
Secrets Safe

⚠️

Important

Upon upgrade to BeyondInsight/Password Safe 24.3:

  • Ownership: Secrets can now be owned by both users and groups simultaneously. Ownership takes precedence over safe-level permissions, provided the user has read access to the safe.
  • Safes: Root folders are now called safes. They are no longer created or removed by assigning the "Secrets Safe" feature permission.
  • Admin Access: BeyondInsight Administrators no longer have default access to all safes. They must be explicitly assigned permissions to safes and can only see safes they are part of via the team folder group.
  • Show All Safes: A new toggle allows administrators to view all safes.
  • Permissions Management: Only BeyondInsight Administrators can manage migrated safe permissions by default. Users and groups can manage safes once granted "Manage Safe" permissions.
  • Read Access: Users can only view safes and their contents if they have read access.
  • Team Folder Group: On upgrade, the group that created a team folder is automatically granted "Create" and "Read" permissions to the new safe. This does not apply to safes created post-upgrade.

What is Secrets Safe?

Secrets Safe is a secure solution for storing and managing secrets in a controlled, auditable environment. Password Safe administrators can assign groups in BeyondInsight to safes. Each safe operates as an isolated space where users can securely manage secrets within that safe.

Key features include:

  • Ownership and Access Control: Ownership of secrets can be managed by anyone who is a current owner of the secret or has the Manage Safe permission. Assignment of permissions is safe-wide and cannot be done on individual secrets.
  • Permissions: Safes provide granular control over permissions, allowing users or groups to be assigned specific permissions that define how they can interact with secrets they do not own.
  • Read-only access: Users can view, retrieve, and organize secrets into folders but cannot modify them.
  • Ease of Access: Secrets can be quickly found and accessed using search and filtering tools.

How is Secrets Safe useful?

Secrets Safe minimizes the risk of unauthorized access to secrets. Each safe ensures that secrets are stored securely and accessed only by authorized users. Secrets Safe supports three different types of secrets: credential, file, and text.

How do I access Secrets Safe?

On the main BeyondInsight dashboard, select Secrets Safe from the left sidebar.

The Secrets Safe page

Use the Secrets Safe page to view at-a-glance data about your secrets.

  1. Sidebar: Easy access to all pages in BeyondInsight.
  2. Header: Navigate to your favorite pages, view your notifications, access your connected apps, and set your account preferences.
  3. Safes: View and create safes.
  4. Secrets: View and create secrets in the selected safe. Use filters to narrow the grid display.
  5. Secrets grid options: Click the icons to refresh the secrets grid, download the displayed secrets to a .csv file, select which columns to display, reset the list to the default settings, condense or expand the height of the rows in the list, and hide the filters and expand the list.
  6. Secrets grid: Displays information about secrets.
  7. Grid navigation options: Navigate between pages in the secrets grid.

Assign the Secrets Safe feature to a group

Access to Secrets Safe is granted to users by assigning permissions for the Secrets Safe feature to a group in which the users are members.

  1. In BeyondInsight, go to Configuration > Role Based Access > User Management.
  2. Click the vertical ellipsis for the group you want to assign the Secrets Safe feature to, and then select View Group Details.
  3. Under Group Details, select Features.
  4. Under Features, select the Secrets Safe feature.

ℹ️

Note

You can filter the list of features by All Features or Disabled Features, and Feature Name to quickly locate the Secrets Safe feature.

  5. Click Assign Permissions, and then select the appropriate permissions:
    • Read-only
    • Full control (read and write) – users with full control can create safes.
    • Disable permissions

Users who are members of the group are granted access to the Secrets Safe page. They must have read+ access in order to view safes.

Create, rename, and delete a Safe

ℹ️

Note

By default, administrators do not automatically see all safes. They can only see safes they have read+ access to. To view all safes, toggle Show All Safes to on. Safes they don’t have access to are greyed out.

Any user assigned the Secrets Safe feature with full control permissions can create safes. Users that create a safe are automatically granted the Manage Safe permission.

ℹ️

Note

The Manage Safe permission can be removed by other users with the same permission on that safe, or by BeyondInsight administrators.

To create a new safe:

  1. Under Safes, click Create New Safe.
  2. Give the safe a name, and then click Create Safe.

To rename a safe:

  1. Click the ellipsis next to the safe, and then select Rename.
  2. Enter a new name for the safe, and then click Save Changes.

To delete a safe:

  1. Click the ellipsis next to the safe, and then select Delete.
  2. Click Delete in the confirmation dialog.

ℹ️

Note

Users must have the Manage Safe permission assigned to them directly, or to a group they’re a member of, to delete or rename a safe.

Add users and groups to a safe, and assign permissions

Any user who is assigned the Manage Safe permission, either directly or through a group, can assign access and permissions to a safe. BeyondInsight administrators can always manage safe permissions regardless of their current access level.

  1. Click the ellipsis next to the safe, and then select Go to Advanced Details. The Access Management grid displays users and groups already added to the safe.
  2. Select All Users & Groups from the Show dropdown list:
    1. For individual users or groups, click the ellipsis to the right of the user, and then select Assign Permissions.
    2. For multiple users or groups, check the boxes next to the user or group. Assign Permissions and Remove Permissions buttons display above the grid. Click Assign Permissions.

ℹ️

Note

If the selected user/group has no permissions assigned, the bulk delete permissions button is not available.

  3. In the Assign Permissions side panel, check the appropriate permissions. Permissions available are:
    • Read Secrets and Folders (Required) – this is assigned by default
    • Create Secrets and Folders
    • Update Secrets and Folders
    • Delete Secrets and Folders
    • Share Secrets
    • Manage Safe (selecting this permission automatically checks all permissions)
    • You can also set an expiration date for permissions
  4. If required, toggle Set an expiration date to on, and enter an expiry date and time. Expiration defaults to one week from the current date.

ℹ️

Note

When an expiry occurs, expired permissions remain listed in the Access Management grid until a scheduled job, which runs at midnight, removes them.

  5. If multiple users or groups are selected, you can remove them prior to saving by clicking X next to the user/group. If all users/groups are removed, the Assign Permissions side panel closes.
  6. Click Assign Permissions to save selections.

Manage folders

Users can organize their secrets into subfolders within a safe to make locating a secret more efficient.

To create a new folder:

  1. Select a safe or one of its subfolders.
  2. Click the ellipsis next to the safe or subfolder, and then select Create Folder.
  3. Enter a name for the folder, and then click Create Folder.
  4. To edit a folder name or to delete a folder, click the vertical ellipsis next to the folder, and then select Rename or Delete.

Add Secrets to a safe or folder

Permissions are a combination of all permissions given to a user, as well as the permissions they inherit from the groups they belong to.

  • Users with full permissions to a safe can create secrets in that safe or in any of the safe’s subfolders.
  • Users and Groups with read access to a safe can be assigned ownership to a secret within that safe.
  • Owners of a secret have update, share, and delete permissions to that secret.
  • Users that own a secret in a safe they do not have read access to will not be able to access that secret.
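The rules above can be modelled for an access review. This is an added example, not BeyondTrust code: the permission names are shorthand for the safe permissions on this page, and the users, groups, and assignments are constructed sample data. It also lists owners who cannot reach their secret because they lack read access to the safe.

```python
READ, CREATE, UPDATE, DELETE, SHARE = "read", "create", "update", "delete", "share"
OWNER_GRANTS = {UPDATE, SHARE, DELETE}  # what ownership adds, per the list above


def effective_permissions(user, memberships, safe_acl, owners):
    """Permissions `user` holds on one secret in a safe.

    memberships: user -> set of group names
    safe_acl:    principal (user or group) -> safe-level permissions
    owners:      principals (users or groups) that own the secret
    """
    principals = {user} | memberships.get(user, set())
    perms = set()
    for principal in principals:
        # Direct permissions and those inherited from groups combine.
        perms |= safe_acl.get(principal, set())
    if READ not in perms:
        return set()  # without read access to the safe, ownership gives nothing
    if principals & owners:
        perms |= OWNER_GRANTS
    return perms


def stranded_owners(memberships, safe_acl, owners):
    """Users who own the secret (directly or via a group) but cannot read the safe."""
    return sorted(
        user for user, groups in memberships.items()
        if ({user} | groups) & owners
        and not effective_permissions(user, memberships, safe_acl, owners)
    )


# Constructed sample data for one safe and one secret.
MEMBERSHIPS = {"alice": {"dba"}, "bob": {"helpdesk"}, "carol": set()}
SAFE_ACL = {"dba": {READ}, "alice": {CREATE}, "carol": {READ, UPDATE}}
OWNERS = {"dba", "bob"}
```

With this data, alice gains the owner permissions through the dba group, carol keeps only her assigned permissions, and bob is reported as an owner with no access.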

To add a secret:

  1. Select a safe or one of its subfolders.
  2. In the Secrets pane, click Add Secret.
  3. Select your secret type: Add Credential, Add File, Add Text, or Import Secrets, and then fill out the information for each type of secret.

Add Credential

  1. Enter a Title, Description, Username, and URL (if required).
  2. Set the password:
    1. Select Manual Input to manually enter a password.
    2. Select Auto Generate and select a Password Policy from the list to have the password created based on the defined policy.
    3. Click Generate Password.
  3. Add a note if you require additional information to display for this credential other than its description. You can add Notes as a column when viewing the list of credentials in the grid, and you can also filter the grid by Notes.
  4. Click Create Secret.

Add File

  1. Enter a Title, Description, and URL (if required).
  2. Drag the file into the Upload File box or click the box to select a file to upload.
  3. Click Create Secret.

ℹ️

Note

There are no restrictions on file type; however, files must be 5MB or less.

Add text

  1. Enter a Title, Description, and URL (if required).
  2. Enter the body of the text.
  3. Add a note if you require additional information to display for this credential other than its description. You can add Notes as a column when viewing the list of credentials in the grid, and you can also filter the grid by Notes.
  4. Click Create Secret.

Import secrets

  1. If a confirmation dialog appears, click Continue.
  2. Drag the file into the Import CSV File box or click the box to select a file to upload.
  3. Select a folder or create a new folder to save the imported secret to.
  4. Click Import Secrets.

Import requirements

  • Import Secret file type must be CSV
  • CSV import functionality is only available if Workforce Passwords is enabled for the user.
  • Files must be 200KB or less.
  • CSV files must contain the following:
    • CSV (comma is the only supported field separator)
    • Header row (the first row in the file is skipped and secrets are processed starting on line two)
    • Eight columns are required (not all columns are used)
      • URL
      • Username
      • Password
      • TOTP (not used)
      • Extra (not used)
      • Name
      • Grouping (not used)
      • Fav (not used)

Example

CSV File - url,username,password,totp,extra,name,grouping,fav

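| URL | Username | Password | TOTP | Extra | Name | Group | Favorite |
|---|---|---|---|---|---|---|---|
| https://www.testsite00001.com | TestUser01 | password01 | | | TestName001 | | |
| https://www.testsite00002.com | TestUser02 | password02 | | | TestName002 | | |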

View, copy, edit, and delete a secret

Users can view details for their safe’s secrets, such as who owns the secret, when the secret was created and modified, and the folder path for the secret. Users can also copy the username and password for a team secret so they may use it. Secret owners can edit the properties and delete secrets they own. Administrators are limited by their current access level. For example, they cannot edit a secret they do not own unless they have the update permission. However, administrators can manage user and group access to a safe to change permissions as needed. Any modifications to permissions are audited.

  1. Select a safe or one of its subfolders.
  2. In the Secrets grid, click the vertical ellipsis for the secret.
  3. Each secret type, as indicated by its Type icon, has specific actions available from the options menu. Depending on your permissions:
    • For credential secrets, you can Copy Username, Copy Password, Copy Notes, View Details, Edit Secret, Share Secret, Remove Share, and Delete Secret.
    • For file secrets, you can Download File, Copy Notes, View Details, Edit Secret, Share Secret, Remove Share, and Delete Secret.
    • For text secrets, you can Copy Text, Copy Notes, View Details, Edit Secret, Share Secret, Remove Share, and Delete Secret.
    • For imported secrets, you can Copy Username, Copy Password, Copy Notes, View Details, Edit Secret, Share Secret, Remove Share, and Delete Secret.

Share a secret

Secrets can be shared between safes and folders. Shared secrets inherit the destination safe’s permissions. When secrets are shared, a shared icon displays in the type column in addition to the original type icon.

To share a secret:

  1. Select a safe or one of its subfolders.
  2. In the Secrets grid, click the vertical ellipsis for the secret.
  3. Select Share Secret.
  4. The Share to Folders side panel displays all safes and folders where you have the Create permission assigned. Select a safe or folder.
  5. Click Share. The secret displays in the secrets grid for the associated safe or folder.

ℹ️

Note

Secrets can be shared from the Personal folder. It is not possible to manage ownership of shared personal secrets.

Remove a shared secret

You can remove a shared secret. The Remove Share option is only available on the original copy of a secret. If selected it removes all shared instances of that secret, while the original copy remains. This requires the Share permission to that secret or ownership of the secret.

Additionally, you can delete individual shared copies of a secret from the safe they were shared to. This is done by selecting the Delete Share option. This requires the Delete permission to that secret or ownership of the secret. You can bulk delete original secrets and shared copies at the same time with multi-select.

ℹ️

Note

Shared secrets cannot be moved. When editing a shared instance of the secret the option to move that secret is not available.

