Managed accounts | BI Cloud

What are managed accounts?

Managed accounts are local or Active Directory user accounts on the managed system.

How are managed accounts useful?

Managed accounts provide centralized control, security, and automation for user accounts on managed systems. With managed accounts, access policies can be enforced and the risk of unauthorized access is reduced.

How do I access managed accounts?

  1. Use a browser to sign in to your BeyondInsight/Password Safe URL.
    This URL is provided in the BeyondTrust welcome email and includes your site URL followed by /login.
  1. From the left menu, click Managed Accounts.
    The Managed Accounts page displays.

The Managed Accounts page

  1. Left menu: Easy access to all pages in BeyondInsight/Password Safe, including the Home, Assets, Smart Rules, Discovery Scanner, Management Systems, Managed Accounts, Password Safe, Secrets Safe, Analytics and Reporting, Configuration, and About pages.
  2. Header: Navigate to your favorite pages, view your notifications, access your connected apps, and set your account preferences.
  1. Select to Manage Smart Rules.
  2. Filter dropdowns: Select a filter to refine your results.
    Filter types
    • Smart Group filter: Filter by Smart Group.

    • Filter by: Filter by Account, Description, System, Domain, Platform, Last Changed Date, Last Changed Result, Next Change Date, Auto Managed, Disabled at Rest, API Enabled, Mapped to User, Change Agent, Change Password After Release, Check Password, Instance Name, Release Notification Email, Reset Password on Mismatch, Use Self, Use for Scanning, Workgroup, or AD/LDAP Queries.

  3. Grid display preferences: Set display preferences on the Managed Accounts grid using the following options represented by icons above the grid:
    • Click to refresh the list, to download the list to a .csv file, to select which columns to display on the page, to configure your page display, and to expand the grid.
  4. Managed Accounts list columns:
    Column Names
    • Account
    • Description
    • System
    • Domain
    • Platform
    • Last Changed Date
    • Last Changed Result
    • Next Change Date
    • Auto Managed
    • Disabled at Rest
    • API Enabled
    • Mapped to User
    • Change Agent
    • Change Password After Release
    • Check Password
    • Instance Name
    • Release Notification Email
    • Reset Password on Mismatch
    • Use Self
    • Use for Scanning
    • Workgroup
    • AD/LDAP Queries
  5. Managed Accounts grid: Displays information based on filter selections.
  6. List navigation options: Navigate in the Managed Accounts list.

View managed accounts

When viewing managed accounts, you can change the number of items displayed on the page using the Items per page dropdown at the bottom of the grid. You can use the filters above the grid to filter the list by smart group and the various attributes listed in the Filter by dropdown.

After the account is added to Password Safe management, you can:

  • Review the attributes and settings assigned to the account, such as its identifying details, settings, and policies.
  • View managed systems linked to the account.
  • View Smart Groups associated with the account, as well as their last process date and processing status.
  • See which accounts are synced to the managed account.
  • View a list of password changes and the reason for each change.

View managed account details

To view details on a specific managed account:

  1. From the left menu, click Managed Accounts.
    The Managed Accounts page displays.
  2. Locate the managed account you want to view the details for.
  3. Click > Go to Advanced Details.
    The Advanced Details page displays.
  4. Managed account details, such as identification information, account settings, policies, and attributes, are displayed under Details & Attributes for quick access.
  5. To see more granular details, click through the tabs in the Advanced Details pane to view details on each topic:
    • Smart Groups displays the groups that the user belongs to.
    • Synced Accounts allows you to sync managed accounts and their passwords with a managed primary account.
      • Locate the account you want to sync in the grid.
      • Check the box next to the account.
      • Click + Sync Accounts, located above the grid.
    • Events displays events of the managed account.
      • Filter by further narrows results in the grid.
    • Propagation Actions allows you to assign one or more propagation actions to the account.
      • Locate the action you want to assign in the grid.
      • Check the box next to the action.
      • Click Assign Propagation Action, located above the grid.
    • Password History displays all previously used passwords for the account.

ℹ️

Click the View Managed System link above the grid to view the advanced details for the managed system associated with the managed account. To return to the advanced details for the managed account, click the View Managed Account link.

Edit managed accounts

  1. From the left menu, click Managed Accounts.
    The Managed Accounts page displays.
  2. Locate the managed account you want to edit.
  3. Click > Edit Account.
  4. Make any necessary changes, and then click Update Account.

Delete managed accounts

Managed accounts can be deleted, except for synced accounts. A message is displayed if an account cannot be deleted.

  1. From the left menu, click Managed Accounts.
    The Managed Accounts page displays.
  2. Locate the managed account you want to delete.
  3. Click > Delete Account.
  4. Click Delete on the confirmation message.

Test passwords for managed accounts

  1. From the left menu, click Managed Accounts.
    The Managed Accounts page displays.
  2. Locate the managed account you want to test the password for.
  3. Click > Test Password.

Change passwords for managed accounts

  1. From the left menu, click Managed Accounts.
    The Managed Accounts page displays.
  2. Locate the managed account you want to change the password for.
  3. Click > Change Password.
  4. Click Change Password on the confirmation message.

View password history for managed accounts

  1. From the left menu, click Managed Accounts.
    The Managed Accounts page displays.
  2. Locate the managed account you want to view the password history for.
  3. Click > Password History.
    The Password History page displays.

Unlink managed accounts

You can unlink managed accounts from managed systems; however, this applies to Active Directory accounts only. If accounts included in the unlink selection are not domain accounts, no action is taken on those accounts.

  1. From the left menu, click Managed Accounts.
    The Managed Accounts page displays.
  2. Locate the managed account you want to unlink.
  3. Check the box next to the account.
  4. Click above the grid.
  5. Click Unlink on the confirmation message.

Configure subscriber accounts

ℹ️

Subscriber Accounts vs. Synced Accounts

  • A parent account can have one or more synced accounts connected to it.
  • A child account is considered a subscriber account of its parent.

You can view synced accounts in the Managed Account Details section of the parent account.

In the Managed Accounts API, child accounts are labeled as subscriber accounts, and include the ID of their parent account.

To enable Password Safe to update the account automatically, Automatic Password Management must be turned on for both the subscriber account and the associated managed system.

Any managed account can be synced to multiple accounts. These synced accounts become subscribers to the managed account. The managed account and all of its subscribers always share an identical password. When the password of the managed account or any of the subscriber accounts is changed, Password Safe automatically changes the password of the primary managed account and all of its subscribers to a new password.

ℹ️

To allow Password Safe to update the account, Automatic Password Management must be enabled for both the subscriber account and its associated managed system.

Once an account is synchronized as a subscriber account, settings modifications are limited to:

  • Enable API
  • Allow for scanning
  • Application

Sync an account

To sync an account:

  1. From the left menu, click Managed Accounts.
    The Managed Accounts page displays.
  2. Locate the managed account you want to sync.
  3. Click > Go to Advanced Details.
    The Advanced Details page displays.
  4. Under Advanced Details, click Synced Accounts.
  5. Select the account or multiple accounts that you want to sync to the managed account.
  6. Click + Sync Accounts above the grid.

Remove a synced account

  1. From the left menu, click Managed Accounts.
    The Managed Accounts page displays.
  2. Locate the managed account you want to remove a synced account from.
  3. Click > Go to Advanced Details.
    The Advanced Details page displays.
  4. Under Advanced Details, click Synced Accounts.
  5. Select the account or multiple accounts that you want to unsync from the managed account.
  6. Click above the grid.

Configure password reset for managed account users

You can grant managed account users permission to reset the password on their own managed account without granting them permission to reset passwords on other managed accounts. To do this, create a group, add the managed account to the group, and then assign permissions and the Credentials Manager role to the group.

  1. From the left menu, click Configuration.
    The Configuration page displays.

  2. Under Role Based Access select User Management.
    The User Management page displays.

  3. From the Groups tab, click + Create New Group.

  4. Select Create a New Group.

  5. Provide a name and description for the group.

  6. Click Create Group.

  7. From the Group Details pane, select Users.

  8. Select users to add to the group, and then click + Assign User above the grid.

  9. From the Group Details pane, select Features.

  10. Select the Management Console Access and Password Safe Account Management features.

  11. Click Assign Permissions above the grid.

  12. Select Assign Permissions Read Only. Do not grant Full Control.

  13. From the Group Details pane, select Smart Groups.

  14. Filter the list of Smart Groups by Type > Managed Account.

  15. Select the Smart Group that contains the applicable managed accounts.

  16. Click > Edit Password Safe Roles.
    The Password Safe Roles pane displays.

  17. Select the Credentials Manager role.

  18. Click Save Roles.

Reset password for managed accounts

The managed account user can now log in to the console and reset the password for the managed account as follows:

  1. From the left menu, click Managed Accounts.
    The Managed Accounts page displays.
  2. Locate the managed account you want to change the password for.
  3. Click > Change Password.
    The Advanced Details page displays.

Use a managed account as a discovery scan credential

A managed account can be used as a credential when configuring a Discovery Scan.

ℹ️

Once the Scanner option is enabled, the key must be specified again if the account is edited. It may be the same key or a new one.

The following credential types are supported:

  • Windows
  • SSH
  • MySQL
  • Microsoft SQL Server

The following platforms are supported:

  • Windows
  • MySQL
  • Microsoft SQL Server
  • Active Directory
  • Any platform with the IsUnix flag (AIX, HP UX, DRAC, etc.)

To add the managed account as a scan credential:

  1. From the left menu, click Managed Accounts.
    The Managed Accounts page displays.
  2. Locate the managed account you want to edit.
  3. Click > Edit Account.
    The Edit pane displays.
  4. Expand Scanner Settings.
  5. Click the toggle to enable the scanner.
  6. Enter a name in Scanner Credential Description for the account that can be selected as the credential when setting up the scan details. The name is displayed on the Credentials Management dialog box when setting up the scan.
  7. Assign and confirm a key so that only users that know the key can use the credential for scanning.
  8. Click Update Account.

The Managed Account password can be up to 256 characters; however, the password is limited to the length supported by the target platform. With scan credentials, keep in mind the password length limitations on that endpoint.

Managed account aliasing

Aliases are accessible using the API only. Account mappings can be changed without affecting the alias name. At least one managed account is required to be mapped for the alias to be active; when an alias has two or more managed accounts mapped, it is considered to be highly available. An account can only be mapped to one alias. Managed account aliases can be accessed from Configuration > Privileged Access Management > Managed Account Aliases.

Create a new alias

  1. From the left menu, click Configuration.
    The Configuration page displays.

  2. Under Privileged Access Management select Managed Account Aliases.
    The Managed Account Aliases page displays.

  3. Click Create New Alias +.

  4. Enter a name, and then click Create Alias.

The new alias appears in the grid under Account Mappings, which displays all aliases ready to be mapped. New aliases show as Unmapped until they are associated with accounts.

ℹ️

Each managed account can only be mapped to a single alias.

You can use the Show dropdown to select which accounts to display: All Accounts, Mapped, or Unmapped Accounts only.

The Filter by dropdown allows you to filter accounts by System, Account Name, Account Status, or Last Changed Date.

Unmap an account

  1. From the left menu, click Configuration.
    The Configuration page displays.

  2. Under Privileged Access Management select Managed Account Aliases.
    The Managed Account Aliases page displays.

  3. Select the account that you want to unmap from the Account Mappings grid.

  4. Click above the grid.

Mapped accounts have three status values:

  • Active: The account credentials are current and can be requested.
  • Pending: The account credentials are current but the password is queued to change.
  • Inactive: The account password is changing.

The list of mapped accounts is rotated in a round-robin fashion, typically in order of last password change date. The preferred account, or the account whose status is active and has the oldest change date, is returned on the Alias API model.
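The selection rule described above, modeled as an added sketch (not BeyondTrust code and not the Alias API model). The record fields, the availability labels, the sample account names, and the assumption that each released account has its password changed right afterward are illustrative only.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from typing import List, Optional

@dataclass(frozen=True)
class MappedAccount:
    """Hypothetical record for this sketch; not the Alias API model."""
    name: str
    status: str  # "Active", "Pending" or "Inactive", as listed on the page
    last_changed: datetime

def availability(mapped: List[MappedAccount]) -> str:
    """Labels are this sketch's own: 0 mapped, 1 mapped, 2 or more mapped."""
    if not mapped:
        return "unmapped"
    return "highly-available" if len(mapped) >= 2 else "single-account"

def preferred(mapped: List[MappedAccount]) -> Optional[MappedAccount]:
    """Active account with the oldest change date, or None if none is Active."""
    active = [a for a in mapped if a.status == "Active"]
    return min(active, key=lambda a: a.last_changed, default=None)

def simulate_requests(mapped, count, now):
    """Return the account names handed out over `count` requests.

    Assumption: each released account has its password changed right after,
    which moves its change date forward and sends it to the back of the order.
    """
    pool, order = list(mapped), []
    for i in range(count):
        pick = preferred(pool)
        if pick is None:  # every mapped account is Pending or Inactive
            order.append(None)
            continue
        order.append(pick.name)
        pool[pool.index(pick)] = replace(pick, last_changed=now + timedelta(minutes=i))
    return order

# Constructed sample data.
T0 = datetime(2025, 1, 1)
SAMPLE = [
    MappedAccount("svc-app-a", "Active", T0 + timedelta(days=2)),
    MappedAccount("svc-app-b", "Active", T0),
    MappedAccount("svc-app-c", "Pending", T0 - timedelta(days=5)),
    MappedAccount("svc-app-d", "Inactive", T0 - timedelta(days=9)),
]

if __name__ == "__main__":
    print(availability(SAMPLE), simulate_requests(SAMPLE, 4, T0 + timedelta(days=3)))
```

A consumer of an alias should handle the case where no mapped account is Active, which is why `preferred` returns None rather than falling back to a Pending or Inactive account.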

