Workgroups for multi-node and multi-tenant environments | PS On-prem
What are worker nodes?
Worker nodes are systems or servers that perform background processing tasks, specifically handling password changes, password tests, and account notifications. They can be assigned to workgroups to provide more control and efficiency.
How are they useful?
When assigned to a workgroup, a worker node only processes tasks for that group’s managed accounts, which improves performance and organization.
If a worker node is not assigned to a workgroup, it operates at a global level, meaning it can handle password management tasks for any account that isn’t tied to a specific workgroup.
Create a Password Safe worker node
This is an automated, self-registered process. It is not possible to add worker nodes manually. When any node in an active/active configuration is running Password Safe v6.0 or higher, the worker node registers with the BeyondInsight database.
To view registered Password Safe worker nodes:
- Open a browser and enter the URL for your Password Safe instance: https:///WebConsole/index.html.
- Enter your username and password.
- From the left menu, open the Configuration page.
  The Configuration page displays.
- Under Privileged Access Management Agents, select Worker Nodes.
Assign a Password Safe worker node to a workgroup
- From the left menu, open the Configuration page.
  The Configuration page displays.
- Under Privileged Access Management Agents, select Worker Nodes.
- Select a worker node from the list on the left. The following options display:
  - Unassigned: The node is not assigned.
  - Assign to existing workgroup: Use the dropdowns to select the organizations and workgroups.
- Click Update Worker Node.
Assign a workgroup to a managed account
You can assign a workgroup to a particular managed account by editing the managed account or by using a Smart Rule.
To assign a workgroup to a particular managed account:
- From the left menu, open the Managed Accounts page.
  The Managed Accounts page displays. You can also select the Managed Accounts container card on the Password Safe landing page.
- Locate the account in the grid.
- Click > Edit Account.
- On the Edit Managed Account panel, expand Identification.
- Select a workgroup from the dropdown.
- Click Update Account.
If you set the workgroup value to None, the account can be changed by any Password Safe agent.
To assign a workgroup using a Smart Rule:
- From the left menu, open the Smart Rules page.
  The Smart Rules page displays.
- Create a new Smart Rule or edit an existing rule.
- Under Actions, select Assign workgroup on each account from the dropdown.
Assign agents to workgroups for multi-tenant environments
After your environment is configured with multiple organizations, the Password Safe worker nodes must be assigned to a workgroup. Multiple worker nodes can be assigned to one workgroup. This distributes the workload and allows Password Safe to scale if needed for the organization.
In a multi-tenant environment, each organization requires at least one worker node. You can only assign a worker node to one organization. Assigning a worker node to more than one organization is not a supported implementation.
- Any managed accounts that are in a workgroup that is not assigned to a worker node will not be processed.
- Every time a worker node is reassigned to a workgroup, the Password Safe omniservice must be restarted.
- For more information, see Assign a Password Safe worker node to a workgroup.
After the worker nodes are assigned, managed accounts can be reassigned to a different workgroup, if required. Managed accounts can be assigned to workgroups manually by editing the Managed Account or by creating a Smart Rule to bulk assign accounts to a new workgroup.
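The assignment rules in this section can be checked against an inventory of nodes and accounts before or after a reassignment. The following Python code is an added example, not BeyondTrust code: it calls no Password Safe API, and the inventory records and their field names (name, org, workgroup) are constructed for illustration.

```python
from collections import defaultdict

# Constructed inventory; field names are hypothetical, not a Password Safe export format.
NODES = [
    {"name": "node-a", "org": "OrgA", "workgroup": "WG-A1"},
    {"name": "node-b", "org": "OrgA", "workgroup": "WG-A1"},
    {"name": "node-c", "org": "OrgB", "workgroup": "WG-B1"},
    {"name": "node-c", "org": "OrgC", "workgroup": "WG-C1"},  # same node, second org
    {"name": "node-d", "org": None, "workgroup": None},       # unassigned (global)
]
ACCOUNTS = [
    {"name": "svc-sql", "org": "OrgA", "workgroup": "WG-A1"},
    {"name": "svc-web", "org": "OrgB", "workgroup": "WG-B2"},  # no node serves WG-B2
    {"name": "adm-old", "org": "OrgA", "workgroup": None},     # workgroup None
]
ORGS = ["OrgA", "OrgB", "OrgC", "OrgD"]


def audit(nodes, accounts, orgs):
    """Return findings for the assignment rules stated on this page."""
    served = {n["workgroup"] for n in nodes if n["workgroup"]}
    orgs_of_node = defaultdict(set)
    for n in nodes:
        if n["org"]:
            orgs_of_node[n["name"]].add(n["org"])
    covered_orgs = set().union(*orgs_of_node.values())
    return {
        # Accounts in a workgroup with no worker node are not processed.
        "unprocessed": sorted(a["name"] for a in accounts
                              if a["workgroup"] and a["workgroup"] not in served),
        # Workgroup None: the account can be changed by any agent.
        "no_workgroup": sorted(a["name"] for a in accounts
                               if a["workgroup"] is None),
        # Each organization requires at least one worker node.
        "orgs_without_node": sorted(set(orgs) - covered_orgs),
        # A worker node can be assigned to only one organization.
        "multi_org_nodes": sorted(name for name, seen in orgs_of_node.items()
                                  if len(seen) > 1),
    }


if __name__ == "__main__":
    for finding, items in audit(NODES, ACCOUNTS, ORGS).items():
        print(f"{finding}: {items}")
```

Accounts listed under unprocessed will not have their passwords changed or tested until a worker node is assigned to their workgroup.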
Synced accounts in a multi-tenant environment
When viewing synced accounts on a managed account in a multi-tenant environment, only synced accounts in that organization are displayed.
