
Configuration

Configure Functional Account Requirements in Entra ID

Follow the steps below to set up Entra ID for use with BeyondTrust Password Safe.

  • Create enterprise application
  • Configure app registration
  • BeyondTrust Password Safe configuration
  • Create a second enterprise application

ℹ️

Note

Accounts can be managed with or without multifactor authentication enabled in Azure.

Create enterprise application

Create this enterprise application to map to the Application (Client) ID for the functional account.

  1. In Microsoft Azure, go to Enterprise Applications and select New application.
  2. Select Create your own application.
  3. Name your application, select the application type (App you're developing) and click Create.
  4. Update the name if necessary, select the Supported Account Types (this directory only) and click Register.
  5. Under Properties, disable Assignment required and Visible to users, and click Save.

Configure app registration

  1. In Overview section, copy the Application (Client) ID and Directory (Tenant) ID. These are needed later to configure the Password Safe functional account.
  2. In the Authentication section, enable Allow public client flows, and click Save.
  3. In the Certificates and secrets section, click New client secret. Enter the Description, an expiration date, and click Add.
  4. Copy the secret Value. This is needed later to configure the Password Safe functional account.

ℹ️

Note

The value is displayed only once, immediately after adding the new secret.

  5. In the API permissions section, add Microsoft Graph, and select type Application permissions.
  6. Add the Microsoft Graph application permissions UserAuthenticationMethod.ReadWrite.All, Domain.Read.All, Group.Read.All, and User.EnableDisableAccount.All.
  7. If User.Read is not already added, select Delegated permissions and add it.
  8. Click Add Permissions.
  9. Click Grant admin consent for your organization, and click Yes on the confirmation message.
  10. From the main menu, select Roles and administrators, then select the Helpdesk administrator role.
  11. Click Add assignments, then assign the application to the Helpdesk administrator role.

This completes configuration in Microsoft Azure. The remaining steps are done in BeyondTrust Password Safe.
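As an added check, not part of BeyondTrust's documentation or product: after admin consent is granted, the access token the functional account obtains from Entra ID lists the granted application permissions in its roles claim. This Python snippet compares that claim with the four application permissions required above and flags anything extra for a least-privilege review; the tenant ID and the token are constructed placeholders.

```python
import base64
import json

# Application permissions the page requires on the functional account's app registration.
REQUIRED_GRAPH_ROLES = {
    "UserAuthenticationMethod.ReadWrite.All",
    "Domain.Read.All",
    "Group.Read.All",
    "User.EnableDisableAccount.All",
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_payload(token: str) -> dict:
    """Decode a JWT payload for inspection only. The signature is NOT verified here,
    so use this on a token you just obtained yourself, never to trust a caller's token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-part JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_graph_roles(token: str, tenant_id: str) -> dict:
    """Compare the token's 'roles' claim (application permissions granted through admin
    consent) with the required set, confirm the issuing tenant, and report extra roles."""
    claims = decode_jwt_payload(token)
    roles = set(claims.get("roles", []))
    return {
        "tenant_ok": claims.get("tid") == tenant_id,
        "missing": sorted(REQUIRED_GRAPH_ROLES - roles),
        "extra": sorted(roles - REQUIRED_GRAPH_ROLES),
        "consent_complete": REQUIRED_GRAPH_ROLES <= roles,
    }


def make_test_token(payload: dict) -> str:
    """Constructed, unsigned token for this offline demo (a real Entra token is signed)."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


SAMPLE_TENANT = "00000000-0000-0000-0000-000000000000"   # placeholder Directory (Tenant) ID
SAMPLE_TOKEN = make_test_token({   # constructed: one required role missing, one extra role present
    "aud": "https://graph.microsoft.com",
    "tid": SAMPLE_TENANT,
    "roles": ["Domain.Read.All", "Group.Read.All",
              "User.EnableDisableAccount.All", "Directory.ReadWrite.All"],
})

if __name__ == "__main__":
    print(check_graph_roles(SAMPLE_TOKEN, SAMPLE_TENANT))
```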

BeyondTrust Password Safe configuration

  1. Go to Configuration > Privileged Access Management > Functional Accounts.
  2. Click Create New Functional Account.
  3. For the Entity Type, select Directory.
  4. For the Platform, select Microsoft Entra ID.
  5. Select the Azure scope: Public or US Government (supports Azure GCC High).
  6. Enter the Username in UPN format.
  7. Enter the previously saved values for the Application (Client) ID, Tenant ID, and Client Secret.
  8. Set the Alias.
  9. Click Create Functional Account.
  10. Go to Managed Systems.
  11. Click Create New Managed System.
  12. For the Entity Type, select Directory.
  13. For the Platform, select Entra ID.
  14. Enter the Domain, select the Functional Account created above, and select the Account Name Format.
  15. Click Create Managed System.

The Managed Account can be created manually or by using a Smart Rule.

Create managed account manually

  • Select the Managed System created above.
  • Click the vertical ellipsis at the right end of the row.
  • Select Create New Managed Account.
  • Enter the Username in UPN format, and enter ObjectId for the User and UPN.

Create managed account using a Smart Rule

  • Accounts can be onboarded by using Group Name or UPN (starts with/ends with) filters.

Create a second enterprise application

Create a second enterprise application to test the Password Safe managed account. The managed account must be a user of the application you create in this section.

Ensure the following properties are set when creating this enterprise application:

  • Assignment required: Set to Yes or No. The test application can either have assignment required (all managed accounts must be assigned to test passwords) or it can have assignment not required.
  • In Advanced settings, Allow public client flows is set to Yes.
  • API permissions: Microsoft Graph User.Read (delegated permission) with the status set to Grant admin consent.
  • Create or use an existing Key Vault. Assign Key Vault Readers access to the Password Safe applications.
  • Create a secret in Key Vault. You can also use the existing secret from the Functional Account.

In Password Safe, edit the functional account:

  • Update the functional account with the new Client ID in the Test Application (Client) ID field.
  • Update the secret if a new one was created.

Set account lockout options

You can set lockout options, such as lockout threshold and duration.

  1. Select Configuration.
  2. Under Role Based Access, select Local Account Settings.
  3. Under Account Lockout, set the following options:
    • Account Lockout Duration: Sets the number of minutes that the user is locked out after they hit the account lockout threshold. Once this time has elapsed, an attempt will be made to unlock the account during the user's next log in. Setting this value to 0 (zero) requires the account to be manually unlocked by an administrator.
    • Account Lockout Threshold: Sets the number of times a user can try their password before the account is locked out.
    • Account Lockout Reset Interval: Sets the number of minutes after an account is locked due to unsuccessful entry attempts before resetting the lockout counter.
    • Unlock account upon password reset request: When set to Yes, unlocks the account when the Forgot Your Password process is followed by the user. When set to No, the user may reset their password using the Forgot Your Password process, but the account remains locked until an administrator unlocks it.
    • Send lockout notification: When set to Yes, sends a notification to the email address configured in the Lockout Notification Recipients when any account becomes locked out.
    • Lockout notification recipients: Sets the email address where the lockout notification is sent. The Send Lockout Notification switch must be set to Yes for this to be relevant.
  4. Click Update Account Lockout Options.
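An added simulation of how the lockout options above interact (example code, not BeyondInsight's implementation): the threshold locks the account, the duration controls the automatic unlock at the next login (0 means administrator only), and the Forgot Your Password flow unlocks only when that option is Yes. It assumes the reset interval counts from the last failed attempt; the recipient address is a constructed placeholder.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class LockoutOptions:
    threshold: int = 5                 # Account Lockout Threshold (failed attempts before lockout)
    duration_min: int = 15             # Account Lockout Duration; 0 = only an administrator can unlock
    reset_interval_min: int = 30       # Account Lockout Reset Interval (minutes before the counter resets)
    unlock_on_password_reset: bool = True      # Unlock account upon password reset request
    send_lockout_notification: bool = True     # Send lockout notification
    notification_recipients: str = "secops@example.invalid"   # constructed placeholder


@dataclass
class LocalAccount:
    failed_attempts: int = 0
    last_failure: Optional[datetime] = None
    locked_at: Optional[datetime] = None
    notifications_sent: int = 0

    def attempt_login(self, password_ok: bool, now: datetime, opts: LockoutOptions) -> str:
        """Returns 'ok', 'failed' or 'locked'."""
        if self.locked_at is not None:
            # Auto-unlock is attempted at the next login once the duration has elapsed.
            elapsed = now - self.locked_at
            if opts.duration_min == 0 or elapsed < timedelta(minutes=opts.duration_min):
                return "locked"
            self._unlock()
        # Assumption: the counter resets once the reset interval has passed since the last failure.
        if (self.last_failure is not None
                and now - self.last_failure >= timedelta(minutes=opts.reset_interval_min)):
            self.failed_attempts = 0
        if password_ok:
            self._unlock()
            return "ok"
        self.failed_attempts += 1
        self.last_failure = now
        if self.failed_attempts >= opts.threshold:
            self.locked_at = now
            if opts.send_lockout_notification and opts.notification_recipients:
                self.notifications_sent += 1   # stands in for the email to the recipients
            return "locked"
        return "failed"

    def forgot_password_reset(self, opts: LockoutOptions) -> bool:
        """Forgot Your Password flow. Returns True if the account is still locked afterwards."""
        if opts.unlock_on_password_reset:
            self._unlock()
        return self.locked_at is not None

    def admin_unlock(self) -> None:
        self._unlock()

    def _unlock(self) -> None:
        self.failed_attempts = 0
        self.last_failure = None
        self.locked_at = None


def simulate(opts: LockoutOptions) -> list:
    """Replay a constructed attempt sequence (minute offset, password correct?) and return outcomes."""
    acct = LocalAccount()
    t0 = datetime(2024, 1, 1, 9, 0)
    attempts = [(0, False), (1, False), (2, False), (3, True), (20, True)]
    return [acct.attempt_login(ok, t0 + timedelta(minutes=m), opts) for m, ok in attempts]


if __name__ == "__main__":
    print(simulate(LockoutOptions(threshold=3, duration_min=15)))
    print(simulate(LockoutOptions(threshold=3, duration_min=0)))
```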

Set account password history

To set the account password history option:

  1. Select Configuration.
  2. Under Role Based Access, select Local Account Settings.
  3. Under Account Password, set the following option:
    • Enforce Password History: Enter the number of passwords a user must create before an old password can be reused. Enter 0 to not enforce a password history. There are no restrictions on using past passwords when 0 is entered.
  4. Click Update Account Password Options.

Configure email notifications

The email notification functionality allows BeyondInsight to send email under certain circumstances. This includes, but is not limited to, emails sent upon ticket assignment, password reset, user lockout notifications, smart rule actions, or API authentication failures.

ℹ️

Note

Email SMTP settings are initially set in the BeyondInsight configuration tool. Verify these settings are accurate and that you use the same information. Changes made here will be reflected in the configuration tool.

  1. Select Configuration.
  2. Under System, select Email Notifications.
  3. Enter an email address in the From email address box. This sets the email address that appears in the From and Reply-To fields for email notifications sent by BeyondInsight.
  4. Optionally, enable the Notify administrator on cloud connector failure setting. When enabled, this option sends an email if an error occurs while collecting cloud data using a connector configured in BeyondInsight.
  5. Click Update Email Notification Options.

ℹ️

Note

An email is sent every 24 hours.

Set support options

You can use the following support options to assist with troubleshooting issues with BeyondInsight:

  • Select log levels for BeyondInsight services log files.
  • Enable and configure system event recording. This feature consolidates selected events from multiple log files to the BeyondInsight database and displays this data in the System Event Viewer grid.
  • View recorded system events.

Select file log levels

  1. In BeyondInsight go to Configuration > Support > File Log Levels.
  2. For each service, select the desired logging level:
    • The options are Verbose, Debug, Information, Warning, and Error.
    • The default for all services is Information.
    • Verbose and Debug create a large volume of entries and should be used only when necessary.
  3. Click Update Settings.
  4. Changes take effect in about 30 seconds. Services do not need to be restarted.

Enable system event recording

  1. In BeyondInsight go to Configuration > Support > System Event Settings.
  2. Click the toggle to Enable System Event Database Recording.
  3. From the System Events Severity Level to Record dropdown, select:
    • Warning, to record warnings and errors
    • Error, to record errors only
  4. Set the number of days to retain recorded events in the field Purge System Events Older Than.

ℹ️

Note

Once events are purged, they are not available in the System Event Viewer.

System event viewer

ℹ️

Note

System event recording must be enabled (as above) to view events in the System Event Viewer.

  1. In BeyondInsight go to Configuration > Support > System Event Viewer.
    • This screen shows the events recorded and retained as per the System Event Settings.
    • The list of events can be filtered by Event Time and additional filters can be added.
    • On the right, above the column headings, there are icons to refresh and download the list of events, and to modify the appearance of the list, including adding or removing columns.
    • You can sort any column by clicking on the heading. An arrow appears to indicate whether the sort is ascending or descending. Click again to reverse the sort.
    • At the bottom of the list, you can page through the events and set the number to display per page.
  2. To view the full log file entry for any event, click the i at the right end of the event row.

Set Data Retention and Advanced Purging Options

When data is initially collected, it is stored as unprocessed data in the BeyondInsight database. After the data is processed and made available in the management console and reports, the unprocessed data is no longer needed. To maintain a manageable database size, the unprocessed data is purged at regular intervals. Go to Configuration > System > Data Retention to manage BeyondInsight's data retention.

Data retention

Maintenance

To maintain a manageable database size, the unprocessed data is purged at regular intervals. These intervals are for the purging of Discovery Management data and can be configured here.

  • Purge general events older than: Sets the number of days to keep the data sent by the agents. General events can include events like checking in and trying to connect to assets, and firewall events which might indicate that the scan cannot process because of a firewall blocking the connection. The default number of days is 7.
  • Purge attacks older than: Sets the number of days to keep attack data that was discovered by the protection agent. Recommended: 90 days.
  • Purge application events older than: Sets the number of days to keep the application events sent by the agents. The default value is 7.
  • Purge scans older than: Sets the number of days to keep the information defined in the scan settings. Recommended: 7 days.
  • Purge scan events older than: Sets the number of days to keep the data collected in scans. Recommended: 7 days.
  • Purge attack events older than: Sets the number of days to keep the data sent by the protection agents. Recommended: 7 days.
  • Purge discovery agent jobs every N days: When enabled, sets the number of days to keep the discovery data collected by the agents. Recommended: 1 day.

Click Update Maintenance Options to save your option settings.

Privileged access management

To maintain a manageable database size, older event data is purged at regular intervals. The intervals for the purging of privileged access management event data can be configured here.

  • Purge Windows events older than: Purges the information sent by the protection agents. The default value is 90 days.
  • Purge Endpoint Privilege Management events older than: Sets the number of days to keep Endpoint Privilege Management's unprocessed event data. The default is 30 days.
  • Purge Privilege Management for Unix & Linux events older than: Sets the number of days to keep events sent by Privilege Management for Unix & Linux Servers.
  • Purge file integrity events older than: Sets the number of days to keep File Integrity events captured by Endpoint Privilege Management.
  • Purge Endpoint Privilege Management Session Monitor events older than: Sets the number of days to keep the events collected when session monitoring is being used.
  • Purge Identity Services events older than: Sets the number of days to keep Identity Services unprocessed event data.

Click Update Privileged Access Management Maintenance Options to save your option settings.

Asset maintenance

To maintain a manageable database size, the unprocessed data is purged at regular intervals. The intervals for the purging of asset data can be configured here.

  • Purge assets: When enabled, Purge assets older than sets the number of days to keep asset data for assets that were discovered once, but are never discovered again. Recommended: 30 days.
  • Purge asset attributes: When enabled, Purge asset attributes older than sets the number of days to keep asset attribute data, such as ports, services, hardware, and attack events. Recommended: 7 days.
  • Purge Cloud assets: When enabled, Purge Cloud assets older than sets the number of days to keep cloud asset data. Cloud asset purging does not run unless Purge assets is also enabled. The Purge Cloud assets older than setting must always be equal to or less than the Purge assets older than setting. Recommended: 30 days.

Click Update Asset Maintenance Options to save your option settings.

Application maintenance

To maintain a manageable database size, the unprocessed data is purged at regular intervals. The intervals for the purging of application data can be configured here.

  • Purge reports older than: Sets the number of days to keep report files that are stored on the file system and in the corresponding database. The default value is 90 days.
  • Purge application user audits older than: Sets the number of days to keep user application audit data. Audit data is the record of user activities in the BeyondInsight system. The default and recommended value is 120 days.
  • Purge closed tickets older than: Sets the number of days before closed or inactive tickets are deleted. The purge calculation ensures the ticket is closed and uses the date the ticket was last updated, not the due date. For example, a ticket has a due date 60 days in the future but was closed and not edited for over a week. If the purge setting is set to 7, the ticket is purged even though the due date is in the future.

Click Update Application Maintenance Options to save your option settings.

Third-party integration maintenance

To maintain a manageable database size, the temporary data is purged at regular intervals. The interval for the purging of Third Party Integration temporary data can be configured here.

  • Purge third-party uploads older than: Sets the number of days to keep the information about the scan files that you upload. The default is 90 days.

ℹ️

Note

The data in the scan file is not purged.

Click Update Third-Party Integration Maintenance Options to save your option settings.

Purging options

In addition to purging data according to the data retention settings, the nightly purge can be configured with these advanced options. Go to Configuration > Support > Purging Options to set the following advanced options:

  • Database Index Maintenance: (Disabled by default) Rebuilds or reorganizes the indexes depending on what would be better for that index.
  • Nightly Database Statistics Maintenance: (Enabled by default) Updates any database statistics that are out of date.
  • Batch Purging: (Disabled by default) Enable this option to purge multiple assets at one time in a batch. When this option is enabled, the complete asset, including all asset attributes is purged (all older data is removed from the asset). When this option is disabled, one asset is purged at a time, as opposed to a batch of assets.
  • Loop Based Purging: (Disabled by default) When this option is enabled, after a round of purging is complete, the purge window is checked and if still in the purge window AND there are more than 1000 items left to purge, another round of purging begins. This looping cycle repeats until the purge window expires or there is not enough data worth deleting. The default purge window begins at 1:00 AM and is two hours long. When this option is disabled, only one round of purging is performed each day.

Configure proxy settings

You can configure a proxy server if your BeyondInsight server does not have direct internet access.

  1. In the BeyondInsight console, go to Configuration > System > Proxy Settings.
  2. Check Enable proxy support.
  3. Enter the IP address (including the http:// prefix) or the FQDN (for example, somehost.example.com) of the proxy server, and the username and password for the proxy server.

ℹ️

Note

The HTTPS protocol is not supported for the IP address or the fully qualified domain name.

  4. Check Local proxy override.
  5. Click Update Proxy Settings.

Configure discovery management options

Set job refresh options

You can set a refresh interval, which changes job refresh logic to avoid polling third party credentials. Instead, the jobs refresh a number of minutes before scan. You can set refresh intervals for scan jobs and Smart Rules. Scans can run more efficiently when Smart Rules are set to refresh at longer intervals.

  1. In the BeyondInsight console, go to Configuration > Discovery Management > Options.
  2. Under Job Refresh, set the following options:
    • Maximum job refresh frequency: BeyondInsight jobs are refreshed at the interval set. When the refresh occurs, updates to schedules, scanners, and Smart Rules are applied to the job. The default value is 360 minutes.
    • Time to refresh before scan for third party credentials: Sets a refresh interval which changes job refresh logic to avoid polling third party credentials. Instead, the jobs refresh the set number of minutes before the scan.

Set scan and event processing options

  1. Go to Configuration > Support > Processing Options to set the number of threads for scan and event processing. The following options are available:
    • Scan Threads: The number of scans that can be processed at one time. The default is 16.
    • Asset Threads: The number of assets per scan that can be processed at one time. The default is 1.
    • Agent Event Threads: These are threads used for Discovery Scan data processing.
    • Interleave Purging: When set to yes, uses idle threads to work on purging assets one at a time, if there are any assets queued up to be purged. If set to no (default), all purging activity is restricted to the dedicated purge window.
    • Importer seconds: The number of seconds between each attempt to purge; only applies if Interleave Purging is set to yes.
  2. Click Update Settings when done.

Configure global site options

You can configure global website settings from the Configuration > System > Site Options page, including:

  • Changing the Login page to include lists of domains and LDAP servers
  • Displaying the Forgot Password link on the Login page
  • Displaying social media links on the Login and About pages
  • Changing the refresh interval for Smart Rules
  • Configuring a pre-login banner to appear to users before logging into the site
  • Configuring session options
  • Enabling and disabling Endpoint Privilege Management options
  • Enforcing certificate validation during communication for LDAPS managed account tasks and LDAPS / AD user authentication and directory queries
  • Turning on language selection
  • Enabling and disabling the requirement to provide an access key when creating, editing, or using discovery scan credentials
  • Creating a global access key to be used for all discovery scan credentials
  • Configuring the maximum number of accounts to display in the Password Safe Accounts grid

List domains and LDAP servers on the Login page

Users can log in to the management console using Active Directory or LDAP credentials. When this site setting is enabled, the user can select a domain or LDAP server from the Log in to list. Domain and LDAP server information is based on the Active Directory and LDAP user group information.

ℹ️

Note

The Log in to list is only displayed on the Login page when there are either Active Directory or LDAP user groups created in the management console.

ℹ️

Note

By default, the setting is enabled. If you do not want to display domains or LDAP servers on the Login page, disable the setting.

  1. Under Login Page, uncheck the box to disable Show list of domains/LDAP servers on login page.
  2. Click Update Login Page Options.

You must log out and log back in for the change to take effect.

Disable forgot password link

Users logging into the console using Active Directory credentials cannot use the Forgot Password feature. In this scenario, you can disable the setting so the link is no longer displayed on the Login page.

  1. Under Login Page, uncheck the box to disable Show Forgot Password link on login page.
  2. Click Update Login Page Options.

You must log out and log back in for the change to take effect.

Disable social media links on the Login and About pages

By default, links for Facebook, Twitter, LinkedIn, and YouTube are available at the bottom of the Login page and also on the About page.

  1. Under Login Page, uncheck the box to turn off Show social media links on login and about pages.
  2. Click Update Login Page Options.

You must log out and log back in for the change to take effect.

Change the refresh interval for Smart Rules

Scans can run more efficiently when Smart Rules are set to refresh at longer intervals.

  1. Under General, set the number of minutes for Maximum Smart Rule refresh frequency for asset updates. The default is 60.
  2. Click Update General Options.

Configure a pre-login banner

You can configure a banner to appear to all users upon access to the site.

  1. Under Pre-Login Banner, check the Show banner option to enable it.
  2. Provide a title and message, and then click Update Pre-login Banner Options.

Configure session options

You can configure the following session related options:

  • Session timeout
  • Notification time before session timeout
  • Minimum interval between session extension requests
  • User Quarantine Cache refresh interval

ℹ️

Note

Changes to the Session Timeout value take effect the next time an Internet Information Services (IIS) reset is performed. Changes to Notification Time, Minimum Interval, and User Quarantine Cache Refresh Interval do not require an IIS reset.

Enable language selection (localization)

The management console can be viewed in the following languages:

  • German
  • English (US)
  • Spanish (LA)
  • French (FR)
  • French (CA)
  • Korean
  • Japanese
  • Portuguese (BR)

By default, the Language list is not displayed in the BeyondInsight console. Once localization is enabled, the Language list may be accessed from the Profile and preferences icon in the top right corner of the console and also from the bottom of the Login page.

  1. Under Localization, check the box to enable the Show language picker option.
  2. Click Update Localization Options.

You must log out and log back in for the change to take effect.

Enable Endpoint Privilege Management options

Endpoint Privilege Management options are not enabled by default. You can enable the following options:

  • Include arguments when creating rules
  • Suppress events where rule has been applied
  • Automatically retrieve initial grid data

Enable certificate validation

Certificate validation enforces the validity of the server certificate presented during communication. You can enforce the validation for LDAPS managed account tasks and for LDAPS / AD user authentication and directory queries. When these options are turned on, valid certificates are required, and the certificates of the issuing Certificate Authorities must be installed (trusted) on the server.

Configure global discovery credential access keys

When the Require a Discovery Credential Key option is enabled, all discovery credentials require the global credential access key. Enable the option, and then enter a Global Credential Key.

ℹ️

Note

You may still set a custom key on individual credentials to something other than the default.

When the Require a Discovery Credential Key option is disabled, all discovery credentials do not require an access key and all previously configured credential keys (including custom keys) are deleted.

ℹ️

Note

These settings apply to ALL discovery credentials for ALL tenants.

Configure the number of accounts to display in the Password Safe Accounts grid

You can set the number of accounts to display in the Password Safe Accounts grid search results. The default value of this option is 1,000 accounts, with a minimum limit of 100 accounts and a maximum of 10,000.

  1. Under Password Safe Portal, select the maximum number of accounts to display in the grid.
  2. Click Update Password Safe Portal Options.

Integrate the BeyondInsight API into Other Applications

You can integrate part of BeyondInsight's API into your applications using an API key.

ℹ️

Note

The API Registration page is only available to BeyondInsight administrators.

The ID and key are generated by BeyondInsight.

  1. Select Configuration > General > API Registrations.
  2. Enter a name for the registration.
  3. Click Create New API Registration to create a new application registration.

BeyondInsight generates a unique identifier (API Key) that the calling application provides in the authorization header of the web request. The API Key is masked and can be shown in plain text by clicking the Show Key icon next to the Key field. The API Key can also be manually rotated, or changed, by clicking the circular arrow.

ℹ️

Note

Once the key has been changed, any script using the old key receives a "401 unauthorized" error until the new key is used in its place. Read access and rotation of the key are audited.

  4. To configure a new registration or modify an existing one, select the registration, and then set the Authentication Rule Options:
    • Client Certificate Required: If enabled, a client certificate is required with the web request. If not, client certificates are ignored and do not need to be present. A valid client certificate is any client certificate signed by a certificate authority trusted by the server on which BeyondInsight resides.
    • User Password Required: If enabled, an additional authorization header value containing the RunAs user password is required with the web request. If not enabled, this header value does not need to be present and is ignored if provided. Square brackets surround the password in the header, for example:
      Authorization=PS-Auth key=c479a66f…c9484d; runas=doe-main\johndoe; pwd=[un1qu3];
    • Verify PSRUN Signature: The PSRUN signature is an extra level of authentication. It is computed from the factors using a shared secret between the client and server. PSRUN sends the signature as part of the header during its API request. If enabled, the server recomputes the signature during factor validation and compares it against the one sent by the client. If the signatures match, the client's identity is considered verified. The signature effectively keeps the client in sync with the server. Changing the secret on the server requires the client to be rebuilt and guarantees that out-of-date clients cannot authenticate.
  5. On the Details page, click Add Authentication Rule to create authentication rules. At least one IP rule or PSRUN rule is required; an IP rule is a valid source IP address (IPv4 or IPv6), an IP range, or a CIDR from which requests can be sent for this API Key. Enter one IP address, IP range, or CIDR per line.

X-Forwarded-For rules can also be created by providing a valid source IP address (IPv4 or IPv6), an IP range, or CIDR. In a load-balanced scenario, IP Authentication rules are used to validate the load balancer IP(s), and the X-Forwarded-For header is used to validate the originating client IP. Existing rules cannot be changed from an IP Rule to an X-Forwarded-For Rule or vice versa. If an X-Forwarded-For rule is configured, the header is required on the HTTP request. If the X-Forwarded-For header is missing, the request fails with a 401 unauthorized error.

  6. Click Create Rule.
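An added Python model of the authentication rules described above (example code, not BeyondInsight's implementation): it parses the PS-Auth authorization header, evaluates IP rules (single address, range, or CIDR, IPv4 or IPv6) against the connecting address, and, where X-Forwarded-For rules exist, requires the header and checks the originating client. It assumes field values in the header contain no ';' and that the first X-Forwarded-For entry is the client; the API key, addresses and headers are constructed placeholders.

```python
import hmac
import ipaddress
import re
from dataclasses import dataclass, field


def parse_ps_auth(header: str) -> dict:
    """Split 'PS-Auth key=...; runas=...; pwd=[...];' into its fields.
    Assumption: values contain no ';'. The pwd value is unwrapped from its square brackets."""
    scheme = "PS-Auth "
    if not header.startswith(scheme):
        raise ValueError("not a PS-Auth authorization header")
    fields = {}
    for item in header[len(scheme):].split(";"):
        item = item.strip()
        if not item:
            continue
        name, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"malformed field: {item!r}")
        fields[name.strip()] = value.strip()
    if "pwd" in fields:
        m = re.fullmatch(r"\[(.*)\]", fields["pwd"])
        if m is None:
            raise ValueError("pwd must be enclosed in square brackets")
        fields["pwd"] = m.group(1)
    return fields


def _parse_rule(rule: str):
    """One rule line: a single IP, a 'start-end' range, or a CIDR (IPv4 or IPv6)."""
    if "-" in rule:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in rule.split("-", 1))
        return "range", lo, hi
    if "/" in rule:
        return "net", ipaddress.ip_network(rule, strict=False), None
    return "ip", ipaddress.ip_address(rule), None


def ip_permitted(rules, ip: str) -> bool:
    """True if the address satisfies at least one rule line (blank lines ignored)."""
    addr = ipaddress.ip_address(ip)
    for kind, a, b in (_parse_rule(r.strip()) for r in rules if r.strip()):
        if kind == "ip" and addr == a:
            return True
        if kind == "net" and addr in a:          # False when IP versions differ
            return True
        if kind == "range" and addr.version == a.version and a <= addr <= b:
            return True
    return False


@dataclass
class ApiRegistration:
    api_key: str
    ip_rules: list = field(default_factory=list)   # validates the connecting IP (load balancer)
    xff_rules: list = field(default_factory=list)  # validates the originating client behind it
    user_password_required: bool = False


def authenticate(reg: ApiRegistration, headers: dict, source_ip: str):
    """Return (status, reason); 200 means the request satisfies the registration's rules.
    Every rejection is a 401, as the page describes."""
    try:
        auth = parse_ps_auth(headers.get("Authorization", ""))
    except ValueError as exc:
        return 401, str(exc)
    # Constant-time comparison so the key check does not leak timing information.
    if not hmac.compare_digest(auth.get("key", ""), reg.api_key):
        return 401, "unknown or rotated API key"
    if reg.user_password_required and "pwd" not in auth:
        return 401, "RunAs user password required"
    if not ip_permitted(reg.ip_rules, source_ip):
        return 401, "source IP not permitted by IP rules"
    if reg.xff_rules:
        xff = headers.get("X-Forwarded-For")
        if not xff:
            return 401, "X-Forwarded-For header required by rule"
        client_ip = xff.split(",")[0].strip()   # assumption: first hop is the originating client
        if not ip_permitted(reg.xff_rules, client_ip):
            return 401, "originating client IP not permitted by X-Forwarded-For rules"
    return 200, "ok"


# Constructed sample registration and request (placeholder key, documentation addresses).
SAMPLE_REG = ApiRegistration(
    api_key="c479a66f-PLACEHOLDER-c9484d",
    ip_rules=["10.0.0.0/24", "2001:db8::10"],     # the load balancers
    xff_rules=["192.0.2.1-192.0.2.100"],          # permitted originating clients
    user_password_required=True,
)
SAMPLE_HEADERS = {
    "Authorization": "PS-Auth key=c479a66f-PLACEHOLDER-c9484d; runas=doe-main\\johndoe; pwd=[un1qu3];",
    "X-Forwarded-For": "192.0.2.42, 10.0.0.7",
}

if __name__ == "__main__":
    print(authenticate(SAMPLE_REG, SAMPLE_HEADERS, "10.0.0.7"))
```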

View Privileged Remote Access data

If you have a licensed instance of Privileged Remote Access configured in your environment, you can export session data to an export database. You can then review Privileged Remote Access session data in the BeyondInsight Console, using the Privileged Remote Access Dashboard.

Configure the Privileged Remote Access database connection

  1. In the BeyondInsight console, go to Configuration > Secure Remote Access > Database Configuration.
  2. Provide the settings to connect to your Privileged Remote Access export database, and then click Test Connection.
  3. Click Update Settings.

View the Privileged Remote Access dashboard

  1. From the left menu in the console, click Privileged Remote Access.
  2. In the Dashboard you can quickly view a summary of Privileged Remote Access session data in each card.
  3. You can click the items within each card to review the specific records for that item in a grid view that can be sorted, filtered, and exported as required.

Configure OAuth authentication for agents

Use installer activation keys to leverage OAuth authentication when configuring:

  • Endpoint Privilege Management (EPM) agents that support OAuth communications.
  • Discovery Scanner event client and central policy.

A maximum of 10 installer activation keys can be present at any one time, including the system generated key. Keys can be deleted and new ones can be created as long as no more than 10 keys exist at once.

  1. From the left sidebar, click Configuration.
  2. Under Authentication Management, click Installer Activation Keys.
  3. To use the key generated by the system:
    • Select System Generated Key.
    • Select an Installer Type: Discovery Agent or Endpoint Privilege Management Agent.
    • Copy the installation command, make any necessary edits, and use it when deploying the agent.
  4. To create a new installer key:
    • Click Create New Installer Activation Key +.
    • Enter a name for the key.
    • Click Create Activation Key.
    • Select an Installer Type: Discovery Agent or Endpoint Privilege Management Agent.
    • Copy the installation command, make any necessary edits, and use it when deploying the agent.

When creating an installer activation key for Endpoint Privilege Management:

  • Confirm the exact file name of the MSI (x86 vs x64).
  • Include BEYONDINSIGHTCERTNAME="" if the certificate name differs from eEyeEmsClient.

ℹ️

Note

Once the endpoint communication is established with BeyondInsight, the activation key is no longer required. We recommend deleting it.

If you delete the key and an endpoint stops working and must be reconfigured, create a new installer activation key before uninstalling and reinstalling the client.

Activation keys and IDs are stored in the credential vault. When upgrading the endpoint in the future, the values are not required.

For example, if you initially run the Endpoint Privilege Management install using this command:

msiexec.exe /I PrivilegeManagementForWindows.msi /qn /norestart BI_MODE=1 BEYONDINSIGHTURL="test" ActivationId="test" ActivationKey="test"

Then run the upgrade using this command:

msiexec.exe /I PrivilegeManagementForWindows.msi /qn /norestart BI_MODE=1 BEYONDINSIGHTURL="test"
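The install and upgrade commands above, wrapped in a deployment script. This is an added example and is not part of the BeyondTrust documentation or product. It checks the architecture-specific MSI file name before calling msiexec, adds BEYONDINSIGHTCERTNAME only when the certificate name differs from eEyeEmsClient, reads the activation ID and key from environment variables set by the deployment tool rather than from the command line, and omits the activation values on the upgrade path because the endpoint already holds them in the credential vault. The MSI naming (PrivilegeManagementForWindows_x86.msi / _x64.msi), the environment variable names, and the URL are assumptions to adapt to your environment.

```powershell
# Added example, not BeyondTrust's own script: first-time install or upgrade of the
# Endpoint Privilege Management agent against BeyondInsight.
# Assumptions (placeholders, not values from the documentation):
#   - the MSI is named PrivilegeManagementForWindows_<x86|x64>.msi in $MsiDirectory
#   - BI_ACTIVATION_ID / BI_ACTIVATION_KEY are set by the deployment tool for installs
#   - $BeyondInsightUrl is the BeyondInsight URL the endpoint should report to
param(
    [Parameter(Mandatory)] [string] $MsiDirectory,
    [Parameter(Mandatory)] [string] $BeyondInsightUrl,
    [switch] $Upgrade,
    [string] $CertName = 'eEyeEmsClient'   # default client certificate name per the documentation
)

# Confirm the exact MSI file name (x86 vs x64) before calling msiexec.
$arch = if ([Environment]::Is64BitOperatingSystem) { 'x64' } else { 'x86' }
$msi  = Join-Path $MsiDirectory "PrivilegeManagementForWindows_$arch.msi"   # assumed naming
if (-not (Test-Path -LiteralPath $msi)) {
    throw "MSI not found: $msi (check the x86/x64 file name)"
}

$props = @(
    'BI_MODE=1',
    "BEYONDINSIGHTURL=`"$BeyondInsightUrl`""
)

# Only pass BEYONDINSIGHTCERTNAME when the certificate name differs from the default.
if ($CertName -ne 'eEyeEmsClient') {
    $props += "BEYONDINSIGHTCERTNAME=`"$CertName`""
}

if (-not $Upgrade) {
    # First-time install: the activation values come from the deployment tool's
    # environment so they never sit in a script file or in shell history.
    $activationId  = $env:BI_ACTIVATION_ID
    $activationKey = $env:BI_ACTIVATION_KEY
    if (-not $activationId -or -not $activationKey) {
        throw 'BI_ACTIVATION_ID / BI_ACTIVATION_KEY are not set; create an installer activation key first.'
    }
    $props += "ActivationId=`"$activationId`"", "ActivationKey=`"$activationKey`""
}
# Upgrade path: no activation values; the endpoint already has them in the credential vault.

$msiArgs = @('/I', "`"$msi`"", '/qn', '/norestart') + $props
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru -NoNewWindow

# 0 = success, 3010 = success but a reboot is required (we passed /norestart).
if ($proc.ExitCode -ne 0 -and $proc.ExitCode -ne 3010) {
    throw "msiexec failed with exit code $($proc.ExitCode)"
}
Write-Host "Endpoint Privilege Management $(if ($Upgrade) { 'upgrade' } else { 'install' }) completed (exit $($proc.ExitCode))."
```

Run it once with the activation variables set for the initial install (`.\Deploy-Epm.ps1 -MsiDirectory C:\Install -BeyondInsightUrl https://bi.example.test`), then with `-Upgrade` for later versions. Because the activation values are only read on the install path, the same script can be left in the deployment tool after the installer activation key has been deleted, as the note above recommends.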

Configure a claims-aware website to authenticate against SAML

You can configure a claims-aware website to bypass the current BeyondInsight login page and authenticate against any configured Federated Service that uses SAML to issue claims.

The claims-aware website is configured to redirect to a defined Federation Service through the web.config. Upon receiving the required set of claims, the user is redirected to the existing BeyondInsight website. At that point, it is determined if the user has the appropriate group membership to log in, given the claims associated with them.

If a user attempting to access BeyondInsight has group claims matching a group defined in BeyondInsight, and that group has the Full Control permission to the Management Console Access feature, the user bypasses the BeyondInsight login screen. If the user is new to BeyondInsight, they are created in the system using the same claims information. The user is also added to every BeyondInsight group named in their group claims that they are not already a member of.

If the user is not a member of at least one group defined in BeyondInsight or that group does not have the Full Control permission to the Management Console Access feature, they are redirected to the BeyondInsight login page.

Create a BeyondInsight group

Create a BeyondInsight group and ensure the group is assigned the Full Control permission to the Management Console Access feature.

Add relying party trust

After BeyondInsight is installed, metadata is created for the claims-aware website. Use the metadata to configure the relying party trust on the Federation Services instance.

The metadata is located in the following directory:

\eEye Digital Security\Retina CS\WebSiteClaimsAware\FederationMetadata\2007-06\

When selecting a Data Source in the Add Relying Party Trust Wizard, select the FederationMetadata.xml generated during the install.

Set up claim rules

ℹ️

Note

Claims rules can be defined in a number of different ways. The example provided is simply one way of pushing claims to BeyondInsight. As long as the claims rules are configured to include at least one claim of outgoing type Group (with Group claim matching exactly what is in BeyondInsight) and a single outgoing claim of type Name, then BeyondInsight has enough information to potentially grant access to the site to the user.
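The relying party trust from the "Add relying party trust" section and the claim rules this note describes, as one added example that is not BeyondTrust's own script or configuration. It assumes the federation service is AD FS and uses the standard AD FS claim descriptions for Name (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name) and Group (http://schemas.xmlsoap.org/claims/Group); the metadata path, the AD group SID, and the BeyondInsight group name are placeholders. The rules it emits correspond to the "Send LDAP Attributes as Claims" and "Send Group Membership as a Claim" templates in the AD FS wizard.

```powershell
# Added example, not BeyondTrust's own script. Creates the relying party trust
# from the FederationMetadata.xml the BeyondInsight installer generated and
# attaches claim rules that emit exactly one Name claim and one Group claim per
# mapped AD group, with the Group value matching the BeyondInsight group name.
# Assumptions: AD FS is the federation service; paths, SIDs and group names are
# placeholders; the claim type URIs are the default AD FS claim descriptions
# (check Service > Claim Descriptions if your farm customises them).
# Run in an elevated PowerShell session on the primary AD FS server.
Import-Module ADFS

# Copied from the BeyondInsight server's install directory (placeholder path).
$MetadataPath = 'C:\Temp\BeyondInsight\FederationMetadata.xml'

# AD group SID => BeyondInsight group name. Keyed on the SID so that renaming the
# AD group cannot silently change which BeyondInsight group it maps to. The
# BeyondInsight group must exist with Full Control on Management Console Access.
$GroupMap = @{
    'S-1-5-21-1111111111-2222222222-3333333333-1001' = 'BeyondInsight Console Users'   # placeholder SID
}

$NameClaim  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'
$GroupClaim = 'http://schemas.xmlsoap.org/claims/Group'
$GroupSid   = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
$WinAccount = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'
$Permit     = 'http://schemas.microsoft.com/authorization/claims/permit'

# Issuance transform rule 1: a single Name claim taken from sAMAccountName.
$transformRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "BeyondInsight Name claim"
c:[Type == "$WinAccount", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$NameClaim"), query = ";sAMAccountName;{0}", param = c.Value);

"@

# Issuance authorization rules: only members of a mapped group are issued a token.
$authzRules = ''

foreach ($sid in $GroupMap.Keys) {
    $biGroup = $GroupMap[$sid]
    # One Group claim per mapped AD group; Value is the BeyondInsight group name verbatim.
    $transformRules += @"
@RuleTemplate = "EmitGroupClaims"
@RuleName = "BeyondInsight Group claim: $biGroup"
c:[Type == "$GroupSid", Value == "$sid", Issuer == "AD AUTHORITY"]
 => issue(Type = "$GroupClaim", Value = "$biGroup", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);

"@
    $authzRules += @"
@RuleName = "Permit members of $biGroup"
c:[Type == "$GroupSid", Value == "$sid"]
 => issue(Type = "$Permit", Value = "true");

"@
}

Add-AdfsRelyingPartyTrust -Name 'BeyondInsight Claims Aware' `
    -MetadataFile $MetadataPath `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Confirm what AD FS stored before pointing users at the site.
Get-AdfsRelyingPartyTrust -Name 'BeyondInsight Claims Aware' |
    Select-Object Name, Identifier, Enabled, IssuanceTransformRules
```

The authorization rules are a second layer, not a replacement for the check BeyondInsight performs: as described above, a user whose claims match no BeyondInsight group with Full Control on Management Console Access is still sent back to the login page. Keying the Group rule on the AD group SID rather than its display name keeps the mapping stable if the AD group is renamed, while the BeyondInsight side still compares the emitted Group value exactly against the group name configured in the console.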

Supported federation service claim types

Claims-aware SAML

The following procedure demonstrates how to set up a claims-aware website using the Windows Identity Foundation (WIF) SDK.

  1. Start the Windows Identity Foundation Federation Utility.
  2. On the Welcome page, browse to and select the web.config file for the BeyondInsight Claims Aware site. The application URI automatically populates.
  3. Click Next.
  4. Select Using an existing STS.
  5. Enter Root URL of Claims Issuer or STS.
  6. Select Test location. FederationMetadata.xml is downloaded.
  7. Click Next.
  8. Select an STS signing certificate option, and then click Next.
  9. Select an encryption option, and then click Next.
  10. Select the appropriate claims, and then click Next.
  11. Review the settings on the Summary page, and then click Finish.

Disable forms login

In environments where SAML, smart card, or claims-aware is configured, we recommend enabling the Disable Forms Login authentication option to disallow users from using the standard login form in BeyondInsight.

To disable forms login for existing users, enable this option directly on a user account as follows:

  1. Click the vertical ellipsis for the user account, and then click Edit User Details.
  2. Under Authentication Options, check Disable Forms Login to enable the option.

ℹ️

Note

Please contact BeyondTrust Support for assistance if you need to bulk-apply this setting to existing accounts.

To disable forms login globally for newly created directory accounts:

  1. From the left sidebar, click Configuration.
  2. Under Authentication Management, click Authentication Options.
  3. Under Forms Login Options, check the Disable Forms Login for new directory accounts option to enable it.

Work with the multi-tenant feature (Organizations) in BeyondInsight

The multi-tenant feature in BeyondInsight allows you to define multiple organizations (or tenants) where each organization’s asset data is kept isolated from all other organizations. Only Smart Rules marked as Global can combine asset data across multiple organizations.

Most BeyondInsight features are available with multi-tenant, including Smart Rules and connectors.

Features not available include exclusions, tickets, and report templates.

Use the Organization drop-down filter

When working with more than one customer, use the Organization drop-down filter to see assets and Discovery Scanner agents associated only with a particular customer.

The Organization drop-down filter is displayed only if more than one active organization is available to the currently logged-on user.

Many pages in the console are organization-aware and reflect the organization chosen in your profile. However, other pages may still require you to select an organization on that page. If there is no saved value for the organization in your profile, the Global organization is the default.

Select Organization (tenant) on the Smart Rules page

All of the pre-packaged Smart Rules are part of the Global Rules. When a pre-packaged Smart Rule is turned on, the Smart Rule applies to all assets in every organization. You can use the Organization dropdown located at the top right corner of the page header, next to the Profile and preferences icon, to easily switch the Smart Rules displayed in the grid from the Global rules to rules for specific tenants.

ℹ️

Note

When you initially create an organization, both the default and the new organization are provisioned with the All Assets Smart Rule. Also, all active built-in Smart Rules are copied from the default organization to the new organization; inactive built-in Smart Rules are not copied from the default to the new organization. Once you change the organization, you can create Smart Rules as usual.

Select an Organization in quick rules

When you create a quick rule from the Address Group, you can select the organization.

Select an Organization for address groups

You can organize address groups by organization. When working in the Address Groups configuration area, you can select an organization and see the address groups specific to that organization.

Move items to a different Organization

To migrate existing organization-aware items to a different organization:

  1. In the BeyondInsight console, go to Configuration > General > Organizations.
  2. From the Organizations pane, click the vertical ellipsis for the organization for which you wish to migrate items, and then select Reassign related items.
  3. Check the items you wish to migrate:
    • Address Groups
    • Credentials
    • Policy Users
    • Workgroups
  4. From the Select an organization dropdown, select the organization you wish to migrate the items to.
  5. Click Reassign Items.

Select a workgroup for unknown (not scanned) assets

For unknown assets (assets not scanned by BeyondInsight), you must select a workgroup associated with the organization. Assets might be unknown when using the following settings:

  • Single IP address
  • IP range
  • CIDR notation
  • Named hosts

For known assets (assets detected and in the BeyondInsight database), a workgroup does not need to be selected. The assets are already associated with a workgroup. Assets are known when using the following settings:

  • Currently selected Smart Group
  • Currently selected Assets

Create a new workgroup

  1. In the BeyondInsight console, go to Configuration > General > Organizations.
  2. From the details pane for an organization, under Workgroups, click Create New Workgroup.
  3. In the Create New Workgroup pane, enter a Workgroup Name, and then click Create Workgroup.

Set up Organizations

Create a workgroup for the Discovery Scanner

The User Accounts Management feature is required to assign workgroups to an organization.

Each Discovery Scanner must be assigned a workgroup. A workgroup is typically created when the agent is initially deployed.

You can add and delete workgroups. However, you cannot rename workgroups.

You can delete a workgroup only if it is not associated with an organization, mobility connector, or Discovery Scanner.

Use the Events Client Configuration tool to create a workgroup.

  1. Log on to the asset where the agent resides.
  2. Start the Events Client Configuration Tool.
  3. Select the Enabled Application tab, and check the box for the agent.
  4. Select the Workgroup tab and enter a name and description.
  5. Click OK.

Add an Organization

An organization is automatically populated with an All Assets Smart Group.

  1. In the BeyondInsight console, go to Configuration > General > Organizations.
  2. From the Organizations pane, click Create New Organization.
  3. Enter the name of the organization, and then click Create Organization.
  4. The Active option is enabled by default and must be enabled to successfully run scans on the tenant's assets.
  5. Click Create New Workgroup.
  6. Create a new workgroup or add an existing workgroup.
  7. Click Save Changes.

Create a group for a tenant to run BeyondInsight reports

You can optionally create a user group for a tenant to allow the tenant's users to log in to BeyondInsight and run reports. When creating the user group, ensure that you assign Read only permissions to the Analytics and Reporting and Management Console Access features. Additionally, assign Read only permissions to the tenant's Smart Rules. The users can then run reports based on the Smart Rules.

As a security measure, a tenant cannot log in to BeyondInsight by default.


©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.