DocumentationRelease Notes
Log In
Documentation

Assets

Suggest Edits

Manage assets

The Assets page allows you to review details about your assets quickly by filtering your assets by last update time, type of asset, domain, operating system, technical solutions applied to the asset (for example, an asset is a scanned host or database host), DNS name, Workgroup, and IP address.

ℹ️

Note

To maintain a manageable database size, assets and scan data is purged every 30 days. We recommend running discovery scans at least every 30 days to refresh asset data.

You can modify which columns to display in the Assets grid by clicking the Column Chooser icon above the grid. From here you can add or remove columns.

Review asset details

ℹ️

Note

Depending on the scan settings, information might not be detected and included in the scan results. If the following scan settings are turned on, more accurate scan results can be expected:

  • Perform Local Scanning
  • Enable WMI Service
  • Enable Remote Registry Service

You can review the advanced details information for assets by clicking the vertical ellipsis button for an asset, and then selecting Go to Advanced Details.

General data

  • Details & Attributes: Displays details about the asset such as: IP address, DNS name, domain, system name, system description, Workgroup, date the asset was added and updated, the operation system, etc.
  • Accounts: If the asset is linked to a managed system, the managed accounts on that system are listed in the grid.

ℹ️

Note

Click the View Managed System link above the grid to view the advanced details for the managed system that is linked to the asset. To return to the advanced details for the asset, click the View Asset link.

  • IIS Application Pools: Displays IIS Application Pools discovered on the asset on the last successful scan of the system.
  • Databases: Displays the databases that are on the asset and allows you to add a database.
  • Smart Groups: Displays the Smart Groups that the asset is associated with.

Scan data

ℹ️

Note

By default, the current snapshot of scan data is selected. You can select other available snapshots to load the data for that date. Scan snapshots are purged from the database every 30 days.

  • Ports: Displays the open port number, protocol, and description.
  • Scheduled Tasks: Displays information about scheduled tasks for a particular asset, including task name, task to run, last time the task ran, schedule type, etc.
  • Services: Displays discovered services, including name, description, state, logon details, startup type, and dependencies.
  • Software: Lists all software discovered on the asset, including version.
  • Users: Includes several attributes for user accounts, including: name, privileges, password age, last logon date, password expiry status, group membership, and status of the account, and allows you to filter by these attributes.

Create assets manually

Assets are added to BeyondInsight through discovery scans. Assets can also be manually added from the Assets page, as follows:

  1. From the Assets page, select All Assets from the Smart Group filter dropdown.
  2. Click + Create New Asset.
  3. Complete the Create Asset form, and then click Create Asset.

ℹ️

Note

New assets created in any Smart Group other than All Assets might not appear under the selected Smart Group if the Smart Rule criteria is not met or until the Smart Rule processes. We recommend that you create new assets using the All Assets Smart Group.

ℹ️

Note

A manually added asset can have its basic information edited, such as Name, DNS Name, Domain, Asset Type, IP Address,, and Workgroup. Asset attributes cannot be edited at the individual asset level at this time. If this is necessary, Smart Rules can be used to modify the attributes associated with an asset.

Delete assets

You can remove assets from the Assets grid immediately. Assets removed from the grid are deleted from the BeyondInsight database during the nightly data purge.

  1. From the Assets page, select an asset or multiple assets.

ℹ️

Note

You can use the filters above the grid to narrow down your list of assets to those targeted for deletion, and then press ctrl + A to select all assets in the grid to delete at once.

  1. Click the Delete button above the grid.
  2. Click Delete on the confirm deletion message.

Asset tools

BeyondInsight provides a set of tools to help you organize assets for scanning.

Depending on the number of assets that you want to scan or the critical nature of some of your assets, consider organizing the assets using address groups or Active Directory queries which can be part of a Smart Rule.

The following list provides examples on ways you can use these tools:

  • Create an IP address group that organizes assets by a range of IP addresses, including CIDR notation and named hosts.
  • Use an Active Directory query that will organize assets by organizational unit. Create a Smart Rule and use the query as your selection criteria.
  • Change the properties for assets, and then use the attributes as the selection criteria in the Smart Rule.

Scans can return a lot of information. To help you review scan results, you can create filters and set preferences on the Assets page to easily review scan results.

Create an address group

When creating a Smart Rule, you can create an address group to use as an IP address filter. An address group can contain included or excluded IP addresses. IP addresses are entered as a

  • Single IP address
  • IP range
  • CIDR Notation
  • Named host

ℹ️

Note

  • The BeyondInsight user must be a member of the Administrators group or be assigned the Full Control permission on the Asset Management and the applicable Smart Rule Management feature(s) to be able to create and edit Smart Rules.
  • Users assigned Read Only permissions on these features may only view the details of Smart Rules.

Create an Always address group

You can create an address group and name it Always. The Discovery Scanner is designed to recognize this address group name and includes the group in every scan, regardless if the group is selected in the scan job. The address group can include and exclude IP addresses.

The next time a scan runs, the address group is synchronized with the Discovery Scanner. The IP addresses, whether they are included or omitted, are considered part of the running scan.

Example

If the Always address group is configured with 10.10.10.60 and buffett-laptop (omitted), it scans 10.10.10.50 and buffett-laptop. The results are as follows:

  • The scan includes 10.10.10.60 since this IP address was added to the Always address group.
  • The scan excludes buffett-laptop since this asset was explicitly omitted in the Always address group.
  • 10.10.10.50 is scanned as usual.

ℹ️

Note

If an asset was scanned and later added to the Always address group as Omit, the asset is not scanned but might be displayed in the report. This only occurs with some reports.

  1. Go to Configuration > Discovery Management > Address Groups.
  2. Click Create New Address Group.
  3. Enter a name for the address group, and then click Create Address Group.
  4. Select the address group, and then from the right pane, click Create New Address to manually add the IP addresses. Or, click Import Addresses to import them into the group using a file.
  5. If manually adding the addresses:
    • Select the type from the list: Single IP Address, IP Range, CIDR Notation, or Named Host.
    • Enter the IP addresses, CIDR Notation, or host name, depending on which type you selected.
    • Enable Omit this entry to excluded addresses.
    • Click Create Address.
  6. If importing the addresses:
    • Enable the Overwrite all existing addresses option, if desired.
    • Click Drop File to upload the import file.
    • Click Upload File.

ℹ️

Note

The list in your import file depends on your particular needs. The list can contain all IP addresses that you wish to exclude. To exclude IP addresses, use the format: 192.x.x.x (1).

The image shows an example of how a CIDR Notation, an excluded IP address, and excluded named hosts are displayed after importing.

Create a Smart Rule based on an address group

When configuring an address group, you can choose to create a Smart Rule based on the address group.

  1. From the Address Groups pane, click the vertical ellipsis for the address group.
  2. Select Create Smart Rule.
  3. Leave the default name, or name the Smart Rule as desired.
  4. Select the option to make the Smart Rule available to all user groups or the option to make the Smart Rule available to administrators only.
  5. Click Create Smart Rule.
  6. A message stating Smart Rule has been created for this Address Group appears.
  7. The group is displayed on the Configuration > Smart Rules page.

Create a directory query

You can create an Active Directory or LDAP query to retrieve information from Active Directory or LDAP to populate a Smart Rule. To work with directory queries, the BeyondInsight user must be a member of the Administrators group or assigned the Asset Management permission.

Create a new directory query or clone an existing query as follows:

  1. In BeyondInsight, navigate to Configuration > Role Based Access > Directory Queries.
  2. Click Create New Directory Query or click the vertical ellipsis for an existing query and select Clone.
  3. Select Active Directory or LDAP from the Directory Type list.

ℹ️

Note

Cloned queries keep the same directory type as the query being cloned.

  1. Enter a name for the query in the Title field.
  2. Select a stored credential for running this query or click Create New Credential to be taken to the Directory Credentials page where you can add a new one.

ℹ️

Note

At minimum, the credential must have Read permissions on the computer assets you are enumerating.

  1. Enter the directory path for the Query Target, or click Browse to search for a path and add it.
  2. Select a scope to apply to the container: This Object and All Child Objects or Immediate Children Only.
  3. Select an object type: Computer Objects or User Objects.
  4. Enter the directory path for the Query Target, or click Browse to search for a path and add it.
  5. Select a scope to apply to the container: This Object and All Child Objects or Immediate Children Only.
  6. Select an object type: Computer Objects or User Objects.
  7. Enable or disable the Dynamically refresh results each use option.
  8. Provide a Name and Description or use the * wild card character to match multiple values for the Basic Filter.
  9. Optionally, click Advanced Filterto provide an LDAP Query.
  10. Click Test to ensure the query returns expected results. We recommend you preview results before saving the query.
  11. Click Create Directory Query.
  12. A warning message displays the following: Creating or modifying Directory Queries can have a significant impact to the onboarding Smart Rules that use this query. Are you sure you want to save this Directory Query?
*   Click **Confirm** to create the query.
*   Click **Cancel** to return to the query form to make changes.
  1. If you did not test the query (step 15), a warning message displays the following: Are you sure you want to save this Directory Query without previewing the results?
*   Click **Confirm** to create the query without testing it.
*   Click **Cancel** to return to the query form to make changes or test the query before saving it.

Update a directory query

Update an existing directory query as follows:

  1. In BeyondInsight, navigate to Configuration > Role Based Access > Directory Queries.
  2. Locate the query in the grid and click the vertical ellipsis to the right of it.
  3. Select Edit from the menu.
  4. Modify query details as necessary, and then click Test to ensure the query returns expected results. We recommend you preview results before saving the query.
  5. Click Update Directory Query.
  6. A warning message displays the following: Creating or modifying Directory Queries can have a significant impact to the onboarding Smart Rules that use this query. Are you sure you want to save this Directory Query?
    • Click Confirm to update the query.
    • Click Cancel to return to the query form if wish to make changes.
  7. If you did not test the query after making changes, a warning message displays the following: Are you sure you want to save this Directory Query without previewing the results?
    • Click Confirm to save the updated query without testing it.
    • Click Cancel to return to the query form if you wish to make changes or test the query before saving it.

ℹ️

Note

If you’re changing the Query Target, we recommend testing the query before saving the changes to ensure the changes are working the way you expect. Any Smart Rules using that query will use the new target list the next time the rule processes.

Attributes and attribute types

Attributes can be used to label assets, and you can set attributes for each asset in a group using a Smart Rule. BeyondInsight ships with a default set of attributes that can be customized, except for the Criticality type, and you can also add new attribute types and attributes to meet your requirements.

Add a new attribute type

  1. In the BeyondInsight Console go to Configuration > General > Attributes.
  2. Click + Add New Attribute Type.
  3. Type a name for the attribute type, and then press Enter.

Add a new attribute

  1. Click the plus sign for the desired attribute type to expand its attributes.
  2. Click + Add New Attribute.
  3. Type a name for the attribute, and then press Enter.

Add Assets to Password Safe Cloud

This chapter provides a high-level overview of adding systems and accounts to be managed by Password Safe. Once assets are managed by Password Safe, selected users can request access to them. For details on adding specific systems, please refer to the chapter for the particular system in this guide.

A system and the associated account can be added to Password Safe in any of the following ways:

  • Manually: After an asset is added to the management console, you can add the asset to Password Safe.
  • Smart Rules: You can create a Smart Rule with selected filter criteria, to match on the systems that you want to add to Password Safe.
  • Discovery Scanning: You can run a Discovery Scan in BeyondInsight on a selected range of IP addresses.

ℹ️

Note

To maintain a manageable database size, assets and scan data is purged every 30 days. We recommend running discovery scans at least every 30 days to refresh asset data.

Add managed systems and accounts to Password Safe

There are three ways to add systems and accounts to Password Safe:

  • Add the asset manually.
  • Run a Discovery Scan and then import the assets using an address group or directory query.
  • Use API scripts.

The following is a high-level overview of the steps required to add systems and accounts to be managed in Password Safe.

  1. Add the functional account: A functional account is one that can access the system with the privileges required to manage and change passwords for shared accounts on the system.
  2. Add the managed system: A managed system is a computer or device where one or more account passwords are to be maintained by Password Safe. Managed systems can be Windows machines, Unix/Linux machines, network devices, databases, firewalls, routers, iLO machines, and LDAP or Active Directory domains.
  3. Add the managed account: A managed account is an account on the managed system whose password is being stored and maintained through Password Safe. Typically, managed accounts are privileged accounts that can perform administrative tasks on the managed system.
  4. Configure managed system settings: After a system is added to Password Safe, configure settings that apply to the managed system.
  5. Set up role based access: Create user groups that permit users to:
    • Log in to the Password Safe web portal.
    • Assign Password Safe roles, such as Requester or Approver.
    • Create access policies to permit accounts to access the systems, applications, and sessions, and to request password releases.

Create a functional account

A functional account on a managed system is required to manage passwords for accounts on that managed system. The passwords for functional accounts cannot be retrieved through the Password Safe web portal.

⚠️

Important

Do not set up a functional account as a managed account. Functional accounts have built-in management capabilities and passwords might fail to synchronize, causing issues.

ℹ️

Note

The settings vary, depending on the type and platform chosen.

  1. From the left sidebar in BeyondInsight, click Configuration.
    The Configuration page displays.

  2. Under Privileged Access Management, click Functional Accounts.
    The Functional Accounts page displays.

  3. Click + Create New Functional Account.
    The Create New Functional Account form displays in the right panel.

  4. Select a type from the list.

  5. Select a platform from the list.

ℹ️

Note

The DSS authentication and Automatic password management settings are not supported if you are using the elevated credential pbrun jumphost.

  1. Provide credentials and a description for the account.
  2. Provide an alias. The Alias value is shown in the selectors throughout Password Safe where you must select a functional account to use.
  3. Select a Workgroup, if applicable.
  4. If desired, enable Automatic Password Management, and then select the password policy and change frequency. This option enables automatic password changes for each managed system that this functional account is associated with at the designated frequency.

ℹ️

Note

If the Automatic Password Management option is enabled, passwords are set immediately when a new functional account is added to Password Safe.They are changed during the next scheduled rotation.

  1. Click Create Functional Account.

Override a functional account password

Every managed system that uses a specific functional account has a unique password associated with that functional account. The password on the managed system might be out of sync with the password in Password Safe. You can override a functional account password from the Functional Account section in the Advanced Details of a managed system.

Add a managed system manually

ℹ️

Note

Settings vary depending on the platform type. When an account is manually added to a managed system, the default configuration of the account is set to what is configured on the managed system.

There are two ways to add a managed system to Password Safe manually:

  • From the Managed Systems page, click Create New Managed System, and then complete the Create New Managed System form.
  • From the Assets page, click the vertical ellipsis for an asset, then select Add to Password Safe, and then complete the Create New Managed Systemform.

Below are the fields and settings with their descriptions that are available when creating a new managed system. The available fields change depending on the Entity Type and Platform for the system.

Field / SettingDescription or Action
Entity TypeType of system: Asset, Database, Directory, or Cloud.
PlatformThe platform for the system based on the Entity Type.
NameUnique name for the system.
PortDefault RDP port for new managed systems.
Instance Number (SAP only)If you have added your System Application Products (SAP) environment to Password Safe management, provide the instance number.
Domain (Directory types only)Name of the Domain where the directory resides.
DescriptionDescription for the system.
DNS NameDNS name for the system.
IP AddressIP address for the system.
Allow Managed System to be an Application Host (non-Windows systems only)Toggle on or off to allow the system to be an application host.
NetBIOS Name (Windows, Active Directory, and LDAP systems only)Unique NetBIOS name for the system.
WorkgroupSelect a pre-defined workgroup from the list.
PortEnter a port number.
Automatic Password Change OptionsToggle Enabled to automatically check and update managed account passwords at a set frequency or after password releases.
Password PolicySelect a Password Safe password policy or use the default policy. The policy provides the requirements used by Password Safe to create passwords, such as password length and permitted characters.
Change Agent (available only when Endpoint Privilege Management is installed)Select Password Safe or Endpoint Privilege Management client from the list.
Elevation Select an elevated account to run as: sudo, pmrun, pbrun, pbrun jumphost.
If you are using pbrun jumpost, enter the IP address for the Privilege Management for Unix & Linux policy server that you want to connect to.
SSH Key Enforcement Mode is not available if you are using pbrun jumphost.
Change Agent (available only when Endpoint Privilege Management is installed)Select Password Safe or Endpoint Privilege ManagementClient from the list.
Functional AccountSelect a functional account from the list. If a functional account is not available, click the Create New Functional Account link. The link is located in two places, below the dropdown and within the dropdown list. This allows you to create a functional account without leaving the Managed Systems page.
The Create New Functional Account link is available to users with the Password Safe Configuration Management feature permission.
Use Login Account for SSH SessionsCreate a login account to allow the user to open an SSH session in environments where remote shell access is not permitted, for instance the root account.
Login Account: Select the account name.
Account Name Format (For Windows, Linux, Oracle, MS SQL Server, and Active Directory only)Select a format for the account name from the list: Domain\Account, UPN: accountName@domainName, or sAMAccountName: Account Name only.
TimeoutThe timeout value determines the amount of time in seconds that a connection attempt to the managed system remains active before being aborted. In most cases, we recommend you use the default value (30 seconds). If there are problems with connection failures with the system, this value can be increased.
SSH Key Enforcement ModeVerifies SSH host keys from a known host. You can import SSH keys from a host using a Smart Rule.
Auto Accept Initial Key: The first key imported is automatically accepted. Any new key imported after the initial key must be manually accepted.
Manually Accept Keys: SSH connections to the host are permitted for accepted keys only. If a new key is detected from the host, the key is stored in the database and an email is sent to the Administrators user group. The key must then be accepted or denied.
Default DSS Key PolicyIf you are using DSS authentication for the system, select a key policy or use the default.
Release DurationThe duration that can be requested during the request process. The default value is 2 hours. When the Requested Duration (as entered by the user on the Requests page in the web portal) is exceeded, the session ends if the Force Termination option is enabled for the access policy.
Max Release DurationThe maximum length of time the requester is permitted to enter on the Requests page. Applies to password and session requests. The maximum length that can be set is 365 days.
Contact e-mailEnter the email address where you want Password Safe system notifications to be sent.

Add managed systems and accounts using Smart Rules

You can add assets to Password Safe using an asset-based Smart Rule.

ℹ️

Note

Before proceeding, consider the selection criteria to use to add the assets. There are several options available, including Operating System and Directory Query.

ℹ️

Note

SSH key enforcement is not supported when using the pbrun jumphost elevated credential. The settings display as available after pbrun jumphost is selected. However, the settings will not work with the elevated credential.

  1. From the left menu, click Smart Rules.
  2. Leave Asset selected as the Smart Rule type filter.
  3. Click + Create Smart Rule.
  4. Select a Category from the dropdown.
  5. Enter a Name and Description for the Smart Rule.
  6. Select a Reprocessing Limit from the dropdown to limit how often the Smart Rule processes. Default means the Smart Rule processes when necessary. This is the preferred setting for less intensive processing. For more intensive processing select another option to restrict the Smart Rule to run once per selection.

ℹ️

Note

A Smart Rule always processes when first saved or updated.

  1. Set the Selection Criteria by selecting ALL or ANY from the Include Items that match the following dropdown and selecting the filter criteria from the list. Address Group is a very useful filter and more than once condition may be added.
  2. In the Actions section, select Manage Assets Using Password Safe from the list.
  3. Select the Platform, Functional Account, and Account Name Format. Other settings may be left as defaults or changed as required.

ℹ️

Note

The Managed System Descriptions setting is available for Active Directory only.

ℹ️

Note

These settings are the same settings available when adding the system manually by creating a new managed system.

  1. In the Actions section, click Add another action.
  2. Select Show asset as Smart Group from the list. This is helpful for grouping assets and accounts by their type.
  3. Click Create Smart Rule.

ℹ️

Note

To view the contents of a Smart Rule when creating a new rule or editing an existing rule:

  • Once the rule is saved, click View Results.
  • You are taken to the associated grid, where the contents of the Smart Rule are listed.
  • If the rule is actively processing, a banner displays letting you know that.

ℹ️

Note

  • View Results displays only if you have permissions to the grid corresponding to the Smart Rule, i.e.; Assets, Managed Accounts, Managed Systems.
  • The Smart Rule must be saved with Show <entity> as Smart Group selected under Actions to view the results.

ℹ️

Note

Because the Smart Rule must process to display the contents in the grid, we recommend viewing the results using only the Show as Smart Group action and before adding additional actions that may make changes to accounts and assets in your network. Once you have confirmed the rule contains your desired items, you can then add additional actions to the Smart Rule.

Add Active Directory managed accounts using a Smart Rule

You can create a Smart Rule that discovers and adds Active Directory accounts to Password Safe, using the below procedure. The procedure also shows how to link domain accounts to the system.

ℹ️

Note

A directory query and a domain should be created prior to creating a Smart Rule.

  1. From the left menu, select Smart Rules.
  2. From the Smart Rule type filter list, select Managed Account.
  3. Click + Create Smart Rule.
  4. Select the Selection Criteria as applicable:
    • Asset Smart Group: Select a Smart Group from the list.
    • Child Smart Rule: Select a Smart Rule you want to filter the child Smart Rules from.
    • Dedicated Account: Select an account filter from the list. Enter a keyword to search on.
    • Directory Query: Choose to Include or Exclude accounts from Directory Query.
      • Select a query from the list, or click Create New Directory Query to open the form and create a new query.
      • Provide the frequency for the query to run. Leave the entry as 0 for a one time run.
      • Enable the Discover accounts for Password Safe Management option to discover accounts when the Smart Rule processes.
      • Select a Domain from the list.
    • Managed Account Fields: This filter only applies to existing managed accounts.
      • Select a filter: Account Name, Create Date, Description, Domain Name, Last Change Date or Last Change Result.
      • Select an expression, and then enter a keyword to search on, for example, WIN for Windows.
    • Managed System Fields: The Smart Rule is filtered according to the managed system you select.
      • Select a filter: System Name, Create Date, Last Update Date.
      • Select an expression, and then enter a keyword to search on, for example, WIN for Windows.
    • Platforms: Select a platform or check Select All.
    • User Account Attribute: Select the attribute from the list, and then provide the filter condition and value for that attribute. For each attribute filter, select Yes for Discover accounts for Password Safe Management, and then select a Smart Group to search in.
      • Privilege: Select is one of or is not one of. Select All or one, or a combination of Administrator, Guest, or User.
      • SID: Select an expression, and then enter a keyword to search on.
      • Account Name: Select an expression, and then enter a keyword to search on.
      • Password Age: Select an expression, and then select age parameters to search on.
  5. In the Actions section, select Manage Account Settings to add the accounts that match on the criteria to Password Safe. The settings are the same as when you add the accounts manually.
  6. Additional properties can be set under Actions:
    • Assign preferred Domain Controller on each Active Directory account: Select the Active Directory domain and Domain Controller from the lists.
    • Assign workgroup on each account: Used with agent workgroups in multi-active deployments, this action enables you to define groups of accounts that will be assigned to specific password change agents. Select a workgroup from the list, or select Any.
    • Link domain accounts to Managed Systems: When used with Directory Accounts filter criteria, this action creates a linked association between the directory accounts and the target asset Smart Groups for role-based access control.
    • Link managed accounts to Remote Applications: Assigns the application(s) to any managed accounts that match the Session Criteria.
    • Map Dedicated Accounts To: Use only when the Dedicated Accounts filter criteria is selected. This action identifies the group of user accounts that are used to match against the dedicated account mask condition.
    • Send an email Alert: Select to send an email alert when the Smart Rule processes. The email contains a summary of the results the managed accounts matched by the Smart Rule and any changes since its last execution.
    • Set attributes on each account: Select to assign an attribute to filter and sort managed accounts. When viewing the Smart Groups on the Managed Accounts page, the groups are organized based on the filters selected in the Smart Group. You can use the default attributes that are available or create an attribute on the Configuration page. When the Smart Rule runs, the attribute is applied to all managed accounts that match on the selected filter criteria.
  7. Under Actions, click the link to Add another action, and then select Show managed account as Smart Group.
  8. Click Create Smart Rule.

Add Endpoint Privilege Management for Windows systems and local accounts into Password Safe

The integration between Password Safe and Endpoint Privilege Management for Windows (EPM) allows for agent-based local account password rotation and privileged account retrieval to run as actions for accounts on Windows systems where an EPM agent is running.

Prior to BeyondInsight 24.1, EPM agents could only use certificates to authenticate with BeyondInsight. You can download the certificate from Configuration > System > Downloads > Download Client Certificate in the BeyondInsight console. BeyondInsight configuration segments can be included in the EPM policy to enable policy management from one console and password policy from Password Safe.

Use installer activation keys to leverage OAuth authentication when configuring:

  • Endpoint Privilege Management (EPM) agents that support OAuth communications.
  • Discovery Scanner event client and central policy.

In Endpoint Privilege Management for Windows, features to support Password Safe integration include:

  • Off-network account management: The EPM agent contacts Password Safe for password tests or password changes.
  • Allow as Password Safe user: You can run an application using managed account credentials sourced from Password Safe.

Discover local accounts on EPM Windows systems

For 22.4 and later releases of Password Safe in conjunction with the Endpoint Privilege Management for Windows 22.9 EPM agent, discovery can be performed by the EPM agent on the EPM Windows system on a scheduled basis, eliminating the need to run a discovery scan in BeyondInsight. The EPM agent, running on a Windows system, publishes local user data to the Assets grid in BeyondInsight. You can then add the local accounts to Password Safe using a Smart Rule or add them manually.

For Password Safe releases prior to 22.4, you can add well-known local admin accounts into Password Safe using a Smart Rule, eliminating the need to run a discovery scan in BeyondInsight, as documented in the next section.

Add known local admin managed accounts using a Smart Rule

It can be useful in some cases to onboard well-known local admin accounts, such as the Windows administrator or the Linux root account, from endpoints into Password Safe without the need to run a discovery scan against the endpoints. You can create a managed system Smart Rule that uses the Create Managed Account on each system action to accomplish this.

One scenario in which this is useful is when you have Endpoint Privilege Management (EPM) clients in your environment. You can create a managed system Smart Rule to add local accounts as managed accounts from the EPM client endpoints so that a password rotation event exists when the EPM agent requests it. Having these preconfigured managed accounts saves time by not having to configure and run a discovery scan after the EPM agent makes the request.

Create the Smart Rule as follows:

  1. From the left menu, click Smart Rules.
  2. From the Smart Rule type filter list, select Managed System.
  3. Click + Create Smart Rule.
  4. From the Category dropdown, select Managed Systems.
  5. Provide a name and description.
  6. For the Selection Criteria, select Asset Smart Group and Endpoint Privilege Management Clients from the dropdowns.
  7. For Actions, select Show managed system as Smart Group and Create Managed Account on each system from the dropdowns.
  8. Leave the remaining settings for Actions as default or modify as required.

ℹ️

Note

Administrator is the default account name, because that is standard for Windows systems. You can modify the name if you have configured something other than default standard local admin account name in your environment. You can also add multiple Create Managed Account on each system actions if you have additional local admin accounts you wish to manage with Password Safe.

  1. Click Create Smart Rule.

ℹ️

Note

To view the contents of a Smart Rule when creating a new rule or editing an existing rule:

  • Once the rule is saved, click View Results.
  • You are taken to the associated grid, where the contents of the Smart Rule are listed.
  • If the rule is actively processing, a banner displays letting you know that.

ℹ️

Note

  • View Results displays only if you have permissions to the grid corresponding to the Smart Rule, i.e.; Assets, Managed Accounts, Managed Systems.
  • The Smart Rule must be saved with Show <entity> as Smart Group selected under Actions to view the results.

ℹ️

Note

Because the Smart Rule must process to display the contents in the grid, we recommend viewing the results using only the Show as Smart Group action and before adding additional actions that may make changes to accounts and assets in your network. Once you have confirmed the rule contains your desired items, you can then add additional actions to the Smart Rule.

Configure Functional Account Requirements in Azure

Follow the steps below to set up Entra ID for use with BeyondTrust Password Safe.

  • Create enterprise application
  • Configure app registration
  • BeyondTrustPassword Safe configuration
  • Create a second enterprise application

ℹ️

Note

Accounts can be managed with or without multifactor authentication enabled in Azure.

Create enterprise application

Create this enterprise application to map to the Application (Client) ID for the functional account.

  1. In Microsoft Azure, go to Enterprise Applications and select New application.
  2. Select Create your own application.
  3. Name your application, select the application type (App you're developing) and click Create.
  4. Update the name if necessary, select the Supported Account Types (this directory only) and click Register.
  5. Under Properties, disable Assignment required and Visible to users, and click Save.

Configure app registration

  1. In Overview section, copy the Application (Client) ID and Directory (Tenant) ID. These are needed later to configure the Password Safe functional account.
  2. In the Authentication section, enable Allow public client flows, and click Save.
  3. In the Certificates and secrets section, click New client secret. Enter the Description, an expiration date, and click Add.
  4. Copy the secret Value. This is needed later to configure the Password Safe functional account.

ℹ️

Note

The value is displayed only once, immediately after adding the new secret.

  1. In the API permissions section, add Microsoft Graph, and select type Application permissions.
  2. Add Microsoft Graph application permission UserAuthenticationMethod.ReadWrite.All, Domain.Read.All, Group.Read.All, and User.EnableDisableAccount.All.
  3. If User.Read is not already added, select Delegated permissions and add it.
  4. Click Add Permissions.
  5. Click Grant admin consent for for your organization, and click Yes on the confirmation message.
  6. From the main menu, select Roles and administrators, then select the Helpdesk administrator role.
  7. Click Add assignments, then assign the application to the Helpdesk administrator role.

This completes configuration in Microsoft Azure. The remaining steps are done in BeyondTrust Password Safe.

BeyondTrust Password Safe configuration

  1. Go to Configuration > Privileged Access Management > Functional Accounts.
  2. Click Create New Functional Account.
  3. For the Entity Type, select Directory.
  4. For the Platform, select Microsoft Entra ID.
  5. Select the Azure scope: Public or US Government (supports Azure GCC High).
  6. Enter the Username in UPN format.
  7. Enter the previously saved values for the Application (Client) ID, Tenant ID, and Client Secret.
  8. Set the Alias.
  9. Click Create Functional Account
  10. Go to Managed Systems.
  11. Click Create New Managed System.
  12. For the Entity Type, select Directory.
  13. For the Platform, select Entra ID.
  14. Enter the Domain, select the Functional Account created above, and select the Account Name Format.
  15. Click Create Managed System.

The Managed Account can be created manually or by using a Smart Rule.

Create the Managed Account manually.

  1. Select the Managed System created above.
  2. Click the vertical ellipsis at the right end of the row.
  3. Select Create New Managed Account.
  4. Enter the Username in UPN format, and enter ObjectId for the User and UPN.
  5. Create the Managed Account using a Smart Rule.
    • Accounts can be onboarded by using Group Name or UPN (starts with/ends with) filters.

Updated 5 days ago

©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.