Discover accounts for Password Safe Management option to discover accounts when the Smart Rule processes.
- Select a Domain from the list.
- Managed Account Fields: This filter only applies to existing managed accounts.
- Select a filter: Account Name, Create Date, Description, Domain Name, Last Change Date or Last Change Result.
- Select an expression, and then enter a keyword to search on, for example, WIN for Windows.
- Managed System Fields: The Smart Rule is filtered according to the managed system you select.
- Select a filter: System Name, Create Date, Last Update Date.
- Select an expression, and then enter a keyword to search on, for example, WIN for Windows.
- Platforms: Select a platform or check Select All.
- User Account Attribute: Select the attribute from the list, and then provide the filter condition and value for that attribute. For each attribute filter, select Yes for Discover accounts for Password Safe Management, and then select a Smart Group to search in.
- Privilege: Select is one of or is not one of. Select All or one, or a combination of Administrator, Guest, or User.
- SID: Select an expression, and then enter a keyword to search on.
- Account Name: Select an expression, and then enter a keyword to search on.
- Password Age: Select an expression, and then select age parameters to search on.
- Select Manage Account Settings under Actions to add the accounts that match on the criteria to Password Safe. The settings are the same when you add the accounts manually.
- Additional properties can be set under Actions:
- Assign preferred Domain Controller on each Active Directory account: Select the Active Directory domain and Domain Controller from the lists.
- Assign workgroup on each account: Used with agent workgroups in multi-active deployments, this action enables you to define groups of accounts that will be assigned to specific password change agents. Select a workgroup from the list, or select Any.
- Link domain accounts to Managed Systems: When used with Directory Accounts filter criteria, this action creates a linked association between the directory accounts and the target asset Smart Groups for role-based access control.
- Link managed accounts to Remote Applications: Assigns the application(s) to any managed accounts that match the Session Criteria.
- Map Dedicated Accounts To: Use only when the Dedicated Accounts filter criteria is selected. This action identifies the group of user accounts that are used to match against the dedicated account mask condition.
- Send an email Alert: Select to send an email alert when the Smart Rule processes. The email contains a summary of the results: the managed accounts matched by the Smart Rule and any changes since its last execution.
- Set attributes on each account: Select to assign an attribute to filter and sort managed accounts. When viewing the Smart Groups on the Managed Accounts page, the groups are organized based on the filters selected in the Smart Group. You can use the default attributes that are available or create an attribute on the Configuration page. When the Smart Rule runs, the attribute is applied to all managed accounts that match on the selected filter criteria.
- Click Add another action.
- Select Show managed account as Smart Group.
- Click Create Smart Rule.
Add Endpoint Privilege Management for Windows systems and local accounts into Password Safe
The integration between Password Safe and Endpoint Privilege Management for Windows (EPM) allows for agent-based local account password rotation and privileged account retrieval to run as actions for accounts on Windows systems where an EPM agent is running.
Prior to BeyondInsight 24.1, EPM agents could only use certificates to authenticate with BeyondInsight. You can download the certificate from Configuration > System > Downloads > Download Client Certificate in the BeyondInsight console. BeyondInsight configuration segments can be included in the EPM policy to enable policy management from one console and password policy from Password Safe.
Use installer activation keys to leverage OAuth authentication when configuring:
- Endpoint Privilege Management (EPM) agents that support OAuth communications.
- Discovery Scanner event client and central policy.
In Endpoint Privilege Management for Windows, features to support Password Safe integration include:
- Off-network account management: The EPM agent contacts Password Safe for password tests or password changes.
- Allow as Password Safe user: You can run an application using managed account credentials sourced from Password Safe.
Discover local accounts on EPM Windows systems
For 22.4 and later releases of Password Safe in conjunction with the Endpoint Privilege Management for Windows 22.9 EPM agent, discovery can be performed by the EPM agent on the EPM Windows system on a scheduled basis, eliminating the need to run a discovery scan in BeyondInsight. The EPM agent, running on a Windows system, publishes local user data to the Assets grid in BeyondInsight. You can then add the local accounts to Password Safe using a Smart Rule or add them manually.
For Password Safe releases prior to 22.4, you can add well-known local admin accounts into Password Safe using a Smart Rule, eliminating the need to run a discovery scan in BeyondInsight, as documented in the next section.
Add known local admin managed accounts using a Smart Rule
It can be useful in some cases to onboard well-known local admin accounts, such as the Windows administrator or the Linux root account, from endpoints into Password Safe without the need to run a discovery scan against the endpoints. You can create a managed system Smart Rule that uses the Create Managed Account on each system action to accomplish this.
One scenario in which this is useful is when you have Endpoint Privilege Management (EPM) clients in your environment. You can create a managed system Smart Rule to add local accounts as managed accounts from the EPM client endpoints so that a password rotation event exists when the EPM agent requests it. Having these preconfigured managed accounts saves time by not having to configure and run a discovery scan after the EPM agent makes the request.
Create the Smart Rule as follows:
- From the left menu, click Smart Rules. The Smart Rules page displays.
- From the Smart Rule type filter list, select Managed System.
- Click + Create Smart Rule.
- From the Category dropdown, select Managed Systems.
- Enter a name and description.
- Under Selection Criteria, select Asset Smart Group and All EPM Clients from the dropdowns.
- Under Actions, select Show managed system as Smart Group.
- Click Add another action.
- Select Create Managed Account on each system.
- Leave the remaining settings for Actions as default or modify as required.
- Click Create Smart Rule.
- Administrator is the default account name, because that is the standard local admin account name on Windows systems. You can modify the name if your environment uses something other than the default local admin account name. You can also add multiple Create Managed Account on each system actions if you have additional local admin accounts you wish to manage with Password Safe.
- To view the contents of a Smart Rule when creating a new rule or editing an existing rule:
- Once the rule is saved, click View Results.
- You are taken to the associated grid, where the contents of the Smart Rule are listed.
- If the rule is actively processing, a banner displays to indicate this.
- View Results displays only if you have permissions to the grid corresponding to the Smart Rule, i.e., Assets, Managed Accounts, or Managed Systems.
- The Smart Rule must be saved with Show as Smart Group selected under Actions to view the results.
- Because the Smart Rule must process to display the contents in the grid, we recommend viewing the results using only the Show as Smart Group action and before adding additional actions that may make changes to accounts and assets in your network. Once you have confirmed the rule contains your desired items, you can then add additional actions to the Smart Rule.
Configure Functional Account Requirements in Azure
Follow the steps below to set up Entra ID for use with BeyondTrust Password Safe.
- Create enterprise application
- Configure app registration
- BeyondTrust Password Safe configuration
- Create a second enterprise application
Accounts can be managed with or without multifactor authentication enabled in Azure.
Create enterprise application
Create this enterprise application to map to the Application (Client) ID for the functional account.
- In Microsoft Azure, go to Enterprise Applications.
- Select New application.
- Select Create your own application.
- Name your application.
- Select the application type (App you're developing).
- Click Create.
- Update the name if necessary.
- Select the Supported Account Types (this directory only).
- Click Register.
- Under Properties, disable Assignment required and Visible to users.
- Click Save.
Configure app registration
- In the Overview section, copy the Application (Client) ID and Directory (Tenant) ID. These are needed later to configure the Password Safe functional account.
- In the Authentication section, enable Allow public client flows.
- Click Save.
- In the Certificates and secrets section, click New client secret.
- Enter the Description and an expiration date.
- Click Add.
- Copy the secret Value. This is needed later to configure the Password Safe functional account.
The value is displayed only once, immediately after adding the new secret.
- In the API permissions section, add Microsoft Graph.
- Select type Application permissions.
- Add Microsoft Graph application permissions UserAuthenticationMethod.ReadWrite.All, Domain.Read.All, Group.Read.All, and User.EnableDisableAccount.All.
- If User.Read is not already added, select Delegated permissions and add it.
- Click Add Permissions.
- Click Grant admin consent for your organization.
- Click Yes on the confirmation message.
- From the main menu, select Roles and administrators.
- Select the Helpdesk administrator role.
- Click Add assignments.
- Assign the application to the Helpdesk administrator role.
This completes configuration in Microsoft Azure. The remaining steps are done in BeyondTrust Password Safe.
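To verify the app registration ends up with exactly the Microsoft Graph permissions listed above (and nothing broader), here is an added example that audits an exported app registration manifest; it is not BeyondTrust or Microsoft code. It assumes the real manifest shape (requiredResourceAccess / resourceAccess with id and type), while the GUIDs and the catalog mapping them to permission names are constructed placeholders.

```python
# Constructed audit of an Entra app registration manifest (added example, not
# BeyondTrust or Microsoft code). The manifest shape is real; the GUIDs are
# constructed placeholders, not Microsoft's actual permission IDs.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph resource appId

# Permissions this procedure grants: name -> "Role" (Application) or "Scope" (Delegated)
REQUIRED = {
    "UserAuthenticationMethod.ReadWrite.All": "Role",
    "Domain.Read.All": "Role",
    "Group.Read.All": "Role",
    "User.EnableDisableAccount.All": "Role",
    "User.Read": "Scope",
}

# Stand-in for the Graph service principal's appRoles/oauth2PermissionScopes (id -> value)
GRAPH_CATALOG = {
    "11111111-0000-0000-0000-000000000001": "UserAuthenticationMethod.ReadWrite.All",
    "11111111-0000-0000-0000-000000000002": "Domain.Read.All",
    "11111111-0000-0000-0000-000000000003": "Group.Read.All",
    "11111111-0000-0000-0000-000000000004": "User.EnableDisableAccount.All",
    "11111111-0000-0000-0000-000000000005": "User.Read",
    "11111111-0000-0000-0000-000000000006": "Directory.ReadWrite.All",
}


def audit_graph_permissions(manifest, catalog=GRAPH_CATALOG, required=REQUIRED):
    """Return (missing, extra, wrong_type) for the Graph permissions a manifest requests."""
    requested = {}
    for resource in manifest.get("requiredResourceAccess", []):
        if resource.get("resourceAppId") != GRAPH_APP_ID:
            continue  # permissions on other APIs are out of scope for this check
        for access in resource.get("resourceAccess", []):
            name = catalog.get(access["id"], access["id"])  # unknown id stays as raw GUID
            requested[name] = access["type"]
    missing = sorted(n for n in required if n not in requested)
    extra = sorted(n for n in requested if n not in required)  # least-privilege drift
    wrong_type = sorted(n for n in required if n in requested and requested[n] != required[n])
    return missing, extra, wrong_type


# Constructed manifest: Group.Read.All added as Delegated instead of Application,
# User.EnableDisableAccount.All forgotten, Directory.ReadWrite.All over-granted.
SAMPLE_MANIFEST = {"requiredResourceAccess": [{"resourceAppId": GRAPH_APP_ID, "resourceAccess": [
    {"id": "11111111-0000-0000-0000-000000000001", "type": "Role"},
    {"id": "11111111-0000-0000-0000-000000000002", "type": "Role"},
    {"id": "11111111-0000-0000-0000-000000000003", "type": "Scope"},
    {"id": "11111111-0000-0000-0000-000000000005", "type": "Scope"},
    {"id": "11111111-0000-0000-0000-000000000006", "type": "Role"},
]}]}
```

In a real tenant, populate the catalog from the Microsoft Graph service principal's appRoles and oauth2PermissionScopes so the IDs resolve to the names shown in the portal.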
BeyondTrust Password Safe configuration
- From the left menu, click Configuration. The Configuration page displays.
- Under Privileged Access Management, select Functional Accounts. The Functional Accounts page displays.
- Click Create New Functional Account.
- For the Entity Type, select Directory.
- For the Platform, select Microsoft Entra ID.
- Select the Azure scope: Public or US Government (supports Azure GCC High).
- Enter the Username in UPN format.
- Enter the previously saved values for the Application (Client) ID, Tenant ID, and Client Secret.
- Set the Alias.
- Click Create Functional Account.
- From the left menu, click Managed Systems. The Managed Systems page displays.
- Click Create New Managed System.
- For the Entity Type, select Directory.
- For the Platform, select Entra ID.
- Enter the Domain.
- Select the Functional Account created above, and select the Account Name Format.
- Click Create Managed System.
The Managed Account can be created manually or by using a Smart Rule.
Create the Managed Account manually:
- Select the Managed System created above.
- Click the icon to the right of the Managed System.
- Select Create New Managed Account.
- Enter the Username in UPN format, and enter the ObjectId for the User and UPN.
Create the Managed Account using a Smart Rule:
- Accounts can be onboarded by using Group Name or UPN (starts with/ends with) filters.