Managed Accounts | BI On-prem

What are managed accounts?

Managed accounts are user accounts which are local or Active Directory accounts on the managed system.

How are managed accounts useful?

Managed accounts provide centralized control, security, and automation for user accounts on managed systems.

How to access managed accounts

1. Open a browser and enter the URL for your Password Safe instance: https:///WebConsole/index.html.
2. Enter your username and password.
3. From the left menu, click .
   The Managed Accounts page opens and displays.

The Managed Accounts page

1. Filters: Select an item in the filter dropdowns to filter information.
2. Managed System grid: Displays information based on filter selections.
3. Grid display preferences: Set display preferences on the Managed Systems grid using the following options represented by icons above the grid:
   • Click to refresh the list, to download the list to a .csv file, to select which columns to display on the page, to configure your page display, andto expand the grid.

View managed accounts

When viewing managed accounts, you can change the number of items displayed on the page using the Items per page dropdown at the bottom of the grid. You can use the filters above the grid to filter the list by smart group and the various attributes listed in the Filter by dropdown.

After the account is added to Password Safe management, you can:

• Review the attributes and settings assigned to the account, such its identifying details, settings, and policies.
• View managed systems linked to the account.
• View Smart Groups associated with the account, as well as their last process date and processing status.
• See which accounts are synced to the managed account.
• View a list of password changes and the reason for each change.

View managed account details

To view details on a specific managed account:

1. From the left menu, click .
   The Managed Accounts page displays.
2. Locate the managed account you want to view the details for.
3. Click > Go to Advanced Details.
   The Advanced Details page displays.
4. Managed account details, such as identification information, account settings, policies and attributes are displayed under Details & Attributes for quick access.
5. To see more granular details, click through the tabs in the Advanced Details pane to view details on each topic:
   • Smart Groups displays the groups that the user belongs to.
   • Synced Accounts allows you to sync managed accounts and their passwords with a managed primary account.
     • Locate the account you want to sync in the grid.
     • Check the box next to the account.
     • Click + Sync Accounts, located above the grid.
   • Events displays events of the managed account.
     • Filter by further narrows results in the grid.
   • Propagation Actions allows you to assign one or more propagation actions to the account.
     • Locate the action you want to assign in the grid.
     • Check the box next to the action.
     • Click Assign Propagation Action, located above the grid.
   • Password History displays all previously used passwords for the account.

ℹ️

Click the View Managed System link above the grid to view the advanced details for the managed system associated with the managed account. To return to the advanced details for the managed account, click the View Managed Account link.

Create and Manage User Accounts

User accounts create the user identity that BeyondInsight uses to authenticate and authorize access to specific system resources. You can create local BeyondInsight users, as well as add Active Directory, Entra ID, and LDAP users into BeyondInsight.

You can also add application users, which are used to represent applications that interface with the public API. Application users cannot log in to the BeyondInsight console. They can only authenticate and interact with the public API.

ℹ️

A user account must be a member of a BeyondInsight user group because permissions to features are assigned at the group level. If a user is not a member of any groups in BeyondInsight, the user cannot log in to the console, and application users cannot authenticate with the public API.

Create a BeyondInsight local user account

1. From the left menu, click .
   The Configurationpage opens and displays.
2. Under Role Based Access, click User Management.
3. Click the Users tab to display the list of users in the grid.
4. Click Create New User above the grid.
5. Select Create a New User.
6. Provide a First Name, Last Name, Email, and Username for the new user. These fields are required.

ℹ️

You may use an email address for the username.

7. Provide a password and confirm it.

ℹ️

The password must meet the complexity requirements as defined by your default password policy, defined at Configuration > Role Based Access > Password Policy.

8. Optionally, enter the user’s contact information.
9. Optionally, set an Activation Date and an Expiration Date for the user account.

ℹ️

These dates are based on UTC time on the BeyondInsight server and are considered during the user's login attempt. The attempt fails if the user account is not yet active or if the expiration date has passed.

10. Check User Active to activate the user account.
11. Leave the Account Locked and Account Quarantined options unchecked.
12. Check the two Authentication Options, if applicable:
    • Override Smart Card User Principal Name: When enabled, a BeyondInsight user with a smart card that has a different Subject Alternative Name is able to log in to BeyondInsight. The smart card is mapped to the user.
    • Disable Login Forms: When enabled, SAML users are prevented from using the standard BeyondInsight log in form and authenticate with a configured identity provider. Check this option only if SAML is configured in your environment.
13. Select a Two-Factor Authentication method and mapping information, if applicable.
14. Click Create User.
    The user is created and User Details > Groups displays.
15. Filter the list of groups displayed by type, name, or description and select a group.
16. Click Assign Group above the grid.

ℹ️

The user must belong to at least one group

17. To remove the user from a group:
    • Select Assigned Groups from the Show dropdown, and then select a group.
    • Click Remove Group above the grid.

Update default password policy for local users

The default password policy defines the password complexity requirements for local BeyondInsight users. This includes the minimum and maximum length of the password and the type of characters required and permitted in the password. Update the default password policy as follows:

1. From the left menu, click .
   The Configurationpage opens and displays.
2. Under Role Based Access, click Password Policy.
3. Enter a name for the policy and an optional description.
4. Set the minimum and maximum password length.
5. Set the types of characters to be used: uppercase, lowercase, numeric, and non-alphanumeric.
6. Toggle the Enforce Minimum Characters To Change option to enable it. This compares the previous password to the new password when a user is updating their password via their account settings change password function.
7. Optionally, increase the Minimum Characters To Change. The default is 8 and cannot be decreased.
8. Click Update Password Policy to save the policy.

Add an active directory user

Active Directory users can log in to the management console and perform tasks based on the permissions assigned to their groups. The user can authenticate against either a domain or domain controller.

ℹ️

Active Directory users must log in to the management console at least once to receive email notifications.

1. From the left menu, click .
   The Configurationpage opens and displays.

2. Under Role Based Access, click User Management.

3. Click the Users tab to display the list of users in the grid.

4. Click Create New User above the grid.

5. Select Add an Active Directory User.

6. Select a credential from the list.

ℹ️

If you require a new credential, click Create a New Credential to create a new credential. The new credential is added to the list of available credentials.

7. If not automatically populated, enter the name of a domain or domain controller.
8. After you enter the domain or domain controller credential information, click Search Active Directory. A list of users in the selected domain is displayed.

ℹ️

For performance reasons, a maximum of 250 users from Active Directory is retrieved. The default filter is an asterisk (*), which is a wild card filter that returns all users. Filter by user name to refine the list.

✅

Example

Sample filters:

• a returns all group names that start with a.
• _d returns all group names that end with d.
• _sql returns all groups that contain sql in the name.

9. Click Search Active Directory.
10. Select a user, and then click Add User.
11. Assign at least one group to the user.

Add an Entra ID user

Entra ID users can log in to the management console and perform tasks based on the permissions assigned to their groups. The user can authenticate against either a domain or domain controller.

ℹ️

Entra ID users must log in to the management console at least once to receive email notifications.

1. From the left menu, click .
   The Configurationpage opens and displays.
2. Under Role Based Access, click User Management.
3. Click the Users tab to display the list of users in the grid.
4. Click Create New User above the grid.
5. Select Add a Microsoft Entra ID User.
6. Select a credential from the list.

ℹ️

• If you require a new credential, click Create a New Credential to create a new credential. The new credential is added to the list of available credentials.
• For performance reasons, a maximum of 250 users from Entra ID is retrieved. The default filter is an asterisk (*), which is a wild card filter that returns all groups. Filter by user name to refine the list.

✅

Example

Sample filters:

• a returns all group names that start with a.
• _d returns all group names that end with d.
• _sql returns all groups that contain sql in the name.

7. Click Search Microsoft Entra ID.
8. Select a user, and then click Add User.
9. Assign at least one group to the user.

Change the preferred domain controller for active directory user accounts

The preferred domain controller for a user is set by the group they are in, provided that the group was created with the propagate option turned on, and that this action happened before the user was set up.

If you want to change the preferred domain controller for a user, edit the user, select an appropriate credential, and then select a different preferred domain controller from the list.

ℹ️

Any future change to the preferred domain controller at the group level can overwrite this setting if the propagate switch is turned on.

Add an LDAP user

1. From the left menu, click .
   The Configurationpage opens and displays.
2. Under Role Based Access, click User Management.
3. Click the Users tab to display the list of users in the grid.
4. Click Create New User above the grid.
5. Select Add an LDAP User from the list.
6. Select a credential from the list.

ℹ️

If you require a new credential, click Create a New Credential to create a new credential. The new credential is added to the list of available credentials.

7. Click Fetch to load the list Domain Controllers, and then select one.
8. To filter the user search, enter keywords in the user filter or use a wild card.
9. Click Search LDAP.
10. Select a user, and then click Add User.
11. Assign at least one group to the user.

Add an application user

Application users represent applications that interface with the BeyondInsight public API. Application users cannot log in to the BeyondInsight console. They can only authenticate and interact with the public API, using Client ID and Client Secret for credentials within the OAuth client credential flow.

An API Registration type of API Access Policy must be assigned to an application user, and is used for processing IP rules. To create an application user:

1. From the left menu, click .
   The Configurationpage opens and displays.
2. Under Role Based Access, click User Management.
3. Click the Users tab to display the list of users in the grid.
4. Click Create New User above the grid.
5. Select Add an Application User from the drop-down list. The Create New Application User screen displays.
6. Add a username.  
7. Under API Access Policy, select the policy.
8. Copy the information from the Client ID and Client Secret fields for later use.
9. Click Create User.
10. Assign the user to a group that has the required permissions to access BeyondInsight and Password Safe features.
    • Click the vertical ellipsis for the user, and then select View User Details.
    • From the User Details pane, click Groups.
    • Locate the group, select it, and click Assign Group above the grid.

Recycle the client secret for an application user

When editing an application user, you have an option to recycle their secret. Once recycled, you can copy or view the new secret. When a secret is recycled and the user account is updated with this change, the previous client secret is no longer valid.

To recycle the secret for an application user:

1. From the left menu, click .
   The Configurationpage opens and displays.
2. Under Role Based Access, click User Management.
3. Click the Users tab.
4. Locate the application user in the grid.
5. Click > Edit User Details.
6. Click to the right of the Client Secret.
7. Click Recycle on the confirmation message that displays.
8. Copy the new secret for later use.
9. Click Update User.

View and update OAuth secret expiry

The user's secret will eventually expire. The Users grid has an OAuth Secret Expiry column, which you can use to view what is close to expiring. The default duration of a client secret is 365 days. You can adjust the lifetime of the secret from the Authentication Options configuration area in BeyondInsight. Updating this value only changes the secret expiry date for new application users and recycled client secrets. Older secrets cannot be updated.

To view the OAuth Secret Expiry for an application user:

1. From the left menu, click .
   The Configurationpage opens and displays.
2. Under Role Based Access, click User Management.
3. Click the Users tab.
4. Locate the application user. The OAuth Secret Expiry column lists the date and time that a client secret for that user expires.

To update the duration for client secrets:

1. From the left menu, click .
   The Configurationpage opens and displays.
2. Under Authentication Management click Authentication Options.
3. Under Application User Authentication Settings, enter the new duration of the client secret in the Client Secret Expiry field.
4. Click Update Application User Authentications Settings.

Edit a user account

Administrators can edit user details such as change the name, username, email, and password, update active status, lock and unlock the account, and update multi-factor authentication settings as follows:

1. From the left menu, click .
   The Configurationpage opens and displays.
2. Under Role Based Access, click User Management.
3. Click the Users tab to display the list of users in the grid.
4. Optionally, filter the list of users displayed in the grid using the Filter By dropdown.
5. Select a user, click the vertical ellipsis button, and then select Edit User Details.
6. In the Edit User pane, update the details as required, and then click Update User.

Add user to groups

1. From the left menu, click .
   The Configurationpage opens and displays.
2. Under Role Based Access, click User Management.
3. Click the Users tab to display the list of users in the grid.
4. Optionally, filter the list of users displayed in the grid using the Filter by dropdown.
5. Select a user or multiple users, and then click the Add User to Groups button above the grid.
6. Search for the group or groups, and then select the group or groups to assign currently selected users to the selected groups.

ℹ️

If a group already contains all of the selected users, a check mark is displayed next to the group name.

Delete a user account

Administrators can delete user accounts as follows:

1. From the left menu, click .
   The Configurationpage opens and displays.
2. From the left sidebar, click Configuration.
3. Under Role Based Access, click User Management.
4. Click the Users tab to display the list of users in the grid.
5. Optionally, filter the list of users displayed in the grid using the Filter by dropdown.
6. For local accounts, select the user.
7. Click above the grid, and then click Delete on the confirmation message.
8. For directory accounts, select the user.
9. Click > Delete User, and then click Delete on the confirmation message.

ℹ️

• For auditing purposes, if a user account is linked to any Password Safe session recordings, you cannot delete the account; however, you may disable the account.
• Directory accounts may be deleted only if they do not belong to any groups.

Work with managed accounts

Managed accounts are user accounts which are local or active directory accounts on the managed system.

View managed accounts

When viewing managed accounts, you can change the number of items displayed on the page using the Items per page dropdown at the bottom of the grid. You can use the filters above the grid to filter the list by smart group and the various attributes listed in the Filter by dropdown.

View managed account details

After the account is added to Password Safe management, you can:

• Review the attributes and settings assigned to the account, such its identifying details, settings, and policies.
• View managed systems linked to the account.
• View Smart Groups associated with the account, as well as their last process date and processing status.
• See which accounts are synced to the managed account.
• View a list of password changes and the reason for each change.

To view details on a specific managed account:

1. From the left menu, click .
   The Managed Accounts page displays.
2. Locate the managed account you want to view the details for.
3. Click > Go to Advanced Details.
   The Advanced Details page displays.
4. Managed account details, such as identification information, account settings, policies and attributes are displayed under Details & Attributes for quick access.
5. To see more granular details, click through the tabs in the Advanced Details pane to view details on each topic.

ℹ️

Click the View Managed System link above the grid to view the advanced details for the managed system associated with the managed account. To return to the advanced details for the managed account, click the View Managed Account link.

Delete managed accounts

Managed accounts can be deleted, except for synced accounts. A message is displayed if an account cannot be deleted.

1. From the left menu, click .
   The Managed Accounts page displays.
2. Select the account or multiple accounts.
3. Click above the grid, and then click Delete on the confirmation message.

Unlink managed accounts

You can unlink managed accounts from managed systems; however, this applies to Active Directory accounts only. If accounts included in the unlink selection are not domain accounts, no action is taken on those accounts.

1. From the left menu, click .
   The Managed Accounts page displays.
2. Select the account or multiple accounts.
3. Click above the grid, and then click Unlink on the confirmation message.

Change passwords for managed accounts

1. From the left menu, click .
   The Managed Accounts page displays.
2. Select the account or multiple accounts.
3. Click above the grid
4. Click Change Password on the confirmation message.

Configure subscriber accounts

ℹ️

Subscriber Accounts vs. Synced Accounts

• A parent account can have one or more synced accounts connected to it.
• A child account is considered a subscriber account of its parent.

You can view synced accounts in the Managed Account Details section of the parent account.

In the Managed Accounts API, child accounts are labeled as subscriber accounts, and include the ID of their parent account.

To enable Password Safe to update the account automatically, Automatic Password Management must be turned on for both the subscriber account and the associated managed system.

Any managed account can be synced to multiple accounts. These synced accounts become subscribers to the managed account. The managed account and all of its subscribers always share an identical password. When the password of the managed account or any of the subscriber accounts is changed, Password Safe automatically changes the password of the primary managed account and all of its subscribers to a new password.

ℹ️

To allow Password Safe to update the account, Automatic Password Management must be enabled for both the subscriber account and its associated Managed System

Once an account is synchronized as a subscriber account, settings modifications are limited to:

• Enable API
• Allow for scanning
• Application

To sync an account:

1. From the left menu, click .
   The Managed Accounts page displays.
2. Locate the managed account you want to view the details for.
3. Click > Go to Advanced Details.
   The Advanced Details page displays.
4. Under Advanced Details, click Synced Accounts.
5. Select the account or multiple accounts that you want to sync.
6. Click Sync Accounts above the grid.
7. To remove a synced account, select the account, and then click the Unsync Accounts button above the grid.

Configure password reset for managed account users

You can grant managed account users permission to reset the password on their own managed account, without granting them permission to reset passwords on other managed accounts. You can do this by creating a group, adding the managed account to the group, and then assigning permissions and the Credential Manager role to the group.

1. From the left menu, click .
   The Configurationpage opens and displays.
2. Under Role Based Access, click User Management.
3. From the Groups tab, click Create New Group.
4. Select Create a New Group.
5. Provide a name and description for the group, and then click Create Group.
6. From the Group Details pane, select Users.
7. Select users to add to the group, and then click Assign User above the grid.
8. From the Group Details pane, select Features.
9. Select the Management Console Access and Password Safe Account Management features, and then click Assign Permissions.
10. Select Assign Permissions Read Only. Do not grant Full Control.
11. From the Group Details pane, select Smart Groups.
12. Filter the list of Smart Groups by Type > Managed Account.
13. Select the Smart Group that contains the applicable managed accounts.
14. Click the vertical ellipsis button for the Smart Group, and then select Edit Password Safe Roles.
15. Select the Credentials Manager role, and then click Save Roles.

The managed account user can now log in to the console and reset the password for the managed account:

1. From the left menu, click .
   The Managed Accounts page displays.
2. Locate the managed account you want to view the details for.
3. Click > Change Password.

Use a managed account as a Discovery Scan credential

A managed account can be used as a credential when configuring a Discovery Scan.

ℹ️

Once the Scanner option is enabled, the key must be specified again if the account is edited. It may be the same key or a new one.

The following credential types are supported:

• Windows,
• SSH
• MySQL
• Microsoft SQL Server.

The following platforms are supported:

• Windows
• MySQL
• Microsoft SQL Server
• Active Directory
• Any platform with the IsUnix flag (AIX, HP UX, DRAC, etc.)

To add the managed account as a scan credential:

1. From the left menu, click .
   The Managed Accounts page displays.
2. Locate the managed account you want to view the details for.
3. Click > Edit Account.
4. Expand Scanner Settings.
5. Click the toggle to enable the scanner.
6. For the Scanner Credential Description, enter a name for the account that can be selected as the credential when setting up the scan details. The name is displayed on the Credentials Management dialog box when setting up the scan.
7. Assign and confirm a key so that only users that know the key can use the credential for scanning.
8. Click Update Account.

✅

The Managed Account password can be up to 256 characters, however the password is limited to the length supported by the target platform. With scan credentials, keep in mind the password length limitations on that endpoint.

ℹ️

For more information on configuring credentials, see Add Credentials for Use in Scans.

Managed account aliasing

Aliases are accessible using the API only. Account mappings can be changed without affecting the alias name. At least one managed account is required to be mapped for the alias to be active; when an alias has two or more managed accounts mapped, it is considered to be highly available. An account can only be mapped to one alias. Managed account aliases can be accessed from Configuration > Privileged Access Management > Managed Account Aliases.

Create a new alias

1. From the left menu, click .
   The Configurationpage opens and displays.
2. Under Privileged Access Management, click Managed Account Aliases.
3. Click Create New Alias +.
4. Enter a name, and then click Create Alias.

The new alias appears in the grid under Account Mappings, which displays all aliases ready to be mapped. New aliases show as Unmapped until they are associated with accounts.

ℹ️

Each managed account can only be mapped to a single alias.

You can use the dropdown to select which accounts to display: All Accounts, Mapped, or Unmapped Accounts only.

The Filter-by allows you to filter accounts by System, Account Name, Account Status, or Last Changed Date.

To unmap an account, select the account and click the broken link icon.

Mapped accounts have three status values:

• Active: The account credentials are current and can be requested.
• Pending: The account credentials are current but the password is queued to change.
• Inactive: The account password is changing.

The list of mapped accounts is rotated in a round-robin fashion, typically in order of last password change date. The preferred account, or the account whose status is active and has the oldest change date, is returned on the Alias API model.