Configuration: User accounts | BI Cloud

What is a user account?

A user account represents an identity that BeyondInsight uses to authenticate and authorize access to system resources. User accounts can be created locally within BeyondInsight or imported from external directories such as Active Directory, Entra ID, or LDAP.

Application user accounts can be created to represent applications that interact with the BeyondInsight public API. These accounts cannot log in to the console but can authenticate and perform API-based operations.

How are they useful?

User accounts enable secure authentication and authorization within BeyondInsight. By assigning each person or application a unique identity, administrators can control who can access specific system resources and track their actions. This ensures proper access management, supports integration with external directories like Active Directory or Entra ID, and allows applications to safely interact with the system through the public API.

ℹ️

A user account must be a member of a BeyondInsight user group because permissions to features are assigned at the group level. If a user is not a member of any groups in BeyondInsight, the user cannot log in to the console, and application users cannot authenticate with the public API.

Create a BeyondInsight local user account

  1. Use a browser to sign in to your BeyondInsight/Password Safe URL.
    This URL is provided in the BeyondTrust welcome email and includes your site URL followed by /login.
  2. From the left menu, click Configuration.
    The Configuration page displays.
  3. Under Role Based Access, select User Management.
    The User Management page displays.
  4. Select the Users tab.
  5. Click + Create New User.
  6. Select Create a New User.
  7. Provide a First Name, Last Name, Email, and Username for the new user. These fields are required.

ℹ️

You may use an email address for the username.

  8. Provide a password and confirm it.

ℹ️

The password must meet the complexity requirements as defined by your default password policy, defined at Configuration > Role Based Access > Password Policy.

  9. Enter the user’s contact information if required.
  10. Set an Activation Date and an Expiration Date for the user account if required.

ℹ️

These dates are based on UTC time on the BeyondInsight server and are considered during the user's login attempt. The attempt fails if the user account is not yet active or if the expiration date has passed.

  11. Check User Active to activate the user account.
  12. Leave the Account Locked and Account Quarantined options unchecked.
  13. Check the two Authentication Options, if applicable:
    • Override Smart Card User Principal Name: When enabled, a BeyondInsight user with a smart card that has a different Subject Alternative Name is able to log in to BeyondInsight. The smart card is mapped to the user.
    • Disable Login Forms: When enabled, SAML users are prevented from using the standard BeyondInsight login form and authenticate with a configured identity provider. Check this option only if SAML is configured in your environment.
  14. Select a Two-Factor Authentication method and mapping information, if applicable.
  15. Click Create User.
    The user is created and User Details > Groups displays.
  16. Filter the list of groups displayed by type, name, or description and select a group.
  17. Click Assign Group above the grid.

ℹ️

The user must belong to at least one group.

  18. To remove the user from a group:
    • Select Assigned Groups from the Show dropdown, and then select a group.
    • Click Remove Group above the grid.

Update default password policy for local users

The default password policy defines the password complexity requirements for local BeyondInsight users. This includes the minimum and maximum length of the password and the type of characters required and permitted in the password. Update the default password policy as follows:

  1. From the left sidebar, click Configuration.
  2. Under Role Based Access, click Password Policy.
  3. Enter a name for the policy and an optional description.
  4. Set the minimum and maximum password length.
  5. Set the types of characters to be used: uppercase, lowercase, numeric, and non-alphanumeric.
  6. Toggle the Enforce Minimum Characters To Change option to enable it. When enabled, the new password is compared to the previous password when a user updates their password through the change password function in their account settings.
  7. Optionally, increase the Minimum Characters To Change. The default is 8 and cannot be decreased.
  8. Click Update Password Policy to save the policy.

Add an Active Directory user

Active Directory users can log in to the management console and perform tasks based on the permissions assigned to their groups. The user can authenticate against either a domain or domain controller.

ℹ️

Active Directory users must log in to the management console at least once to receive email notifications.

  1. From the left sidebar, click Configuration.

  2. Under Role Based Access, click User Management.

  3. Click the Users tab to display the list of users in the grid.

  4. Click Create New User above the grid.

  5. Select Add an Active Directory User.

  6. Select a credential from the list.

ℹ️

If you require a new credential, click Create a New Credential to create a new credential. The new credential is added to the list of available credentials.

  7. If not automatically populated, enter the name of a domain or domain controller.
  8. After you enter the domain or domain controller credential information, click Search Active Directory. A list of users in the selected domain is displayed.

ℹ️

For performance reasons, a maximum of 250 users from Active Directory is retrieved. The default filter is an asterisk (*), which is a wild card filter that returns all users. Filter by user name to refine the list.

Example

Sample filters:

  • a* returns all group names that start with a.
  • *d returns all group names that end with d.
  • *sql* returns all groups that contain sql in the name.

  9. Click Search Active Directory.
  10. Select a user, and then click Add User.
  11. Assign at least one group to the user.

Add an Entra ID user

Entra ID users can log in to the management console and perform tasks based on the permissions assigned to their groups. The user can authenticate against either a domain or domain controller.

ℹ️

Entra ID users must log in to the management console at least once to receive email notifications.

  1. Use a browser to sign in to your BeyondInsight/Password Safe URL.
    This URL is provided in the BeyondTrust welcome email and includes your site URL followed by /login.
  2. From the left menu, click Configuration.
    The Configuration page displays.
  3. Under Role Based Access, select User Management.
    The User Management page displays.
  4. Select the Users tab.
  5. Click + Create New User above the grid.
  6. Select Add a Microsoft Entra ID User.
  7. Select a credential from the list.

ℹ️

  • If you require a new credential, click Create a New Credential to create a new credential. The new credential is added to the list of available credentials.
  • For performance reasons, a maximum of 250 users from Entra ID is retrieved. The default filter is an asterisk (*), which is a wild card filter that returns all groups. Filter by user name to refine the list.

Example

Sample filters:

  • a* returns all group names that start with a.
  • *d returns all group names that end with d.
  • *sql* returns all groups that contain sql in the name.

  8. Click Search Microsoft Entra ID.
  9. Select a user, and then click Add User.
  10. Assign at least one group to the user.

Change the preferred domain controller for Active Directory user accounts

The preferred domain controller for a user is set by the group they are in, provided that the group was created with the propagate option turned on, and that this action happened before the user was set up.

If you want to change the preferred domain controller for a user, edit the user, select an appropriate credential, and then select a different preferred domain controller from the list.

ℹ️

Any future change to the preferred domain controller at the group level can overwrite this setting if the propagate switch is turned on.

Add an LDAP user

  1. Use a browser to sign in to your BeyondInsight/Password Safe URL.
    This URL is provided in the BeyondTrust welcome email and includes your site URL followed by /login.
  2. From the left menu, click Configuration.
    The Configuration page displays.
  3. Under Role Based Access, select User Management.
    The User Management page displays.
  4. Select the Users tab.
  5. Click + Create New User above the grid.
  6. Select Add an LDAP User from the list.
  7. Select a credential from the list.

ℹ️

If you require a new credential, click Create a New Credential to create a new credential. The new credential is added to the list of available credentials.

  8. Click Fetch to load the list of domain controllers, and then select one.
  9. To filter the user search, enter keywords in the user filter or use a wild card.
  10. Click Search LDAP.
  11. Select a user, and then click Add User.
  12. Assign at least one group to the user.

Add an application user

Application users represent applications that interface with the BeyondInsight public API. Application users cannot log in to the BeyondInsight console. They can only authenticate and interact with the public API, using Client ID and Client Secret for credentials within the OAuth client credential flow.

An API Registration type of API Access Policy must be assigned to an application user, and is used for processing IP rules. To create an application user:

  1. Use a browser to sign in to your BeyondInsight/Password Safe URL.
    This URL is provided in the BeyondTrust welcome email and includes your site URL followed by /login.
  2. From the left menu, click Configuration.
    The Configuration page displays.
  3. Under Role Based Access, select User Management.
    The User Management page displays.
  4. Select the Users tab.
  5. Click + Create New User above the grid.
  6. Select Add an Application User from the drop-down list.
    The Create New Application User panel displays.
  7. Add a username.  
  8. Under API Access Policy, select the policy.
  9. Copy the information from the Client ID and Client Secret fields for later use.
  10. Click Create User.
  11. Assign the user to a group that has the required permissions to access BeyondInsight and Password Safe features.
    • Locate the user account in the grid.
    • Click > View User Details.
    • From the User Details pane, click Groups.
    • Select the group.
    • Click Assign Group above the grid.

Recycle the client secret for an application user

When editing an application user, you have an option to recycle their secret. Once recycled, you can copy or view the new secret. When a secret is recycled and the user account is updated with this change, the previous client secret is no longer valid.

To recycle the secret for an application user:

  1. Use a browser to sign in to your BeyondInsight/Password Safe URL.
    This URL is provided in the BeyondTrust welcome email and includes your site URL followed by /login.
  2. From the left menu, click Configuration.
    The Configuration page displays.
  3. Under Role Based Access, select User Management.
    The User Management page displays.
  4. Select the Users tab.
  5. Locate the application user in the grid.
  6. Click > Edit User Details.
  7. Click to the right of the Client Secret.
  8. Click Recycle on the confirmation message.
  9. Copy the new secret for later use.
  10. Click Update User.

View and update OAuth secret expiry

An application user's client secret eventually expires. The Users grid has an OAuth Secret Expiry column, which you can use to see which secrets are close to expiring. The default duration of a client secret is 365 days. You can adjust the lifetime of the secret from the Authentication Options configuration area in BeyondInsight. Updating this value only changes the secret expiry date for new application users and recycled client secrets. Older secrets cannot be updated.

To view the OAuth Secret Expiry for an application user:

  1. Use a browser to sign in to your BeyondInsight/Password Safe URL.
    This URL is provided in the BeyondTrust welcome email and includes your site URL followed by /login.
  2. From the left menu, click Configuration.
    The Configuration page displays.
  3. Under Role Based Access, select User Management.
    The User Management page displays.
  4. Select the Users tab.
  5. Locate the application user. The OAuth Secret Expiry column lists the date and time that a client secret for that user expires.

To update the duration for client secrets:

  1. From the left menu, click Configuration.
    The Configuration page displays.
  2. Under Authentication Management, click Authentication Options.
  3. Under Application User Authentication Settings, enter the new duration of the client secret in the Client Secret Expiry field.
  4. Click Save.
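
The group membership, activation/expiration, and client secret expiry rules described on this page can be checked in bulk before they cause failed logins or API outages. The following is an added example, not BeyondTrust code: it audits a constructed CSV of accounts, and the column names and export format are assumptions, not a BeyondInsight export format.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample data; the column names are assumptions, not a BeyondInsight format.
SAMPLE_EXPORT = """\
username,type,groups,activation_utc,expiration_utc,oauth_secret_expiry_utc
jdoe,local,Auditors,2025-01-01T00:00:00,2025-12-31T00:00:00,
temp-contractor,local,Operators,2025-01-01T00:00:00,2025-03-01T00:00:00,
svc-ticketing,application,API Users,,,2025-06-20T00:00:00
svc-orphan,application,,,,2026-01-15T00:00:00
new-hire,local,Operators,2025-07-01T00:00:00,,
"""

def _utc(value):
    """Parse an ISO timestamp from the export as UTC; blank means 'not set'."""
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc) if value else None

def audit_accounts(export_text, now, warn_days=30):
    """Return {username: [findings]} for accounts that need attention."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        issues = []
        if not row["groups"].strip():
            # Without a group, console login and public API authentication both fail.
            issues.append("no group membership")
        start, end = _utc(row["activation_utc"]), _utc(row["expiration_utc"])
        if start and now < start:
            issues.append("not yet active")
        if end and now > end:
            issues.append("account expired")
        secret_expiry = _utc(row["oauth_secret_expiry_utc"])
        if row["type"] == "application" and secret_expiry:
            if secret_expiry <= now:
                issues.append("client secret expired")
            elif secret_expiry - now <= timedelta(days=warn_days):
                days_left = (secret_expiry - now).days
                issues.append(f"client secret expires in {days_left} days; recycle it")
        if issues:
            findings[row["username"]] = issues
    return findings

if __name__ == "__main__":
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed so the sample run is repeatable
    for user, issues in audit_accounts(SAMPLE_EXPORT, now).items():
        print(f"{user}: {'; '.join(issues)}")
```

Because recycling invalidates the previous client secret as soon as the user account is updated, schedule the recycle together with the change to the consuming application's stored credential.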

Edit a user account

Administrators can edit user details, such as changing the name, username, email, and password; updating active status; locking and unlocking the account; and updating multi-factor authentication settings:

  1. Use a browser to sign in to your BeyondInsight/Password Safe URL.
    This URL is provided in the BeyondTrust welcome email and includes your site URL followed by /login.
  2. From the left menu, click Configuration.
    The Configuration page displays.
  3. Under Role Based Access, select User Management.
    The User Management page displays.
  4. Select the Users tab.
  5. Locate the user in the grid.
  6. Click > Edit User Details.
  7. In the Edit User pane, update the details as required.
  8. Click Update User.

Add user to groups

  1. Use a browser to sign in to your BeyondInsight/Password Safe URL.
    This URL is provided in the BeyondTrust welcome email and includes your site URL followed by /login.
  2. From the left menu, click Configuration.
    The Configuration page displays.
  3. Under Role Based Access, select User Management.
    The User Management page displays.
  4. Select the Users tab.
  5. Select a user or multiple users.
  6. Click above the grid.
    The Add Users To Groups panel displays.
  7. Search for the group or groups, and then select the group or groups to assign currently selected users to the selected groups.

ℹ️

If a group already contains all of the selected users, a check mark is displayed next to the group name.

Delete a user account

Administrators can delete user accounts:

  1. Use a browser to sign in to your BeyondInsight/Password Safe URL.
    This URL is provided in the BeyondTrust welcome email and includes your site URL followed by /login.
  2. From the left menu, click Configuration.
    The Configuration page displays.
  3. Under Role Based Access, select User Management.
    The User Management page displays.
  4. Select the Users tab.
    • For local accounts:
      • Select the user
      • Click above the grid
      • Click Delete on the confirmation message
    • For directory accounts:
      • Select the user
      • Click > Delete User
      • Click Delete on the confirmation message

ℹ️

  • For auditing purposes, if a user account is linked to any Password Safe session recordings, you cannot delete the account; however, you may disable the account.
  • Directory accounts may be deleted only if they do not belong to any groups.
