
Configuration: Access

Access policies

An access policy defines the time frame and frequency that users can request passwords, remote access sessions, or access applications under Password Safe management.

An access policy is selected when you are configuring the Requester role.

Create an access policy

  1. Go to Configuration > Privileged Access Management Policies > Access Policies.
  2. In the Access Policies pane, click Create New Access Policy.
  3. Enter a name for the policy, and then click Create Access Policy.
  4. On the Basic Details tab:
    • Enter a description for the policy.
    • Optionally, enable the Email Notifications option to send emails when a request is received for the policy.

ℹ️

Note

Recipients may receive a large number of email notifications. Selective use of this option is strongly advised. Multiple addresses cannot be added at once. Each email address must be added one at a time by clicking Add Another Email.

  5. Select the Schedule tab, and then click Create Schedule.
  6. Configure the recurrence, time, and date settings for the policy. If you select a daily recurrence, you can optionally select Allow multi-day check-outs of accounts. This option allows the user continuous access to a granted request over a span of days.
  7. Optionally, enable the Enable Location Restrictions option, and then select a location from the list.
  8. If applicable, select an address group from the X-Forwarded-For list. This setting names the allowed values of the X-Forwarded-For header, which is added by an F5 load balancer or proxy in front of the web console. The header value is verified against the IP addresses in the selected address group; URL and named-host entries in the group are ignored. If the X-Forwarded-For field is set to Any, no X-Forwarded-For header is required or verified. If an address group is selected, the X-Forwarded-For header is required and its value must be one of the IP addresses in that address group.

ℹ️

Note

For a new configuration, a header value that has not yet been added to the address group is rejected, and the following error message is written to the log:

  CheckLocationAllowed: XForwardedForHeaderValue 1.1.1.1 is not registered/trusted.  Add this XForwardedForHeaderValue to the TestGroupName Address group

  9. Select the type of access to permit: View Password, RDP, SSH, or Application.
  10. For each type of access selected, configure the parameters as required. Descriptions for each parameter are as follows:
Parameter: Description

Approvers: Select the number of approvers required to permit access. Check Auto Approve if the requests do not require any approvers.

Allow API Rotation Override: Check this option for View Password access to allow API callers, such as Password Safe Cache, to override the Change Password After Any Release managed account setting for view-type requests.

API Only Access: Check this option for View Password access to enable API callers, such as Password Safe Cache or Privileged Remote Access, to retrieve passwords through the API, while restricting requestors from viewing these passwords through the web console.

Record: Check the box to record the session.

Keystroke Logging: Keystrokes can be logged during RDP, SSH, and application sessions. Uncheck the boxes for each policy type to disable keystroke logging for that type.

Enhanced Session Auditing: Enhanced session auditing applies to RDP and application sessions and is on by default. Click the toggle to turn off enhanced session auditing.

Concurrent: Set the number of sessions permitted at a time. Check Unlimited to permit the user any number of connections to occur at the same time.

Log off on Disconnect: Check this box to automatically log off the user when the connection to the session disconnects or the session window closes. This option applies only to RDP and RDP application sessions, and is active only when Enhanced Session Auditing is enabled.
If the session has been terminated by an Active Sessions reviewer, the logoff on disconnect occurs regardless of the access policy setting.

Force Termination: Check this box to close the session when the time period expires. When Log off on Disconnect is also selected, the user is logged off the session. This check box applies to RDP, SSH, and application sessions.
When the Requested Duration (as entered by the user on the Requests page in the web portal) is exceeded, the session ends if the Force Termination box is checked for the access policy.
The default and maximum release durations are configured on the Managed Accounts page and Managed System Settings page.

RDP Admin Console: Select this option to show the RDP Admin Console check box on RDP-based requests. This option allows administration of a Remote Desktop Session Host server in console mode (mstsc /admin). This can be useful if the number of remote sessions is maxed out on the host.
Using the RDP Admin Console allows you to use a remote session without requiring other sessions to disconnect. Running a remote session using the RDP Admin Console disables certain services and functionality, such as, but not limited to:
  • Remote Desktop Services client access licensing
  • Time zone redirection
  • Remote Desktop Connection Broker redirection
  • Remote Desktop Easy Print

Connection Profile: Select a profile from the list, or click Manage Connection Profiles to go to the Connection Profiles page and create a new profile.
  11. Under Policy Options:
    • If you want users to provide a reason when making requests in Password Safe, click the toggle for the Reason is required for new requests option to enable it.
    • If you want users to provide a ticket number for a ticketing system when making requests in Password Safe, click the toggle for the Require a ticket system and a ticket number for requests option to enable it.
      • Once enabled, select the Ticket System from the dropdown. If you leave the Ticket System as User Selected, the user can select any ticket system from the list when making their request. If you select a specific ticket system for this option, the user is unable to change the ticket system when making their request.
  12. Click Create Schedule. If the access policy is not yet marked as available, you are prompted to activate it now.
  13. Assign the access policy to a user group as follows:
    • Select the Assignees tab.
    • Click Manage Assignees. You are taken to the User Management page.
    • Click the vertical ellipsis for a group, and then select View Group Details.
    • From the Group Details pane, click Smart Groups.
    • Click the vertical ellipsis for a managed account Smart Group, and then select Edit Password Safe Roles.
    • Check Requestor, and then select the access policy you just created from the dropdown.
    • Click Save Roles.
  14. Confirm the group is now listed as an assignee on the Assignees tab for the access policy you just created.
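The X-Forwarded-For check from the schedule step above, together with the error message shown in its note, modelled as an added Python example. This is not BeyondTrust's code: the address group name TestGroupName is taken from the log line on the page, while the IP ranges in the group, the treatment of a multi-valued header (only the right-most entry, the one written by the trusted load balancer, is checked) and the message texts for the other failure cases are this example's assumptions.

```python
import ipaddress

# Constructed sample address group (hypothetical ranges). The URL and named-host
# entries are present only to show that they are skipped, as the text states.
ADDRESS_GROUPS = {
    "TestGroupName": ["10.0.0.0/8", "192.168.1.5", "https://example.invalid", "host.example"],
}


def address_group_networks(group_name):
    """Return the IP networks in an address group; URL and named-host entries are ignored."""
    networks = []
    for entry in ADDRESS_GROUPS.get(group_name, []):
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue  # not an IP address or CIDR range: ignored
    return networks


def check_location_allowed(xff_setting, headers):
    """Return (allowed, message) for one request.

    xff_setting is the access policy's X-Forwarded-For value: "Any" means the
    header is neither required nor verified; an address group name means the
    header is required and its value must be an IP address in that group.
    """
    if xff_setting == "Any":
        return True, "X-Forwarded-For not required"
    raw = headers.get("X-Forwarded-For")
    if not raw:
        return False, "CheckLocationAllowed: X-Forwarded-For header is required but missing"
    # A proxy chain appends addresses left to right; only the right-most entry was
    # written by the trusted load balancer, earlier entries are client-supplied
    # (assumption of this example).
    value = raw.split(",")[-1].strip()
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False, f"CheckLocationAllowed: XForwardedForHeaderValue {value} is not a valid IP address"
    if any(addr in net for net in address_group_networks(xff_setting)):
        return True, f"CheckLocationAllowed: XForwardedForHeaderValue {value} trusted via {xff_setting}"
    # Same wording as the log line quoted in the note above.
    return False, (
        f"CheckLocationAllowed: XForwardedForHeaderValue {value} is not registered/trusted.  "
        f"Add this XForwardedForHeaderValue to the {xff_setting} Address group"
    )


if __name__ == "__main__":
    for hdr in ({}, {"X-Forwarded-For": "1.1.1.1"}, {"X-Forwarded-For": "203.0.113.9, 10.2.3.4"}):
        print(hdr, "->", check_location_allowed("TestGroupName", hdr))
```

Run it to see the three outcomes: a missing header is rejected when a group is configured, an address outside the group produces the same message as the note, and a chained header is accepted only when its last entry is in the group.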

Create a connection profile

Connection profiles allow administrators to create a deny list of keywords, host names, and IP addresses. Each deny listed item can be given its own action, which is triggered when a requester types that item in an active SSH session.

Administrators can choose to have Password Safe perform the following actions when a match occurs: 

  • No Action: Select to be alerted only if a match occurs.
  • Block: Blocks the transmission of the command to the remote machine.
  • Lock: Locks the session for the requester.
  • Block and Lock: Performs both a block and lock as described above.
  • Terminate: Ends the remote session.

ℹ️

Note

Connection policies apply to SSH and SSH application sessions.

  1. Go to Configuration > Privileged Access Management Policies > Connection Profiles.
  2. From the Connection Profiles pane, click Create New Connection Profile.
  3. Enter a name for the profile, and then click Create Connection Profile.
  4. Optionally, to send email notifications when a deny listed item is triggered, click Email Notification Settings to expand it and add an email recipient.

ℹ️

Note

Recipients may receive a large number of email notifications. Selective use of this option is strongly advised.

  5. Click Save Changes.
  6. Click Create Match Condition.
  7. To add a deny listed item, select one of the following from the Match dropdown: Keyword, Hostname, or IP Address.
  8. Enter the match criteria in the Value box.
  9. From the Session Control dropdown, select the action to take when the deny listed item is triggered.
  10. Click Create Condition. Each deny listed item is displayed on a separate line.
  11. Apply the connection profile to an access policy schedule, as follows:
    • Go to Configuration > Privileged Access Management Policies > Access Policies.
    • Select the policy.
    • From the Edit Policy pane, click the Schedule tab.
    • Double-click a schedule to open it, or create a new schedule.
    • Scroll down to the Connection Profile dropdown, and then select the newly created profile from the list.
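An added Python example, not Password Safe's own code, of how the match conditions created above (Match type, Value, Session Control) and the five actions listed at the start of this section combine when a requester types a line in an SSH session. The match semantics (Keyword as a case-insensitive substring, Hostname and IP Address as whole tokens of the typed line), the ordering used when several conditions match, and the profile values are this example's assumptions.

```python
import ipaddress
import re

# Session control actions ordered from weakest to strongest; the ordering is an
# assumption of this example used only to pick one action when several items match.
ACTION_RANK = {"No Action": 0, "Block": 1, "Lock": 2, "Block and Lock": 3, "Terminate": 4}
MATCH_TYPES = ("Keyword", "Hostname", "IP Address")

# Separators between tokens of a typed command line (assumption of this example).
TOKEN_SPLIT = re.compile(r"[\s;|&@:/=,]+")


class MatchCondition:
    """One deny listed item: a Match type, a Value, and a Session Control action."""

    def __init__(self, match, value, session_control):
        if match not in MATCH_TYPES:
            raise ValueError(f"unknown match type: {match}")
        if session_control not in ACTION_RANK:
            raise ValueError(f"unknown session control: {session_control}")
        self.match = match
        self.value = value
        self.session_control = session_control
        if match == "IP Address":
            self.address = ipaddress.ip_address(value)  # rejects a malformed entry early

    def matches(self, line):
        if self.match == "Keyword":
            # Keyword: case-insensitive substring anywhere in the typed line.
            return self.value.lower() in line.lower()
        tokens = [t for t in TOKEN_SPLIT.split(line) if t]
        if self.match == "Hostname":
            # Hostname: a whole token, so "admin@dc01.corp.example" still matches.
            return any(t.lower() == self.value.lower() for t in tokens)
        # IP Address: compare parsed addresses so "10.0.0.5:22" and "http://10.0.0.5/" both match.
        for token in tokens:
            try:
                if ipaddress.ip_address(token) == self.address:
                    return True
            except ValueError:
                continue
        return False


def evaluate_line(profile, line):
    """Apply a connection profile to one typed line.

    Returns (action, matched_values). action is None when no item matched; when
    several items match, the strongest Session Control is applied and every
    matched value is reported so that "No Action" items still produce an alert.
    """
    hits = [c for c in profile if c.matches(line)]
    if not hits:
        return None, []
    strongest = max(hits, key=lambda c: ACTION_RANK[c.session_control])
    return strongest.session_control, [c.value for c in hits]


# Constructed sample profile (hypothetical values, not one of the predefined profiles).
SAMPLE_PROFILE = [
    MatchCondition("Keyword", "rm -rf", "Terminate"),
    MatchCondition("Keyword", "sudo", "No Action"),  # alert only
    MatchCondition("Hostname", "dc01.corp.example", "Block"),
    MatchCondition("IP Address", "10.0.0.5", "Block and Lock"),
]

if __name__ == "__main__":
    for typed in ("ls -la /tmp", "sudo -l", "ssh admin@dc01.corp.example",
                  "curl http://10.0.0.5:8080/", "sudo rm -rf /tmp/build"):
        print(repr(typed), "->", evaluate_line(SAMPLE_PROFILE, typed))
```

The point of returning every matched value alongside the single applied action is that an alert-only item ("No Action") is never silently absorbed by a stronger one: the reviewer still sees which keywords fired.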

Use a predefined connection profile

The following predefined connection profiles are available for an access policy: Lateral Movement and Suspicious Activity.

The profiles are configured to match on keywords that might indicate suspicious behavior occurring on your network. If a match is detected on any of the keyword values, the session is blocked.

You can add or delete keywords in the predefined connection profiles.

Role-based access

BeyondInsight offers a role-based delegation model so that you can explicitly assign permissions to groups on specific product features based on their role. Users are provisioned based on the permissions of their assigned groups.

A user must always belong to at least one group that has permissions assigned to be able to log in to BeyondInsight and Password Safe.

You can create BeyondInsight local groups, or you can use existing Active Directory, Entra ID, or LDAP groups.

ℹ️

Note

By default, an Administrators user group is created. The permissions assigned to the group cannot be changed. The user account you created when you configured BeyondInsight is a member of the group.

Create and edit directory credentials

A directory credential is required for querying Active Directory (AD), Entra ID, and LDAP. It is also required for adding AD, Entra ID, and LDAP groups and users in BeyondInsight. Follow the steps below for creating each type of directory credential.

To create a directory credential in BeyondInsight:

  1. From the left sidebar, click Configuration.
  2. Under Role Based Access, click Directory Credentials.
  3. Click + Create New Directory Credential.
  4. Select the Directory Type and follow the steps below that are applicable for that type.

Create an Active Directory credential

  1. Select Active Directory for the Directory Type.
  2. Provide a name for the credential.
  3. Enter the name of the domain where the directory and user credentials reside.
  4. Enable the Use SSL option to use a secure connection when accessing the directory.

ℹ️

Note

If Use SSL is enabled, SSL authentication must also be enabled in the BeyondInsight configuration tool.

  5. Enter the credentials for the account that has permissions to query the directory.
  6. Enable the Use Group Resolution option to use this credential for resolving groups from the directory.

ℹ️

Note

Only one credential can be set for group resolution per domain or server.

  7. Click Test Credential to ensure the credential can successfully authenticate with the domain or domain controller before saving the credential.
  8. Click Create Credential.

Create an LDAP credential

  1. Select LDAP for the Directory Type.
  2. Provide a name for the credential.
  3. Enter the name of the LDAP server where the directory and user credentials reside.
  4. Enable the Use SSL option to use a secure connection when accessing the directory.

ℹ️

Note

If Use SSL is enabled, SSL authentication must also be enabled in the BeyondInsight configuration tool.

  5. Enter the credentials for the account that has permissions to query the directory.
  6. Enable the Use Group Resolution option to use this credential for resolving groups from the directory.

ℹ️

Note

Only one credential can be set for group resolution per LDAP server.

  7. Click Test Credential to ensure the credential can successfully authenticate with the domain or domain controller before saving the credential.
  8. Click Create Credential.

Create an Entra ID credential

  1. Select Microsoft Entra ID for the Directory Type.
  2. Select a credential scope: Public or US Government (supports Azure GCC High). The scope cannot be changed after the directory credential is created.
  3. Provide a name for the credential.
  4. Paste the Client ID, Tenant ID, and Client Secret that you copied when registering the application in your Entra ID tenant.
  5. Enable the Use Group Resolution option to use this credential for resolving groups from the directory.

ℹ️

Note

Only one credential is supported per Entra ID tenant.

  6. Click Test Credential to ensure the credential can successfully authenticate with the domain or domain controller before saving the credential.
  7. Click Save Credential.

Edit a directory credential

  1. From the Directory Credentials grid, click the vertical ellipsis for the credential, and then select Edit.
  2. Make the changes required.

ℹ️

Note

For AD or LDAP credentials, if you change the Domain or LDAP Server, enable or disable the Use SSL option, or update the Username or Bind DN, you must change the password. Click Change Password to display fields to enter and confirm the new password.

  3. Click Test Credential to ensure the edited credential can successfully authenticate with the domain or domain controller before saving the credential.
  4. Click Save Credential.

ℹ️

Note

To use Entra ID credentials for logging into BeyondInsight, the accounts must use SAML authentication.

Map directory credentials to a domain

Domain management lets you map a default primary directory credential and an optional fallback credential to each domain in your environment. These become the preferred binding credentials used for account resolution against that domain when a user logs in to BeyondInsight.

ℹ️

Note

If credentials are not mapped, or both mapped credentials fail, BeyondInsight attempts login following the legacy process of not using mapped credentials.

Follow these steps to add or edit primary and secondary credentials for a domain:

  1. From the left sidebar, click Configuration.
  2. Under Role Based Access, click Domain Management.
  3. Click Create New Domain + to create a new one.
  4. Provide the name of the domain or LDAP server.
  5. Select the type of platform.
  6. Select a Primary Credential from the dropdown.
  7. Select a Fallback Credential from the dropdown.
  8. Click Create Domain.
  9. To edit credentials for an existing domain, select the domain from the left pane, make your edits, and then click Save Domain.

ℹ️

Note

Primary and fallback credentials can include Password Safe managed accounts.

When domain management is configured for a domain and a user selects that domain when logging in to BeyondInsight, the specified primary and fallback credentials are used to resolve their account. The credentials used for authentication are shown in the Login Details for the specific login activity on the Configuration > General > User Audits page.

Create and configure groups

Create user groups and user accounts so that your BeyondInsight administrators can log in to BeyondInsight.

When a user is added to a group, the user is assigned the permissions assigned to the group.

You can create BeyondInsight local groups, as well as add Active Directory groups, Entra ID groups, and LDAP groups in BeyondInsight from the Configuration > Role Based Access > User Management page.

You can filter the groups displayed in the grid by type of group, name of the group, group description, and the date the group was last synchronized.

ℹ️

Note

By default, the first 100 groups are displayed per page. You can change this by selecting a different number from the Items per page dropdown at the bottom of the grid.

Create a BeyondInsight local group

To create a local group in BeyondInsight, follow these steps:

  1. From the left sidebar, click Configuration.
  2. Under Role Based Access, click User Management.
  3. From the Groups tab, click + Create New Group.
  4. Select Create a New Group.
  5. Enter a Group Name and Description for the group.
  6. The group is set to Active by default. Check the box to deactivate it, if you prefer to activate it later.
  7. Click Create Group.
  8. Assign users to the group:
    • Under Group Details, select Users.
    • From the Show dropdown list, select Users not assigned.
    • Filter the list of users displayed in the grid by Type, Username, Name, Email, and Domain, if desired.
    • Select the users you wish to add to the group, and then click Assign User above the grid.

ℹ️

Note

By default, new groups are not assigned any permissions. You must assign permissions on features and Smart Groups after creating a new group.

ℹ️

Note

When a local user logs in to BeyondInsight for the first time using SAML authentication, BeyondInsight provisions their account by mapping it to the groups assigned to their account.

For releases prior to 21.3, and for upgrades to the 21.3 release, if the user account's group membership has changed (in the SAML claims provided) upon subsequent logins, BeyondInsight does not deprovision the user by removing them from the groups that were initially mapped to their account. Instead, BeyondInsight maps the user to any newly assigned groups, in addition to the groups their account is already mapped to.

You can configure BeyondInsight to synchronize group membership each time a local user logs in using SAML, as follows:

  1. Navigate to Configuration > Authentication Management > Authentication Options.
  2. Under SAML Logon for Local Users, toggle the Enable Group Resync option to enable it.

For new installs of release 21.3 and later releases, this option is enabled by default.

Add an Active Directory group

Active Directory (AD) group members can log in to the management console and perform tasks based on the permissions assigned to the group. The group can authenticate against either a domain or domain controller. Upon logging into BeyondInsight, users can select a domain from the Log in to list on the Login page.

ℹ️

Note

The Log in to list is only displayed on the Login page when AD or LDAP user groups exist in the BeyondInsight console. The list is displayed by default, but an admin user can enable or disable it by toggling the Show list of domains/LDAP servers on login page setting on the Configuration > System > Site Options page.

ℹ️

Note

AD users must log in to the management console at least once to receive email notifications.

To create an Active Directory group in BeyondInsight:

  1. From the left sidebar, click Configuration.
  2. Under Role Based Access, click User Management.
  3. From the Groups tab, click + Create New Group.
  4. Select Add an Active Directory Group.
  5. Select a credential from the list.

ℹ️

Note

If you require a new credential, click Create New Credential to create one. The new credential is added to the list of available credentials.

  6. If the Domain field is not automatically populated, enter the name of a domain or domain controller.
  7. After you enter the domain or domain controller credential information, click Search Active Directory. A list of security groups in the selected domain is displayed.

ℹ️

Note

The default filter is an asterisk (*), which is a wild card filter that returns all groups. For performance reasons, a maximum of 250 groups from Active Directory is retrieved.

  8. Set a filter on the groups to refine the list, and then click Search Active Directory.

Example

Sample filters (the asterisk is the wildcard):

  • a* returns all group names that start with "a"
  • *d returns all group names that end with "d"
  • *sql* returns all groups that contain "sql" in the name

  9. Select a group, and then click Add Group.
  10. The group is added and set to Active but not provisioned or synchronized with AD. Synchronization with AD to retrieve users begins immediately.
  11. Once the group has been synced with AD, you can view the users assigned to the group by selecting Users from the Group Details pane.

ℹ️

Note

Use the filters above the grid to narrow down the list of users displayed in the grid by Type, Username, Name, Email, or Domain, or to show users not assigned to the group.

ℹ️

Note

By default, new groups are not assigned any permissions. You must assign permissions on features and smart groups after creating a new group.

Configure Active Directory group synchronization

Create and enable a recurring schedule for AD groups to automatically synchronize at a specified time and frequency. This ensures your AD groups are up to date with the latest users added to that group in Active Directory. This schedule applies globally to all AD groups in your BeyondInsight instance; however, the global schedule can be overridden at the group level and a group can be configured to be excluded from the synchronization process.

To enable Active Directory Group Synchronization:

  1. Navigate to Configuration > Role Based Access > Active Directory Group Synchronization.
  2. Check the Enable AD Group Synchronization option.
  3. Specify a Start Time.
  4. Select your desired frequency of Daily, Weekly, or Monthly.
  5. Click Save Configuration.

Add an Entra ID group

Entra ID group members can log in to the management console using SAML authentication and perform tasks based on the permissions assigned to the group. Upon logging into BeyondInsight, users can select a domain from the Log in to list on the Login page.

ℹ️

Note

The Log in to list is only displayed on the Login page when AD or LDAP user groups exist in the BeyondInsight console. The list is displayed by default, but an admin user can enable or disable it by toggling the Show list of domains/LDAP servers on login page setting on the Configuration > System > Site Options page.

ℹ️

Note

AD users must log in to the management console at least once to receive email notifications.

Direct Connect does not support using SAML as an authentication method. Therefore, Direct Connect is not available with Entra ID accounts.

Create an Entra ID group in BeyondInsight, as follows:

  1. From the left sidebar, click Configuration.
  2. Under Role Based Access, click User Management.
  3. From the Groups tab, click + Create New Group.
  4. Select Add a Microsoft Entra ID Group.
  5. Select a credential from the list.

ℹ️

Note

If you require a new credential, click Create a New Credential to create a new credential. The new credential is added to the list of available credentials.

  6. Click Search Microsoft Entra ID. A list of security groups displays.

ℹ️

Note

For performance reasons, a maximum of 250 groups from Entra ID is retrieved. The default filter is an asterisk (*), which is a wildcard filter that returns all groups. Use the group filter to refine the list.

  7. Set a filter on the groups that are to be retrieved, and then click Search Microsoft Entra ID.

Example

Sample filters (the asterisk is the wildcard):

  • a* returns all group names that start with a.
  • *d returns all group names that end with d.
  • *sql* returns all groups that contain sql in the name.

  8. Select a group, and then click Add Group.
  9. The group is added and set to Active but not provisioned or synchronized with Entra ID. Synchronization with Entra ID to retrieve users begins immediately.
  10. Once the group has been synced with Entra ID, you can view the users assigned to the group, as well as unassigned users, by selecting Users from the Group Details section and then using the filters.

ℹ️

Note

By default, new groups are not assigned any permissions. You must assign permissions on features and Smart Groups after creating a new group.

ℹ️

Note

To use Entra ID credentials for logging into BeyondInsight, the accounts must use SAML authentication.

Configure Entra ID group synchronization

Create and enable a recurring schedule for Entra ID groups to automatically synchronize at a specified time and frequency. This ensures your Entra ID groups are up to date with the latest users added to that group in Entra ID. This schedule applies globally to all Entra ID groups in your BeyondInsight instance; however, the global schedule can be overridden at the group level and a group can be configured to be excluded from the synchronization process.

To enable Entra ID Group Synchronization:

  1. Navigate to Configuration > Role Based Access > Entra ID Group Synchronization.
  2. Check the Enable Microsoft Entra ID Group Synchronization option.
  3. Specify a Start Time.
  4. Select your desired frequency of Daily, Weekly, or Monthly.
  5. Click Save Configuration.

Add an LDAP group

LDAP group members can log in to the BeyondInsight console and perform tasks based on the permissions assigned to the group. The group can authenticate against either a domain or domain controller. Upon logging in to BeyondInsight, users can select a domain or LDAP server from the Log in to list on the Login page.

ℹ️

Note

The Log in to list is only displayed on the Login page when AD or LDAP user groups exist in the BeyondInsight console. The list is displayed by default, but an admin user can enable or disable it by toggling the Show list of domains/LDAP servers on login page setting on the Configuration > System > Site Options page.

ℹ️

Note

LDAP users must log in to the BeyondInsight console at least once to receive email notifications.

Create an LDAP group in BeyondInsight, as follows:

  1. From the left sidebar, click Configuration.
  2. Under Role Based Access, click User Management.
  3. From the Groups tab, click + Create New Group.
  4. Select Add an LDAP Group from the list.
  5. Select a credential from the list.

ℹ️

Note

If you require a new credential, click Create a New Credential to create a new one. The new credential is added to the list of available credentials.

  6. Enter the name or IP address for the LDAP server.
  7. Click Fetch to load the list of Base DNs.
  8. If the Base DN list does not populate, manually enter the details and click Add as New Option to populate the list.
  9. Select the Base DN.
  10. To filter the group search, enter keywords in the group filter or use a wild card.
  11. Click Search LDAP.

Example

Sample filters (the asterisk is the wildcard):

  • a* returns all group names that start with a.
  • *d returns all group names that end with d.
  • *sql* returns all groups that contain sql in the name.

  12. Select a group, and then click Continue to Add Group.
  13. Select the Group Membership Attribute and Account Naming Attribute.
  14. Enter a Base Distinguished Name, if not automatically populated.
  15. Click Add Group.
  16. The group is added and set to Active but is not provisioned or synchronized with LDAP. Synchronization with LDAP to retrieve users begins immediately.
  17. Once the group has been synced with LDAP, you can view the users assigned to the group, as well as unassigned users, by selecting Users from the Group Details section, and then using the filters.

ℹ️

Note

By default, new groups are not assigned any permissions. You must assign permissions on features and smart groups after creating a new group.

Assign group permissions

The following permissions may be assigned to user groups in BeyondInsight for each feature and Smart Group.

Permission: Description

No Access: Users cannot access the selected feature or Smart Group. In most cases, the feature is not visible to the users.
Read Only: Users can view selected areas, but cannot change information.
Full Control: Users can view and change information for the selected feature.

Permissions for a BeyondInsight user must be assigned cumulatively and at the group level. You must assign permissions on features and Smart Groups after creating a new group in order for users in that group to be able to access features in the product. For example, if you want a BeyondInsight administrator to manage discovery scans only, then you must assign full control for the following features:

  • Management Console Access
  • Asset Management
  • Reports Management
  • Scan – Job Management
  • Scan Management

ℹ️

Note

In addition to the group permissions noted, for the group to be provisioned, there must be at least one enabled Smart Group for the group. This sets the scope for the features.
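An added Python example (not BeyondInsight's code) of the permission model described above: permissions are held at group level, a user's effective level on a feature accumulates across the groups they belong to, and a group with no enabled Smart Group is not provisioned and so contributes nothing. The "highest level wins" rule when two groups disagree, the treatment of unprovisioned groups, and the group names and assignments are this example's assumptions; the five features checked are the ones the text lists for a discovery-scan-only administrator.

```python
# Permission levels from the table above, ordered from least to most privileged.
LEVELS = {"No Access": 0, "Read Only": 1, "Full Control": 2}

# Features the text says must be Full Control to manage discovery scans only.
DISCOVERY_SCAN_FEATURES = (
    "Management Console Access",
    "Asset Management",
    "Reports Management",
    "Scan - Job Management",
    "Scan Management",
)


class Group:
    """A BeyondInsight user group with its feature permissions and enabled Smart Groups."""

    def __init__(self, name, feature_permissions, enabled_smart_groups):
        self.name = name
        self.feature_permissions = dict(feature_permissions)  # feature -> level
        self.enabled_smart_groups = list(enabled_smart_groups)
        for level in self.feature_permissions.values():
            if level not in LEVELS:
                raise ValueError(f"unknown permission level: {level}")

    def is_provisioned(self):
        # The note above: at least one enabled Smart Group is required for provisioning.
        return bool(self.enabled_smart_groups)


def effective_permissions(groups):
    """Cumulative effective permissions for a user who belongs to `groups`.

    Assumption: the highest level granted by any provisioned group wins;
    an unprovisioned group grants nothing.
    """
    effective = {}
    for group in groups:
        if not group.is_provisioned():
            continue
        for feature, level in group.feature_permissions.items():
            current = effective.get(feature, "No Access")
            if LEVELS[level] > LEVELS[current]:
                effective[feature] = level
    return effective


def missing_for_discovery_scans(groups):
    """Features still lacking Full Control for the discovery-scan administrator role."""
    effective = effective_permissions(groups)
    return [f for f in DISCOVERY_SCAN_FEATURES if effective.get(f, "No Access") != "Full Control"]


# Constructed sample groups (hypothetical names and assignments).
SCAN_ADMINS = Group(
    "Scan Admins",
    {
        "Management Console Access": "Full Control",
        "Asset Management": "Full Control",
        "Reports Management": "Full Control",
        "Scan - Job Management": "Full Control",
        "Scan Management": "Read Only",
    },
    enabled_smart_groups=["All Assets"],
)

# Grants the missing level, but has no enabled Smart Group and so is not provisioned.
REPORT_EDITORS = Group("Report Editors", {"Scan Management": "Full Control"}, enabled_smart_groups=[])

if __name__ == "__main__":
    print("missing:", missing_for_discovery_scans([SCAN_ADMINS, REPORT_EDITORS]))
    REPORT_EDITORS.enabled_smart_groups.append("All Assets")
    print("missing after provisioning:", missing_for_discovery_scans([SCAN_ADMINS, REPORT_EDITORS]))
```

Running it shows why the note matters: the second group already holds Full Control on Scan Management, yet the user keeps Read Only there until that group has an enabled Smart Group and is provisioned.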

Assign features permissions

ℹ️

Note

The features listed are based upon your BeyondInsight license. Only features relevant to your licensed installation are listed.

  1. From the left sidebar, click Configuration.
  2. Under Role Based Access, click User Management.
  3. From the Groups tab, click the vertical ellipsis for the group.
  4. Select View Group Details.
  5. Under Group Details, click Features.
  6. Filter the list of features displayed in the grid using the Show and Filter by dropdowns.
  7. Select the features you wish to assign permissions to.
  8. Click Assign Permissions above the grid.
  9. Select Assign Permissions Read Only, Assign Permissions Full Control, or Disable Permissions.

The following table provides information on the features permissions you can assign to your groups.

Feature: Provides permissions to

Analytics & Reporting: Log in to the console and access Analytics & Reporting to generate and subscribe to reports.

API Registration Management: Read or write API Registrations.

Appliance (U-Series) Access: Manage the U-Series Appliance as a BeyondInsight user.

Asset Management:
  • Create Smart Rules.
  • Use the Edit and Delete buttons on the Asset Details window.
  • Create Active Directory queries.
  • Create address groups.

Attribute Management: Add, rename, and delete attributes when managing user groups.

Credential Management: Add and change credentials when running scans and deploying policies.

Directory Credential Management: Access the configuration area where directory credentials are managed. This feature must be enabled to support access to directory queries as well.

Directory Query Management: Access the configuration area where directory queries are managed. Access to Directory Credential Management must also be granted.

Domain Management: Configure mappings of bind credentials to domains for account resolution.

Endpoint Privilege Management: Access the Endpoint Privilege Management features, excluding Policy Editor and Reporting.

Endpoint Privilege Management Policy Editor: Access the Endpoint Privilege Management Policy Editor feature.

Endpoint Privilege Management Reporting: Access the Endpoint Privilege Management Reporting feature.

Endpoint Privilege Management for Unix & Linux: Access the Endpoint Privilege Management for Unix & Linux features.

File Integrity Monitoring: Work with File Integrity rules.

License Reporting: View the Licensing folder in Analytics & Reporting (MSP reports, Endpoint Privilege Management for Windows, Endpoint Privilege Management for Mac true-up reports, and Assets Scanned report).

Management Console Access: Access the BeyondInsight management console.

Manual Range Entry: Manually enter ranges for scans and deployments rather than being restricted to Smart Groups. The specified ranges must be within the selected Smart Group.

Option Management: Change the application options settings (for example, account lockout and account password settings).

Options - Connectors: Access the configuration area where connectors are managed.

Options - Scan Options: Access the configuration area where scan options are managed.

Password Safe Account Management: Read or write the following features on the Managed Accounts page and through the public API:
  • Bulk delete accounts
  • Add accounts to a Quick Group
  • Remove accounts from a Quick Group
  • Add, edit, and delete accounts

Password Safe Admin Session: Use Password Safe web portal admin sessions.

Password Safe Admin Session Reviewer: Grant a user admin session reviewer permissions only.

Password Safe Global API Quarantine: Access the Quarantine APIs.

Password Safe Bulk Password Change: Change more than one password at a time.

Password Safe Agent Management: Grant a user administrator permissions to the Configuration > Privileged Access Management Agents page.

Password Safe Configuration Management: Grant a user administrator permissions to the Configuration > Privileged Access Management page.

Password Safe Domain Management: Check the Read and Write boxes to permit users to manage domains.

Password Safe Policy Management: Grant a user administrator permissions to the Configuration > Privileged Access Management Policies page.

Password Safe Role Management: Manage roles, provided the user has both the Password Safe Role Management and User Account Management permissions.

Password Safe System Management: Read and write managed systems through the public API.

Password Safe Ticket System Management: This feature is not presently used.

Reports Management: Run scans, create reports, and create report categories.

Scan - Job Management:
  • Activate the Scan and Start Scan buttons.
  • Activate Abort, Resume, Pause, and Delete on the Job Details page.

Scan - Report Delivery: Set report delivery options when running a scan:
  • Export Type
  • Notify when complete
  • Email report to
  • Include scan metrics in email (only available for All Audits Scan)

Scan Management:
  • Delete, edit, duplicate, and rename reports on the Manage Report Templates page.
  • Activate New Report and New Report Category.
  • Activate the Update button on the Edit Scan Settings view.

Secrets Safe: Access Secrets Safe for all members of the selected group.

Session Monitoring: Use the session monitoring features.
Smart Rule Management – AssetGrants permission to view, create, and edit asset Smart Rules; editing is limited to Smart Rules that are enabled for groups the user is a member of.
Newly created Smart Rules created by a non-administrator are automatically enabled with full permissions for all groups where the user is a member.
Smart Rule Management – Managed AccountGrants permission to view, create, and edit managed account Smart Rules; editing is limited to smart rules that are enabled for groups the user is a member of.
Newly created Smart Rules created by a non-administrator are automatically enabled with full permissions for all groups where the user is a member.
Smart Rule Management – Managed SystemGrants permission to view, create, and edit managed system Smart Rules; editing is limited to smart rules that are enabled for groups the user is a member of.
Newly created Smart Rules created by a non-administrator are automatically enabled with full permissions for all groups where the user is a member.
Smart Rule Management – Policy UserGrants permission to view, create, and edit policy user Smart Rules; editing is limited to smart rules that are enabled for groups the user is a member of.
Newly created Smart Rules created by a non-administrator are automatically enabled with full permissions for all groups where the user is a member.
Ticket SystemView and use the ticket system.
Ticket System ManagementMark a ticket as inactive. The ticket no longer exists when Inactive is selected.
User Accounts ManagementAdd, delete, or change user groups and user accounts.
A minimum of read access to Directory Credential Management must also be granted to enable creation of AD and LDAP Groups.
User AuditsView audit details for management console users on the User Audits page.
U-Series Appliance AdministratorProvides access to manage all aspects of the U-Series Appliance.
U-Series Appliance BackupsProvides access to manage the Backup and Restore options of the U-Series Appliance.
U-Series Appliance High AvailabilityProvides access to manage the High Availability features of the U-Series Appliance.
U-Series Appliance LoginProvides access to manage the U-Series Appliance as a BeyondInsight user.
U-Series Appliance Manage RDPProvides access to manage Remote Desktop Protocol to the U-Series Appliance.
U-Series Appliance PatchingProvides access to manage updates to the U-Series Appliance.
Workforce PasswordsEnables secure enterprise credential storage.
In order to leverage Workforce Passwords, an additional license is required.

ℹ️

Note

For more information, see the managed accounts API documentation.

Features permissions required for configuration options
Configuration Option: Required feature and permission
Active Directory Queries: Asset Management - Full Control.
Address Groups: Asset Management - Full Control.
Attributes: Asset Management - Full Control.
Connectors: Asset Management and Management Console Access - Full Control.
Password Safe Connections: Member of the Built-In Administrators group.
Endpoint Privilege Management Module: Management Console Access and Endpoint Privilege Management - Full Control.
Scan Options: Scan Management - Full Control.
Services: Member of the Built-In Administrators group.
User Audits: User Audits - Full Control.
User Management: Everyone can access. Users without the Full Control permission to the User Accounts Management feature can edit only their own user record.
Workgroups: User Accounts Management - Full Control.

Assign Smart Groups permissions

  1. From the left sidebar, click Configuration.

  2. Under Role Based Access, click User Management.

  3. From the Groups tab, click the vertical ellipsis for the group.

  4. Select View Group Details.

  5. Under Group Details, select Smart Groups.

  6. Filter the list of Smart Groups displayed in the grid using the Show and Filter by dropdowns.

  7. Select the Smart Groups you wish to assign permissions to.

  8. Click Assign Permissions above the grid.

  9. Select Assign Permissions Read Only, Assign Permissions Full Control, or Disable Permissions.

Edit and delete groups

The sections below detail how to make basic edits to the settings and options of BeyondInsight local groups, Active Directory groups, Entra ID groups, and LDAP groups using the Edit Group functionality, as well as how to update more advanced group details such as assigning permissions, updating group members, and managing API registrations.

Edit basic group details

Administrators can edit the following basic details for groups in BeyondInsight:

BeyondInsight local groups

For BeyondInsight local groups, administrators can update the following:

  • Deactivate or activate a group by enabling or disabling the Active status.
  • Modify the Group Name.
  • Modify the Description.

Active Directory groups

For Active Directory groups, administrators can update the following:

  • Deactivate or activate a group by enabling or disabling the Active status.
  • Change the credential used to query the group in Active Directory.
  • Select a new domain or domain controller used for accessing the group in Active Directory.
  • Enable or disable the option to propagate domain changes to all members of the group.
  • Select Sync Schedule Options to control how the user accounts in this group are automatically synchronized on a periodic schedule. The following options are available:
    • Global: This is the default setting which uses the schedule settings specified in the Active Directory Group Synchronization configuration section.
    • Custom: Select Custom to ignore the global synchronization schedule and specify a unique synchronization schedule for this group instead.
    • No scheduled synchronization: Select this option to omit this group from any automatic synchronization. The group can still be synchronized manually.

Entra ID groups

For Entra ID groups, administrators can update the following:

  • Deactivate or activate a group by enabling or disabling the Active status.
  • Select Sync Schedule Options to control how the user accounts in this group are automatically synchronized on a periodic schedule. The following options are available:
    • Global: This is the default setting which uses the schedule settings specified in the Microsoft Entra ID Group Synchronization configuration section.
    • Custom: Select Custom to ignore the global synchronization schedule and specify a unique synchronization schedule for this group instead.
    • No scheduled synchronization: Select this option to omit this group from any automatic synchronization. The group can still be synchronized manually.

LDAP groups

For LDAP groups, administrators can update the following:

  • Deactivate or activate a group by enabling or disabling the Active status.
  • Change the credential used to query the group in LDAP.
  • Select a new Group Membership attribute from the list. The following options are available:
    • member
    • uniqueMember (default)
    • memberUID
  • Select a new Account Naming attribute from the list. The following options are available:
    • mail
    • cn
    • sAMAccountName
    • uid
    • userPrincipalName
  • Edit the Base Distinguished Name.
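The Group Membership and Account Naming attributes only work as a pair: member and uniqueMember hold the distinguished names of member entries, while memberUID (the posixGroup attribute memberUid; LDAP attribute names are case-insensitive) holds bare uid values, and the Account Naming attribute must exist on the resolved user entries. The following is an added illustration of that resolution step, not BeyondInsight's own code; the DIRECTORY and GROUPS dictionaries are constructed stand-ins for LDAP search results, and the DNs and attribute values in them are made up.

```python
"""How the LDAP Group Membership and Account Naming attributes combine when
a group's members are resolved to account names.

Added illustration, not BeyondInsight code: the directory and group entries
are constructed in-memory dicts standing in for LDAP search results.
"""

# Constructed user entries, keyed by DN (assumed example directory).
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "uid": "alice", "cn": "Alice Adams", "mail": "alice@example.com"},
    "uid=bob,ou=people,dc=example,dc=com": {
        "uid": "bob", "cn": "Bob Brown", "mail": "bob@example.com"},
}

# Constructed group entries. A groupOfUniqueNames lists member DNs in
# uniqueMember; a posixGroup lists bare uid values in memberUid.
GROUPS = {
    "cn=pam-admins,ou=groups,dc=example,dc=com": {
        "uniqueMember": ["uid=alice,ou=people,dc=example,dc=com",
                         "uid=bob,ou=people,dc=example,dc=com"]},
    "cn=pam-posix,ou=groups,dc=example,dc=com": {
        "memberUid": ["alice", "bob", "ghost"]},
}

# LDAP attribute names are case-insensitive, so "memberUID" on the page and
# "memberUid" in the schema are the same attribute; compare in lower case.
DN_VALUED = {"member", "uniquemember"}   # values are member DNs
UID_VALUED = {"memberuid"}               # values are uid strings, not DNs


def get_attr(attrs, name):
    """Case-insensitive attribute lookup on one entry."""
    for key, value in attrs.items():
        if key.lower() == name.lower():
            return value
    return None


def find_by_uid(uid):
    """Locate the user entry whose uid equals the given value."""
    for attrs in DIRECTORY.values():
        if get_attr(attrs, "uid") == uid:
            return attrs
    return None


def resolve_members(group_dn, membership_attr, naming_attr):
    """Return (account_names, unresolved_values) for one group.

    account_names are the naming_attr values of members that resolved;
    unresolved_values are membership values with no entry or no naming_attr.
    """
    values = get_attr(GROUPS[group_dn], membership_attr) or []
    kind = membership_attr.lower()
    names, unresolved = [], []
    for value in values:
        if kind in DN_VALUED:
            entry = DIRECTORY.get(value)          # value is a DN
        elif kind in UID_VALUED:
            entry = find_by_uid(value)            # value is a uid
        else:
            raise ValueError(f"unsupported membership attribute: {membership_attr}")
        name = get_attr(entry, naming_attr) if entry else None
        if name is None:
            unresolved.append(value)
        else:
            names.append(name)
    return names, unresolved


if __name__ == "__main__":
    admins = "cn=pam-admins,ou=groups,dc=example,dc=com"
    posix = "cn=pam-posix,ou=groups,dc=example,dc=com"
    print(resolve_members(admins, "uniqueMember", "mail"))
    print(resolve_members(admins, "memberUID", "mail"))      # wrong attribute: empty group
    print(resolve_members(posix, "memberUID", "uid"))
    print(resolve_members(posix, "memberUID", "sAMAccountName"))  # attribute absent: nothing resolves
```

Two outcomes are worth checking after changing either attribute: a membership attribute the group does not carry yields an empty group with no error, and a naming attribute the user entries lack (sAMAccountName on a non-AD directory here) leaves every member unresolved. Both look like "the sync ran" unless the member count is compared against the directory.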

To edit a group:

  1. From the left sidebar, click Configuration.

  2. Under Role Based Access, click User Management.

  3. From the Groups tab, locate the group using the available filter options above the grid and select it.

  4. Click the vertical ellipsis for the group, and then select Edit Group.

  5. In the Edit Group pane, update the details as required, and then click Update Group.

Edit advanced group details

Administrators can edit the following advanced details for groups:

  • Update the group permissions for specific BeyondInsight and Password Safe features.
  • Update the group permissions for specific Smart Groups.
  • Edit Password Safe roles for Smart Groups.
  • Add and remove users from local groups.
  • Manually synchronize group users for Active Directory and LDAP groups.
  • Enable and disable API Registrations for the group.

Follow these steps to access advanced details for a group:

  1. From the left sidebar, click Configuration.

  2. Under Role Based Access, click User Management.

  3. From the Groups tab, locate the group using the available filter options above the grid and select it.

  4. Click the vertical ellipsis for the group, and then select View Group Details.

  5. From the Group Details pane, you can select Features, Smart Groups, Users, and API Registrations to make updates for the group. Specific updates you can make for each of these options are detailed in the sections below.

Update group permissions for features

Permissions provide the members of the group access to BeyondInsight system components and Password Safe features. Assign permissions to groups for specific features, as follows:

  1. From the Group Details pane, click Features.
  2. From the Features grid, select the feature.
  3. Click Assign Permissions above the grid.
  4. Click Assign Permissions Read Only, Assign Permissions Full Control, or Disable Permissions.

Update group permissions for Smart Groups

Assign permissions to groups to provide members of the group access to Smart Groups as follows:

  1. From the Group Details pane, click Smart Groups.
  2. From the Smart Groups grid, select the Smart Group.
  3. Click Assign Permissions above the grid.
  4. Click Assign Permissions Read Only, Assign Permissions Full Control, or Disable Permissions.

Edit Password Safe roles for Smart Groups

Password Safe roles define the actions users can take when using the Password Safe web portal for password releases or access to applications. Assign Password Safe roles to groups as follows:

  1. From the Group Details pane, click Smart Groups.
  2. From the Smart Groups grid, click the vertical ellipsis for the Smart Group.
  3. Select Edit Password Safe Roles.
  4. Check or uncheck each role, as required.
  5. Click Save Roles.

Add users to local BeyondInsight groups

Manually add users to local groups in BeyondInsight as follows:

  1. From the Group Details pane, click Users.
  2. Filter the Users grid to show users not assigned.
  3. Select the user or users, and then click Assign User above the grid.

Sync group users for Active Directory and LDAP groups

To ensure your AD and LDAP groups contain the most recent group members, you can manually synchronize with AD and LDAP to retrieve the group's users. There are two methods for manually synchronizing group users, as follows:

  • From the group header, above the Group Details pane, click the Sync group users icon.
  • From the User Management page, click the vertical ellipsis for the group and select Sync group users.

Manage group API registrations

API Registrations provide a way to integrate part of the BeyondInsight and Password Safe functionality into your applications using an API key. Manage API registrations for groups as follows:

  1. From the Group Details pane, click API Registrations.
  2. Check or uncheck the API registrations to enable or disable them for this group or click Select All to enable all of them. Changes are automatically saved.

ℹ️

Note

Use the filter above the list to narrow down the list of API registrations or to quickly find a specific registration by its name. If you need to create a new API registration, click the Manage API Registrations link above the filter box to go to the API Registrations page where you can create a new one.

Delete a group

ℹ️

Note

Groups associated with a secret or credential in Secrets Safe cannot be deleted. Users attempting this action receive the following warning:

Administrators can delete groups as follows:

  1. From the left sidebar, click Configuration.

  2. Under Role Based Access, click User Management.

  3. From the Groups tab, locate the group using the available filter options above the grid and select it.

  4. Click the Delete button above the grid.

    • Alternatively, click the vertical ellipsis for the group, and then select Delete Group.

Audit Console Users

You can track the following activities of users logging into the console:

  • Login and logout times
  • IP address from where the user logged in
  • Password change events
  • Other actions taken such as configuring user settings

To view user audit data:

  1. Go to Configuration > General > User Audits.
  2. Use the filters above the grid to easily locate specific items listed. You can filter grid items by the following criteria:
    • Date the user took the action
    • Type of action taken
    • Section of the application in which the action was taken
    • Username
    • IP Address
    • Keywords of the item
    • Keywords in the item details
  3. Click the i icon for the item to view more specific details about the action taken.

ℹ️

Note

You can export all of the data in the grid to a CSV file by clicking the Download all (downward arrow) button above the grid.

ℹ️

Note

User audits older than 120 days are purged from the database. Data retention for user audits is not configurable for BeyondInsight and Password Safe Cloud deployments.
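Because the grid can be exported to CSV and the retention window is fixed at 120 days, a periodic review of the export is the practical way to keep a longer record and to catch the events listed above (logins, source IPs, password changes). The following is an added example of such a review, not BeyondTrust code: the column names (Date, Action, Section, Username, IP Address, Item, Details) are an assumption modelled on the grid's filter criteria and should be adjusted to match the real export, the 10.0.0.0/8 trusted range is an assumed corporate network, and SAMPLE_CSV is constructed data.

```python
"""Reviews a User Audits CSV export for sign-in anomalies.

Added example, not BeyondTrust code. The column names below are an
assumption modelled on the grid's filter criteria; adjust them to match
your export.
"""
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

RETENTION_DAYS = 120                                  # audits older than this are purged
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed corporate range

# Constructed sample export (not real data).
SAMPLE_CSV = """\
Date,Action,Section,Username,IP Address,Item,Details
2025-03-01 08:02:11,Login,Authentication,alice,10.0.0.15,,Console login
2025-03-01 17:30:02,Logout,Authentication,alice,10.0.0.15,,
2025-03-02 03:14:55,Login,Authentication,alice,198.51.100.7,,Console login
2025-03-02 03:16:10,Password Change,User Settings,alice,198.51.100.7,alice,Password changed
2025-03-02 09:00:00,Login,Authentication,bob,10.0.0.22,,Console login
2024-10-15 09:00:00,Login,Authentication,carol,10.0.0.9,,Console login
"""


def parse_export(text):
    """Parse CSV text into dict rows, adding a datetime under 'when'."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["when"] = datetime.fromisoformat(row["Date"])
        rows.append(row)
    return rows


def is_trusted(ip_text):
    """True when the address falls inside one of the trusted networks."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in TRUSTED_NETS)


def review(rows, now):
    """Return the findings a reviewer would act on."""
    login_ips = defaultdict(set)
    for r in rows:
        if r["Action"] == "Login":
            login_ips[r["Username"]].add(r["IP Address"])

    return {
        # Users whose logins came from more than one address in the window.
        "multi_ip_users": sorted(
            u for u, ips in login_ips.items() if len(ips) > 1),
        # Password changes performed from outside the trusted range.
        "untrusted_password_changes": [
            (r["Username"], r["IP Address"], r["Date"])
            for r in rows
            if r["Action"] == "Password Change" and not is_trusted(r["IP Address"])
        ],
        # Rows older than the retention window lie outside what the product
        # keeps; a fresh export should contain none, so count them.
        "outside_retention": sum(
            1 for r in rows if now - r["when"] > timedelta(days=RETENTION_DAYS)),
    }


if __name__ == "__main__":
    findings = review(parse_export(SAMPLE_CSV), datetime(2025, 3, 3))
    for key, value in findings.items():
        print(f"{key}: {value}")
```

The review keys off the Action column, so the literal values ("Login", "Password Change") must be checked against a real export before the script is trusted; the retention count is there to make clear that evidence older than the window is gone from the product and must come from archived exports.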


©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.