Disabled at Rest managed accounts
Just-in-Time (JIT) is a critical aspect of controlling access to assets and identities within an organization. When flagged by a Password Safe administrator, Active Directory and Entra ID accounts can leverage JIT capabilities by disabling these accounts when checked in to Password Safe. When a requestor checks out an account, a workflow is initiated that re-enables the account for use. Once checked back in, the account is disabled again.
When enabling or disabling an account, Password Safe uses the Preferred Domain Controller (DC), if set, for the managed account.
The Disabled at Rest feature is only available for Active Directory (AD) and Entra ID accounts.
Enable the Disabled at Rest setting
The Disabled at Rest setting can be activated by using a toggle switch, located in Managed Accounts > Account Settings, or by creating a Smart Rule.
Enable Disabled at Rest with toggle switch
- From the left hand menu in the BeyondInsight console, click Managed Accounts.
- Select a managed account and then click the vertical ellipsis to the right of the account.
- From the menu, select Edit Account.
- Under Account Settings, click the Disabled at Rest toggle switch to enable the setting.
- Click Update Account.
Create a Smart Rule for Disabled at Rest accounts
In addition to setting the Disabled at Rest option in an individual managed account, you can also set the Disabled at Rest flag by creating a smart rule. The flag automatically turns on the Disabled at Rest setting for all matching accounts included in the smart rule, as follows:
- From the left menu in the BeyondInsight console, click Smart Rules.
- Select Managed Account from theSmart Rule Type Filter dropdown.
- Click Create Smart Rule.
- Select Managed Account Settings for Disabled at Rest Accounts from the first dropdown under Actions.
- Under Platform, select either Active Directory or Microsoft Entra ID.
- Complete the smart rule, and then select Create Smart Rule.
If the Disabled At Rest setting is set at the account level, it is overwritten by the Manage Account Settings action in a Smart Rule, which sets Disabled at Rest for all affected accounts to No. You must use the Manage Account Settings for Disabled At Rest Accounts action instead, which sets Disabled at Rest for all affected accounts to Yes.
- Concurrent accounts, those that are used by multiple users, are disabled only after the account is no longer in use by anyone.
- The Disabled at Rest feature is not supported with Password Cache. This service checks out the account it is configured for and keeps a cache locally. The cache is an active request, meaning the cached account is enabled, and it will stay enabled.
Verify Disabled at Rest setting
Verify that the Disabled at Rest setting is enabled, as follows:
- Click the vertical ellipsis to the right of the account that was updated.
- From the menu, select Go to Advanced Details.
- Under Details & Attributes > Account Settings, Disabled at Rest should be set to Yes.
Changes can also be viewed under User Audits, as follows:
- Go to Configuration > General > User Audits.
- Click the information icon to the right of the updated item. The Edit Details pane displays the action that was taken and the changes made.
Sample Disabled At Rest workflow description
Disabled accounts are temporarily enabled when a new Password Safe request is made. Using the View Password request as an example, view the workflow, as follows:
- Click the left menu in the BeyondInsight console and click Password Safe.
- Go to Accounts > Directory Linked Accounts.
- Click Access (key icon) to the right of the request.
- In the Access pane, under Quick Launch, set the time length of the session.
- Click Retrieve Password.
- The account is now enabled.
- It remains enabled for the duration of the session. If the user checks-in the request or the request expiry time is reached (whichever comes first), the account is queued to be disabled.
When enabling the Disable at Rest feature on a managed account, the account is set to disabled in AD or Entra ID. If the account does not become disabled, a check out/check in may be required.
Affected settings
When your account is set to Disabled at Rest, the following settings are not available:
- Account Settings > Use Own Credentials.
- Account Settings > Directory Query Enabled
- Scanner Settings > Scanner Enabled
- Managed Account > Advanced Details > Propagation Actions
- Test Password is not available in the ellipsis menu.
For more information about site replication considerations when leveraging the Disable at Rest feature, please refer to your Active Directory administrators.
Updated 14 days ago