
SailPoint IdentityNow

Overview

IdentityNow is a Software as a Service (SaaS) identity governance solution from SailPoint.

Password Safe can integrate with IdentityNow using an access data source connector that is supported by default with IdentityNow.

Password Safe Cloud can also integrate with IdentityNow using the BeyondTrust Password Safe open source SaaS Connector, which allows for direct cloud-to-cloud communication.

Note: For more information, please see IdentityNow for BeyondTrust Password Safe.

To configure the integration between Password Safe and IdentityNow using the Password Safe SailPoint SaaS open source connector for IdentityNow, see Welcome to the Password Safe SailPoint SaaS Connector.

Configure IdentityNow service account in BeyondInsight

Creating an IdentityNow service account in BeyondInsight requires the following:

  • Create a user group
  • Enable features and Smart Groups for the user group
  • Create a user account and add it to the user group
  • Log in to BeyondInsight as the new service account user to generate OAuth credentials

The following sections detail each of these steps.

Create a new group for the service account

To create a local group in BeyondInsight, follow these steps:

  1. From the left sidebar, click Configuration.
  2. Under Role Based Access, click User Management.
  3. From the Groups tab, click + Create New Group.
  4. Select Create a New Group.
  5. Enter a Group Name and Description for the group.
  6. Click Create Group.
  7. Follow the steps in the following sections to enable features and Smart Groups for your newly created group.

Note: In addition to creating groups locally, you can import Active Directory, Entra ID, and LDAP groups into BeyondInsight.

Enable features for the group

To enable features for a group in BeyondInsight, assign permissions to the features as follows:

  1. Go to Configuration > Role Based Access > User Management.
  2. From the Groups tab, find the group and click on the corresponding ellipsis to the right of the group.
  3. Select View Group Details from the list.
  4. Click Features located under Group Details.
  5. Select All Features from the Show dropdown above the grid to display a list of features in the grid.
  6. Select the Management Console Access feature and click Assign Permissions > Assign Permissions Read Only above the grid. This permission is required so the service account can log in to BeyondInsight and obtain the service account's unique OAuth credentials.
  7. Select the following features and click Assign Permissions > Assign Permissions Full Control above the grid.
    • Options - Connectors: This feature is required to allow the creation of OAuth credentials by the member account. In production, this permission can be removed after the connection is established, but it is needed again to cycle the client_secret and refresh_token.
    • Password Safe Account Management: This feature is required to read or write managed accounts through the public API.
    • Password Safe Role Management: This feature is required to allow visibility into account Smart Groups, which are assigned via user groups in BeyondInsight.
    • Smart Rule Management - Managed Account: This feature is required to manage Smart Rules for managed accounts.
    • User Accounts Management: This feature is required for the service account to manage user groups and user accounts.

Enable Smart Groups for the group

To enable Smart Groups for a group in BeyondInsight, assign permissions to the Smart Groups as follows:

  1. Go to Configuration > Role Based Access > User Management.
  2. From the Groups tab, find the group and click on the corresponding ellipsis to the right of the group.
  3. Select View Group Details from the list.
  4. Click Smart Groups located under Group Details.
  5. Select All Smart Groups from the Show dropdown above the grid to display a list of Smart Groups in the grid.
  6. Select the All Managed Accounts Smart Group and click Assign Permissions > Assign Permissions Read Only above the grid.
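The feature and Smart Group assignments above form the documented least-privilege baseline for the service account's group. The following script is an added illustration, not BeyondTrust or SailPoint code: it audits a group's assigned feature and Smart Group permissions against that baseline and reports drift in both directions (missing, excess, over- or under-privileged). The input shape (feature name to permission string) and the drifted sample group are constructed for the example and are not the BeyondInsight API format; the `steady_state` option models the page's remark that Options - Connectors can be removed once the connection is established.

```python
"""Least-privilege drift check for the IdentityNow service account's group.

Added example, not BeyondTrust or SailPoint code. Compares the feature and
Smart Group permissions assigned to a BeyondInsight group against the baseline
documented on this page. The input shape and the sample group are constructed
for the example; they are not the BeyondInsight API format.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

READ_ONLY = "Read Only"
FULL_CONTROL = "Full Control"
RANK = {READ_ONLY: 1, FULL_CONTROL: 2}   # unknown strings rank 0

# Baseline from the page: one read-only feature, five full-control features,
# and read-only access to the All Managed Accounts Smart Group.
BASELINE_FEATURES = {
    "Management Console Access": READ_ONLY,
    "Options - Connectors": FULL_CONTROL,
    "Password Safe Account Management": FULL_CONTROL,
    "Password Safe Role Management": FULL_CONTROL,
    "Smart Rule Management - Managed Account": FULL_CONTROL,
    "User Accounts Management": FULL_CONTROL,
}
BASELINE_SMART_GROUPS = {"All Managed Accounts": READ_ONLY}

# The page says Options - Connectors is only needed while the OAuth credentials
# are created or cycled, so the steady-state baseline omits it.
ROTATION_ONLY_FEATURES = {"Options - Connectors"}


@dataclass(frozen=True)
class Finding:
    kind: str              # missing | excess | over-privileged | under-privileged
    scope: str             # feature | smart group
    name: str
    expected: Optional[str]
    actual: Optional[str]


def _compare(actual: Dict[str, str], expected: Dict[str, str], scope: str) -> List[Finding]:
    """Diff assigned permissions against expected ones in both directions."""
    findings: List[Finding] = []
    for name, want in expected.items():
        have = actual.get(name)
        if have is None:
            findings.append(Finding("missing", scope, name, want, None))
        elif RANK.get(have, 0) > RANK[want]:
            findings.append(Finding("over-privileged", scope, name, want, have))
        elif RANK.get(have, 0) < RANK[want]:
            findings.append(Finding("under-privileged", scope, name, want, have))
    for name, have in actual.items():
        if name not in expected:
            findings.append(Finding("excess", scope, name, None, have))
    return findings


def audit_group(features: Dict[str, str], smart_groups: Dict[str, str],
                steady_state: bool = False) -> List[Finding]:
    """Return every deviation from the documented baseline.

    steady_state=True applies the tighter post-setup baseline in which the
    rotation-only feature is expected to have been removed again.
    """
    expected_features = dict(BASELINE_FEATURES)
    if steady_state:
        for name in ROTATION_ONLY_FEATURES:
            expected_features.pop(name, None)
    return (_compare(features, expected_features, "feature")
            + _compare(smart_groups, BASELINE_SMART_GROUPS, "smart group"))


# Constructed sample: a group that has drifted from the baseline in several ways.
SAMPLE_FEATURES = {
    "Management Console Access": FULL_CONTROL,          # should be read-only
    "Options - Connectors": FULL_CONTROL,               # acceptable during setup only
    "Password Safe Account Management": FULL_CONTROL,
    "Smart Rule Management - Managed Account": FULL_CONTROL,
    "User Accounts Management": FULL_CONTROL,
    "Asset Management": FULL_CONTROL,                   # not in the baseline (constructed)
}                                                        # Password Safe Role Management is missing
SAMPLE_SMART_GROUPS = {"All Managed Accounts": FULL_CONTROL}   # should be read-only

if __name__ == "__main__":
    for mode in (False, True):
        print(f"steady_state={mode}")
        for f in audit_group(SAMPLE_FEATURES, SAMPLE_SMART_GROUPS, steady_state=mode):
            print(f"  {f.kind:16} {f.scope:12} {f.name!r}: expected {f.expected}, got {f.actual}")
```

Running the script against the sample reports four findings during setup and a fifth (Options - Connectors now counted as excess) once `steady_state=True` is applied, which is the check to schedule after the OAuth credentials have been generated.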

Note: Managed Account Smart Groups with a category of Managed Accounts are visible via the SCIM API. Managed Account Smart Groups with a category of Platforms are not visible. However, you can recreate the same Smart Group with a category of Managed Accounts.

Create a new user and assign to group

Once the group is created and assigned the appropriate features and Smart Groups permissions, you can create a new account in BeyondInsight for the service account and add it to the group.

Note: Permissions are assigned only to the group, not to the account.

  1. Go to Configuration > Role Based Access > User Management.
  2. From the Users tab, click Create New User.
  3. Select Create a New User.
  4. Provide Identification, Credentials, Contact Information, User Status, and Authentication Options as needed.
  5. Click Create User.
  6. You are taken to the details page for the user account where Groups is automatically selected. Select All Groups from the Show dropdown above the Groups grid to list all available user groups.
  7. Locate the group you created above for the service account, select it, and then click Assign Group above the grid.

Note: In addition to creating user accounts locally, you can import AD, Entra ID, and LDAP accounts and add them to either local or imported groups.

Generate OAuth credentials

Once the user account is created and assigned to a group, you must log in as the new user to generate OAuth credentials.

  1. Go to Configuration > General > Connectors.
  2. Under Connectors, select the SCIM connector. Once selected, the SCIM connector information displays.

Note: Do not select the SailPoint connector. This was available in previous versions of BeyondInsight, but it is an older integration and is not based on SCIM.

  3. Each logged-in account in BeyondInsight has a unique client ID. The Client ID is located within the SCIM connector information. Highlight the ID, right-click, and save locally as client_id to a text file.
  4. Click Recycle Client Secret.
  5. Click Recycle on the Recycle Secret Access Key pop-up. This generates a unique access key.
  6. Highlight the Client Secret access key, right-click, and save as client_secret to a text file.
  7. Click Generate Refresh Token if you want to use this method of authentication. Use the account login password when prompted.

Note: The refresh token is used in the production environment. Client credentials (client ID and client secret) are used in a lab or test environment. Every Password Safe user with full control permissions to the Options - Connectors feature can obtain a Client ID and Client Secret via the connector.

Note: Only one SCIM connector can be created by Password Safe per instance.

Configure the BeyondTrust source type in IdentityNow

BeyondTrust provides an access data source supported by default with IdentityNow. Once IdentityNow has visibility into a data source, it can manage information at the source location.

Note: Users must have the appropriate credentials to log in to IdentityNow.

Configure a source type for BeyondTrust

  1. In the IdentityNow console, go to Admin > Connections > Sources.
  2. Click the New button in the top right corner.
  3. Under Source Type select BeyondTrust Password Safe - Cloud.
  4. Include a Source Name, Description, Source Owner, and Connection Type.
  5. Click Continue.
  6. On the next screen, under Base Configuration, select a Virtual Appliance Cluster.
  7. Click Save.

Update connection settings

  1. In the IdentityNow console, go to Admin > Connections > Sources. Select the test source.
  2. On the next screen, click the Edit Configuration button in the top right corner.
  3. On the next screen, select Connection Settings on the left hand side.
  4. For a production environment, select the API Token option. For a test environment, select the OAuth 2.0 option.
  5. Fill out the rest of the form as required with information saved earlier when configuring an OAuth service account in BeyondInsight for SailPoint IdentityNow.
  6. Click Save.
  7. Once connection settings have been saved, test the connection:
    1. Select Review and Test on the right-hand side of the screen.
    2. Click Test Connection on the upper left-hand side of the screen.

Aggregate accounts and entitlements

  1. In the IdentityNow console, go to Admin > Connections > Sources. Select the test source.
  2. On the next screen, select the Import Data tab.
  3. Select Account Aggregation and enter the necessary information.
  4. Click Save.
  5. Select Entitlement Aggregation and enter the necessary information.
  6. Click Save.

Smart Group permissions

Within Password Safe, permissions are granted via groups. A Smart Group is a filtered list of managed accounts. All managed accounts are granted read-only permission.

  1. In the Password Safe console, go to Configuration > Role Based Access > User Management > Groups. Select the group and then click on the corresponding ellipsis to the right of the group.
  2. Select View Group Details.
  3. Select Smart Groups under Group Details.
  4. Select a managed account and then Assign Permissions.
  5. Assign permissions as read-only.
  6. Select the managed account again and then click on the corresponding ellipsis to the right of the account.
  7. Select Edit Password Safe Roles.
  8. Assign role as Requestor.
  9. Select Access Policy for Requestor from the drop-down.
  10. Click Save Roles.

View user entitlements

To view user entitlements and Password Safe groups assigned to the user:

  1. In the IdentityNow console, go to Admin > Connections > Sources. Select the test source.
  2. Select Accounts.
  3. Select the user.
  4. Select Accounts.
  5. Select the Source Name.
  6. Scroll to the bottom of the screen to view entitlements.
  7. To view Entitlement Details and Permissions, expand the appropriate user group.
  8. Select either the Details tab or Permissions tab to view information. Here you can find the target (Smart Group/Rule All Managed Accounts), Smart Group Permissions (Read or Write), and the Password Safe Role (Requestor).

Create profile

BeyondTrust source types come with a preconfigured Create Profile.

  1. In the IdentityNow console, go to Admin > Connections > Sources. Select the test source.
  2. Select Accounts.
  3. Select Create Profile.

Correlation

BeyondTrust source types come with a preconfigured Correlation.

  1. In the IdentityNow console, go to Admin > Connections > Sources. Select the test source.
  2. Select Import Data.
  3. Select Correlation.

Schema

BeyondTrust source types come with a preconfigured Schema.

  1. In the IdentityNow console, go to Admin > Connections > Sources. Select the test source.
  2. Select Import Data.
  3. Select Correlation.

Once the BeyondTrust source is in place, you have access to IdentityNow business processes including Access Request, Access Certification, automated provisioning for Joiner, Mover, Leaver, Search and Analytics, and more.

It is possible to create Access Profiles that consume Password Safe Groups and then assign the Access Profiles to Roles or Applications.

Note: For more information on assigning Access Profiles to Roles or Applications, see SaaS Product Documentation / IdentityNow.

SailPoint SaaS Connector

The BeyondTrust Password Safe SaaS Connector is an open source connector for SailPoint IdentityNow. Currently it is available as a GitHub project. Later in 2024, SailPoint plans to provide a new feature to allow for adding it as a source type within IdentityNow, without requiring the SaaS Connectivity CLI.

The BeyondTrust Password Safe SaaS Connector has been created using SailPoint IdentityNow SaaS Connectivity. Password Safe was added to IdentityNow as the first default PAM Source in March 2022. However, a SaaS Connector allows direct cloud-to-cloud communication without requiring a virtual appliance to be deployed on-premises to Password Safe Cloud.

This SaaS Connector is a fully working example of how to implement cloud-to-cloud communication based on SCIM and SCIM PAM extensions.

Supported use cases

  • Account Create
  • Account Delete
  • Account Enable
  • Account Disable
  • Account List
  • Account Read
  • Account Update
  • Entitlement List
  • Entitlement Read
  • Test Connection
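The use cases listed above map one-to-one onto standard SCIM 2.0 operations (RFC 7644): the account operations are POST, GET, PATCH and DELETE on /Users, the entitlement operations are GET on /Groups, and Test Connection is a GET of /ServiceProviderConfig. The following Python sketch is an added illustration, not the BeyondTrust connector's code or SailPoint's SaaS Connectivity API: a constructed in-memory SCIM service stands in for the Password Safe SCIM endpoint so the example runs offline, the connector class issues one SCIM request per use case, and a leaver flow shows disable-before-delete. Only SCIM core paths and schema URNs are used; the SCIM PAM extension and the connector's real endpoints are not modelled, and the sample entitlement is constructed.

```python
"""The SaaS Connector's supported use cases expressed as SCIM 2.0 operations.

Added example, not the BeyondTrust connector's code. FakeScimService is a
constructed stand-in for the Password Safe SCIM endpoint so the example runs
offline; PasswordSafeScimConnector issues the RFC 7644 requests, one per use
case listed on the page. SCIM core paths and URNs only; no PAM extension.
"""
from typing import Dict, Optional, Tuple

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


class FakeScimService:
    """Constructed minimal SCIM 2.0 resource server (not Password Safe)."""

    def __init__(self, groups: Dict[str, dict]):
        self.users: Dict[str, dict] = {}
        self.groups = groups            # entitlements, keyed by SCIM id
        self._next_id = 1

    def handle(self, method: str, path: str, body: Optional[dict] = None) -> Tuple[int, dict]:
        body = body or {}
        parts = path.strip("/").split("/")
        if parts == ["ServiceProviderConfig"] and method == "GET":
            return 200, {"patch": {"supported": True}}
        store = {"Users": self.users, "Groups": self.groups}.get(parts[0])
        if store is None:
            return 404, {"detail": "unknown endpoint"}
        if len(parts) == 1:                                  # collection URL
            if method == "GET":
                return 200, {"schemas": [LIST_SCHEMA], "totalResults": len(store),
                             "Resources": list(store.values())}
            if method == "POST" and parts[0] == "Users":
                if any(u["userName"] == body["userName"] for u in store.values()):
                    return 409, {"detail": "userName already exists"}   # SCIM uniqueness error
                user = dict(body, id=f"u-{self._next_id}", active=body.get("active", True))
                self._next_id += 1
                store[user["id"]] = user
                return 201, user
            return 405, {"detail": "method not allowed"}
        rid = parts[1]                                       # single-resource URL
        if rid not in store:
            return 404, {"detail": f"{rid} not found"}
        if method == "GET":
            return 200, store[rid]
        if method == "DELETE" and parts[0] == "Users":
            del store[rid]
            return 204, {}
        if method == "PATCH" and parts[0] == "Users":
            if PATCH_SCHEMA not in body.get("schemas", []):
                return 400, {"detail": "body is not a PatchOp"}
            for op in body["Operations"]:
                if op["op"].lower() == "replace":            # path-less replace of attributes
                    store[rid].update(op["value"])
            return 200, store[rid]
        return 405, {"detail": "method not allowed"}


class PasswordSafeScimConnector:
    """Connector side: one method per use case on the page, one SCIM call each."""

    def __init__(self, service: FakeScimService):
        self.service = service

    def _call(self, method: str, path: str, body: Optional[dict] = None) -> dict:
        status, payload = self.service.handle(method, path, body)
        if status >= 400:   # surface SCIM errors to the provisioning/aggregation layer
            raise RuntimeError(f"{method} {path} -> {status}: {payload.get('detail')}")
        return payload

    def _patch(self, uid: str, values: dict) -> dict:
        return self._call("PATCH", f"/Users/{uid}", {"schemas": [PATCH_SCHEMA],
                          "Operations": [{"op": "replace", "value": values}]})

    def test_connection(self) -> bool:
        return self._call("GET", "/ServiceProviderConfig")["patch"]["supported"]

    def account_create(self, user_name: str, display_name: str) -> dict:
        return self._call("POST", "/Users", {"schemas": [USER_SCHEMA],
                          "userName": user_name, "displayName": display_name})

    def account_list(self) -> list: return self._call("GET", "/Users")["Resources"]
    def account_read(self, uid: str) -> dict: return self._call("GET", f"/Users/{uid}")
    def account_update(self, uid: str, **attrs) -> dict: return self._patch(uid, attrs)
    def account_enable(self, uid: str) -> dict: return self._patch(uid, {"active": True})
    def account_disable(self, uid: str) -> dict: return self._patch(uid, {"active": False})
    def account_delete(self, uid: str) -> None: self._call("DELETE", f"/Users/{uid}")
    def entitlement_list(self) -> list: return self._call("GET", "/Groups")["Resources"]
    def entitlement_read(self, gid: str) -> dict: return self._call("GET", f"/Groups/{gid}")


# Constructed entitlement standing in for a Password Safe group exposed over SCIM.
SAMPLE_ENTITLEMENTS = {"g-1": {"id": "g-1", "displayName": "PS Requestors (sample)"}}


def leaver_flow(connector: PasswordSafeScimConnector, user_name: str) -> dict:
    """Disable first, then delete: the account is unusable even if the delete fails."""
    acct = connector.account_create(user_name, user_name.title())
    disabled = connector.account_disable(acct["id"])["active"]
    connector.account_delete(acct["id"])
    return {"disabled_before_delete": disabled is False, "remaining": len(connector.account_list())}


if __name__ == "__main__":
    c = PasswordSafeScimConnector(FakeScimService(dict(SAMPLE_ENTITLEMENTS)))
    print("test connection:", c.test_connection(), "| entitlements:",
          [g["displayName"] for g in c.entitlement_list()], "| leaver:", leaver_flow(c, "jdoe"))
```

The service returns SCIM's 409 for a duplicate userName and 404 for an unknown id, and the connector turns any 4xx into an exception rather than silently treating the operation as done; that is the behaviour a provisioning engine needs so a failed disable or delete is reported rather than assumed.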

Requirements

Configure the Password Safe SailPoint SaaS Connector

For step-by-step instructions, see the BeyondTrust Password Safe Connector CoLab in the SailPoint Developer Community.


©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.