Password Safe administrator essentials

What you need to know to use Password Safe as an administrator.

Secrets Safe and Smart Rules

Password Safe administrators use Secrets Safe to store sensitive data and use Smart Rules and Smart Groups to automate how the platform organizes and governs that data. This guide explains both capabilities at an intermediate level.

Understanding Secrets Safe

Secrets Safe gives you a secure, auditable place to store credentials, files, and text outside of Password Safe's managed-account workflow. Each safe works as an isolated container: you assign group permissions at the safe level, and only authorized users can view or manage what's inside. Owners and users with the Manage Safe permission control access, while read-only users can view, retrieve, and organize secrets into folders without changing them. Search and filter tools help users locate a secret quickly by title, type, owner, or folder.

Configure Secrets Safe

Grant Secrets Safe access by assigning the feature to a group in BeyondInsight, with either read-only or full-control permissions. Full control lets a user create safes, and BeyondInsight automatically grants that creator the Manage Safe permission. From there, you assign granular permissions to users and groups on each safe: read, create, update, delete, and share secrets, or manage the safe itself. You can also set an expiration date so temporary access revokes itself automatically.

Why Smart Rules and Groups matter

  • New accounts enter the correct Smart Group automatically, the moment they match a rule.
  • Access policies apply instantly to newly discovered accounts, with no manual step.
  • You avoid reconfiguring permissions by hand every time the environment changes.
  • Groups stay accurate over time without ongoing human intervention.

Understanding Smart Rules and Smart Groups

A Smart Rule is an if-then query that BeyondInsight runs against your environment. The criteria define what to select, such as operating system, account name, or platform, and the actions define what happens next: onboard the object, add it to a Smart Group, or trigger a scan.

A Smart Group is the resulting container. Membership updates automatically as objects start or stop matching the rule, so you never manage the list by hand. Administrators rely on Smart Groups to assign roles, apply access policies, and scope audits.

Best practices for Smart Groups

  • Favor many simple rules over one complex rule: limit each rule to two criteria and two actions where possible.
  • Apply consistent name prefixes, such as Discovery, Onboard, and Access, so related groups stay easy to find.
  • Design groups around behavior, like approval requirements, not just technical traits like OS.
  • Test a new rule on a small sample and disable password rotation until you confirm the results.
  • Avoid regular-expression filters; they slow down processing at scale.

Quick reference

Remember — Secrets Safe
A safe is a permission boundary. Assign it deliberately, then delegate with Manage Safe.

Remember — Smart Rules
Criteria plus actions equal one Smart Rule. The result of that rule is always a Smart Group.

Remember — Smart Groups
Automation, not manual upkeep, is the payoff: well-built Smart Groups stay accurate on their own.

Resources

Understanding Smart rules and groups

Best practices: Smart Groups

Smart Rules: Configure

Secrets Safe: Configure


©2003-2026 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.