DocumentationRelease Notes
Log In
Documentation

Configuration: User accounts

Suggest Edits

Create and manage user accounts

User accounts create the user identity that BeyondInsight uses to authenticate and authorize access to specific system resources. You can create local BeyondInsight users, as well as add Active Directory, Entra ID, and LDAP users into BeyondInsight.

You can also add application users, which are used to represent applications that interface with the public API. Application users cannot log in to the BeyondInsight console. They can only authenticate and interact with the public API.

ℹ️

Note

A user account must be a member of a BeyondInsight user group because permissions to features are assigned at the group level. If a user is not a member of any groups in BeyondInsight, the user cannot log in to the console, and application users cannot authenticate with the public API.

Create a BeyondInsight local user account

  1. From the left sidebar, click Configuration.

  2. Under Role Based Access, click User Management.

  3. Click the Users tab to display the list of users in the grid.

  4. Click Create New User above the grid.

  5. Select Create a New User.

  6. Provide a First Name, Last Name, Email, and Username for the new user. These fields are required.

ℹ️

Note

You may use an email address for the username.

  1. Provide a password and confirm it.

ℹ️

Note

The password must meet the complexity requirements as defined by your default password policy, defined at Configuration > Role Based Access > Password Policy.

  1. Optionally, enter the user’s contact information.
  2. Optionally, set an Activation Date and an Expiration Date for the user account.

ℹ️

Note

These dates are based on UTC time on the BeyondInsight server and are considered during the user's login attempt. The attempt fails if the user account is not yet active or if the expiration date has passed.

  1. Check User Active to activate the user account.
  2. Leave the Account Locked and Account Quarantined options unchecked.
  3. Check the two Authentication Options, if applicable:
    • Override Smart Card User Principal Name: When enabled, a BeyondInsight user with a smart card that has a different Subject Alternative Name is able to log in to BeyondInsight. The smart card is mapped to the user.
    • Disable Login Forms: When enabled, SAML users are prevented from using the standard BeyondInsight log in form and authenticate with a configured identity provider. Check this option only if SAML is configured in your environment.
  4. Select a Two-Factor Authentication method and mapping information, if applicable.
  5. Click Create User.
    The user is created and User Details > Groups displays.
  6. Filter the list of groups displayed by type, name, or description and select a group.
  7. Click Assign Group above the grid.

ℹ️

Note

The user must belong to at least one group

  1. To remove the user from a group:
  • Select Assigned Groups from the Show dropdown, and then select a group.
  • Click Remove Group above the grid.

Update default password policy for local users

The default password policy defines the password complexity requirements for local BeyondInsight users. This includes the minimum and maximum length of the password and the type of characters required and permitted in the password. Update the default password policy as follows:

  1. From the left sidebar, click Configuration.
  2. Under Role Based Access, click Password Policy.
  3. Enter a name for the policy and an optional description.
  4. Set the minimum and maximum password length.
  5. Set the types of characters to be used: uppercase, lowercase, numeric, and non-alphanumeric.
  6. Toggle the Enforce Minimum Characters To Change option to enable it. This compares the previous password to the new password when a user is updating their password via their account settings change password function.
  7. Optionally, increase the Minimum Characters To Change. The default is 8 and cannot be decreased.
  8. Click Update Password Policy to save the policy.

Add an Active Directory user

Active Directory users can log in to the management console and perform tasks based on the permissions assigned to their groups. The user can authenticate against either a domain or domain controller.

ℹ️

Note

Active Directory users must log in to the management console at least once to receive email notifications.

  1. From the left sidebar, click Configuration.

  2. Under Role Based Access, click User Management.

  3. Click the Users tab to display the list of users in the grid.

  4. Click Create New User above the grid.

  5. Select Add an Active Directory User.

  6. Select a credential from the list.

ℹ️

Note

If you require a new credential, click Create a New Credential to create a new credential. The new credential is added to the list of available credentials.

  1. If not automatically populated, enter the name of a domain or domain controller.
  2. After you enter the domain or domain controller credential information, click Search Active Directory. A list of users in the selected domain is displayed.

ℹ️

Note

For performance reasons, a maximum of 250 users from Active Directory is retrieved. The default filter is an asterisk (*), which is a wild card filter that returns all users. Filter by user name to refine the list.

Example

Sample filters:

  • a returns all group names that start with a.
  • _d returns all group names that end with d.
  • _sql returns all groups that contain sql in the name.

  1. Click Search Active Directory.
  2. Select a user, and then click Add User.
  3. Assign at least one group to the user.

Add an Entra ID user

Entra ID users can log in to the management console and perform tasks based on the permissions assigned to their groups. The user can authenticate against either a domain or domain controller.

ℹ️

Note

Entra ID users must log in to the management console at least once to receive email notifications.

  1. From the left sidebar, click Configuration.

  2. Under Role Based Access, click User Management.

  3. Click the Users tab to display the list of users in the grid.

  4. Click Create New User above the grid.

  5. Select Add a Microsoft Entra ID User.

  6. Select a credential from the list.

ℹ️

Note

If you require a new credential, click Create a New Credential to create a new credential. The new credential is added to the list of available credentials.

ℹ️

Note

For performance reasons, a maximum of 250 users from Entra ID is retrieved. The default filter is an asterisk (*), which is a wild card filter that returns all groups. Filter by user name to refine the list.

Example

Sample filters:

  • a returns all group names that start with a.
  • _d returns all group names that end with d.
  • _sql returns all groups that contain sql in the name.

  1. Click Search Microsoft Entra ID.
  2. Select a user, and then click Add User.
  3. Assign at least one group to the user.

Change the preferred domain controller for active directory user accounts

The preferred domain controller for a user is set by the group they are in, provided that the group was created with the propagate option turned on, and that this action happened before the user was set up.

If you want to change the preferred domain controller for a user, edit the user, select an appropriate credential, and then select a different preferred domain controller from the list.

ℹ️

Note

Any future change to the preferred domain controller at the group level can overwrite this setting if the propagate switch is turned on.

Add an LDAP user

  1. From the left sidebar, click Configuration.

  2. Under Role Based Access, click User Management.

  3. Click the Users tab to display the list of users in the grid.

  4. Click Create New User above the grid.

  5. Select Add an LDAP User from the list.

  6. Select a credential from the list.

ℹ️

Note

If you require a new credential, click Create a New Credential to create a new credential. The new credential is added to the list of available credentials.

  1. Click Fetch to load the list Domain Controllers, and then select one.
  2. To filter the user search, enter keywords in the user filter or use a wild card.
  3. Click Search LDAP.
  4. Select a user, and then click Add User.
  5. Assign at least one group to the user.

Add an application user

Application users represent applications that interface with the BeyondInsight public API. Application users cannot log in to the BeyondInsight console. They can only authenticate and interact with the public API, using Client ID and Client Secret for credentials within the OAuth client credential flow.

An API Registration type of API Access Policy must be assigned to an application user, and is used for processing IP rules. To create an application user:

  1. From the left sidebar, click Configuration.

  2. Under Role Based Access, click User Management.

  3. Click the Users tab to display the list of users in the grid.

  4. Click Create New User above the grid.

  5. Select Add an Application User from the drop-down list. The Create New Application User screen displays.

  6. Add a username.  

  7. Under API Access Policy, select the policy.

  8. Copy the information from the Client ID and Client Secret fields for later use.

  9. Click Create User.

  10. Assign the user to a group that has the required permissions to access BeyondInsight and Password Safe features.

    • Click the vertical ellipsis for the user, and then select View User Details.
    • From the User Details pane, click Groups.
    • Locate the group, select it, and click Assign Group above the grid.

Recycle the client secret for an application user

When editing an application user, you have an option to recycle their secret. Once recycled, you can copy or view the new secret. When a secret is recycled and the user account is updated with this change, the previous client secret is no longer valid.

To recycle the secret for an application user:

  1. From the left sidebar, click Configuration.
  2. Under Role Based Access, click User Management.
  3. Click the Users tab.
  4. Locate the application user in the grid.
  5. Click the ellipsis to the right of the user, and then select Edit User Details.
  6. Click the Recycle icon to the right of the Client Secret.
  7. Click Recycle on the confirmation message that displays.
  8. Copy the new secret for later use.
  9. Click Update User.

View and update OAuth secret expiry

The user's secret will eventually expire. The Users grid has an OAuth Secret Expiry column, which you can use to view what is close to expiring. The default duration of a client secret is 365 days. You can adjust the lifetime of the secret from the Authentication Options configuration area in BeyondInsight. Updating this value only changes the secret expiry date for new application users and recycled client secrets. Older secrets cannot be updated.

To view the OAuth Secret Expiry for an application user:

  1. From the left sidebar, click Configuration.
  2. Under Role Based Access, click User Management.
  3. Click the Users tab.
  4. Locate the application user. The OAuth Secret Expiry column lists the date and time that a client secret for that user expires.

To update the duration for client secrets:

  1. From the left sidebar, click Configuration.
  2. Under Authentication Management click Authentication Options.
  3. Under Application User Authentication Settings, enter the new duration of the client secret in the Client Secret Expiry field.
  4. Click Update Application User Authentications Settings.

Edit a user account

Administrators can edit user details such as change the name, username, email, and password, update active status, lock and unlock the account, and update multi-factor authentication settings as follows:

  1. From the left sidebar, click Configuration.

  2. Under Role Based Access, click User Management.

  3. Click Users to display the list of users in the grid.

  4. Optionally, filter the list of users displayed in the grid using the Filter By dropdown.

  5. Select a user, click the vertical ellipsis button, and then select Edit User Details.

  6. In the Edit User pane, update the details as required, and then click Update User.

Add user to groups

  1. From the User Management page, click the Users tab to display the list of users in the grid.
  2. Optionally, filter the list of users displayed in the grid using the Filter by dropdown.
  3. Select a user or multiple users, and then click the Add User to Groups button above the grid.
  4. Search for the group or groups, and then select the group or groups to assign currently selected users to the selected groups.

ℹ️

Note

If a group already contains all of the selected users, a check mark is displayed next to the group name.

Delete a user account

Administrators can delete user accounts as follows:

  1. From the left sidebar, click Configuration.

  2. Under Role Based Access, click User Management.

  3. Click the Users tab to display the list of users in the grid.

  4. Optionally, filter the list of users displayed in the grid using the Filter by dropdown.

  5. For local accounts, select the user, click the Delete button above the grid, and then click Delete to confirm.

  6. For directory accounts, select the user, click the vertical ellipsis, select Delete User, and then click Delete to confirm.

ℹ️

Note

For auditing purposes, if a user account is linked to any Password Safe session recordings, you cannot delete the account; however, you may disable the account.

ℹ️

Note

Directory accounts may be deleted only if they do not belong to any groups.

Updated 5 days ago

©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.