DocumentationRelease Notes
Log In
Documentation

Role-based access

Suggest Edits

Creating groups gives you great flexibility in delegating access to managed systems. Permissions provide access to BeyondInsight system components, while Password Safe roles determine the scope of access to managed systems.

  • Group permissions: Permissions are assigned when you create a group. Permissions are system-wide and provide access to various components of the BeyondInsight infrastructure. There are permissions that are specific to accessing and using features of the Password Safe application.
  • Password Safe roles: The roles define the actions that Password Safe users can take when using the Password Safe web portal for password releases or access to applications.

Group features

The following table provides information on the Password Safe features that you can assign to your groups.

FeatureFull Control permission assigned
Password Safe Account ManagementGrants permissions to the following features on the Managed Accounts page:
  • Bulk delete accounts
  • Add accounts to a Quick Group
  • Remove accounts from a Quick Group
  • Add, edit, and delete accounts
Password Safe Admin SessionAllows non-ISA users access to the Admin Session feature in Password Safe.
Using an Admin Session allows administrators to open ad-hoc RDP / SSH sessions without going through the request process.
Password Safe Bulk Password ChangeUse the bulk password change feature on the Managed Accounts page.
Password Safe Agent ManagementGrant a user administrator permissions to the Configuration > Privileged Access Management Agents page.
Password Safe Configuration ManagementGrant a user administrator permissions to the Configuration > Privileged Access Management page.
Password Safe Policy ManagementGrant a user administrator permissions to the Configuration > Privileged Access Management Policies page.
Password Safe Role ManagementManage roles provided they have the following permissions: Password Safe Role Management and User Accounts Management.
Password Safe System ManagementUsers can manage systems on the Managed Systems page, including:
  • Create, change, and remove directory and cloud systems.
  • Link and unlink directory accounts to managed systems.
Password Safe Account Management is needed with Password Safe System Management to manage Password Safe accounts. Full Control is required for both.
Smart Rule Management - Managed AccountUsers can create and edit Managed Account Smart Rules.
Smart Rule Management - Managed SystemUsers can create and edit Managed System Smart Rules.
Secrets SafeUsers can access the Secrets Safe feature.

In addition to Password Safe features permissions, users need the following general permissions:

Asset ManagementRead, create, and delete assets and databases.
Management Console AccessAccess to log on to the management console.

Password Safe roles

In Password Safe, a role is the connection between a Password Safe user account and a managed system. A role defines what the user or group can do with respect to that managed system. Roles are assigned to Smart Groups, and the roles that you can assign depend on the Smart Group type, as follows:

  • Asset Smart Group: The ISA and Auditor roles may be assigned.
  • Managed Account Smart Group: The Requestor, Approver, Credentials Manager, Recorded Session Viewer, and Active Session Reviewer roles may be assigned.
RoleDescription
RequesterAllows users to submit a request to retrieve managed passwords or remote session connection files. When assigning the Requester role, you must select an access policy.
ApproverAllows users to approve requests for the release of managed passwords or remote session connection files. Typically, system administrators and network engineers are assigned to this role.

In peer approval environments, users may be both approvers and requestors. In this case, a user cannot approve their own requests when dual control is enforced.
Information Security Administrator (ISA)Allows users to setup managed systems and accounts.The ISA role provides the functionality required for security help desk personnel. User with the ISA role can delegate limited authority to those responsible for resource management. This role enables a user to bypass every workflow and security measure, like approval workflows or checked out accounts.

If another user has an account checked out and the password is known by this user, an ISA user can view the password. ISA users are not permitted to use the Admin Session feature.
AuditorUsers with the Auditor role can:
  • Run reports in BeyondInsight Analytics & Reporting
  • Replay recorded sessions in the Password Safe web portal
The Auditor role can be assigned with other roles.
Credentials ManagerAllows users to set credentials using the PUT ManagedAccounts/{accountId}/Credentials API.
Recorded Session ReviewerAllows users to view and take action on completed recorded Password Safe sessions, including:
  • Add comments
  • Mark the session as reviewed
  • Archive sessions if configured on the U-Series Appliance
Active Session ReviewerAllows users to view and take action on active Password Safe sessions, including:
  • Lock session
  • Terminate the session
  • Cancel the request

On all systems where a user is granted the ISA role, the user can change the following system details:

  • Grant users/groups roles to the managed system.
  • Review password release and session requests.
  • Add and change accounts on managed systems.
  • Assign a system to a collection (provided the ISA role is granted to the user for both the system and the collection).
  • Remove their ISA role from a system.

Create a group and assign roles

ℹ️

Note

You cannot assign roles to the BeyondInsight administrator.

Roles are only available to BeyondInsight features.

  1. From the left sidebar, click Configuration.

  2. Under Role Based Access, click User Management.

  3. From the Groups tab, click + Create New Group.

  4. Select Create a New Group.

  5. Enter a name and description for the group.

  6. Click Create Group.

  7. Assign users to the group:

    • Under Group Details, select Users.
    • From the Show dropdown list, select Users not assigned.
    • Filter the list of users displayed in the grid by Type, Username, Name, Email, and Domain, if desired.
    • Select the users you wish to add to the group, and then click Assign User above the grid.
    • Assign features permissions to the group:
      • Under Group Details, select Features.
      • Filter the list of features displayed in the grid using the Show and Filter by dropdown lists.
      • Select the features you wish to assign permissions to, and then click Assign Permissions.
      • Select Assign Permissions Read Only or Assign Permissions Full Control.
    • Assign Smart Groups permissions and roles to the group:
      • Under Group Details, select Smart Groups.
      • Filter the list of Smart Groups displayed in the grid using the Show and Filter by dropdown lists.
      • Select the Smart Group or groups you wish to assign permissions to, and then click Assign Permissions.
      • Select Assign Permissions Read Only or Assign Permissions Full Control.
  • Select the Smart Group you wish to assign Password Safe roles to, and then click the vertical ellipsis button.
  • Select Edit Password Safe Roles.
  • Select the role(s). If selecting Requestor, also select an access policy from the dropdown.
  • Click Save Roles.

Quarantine user accounts

You can turn on the quarantine feature as a preventative measure when suspicious activity is detected. When quarantine is turned on, the user account can no longer log in to the console or API, and any active sessions are terminated immediately.

The difference between account lockout and account quarantine is that account lockout cannot terminate sessions.

Turn on the setting at the user account level as follows:

  1. From the left sidebar, click Configuration.

  2. Under Role Based Access, click User Management.

  3. Select the Users tab.

  4. Click the vertical ellipsis for the user account.

  5. Select Edit User Details.

  6. Check the Account Quarantined option to enable it.

  7. Click Update User.

Set the refresh interval on the quarantine cache

You can set the length of time that passes before the cache is updated with the user accounts from the database. The quarantine is only applied to the user account after the cache is updated.

The user can remain logged in and sessions remain active up until the refresh interval time passes (and the cache is updated with the quarantine status).

  1. Go to Configuration > System > Site Options.

  2. Under Session, enter the number of seconds that pass before the cache is updated with the most recently discovered quarantined user accounts.

    The default value is 600 seconds (10 minutes). The maximum value is 1200 seconds (20 minutes).

  3. Click Update Session Options.

Configure API access

When using the Password Safe API, the group where the users are assigned must permit access to the API. Additionally, any managed accounts that must be accessible by the API must also be configured.

Configure group with API access

A BeyondInsight user has API access if at least one of the user groups they belong to has API access enabled.

  1. From the left sidebar, click Configuration.

  2. Under Role Based Access, click User Management.

  3. From the Groups tab, click the vertical ellipsis for the group.

  4. Select View Group Details.

  5. Under Group Details, select API Registrations.

  6. Select the API registrations for the group.

Enable API setting for managed account

You must turn on API access for a Password Safe managed account to be accessible to the API methods.

  1. Navigate to the Managed Accounts page.
  2. Click the vertical ellipsis for a managed account, and then select Edit Account.
  3. Scroll down and expand Account Settings.
  4. Click the toggle to turn on the API Enabled option.
  5. Click Update Account.

Restrict access to Password Safe Login page

When using SAML, smart card, or claims-aware authentication to access the Password Safe web portal, you might not want users to log in directly to the web portal URL. You can disable direct access to the Password Safe web portal URL for Active Directory, LDAP, and local BeyondInsight users by enabling the Disable Login Forms setting. Users must then always provide the SAML, smart card, or claims-aware credentials before gaining access to the web portal.

The following procedure assumes the group and user are already created.

  1. From the left sidebar, click Configuration.

  2. Under Role Based Access, click User Management.

  3. From the Users tab, click the vertical ellipsis for the user.

  4. Select Edit User Details.

  5. Check Disable Login Forms to enable it.

Configure approvals

You can control the number of approvers required for a requester. You can also control the number of approvers required for each access type: View Password, RDP, and SSH. This is configured in an access policy, which can then be assigned to a group when assigning Password Safe roles to the group.

ℹ️

Note

Any of the approvers in the group can approve the request. If other subsequent approvers click the link, they will see that the request has already been approved. Other approvers can, however, override the approval and deny the request. If a request is denied by one approver, no approvers can subsequently override and approve. It is not possible to deny the request once the schedule window has actually begun.

Use a managed account as a credential

You can use a managed account for the credential when you are configuring queries and user groups for Active Directory and LDAP.

ℹ️

Note

You cannot delete a managed account if it is used as a credential for a user group. You can delete a managed account used as a credential for a directory query; however, the query will no longer run. You must select another credential for the query to run again.

Configure the managed account

Before you configure the query or group, the managed account must be in place and specific settings must be selected.

When you configure the managed account settings, be sure to select the Allow this account to be used in BeyondInsight and Directory Queries option.

If there are several managed accounts organized in a Smart Group, select Enable Accounts for AD/LDAP queries in the Smart Rule.

⚠️

Important

Disable the Change Password After Release option on the managed account, because log files can grow significantly in a short time when using managed account credentials with a directory query.

Configure the query

Active Directory and LDAP queries can use a managed account as a credential.

An Active Directory or LDAP group can use a managed account as the credential. When you create the group, the managed account is listed as a credential.

Configure LDAP groups

Before logging in to Password Safe using LDAP, you must configure an LDAP group.

Real time authorization

Real time authorization allows administrators to remove users from groups while they are logged in with a directory account and use the registry key to perform an additional check to ensure that the user still has access to the password at the time they requested it. This puts the user through the log in process every time a password is requested.

Enable the following registry key to turn on this feature:

HKLM\SOFTWARE\BeyondTrust\PBPS\EnableCheckoutAuthorization

After the user is removed from the group, they receive the following error message when they request password access: Missing required Password Safe role.

Updated 6 days ago

©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.