Secrets Safe: Configure | BI Cloud
Prerequisite
Before you configure Secrets Safe, ensure you understand what Secrets Safe is and the benefits it provides. See Secrets Safe: Overview.
Assign the Secrets Safe feature to a group
Access to Secrets Safe is granted to users by assigning permissions for the Secrets Safe feature to a group in which the users are members.
- From the left menu, click
.
The Configuration page displays.
- Under Role Based Access select User Management.
The User Management page displays.
- Select the Groups tab.
- Locate the group you want to assign the Secrets Safe feature to.
- Click
> View Group Details.
The Group Details page displays.
- Under Group Details, select Features.
In the Features pane, select the Secrets Safe feature.
You can filter the list of features by All Features or Disabled Features, and Feature Name to quickly locate the Secrets Safe feature.
- Click Assign Permissions above the grid:
- Select the appropriate permissions:
- Read-only
- Full control (read and write) – users with full control can create safes
- Disable permissions
Users who are members of the group are granted access to the Secrets Safe page. They must have Read and Write permission in order to view safes.
Create safe
Any user assigned the Secrets Safe feature with full control permissions can create safes. Users that create a safe are automatically granted the Manage Safe permission.
- By default, administrators do not automatically see all safes. They can only see safes they have Read and Write permission to. To view all safes, toggle Show All Safes to on. Safes they don’t have access to are greyed out.
- The Manage Safe permission can be removed by other users with the same permission on that safe, or by BeyondInsight administrators.
- From the left menu, click
.
The Secrets Safe page displays.
- Under Safes, click Create New Safe +.
- Enter a name for the safe.
- Click Create Safe.
Rename a safe
Users can rename safes that they own.
To rename a safe:
- From the left menu, click
.
The Secrets Safe page displays.
- Locate the safe in the Safe panel.
- Click
> Rename.
- Enter a new name for the safe, and then click Save Changes.
Delete a safe
Users can delete safes that they own.
To delete a safe:
- From the left menu, click
.
The Secrets Safe page displays.
- Locate the safe in the Safe panel.
- Click
> Delete.
- Click Delete in the confirmation dialog.
Users must have the Manage Safe permission assigned to them directly, or to a group they’re a member of, to delete or rename a safe.
Add users and groups to a safe, and assign permissions
Any user who is assigned the Manage Safe permission, either directly or through a group, can assign access and permissions to a safe. BeyondInsight administrators can always manage safe permissions regardless of their current access level.
- From the left menu, click
.
The Secrets Safe page displays.
- Locate the safe in the Safe panel.
- Click
> Go to Advanced Details.
The Advanced Details page displays. The Access Management grid displays users and groups already added to the safe.
- Select All Users & Groups from the Show dropdown list:
- For individual users or groups, click
> Assign Permissions.
- For multiple users or groups, check the boxes next to the user or group. Click Assign Permissions above the grid.
If the selected user or group has no permissions assigned, the bulk delete permissions button is not available.
- In the Assign Permissions panel, check the appropriate permissions. Permissions available are:
- Read Secrets and Folders (Required) – this is assigned by default
- Create Secrets and Folders
- Update Secrets and Folders
- Delete Secrets and Folders
- Share Secrets
- Manage Safe (selecting this permission automatically checks all permissions).
- If required, toggle Set an expiration date to on. Enter an expiry date and time. Expiration defaults to one week from the current date.
When an expiry occurs, expired permissions remain listed in the Access Management grid until a scheduled job, which runs at midnight, removes them.
- If multiple users or groups are selected, you can remove them prior to saving by clicking X to the right of the user/group. If all users/groups are removed, the Assign Permissions side panel closes.
- Click Assign Permissions to save selections.
Manage folders
Users can organize their secrets into subfolders within a safe to make locating a secret more efficient.
Create a folder
To create a new folder:
- From the left menu, click
.
The Secrets Safe page displays.
- Select a safe or one of its subfolders.
- Click
> Create Folder.
- Enter a name for the folder.
- Click Create Folder.
Rename a folder
- From the left menu, click
.
The Secrets Safe page displays.
- Select a folder within a safe.
- Click
> Rename.
- Enter a new name.
- Click Save Changes.
Delete a folder
- From the left menu, click
.
The Secrets Safe page displays.
- Select a folder within a safe.
- Click
> Delete.
- Click Delete on the confirmation message.
Add Secrets to a safe or folder
Permissions are a combination of all permissions given to a user, as well as the permissions they inherit from the groups they belong to.
- Users with full permissions to a safe can create secrets in that safe or in any of the safe’s subfolders.
- Users and Groups with read access to a safe can be assigned ownership to a secret within that safe.
- Owners of a secret have update, share, and delete permissions to that secret.
- Users that own a secret in a safe they do not have read access to will not be able to access that secret.
Add a secret
- From the left menu, click
.
The Secrets Safe page displays.
- Select a safe or one of its subfolders.
- In the Secrets pane, click + Add Secret.
- Select a secret type: Add Credential, Add File, Add Text, or Import Secrets.
The Create New Secrets pane displays.
- Fill out the information for each type of secret.
Add Credential
- Enter a Title, Description, Username, and URL (if required).
- Set the password:
- Select Manual Input to manually enter a password.
- Select Auto Generate and select a Password Policy from the list to have the password created based on the defined policy.
- Click Generate Password.
- Add a note if you require additional information to display for this credential other than its description. You can add Notes as a column when viewing the list of credentials in the grid, and you can also filter the grid by Notes.
- Click Create Secret.
Add File
- Enter a Title, Description, and URL (if required).
- Drag the file into the Upload File box or click the box to navigate to a file to upload.
- Click Create Secret.
There are no restrictions on file type; however, files must be 5 megabytes (MB) or less.
Add text
- Enter a Title, Description, and URL (if required).
- Enter the body of the text.
- Add a note if you require additional information to display for this credential other than its description. You can add Notes as a column when viewing the list of credentials in the grid, and you can also filter the grid by Notes.
- Click Create Secret.
Import secrets
- Select a safe or one of its subfolders.
- In the Secrets pane, click + Add Secret.
- If a confirmation dialog appears, click Import Secrets.
- Drag the file into the Import CSV File box or click the box to navigate to a file to upload.
- Select a folder or create a new folder to save the imported secret to.
- Click Import Secrets.
Import requirements
- Import Secret file type must be CSV
- CSV import functionality is only available if Workforce Passwords is enabled for the user.
- Files must be 200 kilobytes (KB) or less.
- CSV files must contain the following:
- CSV (comma is the only supported field separator)
- Header row (the first row in the file is skipped and secrets are processed starting on line two)
- Eight columns are required (not all columns are used)
- URL
- Username
- Password
- TOTP (not used)
- Extra (not used)
- Name
- Grouping (not used)
- Fav (not used)
Example
CSV File - url,username,password,totp,extra,name,grouping,fav
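| URL | Username | Password | TOTP | Extra | Name | Group | Favorite |
| --- | --- | --- | --- | --- | --- | --- | --- |
| https://www.testsite00001.com | TestUser01 | password01 | | | TestName001 | | |
| https://www.testsite00002.com | TestUser02 | password02 | | | TestName002 | | |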
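The import requirements above can be checked before upload. The following is an added example, not part of the product documentation: the function name, the reading of 200 KB as 200 × 1024 bytes, and UTF-8 encoding are assumptions, and the sample rows are constructed.

```python
import csv
import io

MAX_BYTES = 200 * 1024  # assumption: "200 KB" taken as 200 * 1024 bytes
HEADER = ["url", "username", "password", "totp", "extra", "name", "grouping", "fav"]


def check_import_csv(data: bytes) -> list:
    """Return problems found in a Secrets Safe import file; [] means none.

    Messages carry line numbers and counts only, never cell values, so the
    report cannot leak a password into a terminal or CI log.
    """
    problems = []
    if len(data) > MAX_BYTES:
        problems.append(f"file is {len(data)} bytes; limit is {MAX_BYTES}")
    try:
        text = data.decode("utf-8-sig")  # assumption: UTF-8, optional BOM
    except UnicodeDecodeError:
        return problems + ["file is not valid UTF-8"]
    reader = csv.reader(io.StringIO(text, newline=""), delimiter=",")
    first = True
    for row in reader:
        line = reader.line_num
        if first:
            first = False
            if [c.strip().lower() for c in row] != HEADER:
                # The import skips line 1, so a secret placed there is lost.
                problems.append("line 1: not the expected header; this row is skipped on import")
            continue
        if not row:
            continue  # blank line
        if len(row) == 1 and (";" in row[0] or "\t" in row[0]):
            problems.append(f"line {line}: one field; separator must be a comma")
        elif len(row) != 8:
            problems.append(f"line {line}: {len(row)} columns, expected 8")
    if first:
        problems.append("file is empty")
    return problems


# Constructed sample input (not real credentials).
GOOD = (b"url,username,password,totp,extra,name,grouping,fav\n"
        b"https://www.testsite00001.com,TestUser01,password01,,,TestName001,,\n")
BAD = (b"https://a.example;u;p;;;n;;\n"   # no header row, semicolon separator
       b"https://b.example,u2,p2,,n2\n")  # only five columns
```

Because the file holds plaintext passwords, run the check locally and delete the CSV once the import succeeds.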
View, copy, edit, and delete a secret
Users can view details for their safe’s secrets, such as who owns the secret, when the secret was created and modified, and the folder path for the secret. Users can also copy the username and password for a team secret so they may use it. Secret owners can edit the properties and delete secrets they own.
Administrators are limited by their current access level. For example, they cannot edit a secret that they are not the owner of if they do not have the update permission. However, administrators can manage user and group access to a safe to change permissions as needed. Any modifications to permissions are audited.
- From the left menu, click
.
The Secrets Safe page displays.
- Select a safe or one of its subfolders.
- Locate the secret in the Secrets grid.
- Click
to the right of the secret in the Secrets grid. Each secret type, as indicated by its Type icon, has specific actions available from the options menu. Depending on your permissions:
- For credential secrets, you can:
- Copy Username to the clipboard
- Copy Password to the clipboard
- Copy Notes to the clipboard
- View Details of the secret
- Edit Secret - update information, and then click Update Secret
- Share Secret - share the secret to one of the Safes in your Safes pane
- Remove Share - unshare from the safe the secret was shared to
- Delete Secret - click Delete in the confirmation message.
- For file secrets, you can:
- Download File locally
- Copy Notes to the clipboard
- View Details of the secret
- Edit Secret - update information, and then click Update Secret
- Share Secret - share the secret to one of the Safes in your Safes pane
- Remove Share - unshare from the safe the secret was shared to
- Delete Secret - click Delete in the confirmation message.
- For text secrets, you can:
- Copy Text to the clipboard
- Copy Notes to the clipboard
- View Details of the secret
- Edit Secret - update information, and then click Update Secret
- Share Secret - share the secret to one of the Safes in your Safes pane
- Remove Share - unshare from the safe the secret was shared to
- Delete Secret - click Delete in the confirmation message.
- For imported secrets, you can:
- Copy Username to the clipboard
- Copy Password to the clipboard
- Copy Notes to the clipboard
- View Details of the secret
- Edit Secret - update information, and then click Update Secret
- Share Secret - share the secret to one of the Safes in your Safes pane
- Remove Share - unshare from the safe the secret was shared to
- Delete Secret - click Delete in the confirmation message.
Share a link to the secret
Create and share a link to a secret.
- Access to Secrets Safe is required to share a URL to a secret.
- Users you are sending the URL to require permissions to the secret.
- You cannot create a direct link to secrets saved in the Personal folder.
To share a URL for a secret:
- From the left menu, click
.
The Secrets Safe page displays.
- Select a safe or one of its subfolders.
- In the Secrets grid, click
> Copy Secret Link.
The Distributing a Secret Link dialog box displays.
- Click OK.
A cookie is saved.
- Send the link to the users.
- When the user clicks the link:
- The View Details page displays for the secret if the user is already logged on to Secrets Safe.
- The Secrets Safe logon page displays if the user is not logged on.
- If the user cannot access Secrets Safe, an error notification displays and their dashboard opens.
- If the user can access Secrets Safe but not the safe where the linked secret exists, their personal folder displays (or all secrets if they don't have Workforce Passwords enabled) and an error notification displays.
Share a secret
Secrets can be shared between safes and folders. Shared secrets inherit the destination safe’s permissions. When secrets are shared, a shared icon displays in the type column in addition to the original type icon.
To share a secret:
- From the left menu, click
.
The Secrets Safe page displays.
- Select a safe or one of its subfolders.
- In the Secrets grid, click
> Share Secret.
- The Share to Folders panel displays all safes and folders where you have the Create permission assigned.
- Select a safe or folder.
- Click Share. The secret displays in the secrets grid for the associated safe or folder.
Secrets can be shared from the Personal folder; however, ownership is locked for secrets shared from a personal folder. You can see the owner’s name, but the Manage Ownership option is hidden.
Remove a shared secret
You can remove a shared secret. The Remove Share option is only available on the original copy of a secret. If selected, it removes all shared instances of that secret, while the original copy remains. This requires the Share permission to that secret or ownership of the secret.
Additionally, you can delete individual shared copies of a secret from the safe they were shared to. This is done by selecting the Delete Share option. This requires the Delete permission to that secret or ownership of the secret. You can bulk delete original secrets and shared copies at the same time with multi-select.
- From the left menu, click
.
The Secrets Safe page displays.
- Select a safe or one of its subfolders.
- In the Secrets grid, click
> Remove Share.
- Click Remove on the confirmation message.
Shared secrets cannot be moved. When editing a shared instance of the secret, the option to move that secret is not available.
