Role-Based Access
BeyondInsight offers a role-based delegation model so that you can explicitly assign permissions to groups on specific product features based on their role. Users are provisioned based on the permissions of their assigned groups.
A user must always belong to at least one group that has permissions assigned to be able to log in to BeyondInsight and Password Safe.
You can create BeyondInsight local groups, or you can use existing Active Directory, Entra ID, or LDAP groups.
Note
By default, an Administrators user group is created. The permissions assigned to the group cannot be changed. The user account you created when you configured BeyondInsight is a member of the group.
Create and edit directory credentials
A directory credential is required for querying Active Directory (AD), Entra ID, and LDAP. It is also required for adding AD, Entra ID, and LDAP groups and users in BeyondInsight. Follow the steps below for creating each type of directory credential.
Note
Before you can create an Entra ID credential, you must first register and configure permissions for an application in the Entra ID tenant where the user credentials reside.
To create a directory credential in BeyondInsight:
- From the left sidebar, click Configuration.
- Under Role Based Access, click Directory Credentials.
- Click + Create New Directory Credential.
- Select the Directory Type and follow the steps below that are applicable for that type.
Create an Active Directory credential
- Select Active Directory for the Directory Type.
- Provide a name for the credential.
- Enter the name of the domain where the directory and user credentials reside.
- Enable the Use SSL option to use a secure connection when accessing the directory.
Note
If Use SSL is enabled, SSL authentication must also be enabled in the BeyondInsight configuration tool.
- Enter the credentials for the account that has permissions to query the directory.
- Enable the Use Group Resolution option to use this credential for resolving groups from the directory.
Note
Only one credential can be set for group resolution per domain or server.
- Click Test Credential to ensure the credential can successfully authenticate with the domain or domain controller before saving the credential.
- Click Create Credential.
Create an LDAP credential
- Select LDAP for the Directory Type.
- Provide a name for the credential.
- Enter the name of the LDAP server where the directory and user credentials reside.
- Enable the Use SSL option to use a secure connection when accessing the directory.
Note
If Use SSL is enabled, SSL authentication must also be enabled in the BeyondInsight configuration tool.
- Enter the credentials for the account that has permissions to query the directory.
- Enable the Use Group Resolution option to use this credential for resolving groups from the directory.
Note
Only one credential can be set for group resolution per LDAP server.
- Click Test Credential to ensure the credential can successfully bind to the LDAP server before saving the credential.
- Click Create Credential.
Create an Entra ID credential
- Select Microsoft Entra ID for the Directory Type.
- Select a credential scope: Public or US Government (supports Azure GCC High). The scope cannot be changed after the directory credential is created.
- Provide a name for the credential.
- Paste the Client ID, Tenant ID, and Client Secret that you copied when registering the application in your Entra ID tenant.
- Enable the Use Group Resolution option to use this credential for resolving groups from the directory.
Note
Only one credential is supported per Entra ID tenant.
- Click Test Credential to ensure the credential can successfully authenticate to the Entra ID tenant before saving the credential.
- Click Save Credential.
Edit a directory credential
- From the Directory Credentials grid, click the vertical ellipsis for the credential, and then select Edit.
- Make the changes required.
Note
For AD or LDAP credentials, if you change the Domain or LDAP Server, enable or disable the Use SSL option, or update the Username or Bind DN, you must change the password. Click Change Password to display fields to enter and confirm the new password.
- Click Test Credential to ensure the edited credential can successfully authenticate with the domain or domain controller before saving the credential.
- Click Save Credential.
Note
To use Entra ID credentials for logging into BeyondInsight, the accounts must use SAML authentication.
Register and configure an application in Entra ID
Before you can create Entra ID credentials and add Entra ID groups and users into BeyondInsight, you must first register and configure an application in the Entra ID tenant where the user accounts reside. The below steps walk through creating a registered application in Entra ID, creating a client secret for the registered app, and configuring API permissions for the registered app.
Create a registered application in Entra ID
Sign in to the Azure portal and connect to the Entra ID tenant where the user accounts you wish to add into BeyondInsight reside. Then follow these steps:
- On the left menu, select App registrations.
- Click + New Registration.
- Under Name, enter a unique application name.
- Under Supported account types, select Accounts in this organizational directory only.
- Click Register.
Create a client secret for the registered app
- Select the newly created app from the list of App Registrations (if not already visible).
- Select Certificates & secrets from the left menu.
- Click + New Client Secret.
- Provide a Description and an appropriate Expiry. Whichever expiry you choose, the directory credential in BeyondInsight must be updated with a new client secret before the current one expires; once the secret expires, the credential can no longer authenticate to Entra ID and directory queries and group synchronization for that tenant fail. Record the expiry date and schedule the rotation.
- Click Add.
- Copy the client secret and store it in a safe place, such as a secrets vault; do not leave it in a script, ticket, or chat. It is required when creating directory credentials for Entra ID in BeyondInsight.
Note
This is the only time this client secret value is displayed. Anyone who obtains the secret together with the Application (client) ID and Directory (tenant) ID can read every user, group, and domain in the tenant using the permissions granted below, so treat it as a privileged credential and rotate it if it is exposed.
Assign API permissions to the registered application
- Select the newly created app from the list of App Registrations.
- Select API Permissions from the left menu.
- Click + Add a permission.
- Click Microsoft Graph.
- Click Application Permissions.
- Search for User.Read.All and check the box in the search results.
- Search for Group.Read.All and check the box in the search results.
- Search for Domain.Read.All and check the box in the search results.
- Click Add permissions.
- Click Grant admin consent for <your tenant> to consent on behalf of the organization to the permissions you just added. These are application permissions: they are not tied to any signed-in user and take effect only after an administrator consents.
- Click Yes to confirm.
Now that your registered app is created, has a client secret, and has API permissions assigned, select Overview from the left menu and copy the Application (client) ID and the Directory (tenant) ID. Store these in a safe place as these are required when creating directory credentials for Entra ID in BeyondInsight.
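The portal procedure above carried out as a script, as an added example for this page (it is not BeyondTrust's or Microsoft's own code). It uses the Microsoft Graph PowerShell SDK (assumed v2.x); the application name, secret lifetime, and 30-day warning window are placeholders, the only fixed identifier is the well-known Microsoft Graph application ID, and the three role IDs are looked up by name rather than hard-coded. It also adds the check the procedure implies but does not show: which secrets on the app are about to expire.

```powershell
# Added example for this page (not BeyondTrust's or Microsoft's code): registers the Entra ID app
# that BeyondInsight needs, declares and consents to the three Graph application permissions,
# creates a client secret, and reports secrets that are about to expire.
# Assumptions: Microsoft Graph PowerShell SDK v2.x is installed (Install-Module Microsoft.Graph);
# the app name, secret lifetime, and warning window are placeholders.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Applications

$AppName      = 'BeyondInsight-DirectoryCredential'       # placeholder display name
$SecretMonths = 12                                        # placeholder lifetime
$GraphAppId   = '00000003-0000-0000-c000-000000000000'    # well-known Microsoft Graph app ID
$RoleNames    = 'User.Read.All', 'Group.Read.All', 'Domain.Read.All'

# Sign in with an account allowed to create app registrations and grant tenant-wide consent.
# For the US Government scope mentioned on this page, add: -Environment USGov
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All' -NoWelcome

# 1. Register the app: "Accounts in this organizational directory only" is SignInAudience AzureADMyOrg.
$app = New-MgApplication -DisplayName $AppName -SignInAudience 'AzureADMyOrg'
$sp  = New-MgServicePrincipal -AppId $app.AppId   # the service principal that consent is recorded on

# 2. Resolve the Graph application role IDs by name instead of hard-coding GUIDs.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'" | Select-Object -First 1
$roleIds = foreach ($name in $RoleNames) {
    $role = $graphSp.AppRoles | Where-Object { $_.Value -eq $name -and $_.AllowedMemberTypes -contains 'Application' }
    if (-not $role) { throw "Graph application role '$name' not found" }
    $role.Id
}

# 3. Declare the permissions on the registration (what "+ Add a permission" does in the portal).
Update-MgApplication -ApplicationId $app.Id -RequiredResourceAccess @(
    @{ ResourceAppId  = $GraphAppId
       ResourceAccess = @($roleIds | ForEach-Object { @{ Id = $_; Type = 'Role' } }) }
)

# 4. Grant admin consent: one appRoleAssignment per role on the app's own service principal.
foreach ($roleId in $roleIds) {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -PrincipalId $sp.Id `
        -ResourceId $graphSp.Id -AppRoleId $roleId | Out-Null
}

# 5. Create the client secret. SecretText is returned exactly once; hand it to a vault, not a script.
$secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = 'BeyondInsight directory credential'
    EndDateTime = (Get-Date).AddMonths($SecretMonths)
}

# The three values the BeyondInsight directory credential form asks for, plus the rotation deadline.
[pscustomobject]@{
    'Application (client) ID' = $app.AppId
    'Directory (tenant) ID'   = (Get-MgContext).TenantId
    'Client secret'           = $secret.SecretText
    'Secret expires'          = $secret.EndDateTime
}

# Operational check: which secrets on an app expire within the warning window. Run this on a
# schedule so the BeyondInsight credential is refreshed before Entra ID rejects the old secret.
function Get-ExpiringAppSecret {
    param([Parameter(Mandatory)] [string]$ApplicationId, [int]$WithinDays = 30)
    $deadline = (Get-Date).AddDays($WithinDays)
    (Get-MgApplication -ApplicationId $ApplicationId).PasswordCredentials |
        Where-Object { $_.EndDateTime -lt $deadline } |
        Select-Object DisplayName, KeyId, EndDateTime
}
Get-ExpiringAppSecret -ApplicationId $app.Id -WithinDays 30
```

Run it as an account that can grant consent for Microsoft Graph application permissions (Global Administrator or Privileged Role Administrator; Application Administrator alone cannot consent to Graph application permissions). If the appRoleAssignment step fails with a not-found error immediately after the service principal is created, wait a few seconds and rerun that step; new service principals take a moment to replicate. Step 4 is the script equivalent of the Grant admin consent button: without those assignments the permissions are declared on the registration but the app cannot use them.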
Map directory credentials to a domain
Domain management allows you to map a default primary directory credential and an optional fallback credential as preferred binding credentials used for account resolution against domains in your environment when logging in to BeyondInsight.
Note
If credentials are not mapped, or both mapped credentials fail, BeyondInsight attempts login following the legacy process of not using mapped credentials.
Follow these steps to add or edit primary and secondary credentials for a domain:
- From the left sidebar, click Configuration.
- Under Role Based Access, click Domain Management.
- Click Create New Domain + to create a new one.
- Provide the name of the domain or LDAP server.
- Select the type of platform.
- Select a Primary Credential from the dropdown.
- Select a Fallback Credential from the dropdown.
- Click Create Domain.
- To edit credentials for an existing domain, select the domain from the left pane, make your edits, and then click Save Domain.
Note
Primary and fallback credentials can include Password Safe managed accounts.
When domain management is configured for a domain and a user selects that domain when logging in to BeyondInsight, the specified primary and fallback credentials are used to resolve their account. The credentials used for authentication are shown in the Login Details for the specific login activity on the Configuration > General > User Audits page.
Create and configure groups for Role-Based Access
Create user groups and user accounts so that your BeyondInsight administrators can log in to BeyondInsight.
When a user is added to a group, the user is assigned the permissions assigned to the group.
You can create BeyondInsight local groups, as well as add Active Directory groups, Entra ID groups, and LDAP groups in BeyondInsight from the Configuration > Role Based Access > User Management page.
You can filter the groups displayed in the grid by type of group, name of the group, group description, and the date the group was last synchronized.
Note
By default, the first 100 groups are displayed per page. You can change this by selecting a different number from the Items per page dropdown at the bottom of the grid.
Create a Local Group
To create a local group in BeyondInsight, follow the below steps:
- From the left sidebar, click Configuration.
- Under Role Based Access, click User Management.
- From the Groups tab, click + Create New Group.
- Select Create a New Group.
- Enter a Group Name and Description for the group.
- The group is set to Active by default. Check the box to deactivate it, if you prefer to activate it later.
- Click Create Group.
- Assign users to the group:
- Under Group Details, select Users.
- From the Show dropdown list, select Users not assigned.
- Filter the list of users displayed in the grid by Type, Username, Name, Email, and Domain, if desired.
- Select the users you wish to add to the group, and then click Assign User above the grid.
Note
By default, new groups are not assigned any permissions. You must assign permissions on features and Smart Groups after creating a new group. For more information on permissions and how to assign them, see Assign Group Permissions.
Note
When a local user logs in to BeyondInsight for the first time using SAML authentication, BeyondInsight provisions their account by mapping it to the groups assigned to their account.
For releases prior to 21.3, and for upgrades to the 21.3 release, if the user account's group membership has changed (in the SAML claims provided) upon subsequent logins, BeyondInsight does not deprovision the user by removing them from the groups that were initially mapped to their account. Instead, BeyondInsight maps the user to any newly assigned groups, in addition to the groups their account is already mapped to.
You can configure BeyondInsight to synchronize group membership each time a local user logs in using SAML, as follows:
- Navigate to Configuration > Authentication Management > Authentication Options.
- Under SAML Logon for Local Users, toggle the Enable Group Resync option to enable it.
For new installs of release 21.3 and later releases, this option is enabled by default.
Add an Active Directory group
Active Directory (AD) group members can log in to the management console and perform tasks based on the permissions assigned to the group. The group can authenticate against either a domain or domain controller. Upon logging into BeyondInsight, users can select a domain from the Log in to list on the Login page.
Note
The Log in to list is only displayed on the Login page when there are either AD or LDAP user groups created in the BeyondInsight console. The Log in to list is displayed by default, but may be disabled / enabled by an admin user by toggling the Show list of domains/LDAP servers on login page setting from Configuration > System > Site Options page.
Note
AD users must log in to the management console at least once to receive email notifications.
To create an Active Directory group in BeyondInsight:
- From the left sidebar, click Configuration.
- Under Role Based Access, click User Management.
- From the Groups tab, click + Create New Group.
- Select Add an Active Directory Group.
- Select a credential from the list.
Note
If you require a new credential, click Create New Credential to create one. The new credential is added to the list of available credentials.
- If the Domain field is not automatically populated, enter the name of a domain or domain controller.
- After you enter the domain or domain controller credential information, click Search Active Directory. A list of security groups in the selected domain is displayed.
Note
The default filter is an asterisk (*), which is a wild card filter that returns all groups. For performance reasons, a maximum of 250 groups from Active Directory is retrieved.
- Set a filter on the groups to refine the list, and then click Search Active Directory.
Example
Sample filters:
- a* returns all group names that start with "a"
- *d returns all group names that end with "d"
- *sql* returns all groups that contain "sql" in the name
- Select a group, and then click Add Group.
- The group is added and set to Active but not provisioned or synchronized with AD. Synchronization with AD to retrieve users begins immediately.
- Once the group has been synced with AD, you can view the users assigned to the group by selecting Users from the Group Details pane.
Note
Use the filters above the grid to narrow down the list of users displayed in the grid by Type, Username, Name, Email, or Domain, or to show users not assigned to the group.
Note
By default, new groups are not assigned any permissions. You must assign permissions on features and Smart Groups after creating a new group. For more information on permissions and how to assign them, see Assign Group Permissions.
Note
For more information on creating and editing directory credentials, see Create and Edit Directory Credentials.
Propagate domain changes to group members
Domain changes can be propagated to all users in a group by enabling the Propagate this change to all group members option for the group. By default, this is set to OFF. When enabled, changes to the preferred domain controller at the group level are applied to all group members.
When creating a new group, we advise turning this setting on by editing the new group details. This ensures that all users in the new group get a preferred domain controller from the initial setup of the group.
Configure Active Directory group synchronization
Create and enable a recurring schedule for AD groups to automatically synchronize at a specified time and frequency. This ensures your AD groups are up to date with the latest users added to that group in Active Directory. This schedule applies globally to all AD groups in your BeyondInsight instance; however, the global schedule can be overridden at the group level and a group can be configured to be excluded from the synchronization process.
To enable Active Directory Group Synchronization:
- Navigate to Configuration > Role Based Access > Active Directory Group Synchronization.
- Check the Enable AD Group Synchronization option.
- Specify a Start Time. Time is UTC.
- Select your desired frequency of Daily, Weekly, or Monthly.
- Click Save Configuration.
Note
For more information on overriding the global AD synchronization schedule and excluding a group from the synchronization process, see Edit Basic Group Details.
Add an Entra ID Group
Entra ID group members log in to the management console using SAML authentication and perform tasks based on the permissions assigned to the group.
Note
Entra ID users must log in to the management console at least once to receive email notifications.
Direct Connect does not support using SAML as an authentication method. Therefore, Direct Connect is not available with Entra ID accounts.
Create an Entra ID group in BeyondInsight, as follows:
- From the left sidebar, click Configuration.
- Under Role Based Access, click User Management.
- From the Groups tab, click + Create New Group.
- Select Add a Microsoft Entra ID Group.
- Select a credential from the list.
Note
If you require a new credential, click Create a New Credential to create a new credential. The new credential is added to the list of available credentials.
- Click Search Microsoft Entra ID. A list of security groups displays.
Note
For performance reasons, a maximum of 250 groups from Entra ID is retrieved. The default filter is an asterisk (*), which is a wildcard filter that returns all groups. Use the group filter to refine the list.
- Set a filter on the groups that are to be retrieved, and then click Search Microsoft Entra ID.
Example
Sample filters:
- a* returns all group names that start with a.
- *d returns all group names that end with d.
- *sql* returns all groups that contain sql in the name.
- Select a group, and then click Add Group.
- The group is added and set to Active but not provisioned or synchronized with Entra ID. Synchronization with Entra ID to retrieve users begins immediately.
- Once the group has been synced with Entra ID, you can view the users assigned to the group, as well as unassigned users, by selecting Users from the Group Details section and then using the filters.
Note
By default, new groups are not assigned any permissions. You must assign permissions on features and Smart Groups after creating a new group. For more information on permissions and how to assign them, see Assign group permissions.
Note
To use Entra ID credentials for logging into BeyondInsight, the accounts must use SAML authentication.
Note
For more information on creating and editing directory credentials, see Create and Edit Directory Credentials.
Configure Entra ID group synchronization
Create and enable a recurring schedule for Entra ID groups to automatically synchronize at a specified time and frequency. This ensures your Entra ID groups are up to date with the latest users added to that group in Entra ID. This schedule applies globally to all Entra ID groups in your BeyondInsight instance; however, the global schedule can be overridden at the group level and a group can be configured to be excluded from the synchronization process.
To enable Entra ID Group Synchronization:
- Navigate to Configuration > Role Based Access > Entra ID Group Synchronization.
- Check the Enable Microsoft Entra ID Group Synchronization option.
- Specify a Start Time.
- Select your desired frequency of Daily, Weekly, or Monthly.
- Click Save Configuration.
Note
For more information on overriding the global Entra ID synchronization schedule and excluding a group from the synchronization process, see Edit Basic Group Details.
Add an LDAP group
LDAP group members can log in to the BeyondInsight console and perform tasks based on the permissions assigned to the group. The group authenticates against the LDAP server specified when the group is added. Upon logging in to BeyondInsight, users can select a domain or LDAP server from the Log in to list on the Login page.
Note
The Log in to list is only displayed on the Login page when there are either AD or LDAP user groups created in the BeyondInsight console. The Log in to list is displayed by default, but may be disabled / enabled by an admin user by toggling the Show list of domains/LDAP servers on login page setting from Configuration > System > Site Options page.
Note
LDAP users must log in to the BeyondInsight console at least once to receive email notifications.
Create an LDAP group in BeyondInsight, as follows:
- From the left sidebar, click Configuration.
- Under Role Based Access, click User Management.
- From the Groups tab, click + Create New Group.
- Select Add an LDAP Group from the list.
- Select a credential from the list.
Note
If you require a new credential, click Create a New Credential to create a new one. The new credential is added to the list of available credentials.
- Enter the name or IP address for the LDAP server.
- Click Fetch to load the list of Base DNs.
- If the Base DN list does not populate, manually enter the details and click Add as New Option to populate the list.
- Select the Base DN.
- To filter the group search, enter keywords in the group filter or use a wild card.
- Click Search LDAP.
Example
Sample filters:
- a* returns all group names that start with a.
- *d returns all group names that end with d.
- *sql* returns all groups that contain sql in the name.
- Select a group, and then click Continue to Add Group.
- Select the Group Membership Attribute and Account Naming Attribute.
- Enter a Base Distinguished Name, if not automatically populated.
- Click Add Group.
- The group is added and set to Active but is not provisioned or synchronized with LDAP. Synchronization with LDAP to retrieve users begins immediately.
- Once the group has been synced with LDAP, you can view the users assigned to the group, as well as unassigned users, by selecting Users from the Group Details section, and then using the filters.
Note
By default, new groups are not assigned any permissions. You must assign permissions on features and smart groups after creating a new group. For more information on permissions and how to assign them, see Assign group permissions.
Note
For more information on creating and editing directory credentials, see Create and Edit Directory Credentials.
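What Test Credential and Use SSL mean at the protocol level (see Create an Active Directory credential and Create an LDAP credential above), and how the console's three sample wildcard group filters (start with a, end with d, contain sql) map onto LDAP searches, as an added example that is not BeyondTrust's code. It uses the .NET System.DirectoryServices.Protocols classes from PowerShell. The server name, bind account, base DN, and the choice of cn and member as the naming and membership attributes (the Active Directory defaults) are assumptions; adjust them for a non-AD LDAP server.

```powershell
# Added example for this page (not BeyondTrust's code): what "Test Credential" and "Use SSL" mean on
# the wire, plus the page's wildcard group filters run as real LDAP searches, using the .NET
# System.DirectoryServices.Protocols classes. Assumptions: LDAPS (636) is enabled on the directory;
# the server, bind account, base DN, and the AD default attributes cn (naming) and member
# (membership) are placeholders to adjust for your environment or a non-AD LDAP server.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Connect-DirectoryCredential {
    param(
        [Parameter(Mandatory)] [string]$Server,            # domain controller or LDAP server (placeholder)
        [Parameter(Mandatory)] [pscredential]$Credential,  # the read-only query account
        [switch]$UseSsl
    )
    $port = if ($UseSsl) { 636 } else { 389 }
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = [bool]$UseSsl
    # A simple bind sends the password in clear text, so only allow it inside TLS. Without SSL,
    # fall back to Negotiate (Kerberos/NTLM), which AD accepts but generic LDAP servers may not.
    $conn.AuthType = if ($UseSsl) { [System.DirectoryServices.Protocols.AuthType]::Basic } else { [System.DirectoryServices.Protocols.AuthType]::Negotiate }
    $conn.Credential = $Credential.GetNetworkCredential()
    try { $conn.Bind() }                                   # this is the "Test Credential" step
    catch [System.DirectoryServices.Protocols.LdapException] {
        throw "Bind to ${Server}:${port} failed (LDAP error $($_.Exception.ErrorCode)): $($_.Exception.Message)"
    }
    return $conn
}

# Translate the console's wildcard syntax (a*, *d, *sql*) into an LDAP filter on the group name,
# escaping filter metacharacters so user input cannot change the filter's structure.
function ConvertTo-GroupLdapFilter {
    param([string]$Pattern = '*')
    $escaped = $Pattern -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
    return "(&(objectClass=group)(cn=$escaped))"
}

function Search-DirectoryGroup {
    param(
        [Parameter(Mandatory)] [System.DirectoryServices.Protocols.LdapConnection]$Connection,
        [Parameter(Mandatory)] [string]$BaseDn,
        [string]$Pattern = '*',
        [int]$MaxResults = 250                             # same cap the console applies
    )
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
        $BaseDn, (ConvertTo-GroupLdapFilter $Pattern),
        [System.DirectoryServices.Protocols.SearchScope]::Subtree, @('cn', 'member'))
    $req.SizeLimit = $MaxResults
    try { $resp = $Connection.SendRequest($req) }
    catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
        # The server returns the first $MaxResults entries together with SizeLimitExceeded;
        # keep them but tell the operator the filter is too broad, as the console's cap implies.
        if ($_.Exception.Response.ResultCode -ne 'SizeLimitExceeded') { throw }
        Write-Warning "More than $MaxResults groups match '$Pattern'; narrow the filter."
        $resp = $_.Exception.Response
    }
    foreach ($entry in $resp.Entries) {
        $members = $entry.Attributes['member']
        [pscustomobject]@{
            Name        = $entry.Attributes['cn'][0]
            MemberCount = if ($members) { $members.Count } else { 0 }
            DN          = $entry.DistinguishedName
        }
    }
}

# Usage with placeholder values: bind over LDAPS and run the page's three sample filters.
$cred = Get-Credential -Message 'Directory query account (read-only)'
$conn = Connect-DirectoryCredential -Server 'dc01.corp.example' -Credential $cred -UseSsl
foreach ($pattern in 'a*', '*d', '*sql*') {
    "--- $pattern  =>  $(ConvertTo-GroupLdapFilter $pattern)"
    Search-DirectoryGroup -Connection $conn -BaseDn 'DC=corp,DC=example' -Pattern $pattern | Format-Table -AutoSize
}
$conn.Dispose()
```

Two points this makes visible that the console hides: a bind failure over 636 is frequently a certificate problem on the directory side rather than a bad password (check the LDAP error code in the message), and the query account only needs read access to group and user objects, so do not reuse a privileged account for the directory credential.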
Assign group permissions
The following permissions may be assigned to user groups in BeyondInsight for each feature and Smart Group.
Permission | Description |
---|---|
No Access | Users cannot access the selected feature or Smart Group. In most cases, the feature is not visible to the users. |
Read Only | Users can view selected areas, but cannot change information. |
Full Control | Users can view and change information for the selected feature. |
Permissions for a BeyondInsight user must be assigned cumulatively and at the group level. You must assign permissions on features and Smart Groups after creating a new group in order for users in that group to be able to access features in the product. For example, if you want a BeyondInsight administrator to manage discovery scans only, then you must assign full control for the following features:
- Management Console Access
- Asset Management
- Reports Management
- Scan – Job Management
- Scan Management
Note
In addition to the group permissions noted, for the group to be provisioned, there must be at least one enabled Smart Group for the group. This sets the scope for the features.
Assign features permissions
Note
The features listed are based upon your BeyondInsight license. Only features relevant to your licensed installation are listed.
- From the left sidebar, click Configuration.
- Under Role Based Access, click User Management.
- From the Groups tab, click the vertical ellipsis for the group.
- Select View Group Details.
- Under Group Details, click Features.
- Filter the list of features displayed in the grid using the Show and Filter by dropdowns.
- Select the features you wish to assign permissions to.
- Click Assign Permissions above the grid.
- Select Assign Permissions Read Only, Assign Permissions Full Control, or Disable Permissions.
The following table provides information on the features permissions you can assign to your groups.
Feature | Provides Permissions To: |
---|---|
Analytics & Reporting | Log in to the console and access Analytics & Reporting to generate and subscribe to reports. After you create a group, go to the Analytics & Reporting Configuration page and run the process daily cube job. Data between the management console and the reporting cube must be synchronized. |
API Registration Management | Grants permission to read or write API Registrations. |
Appliance (U-Series) Access | Grant access to manage the U-Series Appliance as a BeyondInsight user. |
Asset Management | Create Smart Rules. Edit and delete buttons on the Asset Details window. Create Active Directory queries. Create address groups. |
Attribute Management | Add, rename, and delete attributes when managing user groups. |
Credential Management | Add and change credentials when running scans and deploying policies. |
Directory Credential Management | Grant access to the configuration area where directory credentials are managed. This feature must be enabled to support access to directory queries as well. |
Directory Query Management | Grant access to the configuration area where directory queries are managed. Access to Directory Credential Management must also be granted. |
Domain Management | Grants the user permission to configure mappings of bind credentials to domains for account resolution. |
Endpoint Privilege Management | Grant access to the Endpoint Privilege Management features, excluding Policy Editor and Reporting. |
Endpoint Privilege Management Policy Editor | Grant access to the Endpoint Privilege Management Policy Editor feature. |
Endpoint Privilege Management Reporting | Grant access to the Endpoint Privilege Management Reporting feature. |
Endpoint Privilege Management for Unix & Linux | Grant access to the Endpoint Privilege Management for Unix & Linux features. |
File Integrity Monitoring | Work with File Integrity rules. |
License Reporting | View the Licensing folder in Analytics & Reporting (MSP reports, Endpoint Privilege Management for Windows, Endpoint Privilege Management for Mac true-up reports, and Assets Scanned report). |
Management Console Access | Access the BeyondInsight management console. |
Manual Range Entry | Allow the user to manually enter ranges for scans and deployments rather than being restricted to smart groups. The specified ranges must be within the selected smart group. |
Option Management | Change the application options settings (for example, account lockout and account password settings). |
Options - Connectors | Access the configuration area where connectors are managed. |
Options - Scan Options | Access the configuration area where scan options are managed. |
Password Safe Account Management | Grant read or write permissions to managed account features on the Managed Accounts page and through the public API; see the managed accounts API documentation for the list of operations. |
Password Safe Admin Session | Password Safe web portal admin sessions. |
Password Safe Admin Session Reviewer | Grant a user admin session reviewer permissions only. |
Password Safe Global API Quarantine | Access to the Quarantine APIs. |
Password Safe Bulk Password Change | Change more than one password at a time. |
Password Safe Agent Management | Grant a user administrator permissions to the Configuration > Privileged Access Management Agents page. |
Password Safe Configuration Management | Grant a user administrator permissions to the Configuration > Privileged Access Management page. |
Password Safe Domain Management | Check the Read and Write boxes to permit users to manage domains. |
Password Safe Policy Management | Grant a user administrator permissions to the Configuration > Privileged Access Management Policies page. |
Password Safe Role Management | Allows a user to manage roles, provided they have the following permissions: Password Safe Role Management and User Account Management. |
Password Safe System Management | Read and write managed systems through the public API. |
Password Safe Ticket System Management | This feature is not presently used. |
Reports Management | Run scans, create reports, and create report categories. |
Scan - Job Management | Activate Scan and Start Scan buttons. Activate Abort, Resume, Pause, and Delete on the Job Details page. |
Scan - Report Delivery | Allow a user to set report delivery options when running a scan. |
Scan Management | Delete, edit, duplicate, and rename reports on the Manage Report Templates page. Activate New Report and New Report Category. Activate the Update button on the Edit Scan Settings view. |
Secrets Safe | Provides access to Secrets Safe for all members of the selected group. |
Session Monitoring | Use the session monitoring features. |
Smart Rule Management – Asset | Grants permission to view, create, and edit asset Smart Rules; editing is limited to Smart Rules that are enabled for groups the user is a member of. Newly created Smart Rules created by a non-administrator are automatically enabled with full permissions for all groups where the user is a member. |
Smart Rule Management – Managed Account | Grants permission to view, create, and edit managed account Smart Rules; editing is limited to smart rules that are enabled for groups the user is a member of. Newly created Smart Rules created by a non-administrator are automatically enabled with full permissions for all groups where the user is a member. |
Smart Rule Management – Managed System | Grants permission to view, create, and edit managed system Smart Rules; editing is limited to smart rules that are enabled for groups the user is a member of. Newly created Smart Rules created by a non-administrator are automatically enabled with full permissions for all groups where the user is a member. |
Smart Rule Management – Policy User | Grants permission to view, create, and edit policy user Smart Rules; editing is limited to smart rules that are enabled for groups the user is a member of. Newly created Smart Rules created by a non-administrator are automatically enabled with full permissions for all groups where the user is a member. |
Ticket System | View and use the ticket system. |
Ticket System Management | Mark a ticket as inactive. The ticket no longer exists when Inactive is selected. |
User Accounts Management | Add, delete, or change user groups and user accounts. A minimum of read access to Directory Credential Management must also be granted to enable creation of AD and LDAP Groups. |
User Audits | View audit details for management console users on the User Audits page. |
U-Series Appliance Administrator | Provides access to manage all aspects of the U-Series Appliance. |
U-Series Appliance Backups | Provides access to manage the Backup and Restore options of the U-Series Appliance. |
U-Series Appliance High Availability | Provides access to manage the High Availability features of the U-Series Appliance. |
U-Series Appliance Login | Provides access to manage the U-Series Appliance as a BeyondInsight user. |
U-Series Appliance Manage RDP | Provides access to manage Remote Desktop Protocol to the U-Series Appliance. |
U-Series Appliance Patching | Provides access to manage updates to the U-Series Appliance. |
Workforce Passwords | Enables secure enterprise credential storage. In order to leverage Workforce Passwords, an additional license is required. |
Note
For more information, see the managed accounts API documentation.
Features permissions required for configuration options
Configuration Option | Feature and Permission |
---|---|
Active Directory Queries | Asset Management - Full Control. |
Address Groups | Asset Management - Full Control. |
Attributes | Asset Management - Full Control. |
Connectors | Asset Management and Management Console Access - Full Control. |
Organizations | User Accounts Management - Full Control. |
Password Safe Connections | Member of the Built-In Administrators group. |
Endpoint Privilege Management Module | Management Console Access and Endpoint Privilege Management - Full Control. |
Scan Options | Scan Management - Full Control. |
Services | Member of the Built-In Administrators group. |
User Audits | User Audits - Full Control. |
User Management | Everyone can access. Users without Full Control permission on the User Account Management feature can edit only their own user record. |
Workgroups | User Accounts Management - Full Control. |
Assign Smart Groups permissions
- From the left sidebar, click Configuration.
- Under Role Based Access, click User Management.
- From the Groups tab, click the vertical ellipsis for the group.
- Select View Group Details.
- Under Group Details, select Smart Groups.
- Filter the list of Smart Groups displayed in the grid using the Show and Filter by dropdowns.
- Select the Smart Groups you wish to assign permissions to.
- Click Assign Permissions above the grid.
- Select Assign Permissions Read Only, Assign Permissions Full Control, or Disable Permissions.
Edit and Delete Groups
Edit groups
The sections below describe how to make basic edits to the settings and options of BeyondInsight local groups, Active Directory groups, Entra ID groups, and LDAP groups using the Edit Group functionality, as well as how to update more advanced group details such as assigning permissions, updating group members, and managing API registrations.
Administrators can edit the following basic details for groups in BeyondInsight:
BeyondInsight local groups
For BeyondInsight local groups, administrators can update the following:
- Deactivate or activate a group by enabling or disabling the Active status.
- Modify the Group Name.
- Modify the Description.
Active Directory groups
For Active Directory groups, administrators can update the following:
- Deactivate or activate a group by enabling or disabling the Active status.
- Change the credential used to query the group in Active Directory.
- Select a new domain or domain controller used for accessing the group in Active Directory.
- Enable or disable the option to propagate domain changes to all members of the group.
- Select Sync Schedule Options to control how the user accounts in this group are automatically synchronized on a periodic schedule. The following options are available:
  - Global: This is the default setting, which uses the schedule settings specified in the Active Directory Group Synchronization configuration section.
  - Custom: Select Custom to ignore the global synchronization schedule and specify a unique synchronization schedule for this group instead.
  - No scheduled synchronization: Select this option to omit this group from any automatic synchronization. The group can still be synchronized manually.
Entra ID groups
For Entra ID groups, administrators can update the following:
- Deactivate or activate a group by enabling or disabling the Active status.
- Select Sync Schedule Options to control how the user accounts in this group are automatically synchronized on a periodic schedule. The following options are available:
  - Global: This is the default setting, which uses the schedule settings specified in the Microsoft Entra ID Group Synchronization configuration section.
  - Custom: Select Custom to ignore the global synchronization schedule and specify a unique synchronization schedule for this group instead.
  - No scheduled synchronization: Select this option to omit this group from any automatic synchronization. The group can still be synchronized manually.
LDAP groups
For LDAP groups, administrators can update the following:
- Deactivate or activate a group by enabling or disabling the Active status.
- Change the credential used to query the group in LDAP.
- Select a new Group Membership attribute from the list. The following options are available:
  - member
  - uniqueMember (default)
  - memberUID
- Select a new Account Naming attribute from the list. The following options are available:
  - cn
  - sAMAccountName
  - uid
  - userPrincipalName
- Edit the Base Distinguished Name.
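The Group Membership and Account Naming attribute choices above decide which accounts an LDAP group resolves to. The following is an added example, not BeyondInsight code, that walks a constructed directory with both a `uniqueMember` (DN-valued) group and a `memberUid` (uid-valued) group and shows why a mismatched attribute resolves to no members.

```python
# Added example, not BeyondInsight code: shows how the Group Membership and
# Account Naming attribute choices above decide which accounts an LDAP group
# resolves to. The directory entries are constructed sample data.

# Constructed directory: DN -> {attribute: [values]}, as LDAP returns them.
DIRECTORY = {
    "cn=ops,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfUniqueNames"],
        "uniqueMember": ["uid=alice,ou=people,dc=example,dc=com",
                         "uid=bob,ou=people,dc=example,dc=com"],
    },
    "cn=legacy,ou=groups,dc=example,dc=com": {
        "objectClass": ["posixGroup"],
        "memberUid": ["alice", "carol"],
    },
    "uid=alice,ou=people,dc=example,dc=com": {
        "uid": ["alice"], "cn": ["Alice A"], "sAMAccountName": ["alice.a"]},
    "uid=bob,ou=people,dc=example,dc=com": {"uid": ["bob"], "cn": ["Bob B"]},
    "uid=carol,ou=people,dc=example,dc=com": {
        "uid": ["carol"], "cn": ["Carol C"], "userPrincipalName": ["carol@example.com"]},
}

DN_VALUED = {"member", "uniquemember"}  # these attributes hold member DNs

def get_attr(entry, name):
    """LDAP attribute names are case-insensitive (memberUID == memberUid)."""
    return next((v for k, v in entry.items() if k.lower() == name.lower()), [])

def resolve_group_members(group_dn, membership_attr, naming_attr, base_dn):
    """Return the account names of group_dn's members under the chosen attributes.

    A membership attribute the group entry does not carry yields no members,
    and a member entry lacking the naming attribute is skipped: both show up
    in BeyondInsight as a group that synchronizes fewer users than expected.
    """
    names = []
    for value in get_attr(DIRECTORY.get(group_dn, {}), membership_attr):
        if membership_attr.lower() in DN_VALUED:
            entry = DIRECTORY.get(value)          # value is the member's DN
        else:                                     # memberUID: value is a uid
            entry = next((e for dn, e in DIRECTORY.items()
                          if dn.lower().endswith(base_dn.lower())
                          and value in get_attr(e, "uid")), None)
        name = get_attr(entry or {}, naming_attr)
        if name:
            names.append(name[0])
    return sorted(names)
```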
To edit a group in BeyondInsight:
- From the left sidebar, click Configuration.
- Under Role Based Access, click User Management.
- From the Groups tab, locate the group using the available filter options above the grid and select it.
- Click the vertical ellipsis for the group, and then select Edit Group.
- In the Edit Group pane, update the details as required, and then click Update Group.
Note
For more information on configuring Active Directory Group Synchronization settings, see Configure Active Directory Group Synchronization.
Edit advanced group details
Administrators can edit the following advanced details for groups:
- Update the group permissions for specific BeyondInsight and Password Safe features.
- Update the group permissions for specific Smart Groups.
- Edit Password Safe roles for Smart Groups.
- Add and remove users from local groups.
- Manually synchronize group users for Active Directory and LDAP groups.
- Enable and disable API Registrations for the group.
Follow these steps to access advanced details for a group:
- From the left sidebar, click Configuration.
- Under Role Based Access, click User Management.
- From the Groups tab, locate the group using the available filter options above the grid and select it.
- Click the vertical ellipsis for the group, and then select View Group Details.
- From the Group Details pane, you can select Features, Smart Groups, Users, and API Registrations to make updates for the group. Specific updates you can make for each of these options are detailed in the sections below.
Update group permissions for features
Permissions provide the members of the group access to BeyondInsight system components and Password Safe features. Assign permissions to groups for specific features, as follows:
- From the Group Details pane, click Features.
- From the Features grid, select the feature.
- Click Assign Permissions above the grid.
- Click Assign Permissions Read Only, Assign Permissions Full Control, or Disable Permissions.
Update group permissions for Smart Groups
Assign permissions to groups to provide members of the group access to Smart Groups as follows:
- From the Group Details pane, click Smart Groups.
- From the Smart Groups grid, select the Smart Group.
- Click Assign Permissions above the grid.
- Click Assign Permissions Read Only, Assign Permissions Full Control, or Disable Permissions.
Edit Password Safe roles for Smart Groups
Password Safe roles define the actions users can take when using the Password Safe web portal for password releases or access to applications. Assign Password Safe roles to groups as follows:
- From the Group Details pane, click Smart Groups.
- From the Smart Groups grid, click the vertical ellipsis for the Smart Group.
- Select Edit Password Safe Roles.
- Check or uncheck each role, as required.
- Click Save Roles.
Add users to local BeyondInsight groups
Manually add users to local groups in BeyondInsight as follows:
- From the Group Details pane, click Users.
- Filter the Users grid to show users not assigned.
- Select the user or users, and then click Assign User above the grid.
Sync group users for Active Directory and LDAP groups
To ensure your AD and LDAP groups contain the most recent group members, you can manually synchronize with AD and LDAP to retrieve the group's users. There are two methods for manually synchronizing group users, as follows:
- From the group header, above the Group Details pane, click the Sync group users icon.
- From the User Management page, click the vertical ellipsis for the group and select Sync group users.
Manage group API registrations
API Registrations provide a way to integrate part of the BeyondInsight and Password Safe functionality into your applications using an API key. Manage API registrations for groups as follows:
- From the Group Details pane, click API Registrations.
- Check or uncheck the API registrations to enable or disable them for this group or click Select All to enable all of them. Changes are automatically saved.
Note
Use the filter above the list to narrow down the list of API registrations or to quickly find a specific registration by its name. If you need to create a new API registration, click the Manage API Registrations link above the filter box to go to the API Registrations page where you can create a new one.
Note
For more detailed information on features permissions, Password Safe roles, and API registrations, please see the following:
- Assign Group Permissions
- Configure API Registration
- Password Safe Role
Delete a group
Note
Groups associated with a secret or credential in Secrets Safe cannot be deleted. Users attempting this action receive the following warning: Unable to delete group as it contains secrets which must first be removed.
Administrators can delete groups as follows:
- From the left sidebar, click Configuration.
- Under Role Based Access, click User Management.
- From the Groups tab, locate the group using the available filter options above the grid and select it.
- Click the Delete button above the grid. Alternatively, click the vertical ellipsis for the group, and then select Delete Group.
Audit Console Users
You can track the following activities of users logging into the console:
- Login and logout times
- IP address from where the user logged in
- Password change events
- Other actions taken such as configuring user settings
To view user audit data:
- Go to Configuration > General > User Audits.
- Use the filters above the grid to easily locate specific items listed. You can filter grid items by the following criteria:
- Date the user took the action
- Type of action taken
- Which section of the application the action was taken in
- Username
- IP Address
- Key words of the item
- Key words in the item details
- Click the i icon for the item to view more specific details about the action taken.
Note
You can export all of the data in the grid to a CSV file by clicking the Download all (downward arrow) button above the grid.
Note
User audits older than 120 days are purged from the database. Navigate to Configuration > System > Data Retention > Application Maintenance to change the data retention setting for user audits.
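The export and retention points above lend themselves to a small offline review of the CSV. The following is an added example, not BeyondInsight code: the column names are an assumption modelled on the grid's filter criteria (Date, Action, Section, Username, IP Address, Item, Details), and the rows are constructed sample data, not a real export.

```python
# Added example, not BeyondInsight code: reviews a User Audits CSV export of
# the kind described above. The column names are an assumption modelled on
# the grid's filter criteria; the rows are constructed sample data.
import csv
import io
from collections import defaultdict
from datetime import date, timedelta

SAMPLE_EXPORT = """\
Date,Action,Section,Username,IP Address,Item,Details
2024-05-01,Login,Authentication,jdoe,10.0.0.5,Console,Login succeeded
2024-05-02,Login,Authentication,jdoe,10.0.0.5,Console,Login succeeded
2024-05-03,Login,Authentication,jdoe,203.0.113.9,Console,Login succeeded
2024-05-04,Password Change,User Settings,jdoe,198.51.100.4,Account,Password changed
2024-05-04,Login,Authentication,asmith,10.0.0.7,Console,Login succeeded
2024-01-10,Logout,Authentication,asmith,10.0.0.7,Console,Logout
"""

def parse_export(text):
    return list(csv.DictReader(io.StringIO(text)))

def login_sources(rows):
    """Map each username to the distinct IP addresses it logged in from."""
    sources = defaultdict(set)
    for r in rows:
        if r["Action"] == "Login":
            sources[r["Username"]].add(r["IP Address"])
    return {user: sorted(ips) for user, ips in sources.items()}

def password_changes_from_unseen_ip(rows):
    """Password changes made from an IP the user never logged in from earlier
    in the export; worth a second look during audit review."""
    seen, flagged = defaultdict(set), []
    for r in sorted(rows, key=lambda r: r["Date"]):   # process in date order
        if r["Action"] == "Login":
            seen[r["Username"]].add(r["IP Address"])
        elif r["Action"] == "Password Change" and r["IP Address"] not in seen[r["Username"]]:
            flagged.append((r["Date"], r["Username"], r["IP Address"]))
    return flagged

def rows_due_for_purge(rows, today, retention_days=120, warn_days=7):
    """Rows that reach the 120-day retention limit within warn_days; archive
    these before the scheduled purge removes them from the database."""
    cutoff = date.fromisoformat(today) - timedelta(days=retention_days - warn_days)
    return [r for r in rows if date.fromisoformat(r["Date"]) <= cutoff]
```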