User accounts | PS Pathfinder

What is a user account?

A user account represents an identity that BeyondInsight uses to authenticate and authorize access to system resources. User accounts can be created locally within BeyondInsight or imported from external directories such as Active Directory, Entra ID, or LDAP.

Application user accounts can be created to represent applications that interact with the BeyondInsight public API. These accounts cannot log in to the console but can authenticate and perform API-based operations.

How are they useful?

User accounts enable secure authentication and authorization within BeyondInsight. By assigning each person or application a unique identity, administrators can control who can access specific system resources and track their actions. This ensures proper access management, supports integration with external directories like Active Directory or Entra ID, and allows applications to safely interact with the system through the public API.

ℹ️

A user account must be a member of a user group because permissions to features are assigned at the group level. If a user is not a member of any groups, the user cannot log in to the portal, and application users cannot authenticate with the public API.

Add an application user

Application users represent applications that interface with the public API. Application users cannot log in to the Password Safe user portal. They can only authenticate and interact with the public API, using Client ID and Client Secret for credentials within the OAuth client credential flow.

An API Registration type of API Access Policy must be assigned to an application user, and is used for processing IP rules. To create an application user:

  1. At the top left of the page, click > Password Safe > Configuration.
    The Configuration page displays. You can also click the Configuration container card on the Password Safe page.
  2. Under Role Based Access, click User Management.
  3. Select the Users tab to display the list of users in the grid.
  4. Click Create New User above the grid.
  5. Select Add an Application User from the drop-down list.
    The Create New Application User screen displays.
  6. Add a username.  
  7. Under API Access Policy, select the policy.
  8. Copy the information from the Client ID and Client Secret fields for later use.
  9. Click Create User.
  10. Assign the user to a group that has the required permissions to access Password Safe features.
    • Click the vertical ellipsis for the user, and then select View User Details.
    • From the User Details pane, click Groups.
    • Locate the group, select it, and click Assign Group above the grid.

Recycle the client secret for an application user

When editing an application user, you have an option to recycle their secret. Once recycled, you can copy or view the new secret. When a secret is recycled and the user account is updated with this change, the previous client secret is no longer valid.

To recycle the secret for an application user:

  1. At the top left of the page, click > Password Safe > Configuration.
    The Configuration page displays. You can also click the Configuration container card on the Password Safe page.
  2. Under Role Based Access, click User Management.
  3. Select the Users tab.
  4. Locate the application user in the grid.
  5. Click > Edit User Details.
  6. Click to the right of the Client Secret.
  7. Click Recycle on the confirmation message that displays.
  8. Copy the new secret for later use.
  9. Click Update User.

View and update OAuth secret expiry

An application user's client secret eventually expires. The Users grid has an OAuth Secret Expiry column, which you can use to see which secrets are close to expiring. The default duration of a client secret is 365 days. You can adjust the lifetime of the secret from the Authentication Options configuration area. Updating this value only changes the secret expiry date for new application users and recycled client secrets. Older secrets cannot be updated.

To view the OAuth Secret Expiry for an application user:

  1. At the top left of the page, click > Password Safe > Configuration.
    The Configuration page displays. You can also click the Configuration container card on the Password Safe page.
  2. Under Role Based Access, click User Management.
  3. Click the Users tab.
  4. Locate the application user. The OAuth Secret Expiry column lists the date and time that a client secret for that user expires.

To update the duration for client secrets:

  1. At the top left of the page, click > Password Safe > Configuration.
    The Configuration page displays. You can also click the Configuration container card on the Password Safe page.
  2. Under Authentication Management, click Authentication Options.
  3. Under Application User Authentication Settings, enter the new duration of the client secret in the Client Secret Expiry field.
  4. Click Update Application User Authentications Settings.
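
Because a changed Client Secret Expiry value applies only to new and recycled secrets, a periodic check of the OAuth Secret Expiry column shows which application users need a recycle. The following Python sketch is an added example, not BeyondTrust code: it assumes the Users grid has been exported to CSV with the constructed column names and ISO 8601 timestamps shown, and the function name and status labels are hypothetical.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample export of the Users grid. The column names and ISO 8601
# timestamps are assumptions for this example, not a documented export format.
SAMPLE_EXPORT = """Username,Type,OAuth Secret Expiry
svc-ci-pipeline,Application,2025-06-10T08:00:00+00:00
svc-ticketing,Application,2025-07-01T12:30:00+00:00
svc-reporting,Application,2026-03-15T00:00:00+00:00
svc-inventory,Application,2025-08-20T09:00:00+00:00
jsmith,Local,
"""


def audit_secret_expiry(export_text, now, warn_days=30, policy_days=365):
    """Return (username, status, days_left) tuples, soonest expiry first.

    expired        - the secret can no longer authenticate to the API
    expiring       - expires within warn_days; recycle and redeploy it
    exceeds_policy - expires after now + policy_days, so it was issued under a
                     longer expiry setting and keeps that date until recycled
    ok             - none of the above
    """
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        raw = (row.get("OAuth Secret Expiry") or "").strip()
        if not raw:
            continue  # console users have no client secret
        expiry = datetime.fromisoformat(raw)
        if expiry.tzinfo is None:
            expiry = expiry.replace(tzinfo=timezone.utc)  # assumption: naive = UTC
        if expiry <= now:
            status = "expired"
        elif expiry <= now + timedelta(days=warn_days):
            status = "expiring"
        elif expiry > now + timedelta(days=policy_days):
            status = "exceeds_policy"
        else:
            status = "ok"
        findings.append((row["Username"], status, (expiry - now).days))
    return sorted(findings, key=lambda f: f[2])


if __name__ == "__main__":
    now = datetime(2025, 6, 15, tzinfo=timezone.utc)  # fixed "today" for the sample
    for user, status, days in audit_secret_expiry(SAMPLE_EXPORT, now, policy_days=90):
        print(f"{user:18} {status:15} {days:>5} days")
```

Set `policy_days` to the value currently entered in the Client Secret Expiry field; any secret reported as `exceeds_policy` predates a shorter setting and only picks up the new lifetime when it is recycled.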

Edit a user account

Administrators can edit user details: change the name, username, email, and password; update the active status; lock and unlock the account; and update multi-factor authentication settings. To edit a user account:

  1. At the top left of the page, click > Password Safe > Configuration.
    The Configuration page displays. You can also click the Configuration container card on the Password Safe page.
  2. Under Role Based Access, click User Management.
  3. Select the Users tab.
  4. Locate the user in the grid.
  5. Click > Edit User Details.
  6. In the Edit User pane, update the details as required.
  7. Click Update User.

Add user to groups

  1. At the top left of the page, click > Password Safe > Configuration.
    The Configuration page displays. You can also click the Configuration container card on the Password Safe page.
  2. Under Role Based Access, click User Management.
  3. Select the Users tab.
  4. Select a user or multiple users.
  5. Click Add User to Groups above the grid.
  6. Select the group or groups to which the currently selected users should be assigned.

ℹ️

If a group already contains all of the selected users, a check mark is displayed next to the group name.

Delete a user account

Administrators can delete user accounts as follows:

  1. At the top left of the page, click > Password Safe > Configuration.
    The Configuration page displays. You can also click the Configuration container card on the Password Safe page.
  2. Under Role Based Access, click User Management.
  3. Select the Users tab.
  4. For local accounts:
    • Select the user.
    • Click above the grid.
    • Click Delete in the confirmation message.
  5. For directory accounts:
    • Select the user.
    • Click > Delete User.
    • Click Delete in the confirmation message.

ℹ️

  • For auditing purposes, if a user account is linked to any Password Safe session recordings, you cannot delete the account; however, you may disable the account.
  • Directory accounts may be deleted only if they do not belong to any groups.
