Smart Rules in Password Safe Cloud

What are Smart Rules?

A Smart Rule is a query that you can use to organize assets into Smart Groups and manage Password Safe managed accounts.

When you create a smart rule, you are essentially creating "if-then" logic.

The IF portion is the criteria you use to select assets in the Selection Criteria section. This criterion can be based on any collected data from scans or event processing.

The Then is the action you wish to take. This is in the Actions part of the smart rule form and can have multiple actions.

The View Results button allows you to preview the results of your smart rule, however you must create your smart rule before the results display by clicking Create Smart Rule.

ℹ️
You must include the Show as a Smart Group action for the preview of results to take effect.
For this reason, we recommend creating a smart rule without adding any additional actions beyond Show as a Smart Group.

Why use Smart Rules for asset discovery and onboarding

Smart Rules play a vital role in automating and optimizing asset management workflows. Use them to:

Group assets and accounts into Smart Groups- Allows you to simplify classification and policy enforcement.
Streamline onboarding workflows- Allows you to automate asset handling based on predefined logic.
Apply rules across asset, account, and managed system types- Allows you to achieve broad coverage and consistency.
Define selection criteria and actions using IF/THEN logic- Allows you to create dynamic, responsive rules and is the core of how Smart Rules operate; that is, evaluating conditions in real time and executing actions based on defined criteria.
Target specific assets with scheduled discovery scans- Ensures you get timely updates and visibility.
Reference Smart Groups within other Smart Rules- Allows you to build layered, modular logic.
Enable role-based assignment - Allows you to enforce granular access control and improve security posture.

Smart Rules types

You can use a Smart Rule to organize assets based on the filters selected. There are three types of smart rules:

Smart Rules Type	Description
Asset-based	This rule target assets that are stored within Password Safe database or through a Directory Query to onboard them for Password Safe management.
Managed Account	This rule manages accounts in Password Safe by giving the ability to change passwords on accounts and corresponding settings, functional accounts, and password policies.
Managed System	This rule targets current managed systems in Password Safe to edit settings or to group them using the Smart Rule action Show managed system as Smart Group.

Some common uses for Smart Rules are:

Search for assets to onboard to Password Safe
Discover Active Directory accounts and manage them in Password Safe
Link discovered Active Directory accounts to manage them

✅
Tip
Think of a Smart Rule as the logic engine which asks the question "How to select items"?

What are Smart Groups?

Smart Groups are a collection of managed assets, managed systems, or assets defined by a Smart Rule. These Smart Groups are automatically associated with:

Read permissions for all groups that the group creator is a member of
Full Control permissions for all groups that the user is a member of, and where the user has Asset Management and Smart Rule Management permissions

✅
Tip
Think of a Smart Group as the resulting buckets that hold the filtered items created by a Smart Rule.

How are Smart Rules useful?

When you use a Smart Rule to register assets as Smart Groups, you can run Discovery Scans, and monitor and view assets. Smart rules can:

Save time: Automating actions based on vulnerability findings or asset changes saves time for IT and security teams.
Ensure consistency: Actions are taken consistently, reducing the risk of human error or missed steps in critical processes.
Reduce risk: By automating responses to vulnerabilities and security issues, Smart Rules help reduce the time window in which systems remain vulnerable.
Enhance compliance: Smart Rules help ensure that remediation efforts align with compliance requirements, automating compliance workflows and reporting.
Improve your security posture: Automating security processes leads to quicker identification and remediation of risks, improving overall security.

How do I access Smart Rules?

Open a browser and enter the URL for your Password Safe instance: https://<hostname>/WebConsole/index.html.
Enter your username and password.
From the left menu, click .
The Smart Rules page displays.

The Smart Rule page

Left menu: Easy access to all pages in BeyondInsight/Password Safe, including the Home, Assets, Smart Rules, Discovery Scanner, Management Systems, Managed Accounts, Password Safe, Secrets Safe , Analytics and Reporting, Configuration, and About pages.
Header: Navigate to your favorite pages, view your notifications, access your connected apps, and set your account preferences.

Create Smart Rule: Click to create a new Smart Rule.
Filters: Select a filter to refine your results.
Filter types
- Smart Rule type filter: Filter by Asset, Managed Account, or Managed System,
- Filter by: Filter by Locked, Status, Category, Name, Description, Reprocessing Limit, Last Updated By, Last Updated, or Action.
Grid display preferences: Set display preferences on the Smart Rules grid using the following options represented by icons above the grid:
- Click to refresh the list, to download the list to a .csv file, to select which columns to display on the page, to configure your page display, andto expand the grid.
Smart Rules list columns: Not all columns display in the image above.
Column Names
- Category
- Name
- Description
- Reprocessing Limit
- Last Updated By
- Last Updated
- Processed Date
- Processing Status
- Last Attempt
- Average Time (min)
- Successful Attempts
- Failed Attempts
Smart Rules grid: Displays information based on filter selections.
List navigation options: Navigate in the Smart Rule list.

Critical Importance of Smart Rules

The BeyondInsight user must be a member of the Administrators group or be assigned the Full Control permission on the Asset Management and the applicable Smart Rule Management feature(s) to be able to create and edit Smart Rules.
Users assigned Read Only permissions on these features may only view the details of Smart Rules.
Smart Rules update results automatically, ensuring assets match the criteria and are current.
You can create address groups or Active Directory queries from the Configuration page to use as Smart Rule filters.
You can use more than one filter to refine or extend the scope of assets in a Smart Rule. Filters can be joined with and (match ALL criteria) or or (match ANY criteria) conditions. If you select to match ALL, every indented filter must be set to True for an asset to be included. If you select to match ANY, only one of the indented filter items must be set to True for an asset to be included.

Create and use dedicated account Smart Rules

A dedicated account Smart Rule allows you to dynamically map dedicated administrative accounts outside of BeyondInsight to users in a BeyondInsight group. This allows a lower privileged BeyondInsight user to access a higher privileged user's account temporarily while using Password Safe.

The below procedures provide instructions for configuring BeyondInsight users with the ability to access a dedicated directory account's credentials, using a query matching on directory attributes. Once configured, the users are able to request a password checkout for the dedicated account from the Password Safe portal. The user can then access resources using the dedicated account credentials.

You must configure the following in BeyondInsight:

Create a directory query to retrieve the directory account as well as its attributes.
Create a Smart Rule to run the directory query to find the account and its directory attributes, and add it as a managed account in Password Safe.
Create a Smart Rule to map the dedicated account to a user group in BeyondInsight.
Assign user group permissions to the two newly created Smart Rules.

Create the directory query

Use a browser to sign in to your BeyondInsight/Password Safe URL.
This URL is provided in the BeyondTrust welcome email and includes your site URL followed by /login.
From the left menu, click .
The Configuration page displays.
Under Role Base Access select Directory Queries.
Click + Create New Directory Query, and complete the form:
- Directory Type: Leave as Active Directory.
- Title: Provide a meaningful name that allows for easy identification of the query.
- Credentials: Select a credential that has permissions to query the directory user accounts.
- Query Target: Provide the LDAP path to the target.
- Scope: Leave as This Object and All Child Objects.
- Object Type: Select User Objects.
- Dynamically refresh results each use: Leave enabled.
- Basic Filter: Provide the name of the dedicated account.
Click Create Directory Query.

Create the Smart Rule to run the directory query and add managed account

ℹ️
This example is specific to managed accounts. Similar instructions apply for the other rule or entity types

Use a browser to sign in to your BeyondInsight/Password Safe URL.
This URL is provided in the BeyondTrust welcome email and includes your site URL followed by /login.
From the left menu, click .
The Smart Rules page displays.
From the Smart Rule Type filter dropdown, select Managed Account.
Click Create Smart Rule.
From the Category dropdown, select Managed Accounts.
Enter a Name and Description.
Set Selection Criteria as:
- Directory Query:
  - Include Accounts from Directory Query
  - <query name>
  - Discover Accounts for Password Safe Management: enabled
  - Select the Domain
Set Actions as:
- Manage Account Settings
- Show managed account as Smart Group
- Link domain accounts to Managed Systems:
  - Asset or Managed System Smart Group
Click Create Smart Rule.

ℹ️

To view the contents of a Smart Rule when creating a new rule or editing an existing rule:

Once the rule is saved, click View Results.

You are taken to the associated grid, where the contents of the Smart Rule are listed.

If the rule is actively processing, a banner displays letting you know that.

View Results displays only if you have permissions to the grid corresponding to the Smart Rule, i.e.; Assets, Managed Accounts, Managed Systems.

The Smart Rule must be saved with Show <entity> as Smart Group selected under Actions to view the results.

Because the Smart Rule must process to display the contents in the grid, we recommend viewing the results using only the Show as Smart Group action and before adding additional actions that may make changes to accounts and assets in your network. Once you have confirmed the rule contains your desired items, you can then add additional actions to the Smart Rule.

Create the Smart Rule to map the dedicated account to the user group

Use a browser to sign in to your BeyondInsight/Password Safe URL.
This URL is provided in the BeyondTrust welcome email and includes your site URL followed by /login.
From the left menu, click .
The Smart Rules page displays.
From the Smart Rule Type filter dropdown, select Managed Account.
Click Create Smart Rule.
From the Category dropdown, select Managed Accounts.
Enter a Name and Description.
Set Selection Criteria as:
- Dedicated Account:
  - Directory Attribute Match
  - Select the directory attribute you wish to match.
Set Actions as:
- Show managed account as Smart Group
- Map Dedicated Accounts to: <user group>
Click Create Smart Rule.

ℹ️

To view the contents of a Smart Rule when creating a new rule or editing an existing rule:

Once the rule is saved, click View Results.

You are taken to the associated grid, where the contents of the Smart Rule are listed.

If the rule is actively processing, a banner displays letting you know that.

View Results displays only if you have permissions to the grid corresponding to the Smart Rule, i.e.; Assets, Managed Accounts, Managed Systems.

The Smart Rule must be saved with Show <entity> as Smart Group selected under Actions to view the results.

Because the Smart Rule must process to display the contents in the grid, we recommend viewing the results using only the Show as Smart Group action and before adding additional actions that may make changes to accounts and assets in your network. Once you have confirmed the rule contains your desired items, you can then add additional actions to the Smart Rule.

Assign user group permissions to the Smart Rules

Use a browser to sign in to your BeyondInsight/Password Safe URL.
This URL is provided in the BeyondTrust welcome email and includes your site URL followed by /login.
From the left menu, click .
The Configuration page displays.
Under Role Based Access, click User Management.
Select the Groups tab.
Locate the user group in the grid
Click > View Group Details.
In the Group Details pane, select Smart Groups.
In the Smart Group Permissions pane, select the two dedicated account smart groups you created.
Click Assign Permissions above the grid.
Select Assign Permissions Read Only.

From the Smart Rules page, process the two newly created smart groups. After processing, the dedicated account discovered by the directory query is listed on the Managed Accounts page. Users belonging to the group you chose to map the dedicated account to are indicated in the Mapped to User column. You might need to add this column to the grid using the Column Chooser button above the grid.

Use an Entra ID Smart Rule

An Entra ID Smart Rule enables Password Safe to automatically discover Entra ID accounts. This allows privileged accounts in Entra ID to be managed, including password rotation and check-in and check-out. RDP sessions, from an Azure-joined VM, can use Entra ID credentials to connect to an Azure-joined VM.

Use a browser to sign in to your BeyondInsight/Password Safe URL.
This URL is provided in the BeyondTrust welcome email and includes your site URL followed by /login.
From the left menu, click .
The Smart Rules page displays.
From the Smart Rule Type filter dropdown, select Managed Account.
Click Create Smart Rule.
From the Category dropdown, select Managed Accounts.
Enter a Name and Description.
From the Category dropdown, select Managed Accounts.
Enter a Name and Description.
Set Selection Criteria as:
- Microsoft Entra ID Query:
  - There are two matching options available for discovering Entra ID accounts: Group Name and User Principle Name. Use a Group Name match to discover all accounts that are a member of the specified group. Use a User Principle Name match to allow a partial name match.
  - If using a Group Name, equals is the only match option. Enter the Group Name.
  - If using a User Principle Name, select starts with or ends with and enter the name.
  - Set the value for how many hours for rerunning the query.
  - Discover accounts in Microsoft Entra ID synced from on-premise - includes Entra ID accounts synced from on-premises Entra ID, as well as Azure-only accounts.
  - Leave Discover accounts for Password Safe Management checked.
  - Select an Entra ID domain from the dropdown.
- Add additional selection criteria and groups, as required.
Set Actions as:
- Show managed account as Smart Group.
- Add other actions as required to manage settings or work with the managed account.
Click Create Smart Rule.

ℹ️

To view the contents of a Smart Rule when creating a new rule or editing an existing rule:

Once the rule is saved, click View Results.

You are taken to the associated grid, where the contents of the Smart Rule are listed.

If the rule is actively processing, a banner displays letting you know that.

View Results displays only if you have permissions to the grid corresponding to the Smart Rule, i.e.; Assets, Managed Accounts, Managed Systems.

The Smart Rule must be saved with Show<entity> as Smart Group selected under Actions to view the results.

Because the Smart Rule must process to display the contents in the grid, we recommend viewing the results using only the Show as Smart Group action and before adding additional actions that may make changes to accounts and assets in your network. Once you have confirmed the rule contains your desired items, you can then add additional actions to the Smart Rule.

Use Quick Groups

For a simpler way to organize managed accounts, you can group them using a Quick Group. The default processing time on a Quick Group is Once.

Add Managed Accounts to a Quick Group

Use a browser to sign in to your BeyondInsight/Password Safe URL.
This URL is provided in the BeyondTrust welcome email and includes your site URL followed by /login.
From the left menu, click .
The Managed Accounts page displays.
From the Smart Group filter dropdown, select an existing smart group in which the managed accounts are members.
Check the boxes for the managed accounts that you want to add to the Quick Group.
Click Add to Smart Group above the grid.
Select a group from the Smart Group dropdown or create a new one by typing in the name and clicking Add as New Option.
Select Quick Groups from the Category dropdown.
Leave the default description or enter a new one.
Click Add Selected Accounts To Smart Group.
Your new smart group is now available in the Smart Group filter dropdown.

Remove accounts from a Quick Group

Use a browser to sign in to your BeyondInsight/Password Safe URL.
This URL is provided in the BeyondTrust welcome email and includes your site URL followed by /login.
From the left menu, click .
The Managed Accounts page displays.
From the Smart Group filter dropdown, select an existing smart group in which the managed accounts are members.
Check the boxes for the managed accounts that you want to remove from the Quick Group.
Click Remove From Smart Group above the grid.

Edit a Managed System Quick Group

From the left menu, click .
The Managed Systems page displays.
Select Managed System from the Smart Rule type filter.
Locate the Quick Group in the grid.
Click > Edit Smart Rule.
Make your changes, and then click Save Changes.

Deactivate a Managed System Quick Group

From the left menu, click .
The Managed Systems page displays.
Select Managed System from the Smart Rule type filter.
Locate and select the Quick Group in the grid.
Click Deactivate above the grid.

Manually add managed systems to Smart Groups

ℹ️
Managed systems do not have a Quick Group category; however, the concept and process is essentially the same as it is for managed accounts.

Use a browser to sign in to your BeyondInsight/Password Safe URL.
This URL is provided in the BeyondTrust welcome email and includes your site URL followed by /login.
From the left menu, click .
The Managed Systems page displays.
From the Smart Group filter dropdown, select an existing Smart Group in which the managed systems are members.
Check the boxes for the managed systems that you want to add to the Quick Group.
Click Add to Smart Group above the grid.
Select a group from the Smart Group dropdown or create a new one by typing in the name and clicking Add as New Option.
Select a Category from the dropdown.
Leave the default description or enter a new one.
Click Add Selected Systems To Smart Group.
Your new smart group is now available in the Smart Group filter dropdown.

Remove a managed system from a Smart Group

Use a browser to sign in to your BeyondInsight/Password Safe URL.
This URL is provided in the BeyondTrust welcome email and includes your site URL followed by /login.
From the left menu, click .
The Managed Systems page displays.
Select the Smart Group from the Smart Group filter.
Check the boxes for the managed systems that you want to remove from the group.
Click Remove From Smart Group above the grid.

Updated 15 days ago