Secrets Safe: Overview | BI Cloud
What is Secrets Safe?
Secrets Safe is a secure solution for storing and managing secrets in a controlled, auditable environment. Password Safe administrators can assign groups in BeyondInsight to safes. Each safe operates as an isolated space where users can securely manage secrets within that safe.
Key features include:
- Ownership and Access Control: Ownership of secrets can be managed by anyone who is a current owner of the secret or has the Manage Safe permission. Permissions are assigned safe-wide and cannot be set on individual secrets.
- Permissions: Safes provide granular control over permissions, allowing users or groups to be assigned specific permissions that define how they can interact with secrets they do not own.
- Read-only access: Users can view, retrieve, and organize secrets into folders but cannot modify them.
- Ease of Access: Secrets can be quickly found and accessed using search and filtering tools.
How is Secrets Safe useful?
Secrets Safe minimizes the risk of unauthorized access to secrets. Each safe ensures that secrets are stored securely and accessed only by authorized users. Secrets Safe supports three different types of secrets: credential, file, and text.
How do I access Secrets Safe?
- Use a browser to sign in to your BeyondInsight/Password Safe URL.
  This URL is provided in the BeyondTrust welcome email and includes your site URL followed by /login.
- From the left menu, click Secrets Safe.
The Secrets Safe page displays.
The Secrets Safe page
Use the Secrets Safe page to view at-a-glance data about your secrets.
- Left menu: Easy access to all pages in BeyondInsight/Password Safe, including the Home, Assets, Smart Rules, Discovery Scanner, Management Systems, Managed Accounts, Password Safe, Secrets Safe, Analytics and Reporting, Configuration, and About pages.
- Header: Navigate to your favorite pages, view your notifications, access your connected apps, and set your account preferences.
- Safes > Search: View and search for safes.
- Create New Safe: Click to create a new safe.
- Secrets > Filter By: Filter by ID, Title, Type, Description, URL, Username, File Name, Owner(s), Folder, or Notes.
- Add Secret: Click to add a new secret.
- Grid display preferences: Set display preferences on the Secrets grid using the icons above the grid. Click an icon to:
  - Refresh the list.
  - Download the list to a .csv file.
  - Select which columns to display on the page.
  - Configure your page display.
  - Expand the grid.
- Secrets Safe list columns:
Column Names
- ID
- Title
- Type
- Description
- URL
- Username
- File Name
- Owner(s)
- Folder
- Notes
- Secrets Safe grid: Displays information based on filter selections.
- List navigation options: Navigate in the Secrets Safe secrets list.
Important information
Upon upgrade to BeyondInsight/Password Safe 24.3:
- Ownership: Secrets can now be owned by both users and groups simultaneously. Ownership takes precedence over safe-level permissions, provided the user has read access to the safe.
- Safes: Root folders are now called safes. They are no longer created or removed by assigning the "Secrets Safe" feature permission.
- Admin Access: BeyondInsight Administrators no longer have default access to all safes. They must be explicitly assigned permissions to safes and can only see safes they are part of via the team folder group.
- Any existing API scripts that rely on administrators having full access to safes will fail unless those administrators are assigned access to the safes.
- Show All Safes: A new toggle allows administrators to view all safes.
- Permissions Management: Only BeyondInsight Administrators can manage migrated safe permissions by default. Users and groups can manage safes once granted "Manage Safe" permissions.
- Read Access: Users can only view safes and their contents if they have read access.
- Team Folder Group: On upgrade, the group that created a team folder is automatically granted "Create" and "Read" permissions to the new safe. This does not apply to safes created post-upgrade.
