Understanding Smart Rules and Smart Groups

Overview

Smart Rules and Smart Groups are core features in Password Safe. One of the functions that Smart Rules provide is the onboarding workflow for assets. Smart Groups are created through the Smart Rule Action and are used to group relevant assets, accounts, or systems, depending on the Smart Rule type.

This article explains what administrators need to know, without getting lost in how all the behind‑the‑scenes stuff works.

ℹ️

If you're new to onboarding systems or accounts, review the Getting Started with Password Safe article first. Smart Rules and Smart Groups make the most sense once you understand the basics of system and account onboarding.

What Are Smart Rules?

A Smart Rule is a Microsoft SQL query executed by BeyondInsight against either the BeyondInsight database or the directory service. You use Smart Rules to group assets, accounts, systems, and onboard‑workflow items (such as assets, accounts, and scanning targets) into Smart Groups.

The simplest way to think about Smart Rules is that they find objects based on set criteria and then take action on them.

When you create a Smart Rule, you are essentially creating "if-then" logic.

The IF portion is the criteria you use to select assets in the Selection Criteria section. These criteria can be based on any collected data from scans or event processing.

The THEN portion is the action you wish to take. You set it in the Actions part of the Smart Rule form, and a rule can have multiple actions.

When objects meet the rule’s criteria, Password Safe can:

  • Onboard the object
  • Add it to a Smart Group
  • Trigger system scans
  • Propagate service accounts
  • Classify assets for policy use

Tip

Start with narrow, clearly defined rules. Broad or ambiguous criteria can unintentionally capture objects you didn’t intend to manage.

What Smart Rules Can Match

Smart Rules can evaluate the following:

  • Operating system
  • Discovery source (scan, directory query, etc.)
  • Account type
  • Naming pattern
  • Metadata or tags
  • Platform (Windows, Linux, etc.)

🚧

Important information

Avoid rules like Account Name contains “admin” without additional filters. This can accidentally onboard critical or service accounts you don’t want managed.

What Are Smart Groups?

A Smart Group is a collection of managed assets, managed systems, or accounts defined by a Smart Rule. Whenever an object matches a rule, it automatically appears in the group. When it no longer matches, it leaves the group, with no manual cleanup required.

Smart Groups serve as the containers you use later for:

  • Requester roles
  • Approver roles
  • Access policies
  • Auditing scopes
  • Session recording scopes
  • Scan targets (starting in version 26.1)

Tip

Use descriptive names like Linux-PrivilegedAccts or Windows-LocalAccounts.
Good naming dramatically improves visibility when you have dozens of groups.

How Smart Rules and Smart Groups Work Together

Smart Rules find things. Smart Groups organize them. Together they form the automation backbone of Password Safe.

Why This Matters

Here are some of the ways Smart Rules and Smart Groups save you time and effort.

  • New accounts automatically enter the correct Smart Groups.
  • Access policies apply instantly to newly discovered accounts.
  • Administrators avoid reconfiguring permissions manually.
  • Groups stay accurate over time without human intervention.

Why Smart Groups Are Critical for Access Workflows

When you assign access to users, you rarely assign it to individual accounts. Instead, you assign access to groups of accounts, and these groups almost always come from Smart Rules.

In Role Assignment

Smart Groups determine the following:

  • Which accounts requesters can request
  • Which accounts approvers oversee
  • Which accounts require approvals
  • Which policies users experience during access

In Access Policies

Different Smart Groups can have different behaviors.

For example:

| Smart Group | Contents | Access Policy |
|---|---|---|
| Windows_Admins | All Windows privileged accounts | Default (Mon–Fri, no visibility) |
| Linux_Admins | All Linux admin-level accounts | 24/7 with approval |

ℹ️

When a new account matches a Smart Rule, it enters the Smart Group automatically and receives the same policy and permissions, with no admin steps required.


Tip

When you have an account-based Smart Group, design your Smart Groups based on behavioral categories (what they need access to), not technical categories (OS alone).

For example:

  • Privileged Linux Accounts – Requires Approval
  • Windows Local Accounts – No Password Visibility

For information on how to configure a Smart Rule, see Smart Rules: Configure.

🚧

Important information

Once a Smart Rule is active, it continuously evaluates and updates its Smart Group. If your rule is too broad, you may unintentionally onboard or group objects you didn’t plan for.

Using Smart Groups in Access Management

Once Smart Groups exist, they become key inputs across the product.

| Key Input | Description |
|---|---|
| Role Assignments | Map requester or approver roles to specific groups. This is the most common use. |
| Access Policies | Each Smart Group can use a different policy, giving you fine-grained control. |
| Auditing and Recording | Auditors or reviewers can be restricted to specific Smart Groups, improving compliance. |

Tip

Use Smart Groups instead of manually created groups whenever possible. They stay accurate as your environment grows and changes.

Example

How Smart Rules Feed Smart Groups

Here’s a simple rule and how it works:

Smart Rule:

IF Operating System = "Linux"
AND AccountName ends with "admin"
THEN Onboard Account
AND Add to Smart Group "Linux_Admins"

As new Linux admin accounts appear in the environment, they are:

  1. Automatically identified
  2. Automatically onboarded
  3. Automatically added to the Linux_Admins group
  4. Automatically governed by that group’s access policy

This means no manual updates, no missed accounts, and no inconsistencies.

For an overview of Smart Rules, see Smart Rules: Overview.

When to Use Smart Rules vs. Manual Onboarding

The primary purpose of Smart Rules is not asset onboarding. Asset onboarding is only one of the many functions that Smart Rules provide.

Therefore, before you choose an onboarding method, it helps to know when Smart Rules make sense and when manual onboarding is the better fit.

| Scenario | Recommended approach | Reason |
|---|---|---|
| Onboarding a small number of accounts | Manual | Faster for low volume |
| Onboarding large environments | Smart Rules | Automation + consistency |
| Organizing accounts for access policies | Smart Groups | Dynamic & scalable |
| Testing onboarding logic | Manual first, then Smart Rule | Reduces risk before automating |

🚧

Important information

Always test new Smart Rules on a small sample first. A single broad rule can unintentionally onboard hundreds of accounts.
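
The earlier warning about Account Name contains "admin" and the advice to test on a small sample can be rehearsed offline before a rule is activated. The following is an added example, not BeyondTrust code and not the SQL that BeyondInsight runs: a Python dry run over a constructed account sample, in which the field names, the account-type labels, and case-insensitive name matching are assumptions.

```python
"""Dry run of Smart Rule selection criteria over a constructed account sample.
Not BeyondInsight code: field names, labels and matching rules are assumptions."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    name: str
    os: str
    account_type: str  # "user" or "service" (assumed labels)

# Constructed sample inventory, standing in for discovery results.
SAMPLE = [
    Account("linuxadmin", "Linux", "user"),
    Account("dbadmin", "Linux", "user"),
    Account("svc_admin_backup", "Linux", "service"),
    Account("Administrator", "Windows", "user"),
    Account("sqladmin_svc", "Windows", "service"),
    Account("jsmith", "Linux", "user"),
]

# Each criterion is a predicate; a rule matches when every criterion holds (AND).
def name_contains(text):
    return lambda a: text.lower() in a.name.lower()  # case-insensitive (assumed)

def name_ends_with(text):
    return lambda a: a.name.lower().endswith(text.lower())

def os_is(os_name):
    return lambda a: a.os == os_name

def evaluate(criteria, inventory):
    """Return the account names the rule would place in its Smart Group."""
    return {a.name for a in inventory if all(c(a) for c in criteria)}

def dry_run(criteria, inventory, intended):
    """Compare what the rule captures against what the admin intended to manage."""
    matched = evaluate(criteria, inventory)
    return {"matched": matched,
            "unintended": matched - intended,
            "missed": intended - matched}

BROAD = [name_contains("admin")]                     # the rule the page warns against
NARROW = [os_is("Linux"), name_ends_with("admin")]   # the page's Linux_Admins rule
INTENDED = {"linuxadmin", "dbadmin"}                 # accounts the admin means to onboard

if __name__ == "__main__":
    for label, rule in (("broad", BROAD), ("narrow", NARROW)):
        print(label, dry_run(rule, SAMPLE, INTENDED))
```

A non-empty "unintended" set is the signal to add filters before activating the rule; because an active rule re-evaluates continuously, running the same check against a refreshed sample shows which objects would enter or leave the group.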

Summary

Keep the following principles in mind:

  • Smart Rules identify and classify accounts or systems automatically (account-based Smart Rules).
  • Smart Groups dynamically collect the results of Smart Rules.
  • Access policies and roles rely heavily on Smart Groups.
  • Using Smart Rules and Smart Groups keeps your environment scalable, organized, and predictable.

Together, they form the foundation of efficient access management in Password Safe.

