Password Safe

What is BeyondTrust Password Safe?

BeyondTrust Password Safe (PS) is a Just-in-Time (JIT) privileged access management (PAM) tool that secures and manages privileged accounts, credentials, and secrets in organizations' IT environments.

How is this integration useful?

PS provides comprehensive visibility and control over privileged credentials and secrets used by both human and non-human users in a centralized location. With this integration, Entitle can manage Managed Accounts as a resource type.

Prerequisites

  • This integration requires Password Safe Cloud; it does not apply to Password Safe on-premises.
  • You must have an Admin account in Entitle.
  • Ensure Slack or Teams is integrated with Entitle. If already integrated, re-integrate before proceeding to grant the necessary permissions for file sharing.

    ❗️

    Important

    This prerequisite is required to proceed with this guide.

  • Mapping of various systems into managed systems entities on PS.
  • Mapping of systems’ users into managed accounts entities on PS.
  • Have active user accounts configured to allow employees to request access to Managed Accounts.

    💡

    Note

    Make sure you have gone through Password Safe's Cloud user guide to fulfill this prerequisite.

  • Access to your PS URL, Client ID, and Client secret.
  • PS version 24.3 is required for this integration. Earlier versions are not supported and will cause integration failures.

Configure API access to Managed Accounts

  1. Log in to the BeyondInsight Console.

  2. There are two options through which you can configure API access to specific Managed Accounts:

    1. By creating Smart Rules that configure the access in bulk for all managed accounts that fit the selection criteria.
    2. By manually configuring the API access for each Managed Account.

Option 1: Create Smart Rules

  1. From the left menu in BeyondInsight, click Smart Rules.

  2. Select Managed Account from the Smart Rule type filter dropdown.

  3. Click + Create Smart Rule.

  4. Configure the Smart Rule as follows:

    1. Category: Select Managed Accounts.
    2. Name: Provide a meaningful name that allows for easy identification of the Smart Rule.
    3. Note: By default, the Smart Rule is set to Active (yes), so it is always available for processing.
    4. From the Selection Criteria section, create appropriate criteria.
    5. From the Actions section, select the Set attributes on each account option.
    6. Click Select Attributes.
    7. Mark the Yes checkbox. Click Save Changes.
    8. Click Add another action and select Manage Account Settings.
    9. Click the toggle to turn on the API Enabled option.

      💡

      Note

      A Managed Account must have API Enabled set to Yes, or it will be invisible to Entitle.

    10. Under Maximum Release duration, Entitle recommends setting the Days section to 365 (one year).
    11. Under Max Concurrent Requests, Entitle recommends enabling the Unlimited option by setting the value to 0.

Option 2: Configure API access manually

  1. From the BeyondInsight console, navigate to the Managed Accounts page.
  2. Click the vertical ellipsis for a Managed Account, and then select Edit Account.
  3. Scroll down and expand Account Settings.
  4. Click the toggle to turn on the API Enabled option.

    💡

    Note

    A Managed Account must have API Enabled set to Yes, or it will be invisible to Entitle.

  5. Under Maximum Release duration, Entitle recommends setting the Days section to 365 (one year).
  6. Under Max Concurrent Requests, Entitle recommends enabling the Unlimited option.
  7. Click Update Account.

Create API registration

  1. From the left sidebar in BeyondInsight, click Configuration.

  2. Under General, click API Registrations.

  3. Click + Create API Registration.

  4. Select + API Access Policy from the dropdown.

    1. Enter a name.

    2. Click Add Authentication Rule +.

      Note: Activation of the API access policy will only be possible after adding at least one authentication rule. For example, an IP range rule.

    3. Click Create Rule.

Create an application user

  1. From the left sidebar in BeyondInsight, click Configuration.
  2. Under Role Based Access, click User Management.
  3. Click the Users tab.
  4. Click + Create New User.
  5. Select Add an Application User from the dropdown.
  6. In the Create New Application User page:
    1. Enter a name for the application.
    2. Make sure to select the User Active checkbox.
    3. Copy the Client ID and Client Secret details and save them.
    4. Click Create User.

Configure application user access delegation

This section explains how to create a new group (if one doesn't exist) that allows application users to request access on behalf of regular users.

💡

Note

In PS, an application user can execute requests on behalf of a regular user only if both users share at least one group. Consider creating a dedicated group for this purpose and adding regular users.

Create a new group

  1. From the left sidebar in BeyondInsight, click Configuration.

  2. Under Role Based Access, click User Management.

  3. Click the Groups tab.

  4. Click + Create New Group.

  5. Select the Create a New Group option from the dropdown.

  6. Enter a name and a description for your new group. Click Create Group.

    The new group is shown under the Groups tab in the User Management screen.

Add users to a group

  1. From the Groups tab, locate and select the group you wish to add users to.

  2. Click the vertical ellipsis for the group, and click View Group Details.

  3. From Group Details, select Users.

  4. From the Show dropdown list, select Users not assigned.

  5. Select the users you wish to add to the group, and then click + Assign User above the grid.

    The selected users are now assigned to the group.

Grant the application user management privileges

This step will show you how to give the application users management privileges.

💡

Note

In Password Safe, privileges are assigned to groups rather than directly to users. Therefore, users receive privileges by becoming members of these groups. If you don't already have a group with the necessary privileges, you must create one.

  1. From the left sidebar, click Configuration.
  2. Under Role Based Access, click User Management.
  3. From the Groups tab, click the vertical ellipsis for the group.
  4. Select View Group Details.
  5. Under Group Details, click Features.
  6. Select these three features:
    1. Password Safe Account Management.
    2. Password Safe System Management.
    3. User Account Management.
  7. Click Assign Permissions above the grid.
  8. Select Assign Permissions Read Only for both features.

Set up application user access for Managed Accounts

  1. From the left sidebar, click Configuration.
  2. Under Role Based Access, click User Management.
  3. From the Groups tab, click the vertical ellipsis for the group.
  4. Select View Group Details.
  5. Under Group Details, select Smart Groups.
  6. Select the Smart Groups you wish to assign permissions to or create a new one. Note: This group needs to include all the Managed Accounts you want Entitle to have access to.
  7. Click Assign Permissions above the grid. Click Edit Password Safe Roles.
  8. Edit the Smart Group permission to include Requestor and Approver permissions.
    • The Access Policy for Requestor value is irrelevant, as the application user does not request access on behalf of itself.
    • The Requestor role is necessary for the application user to be able to see all the managed accounts that are included in the smart group.
    • The Approver role is necessary for the application user to be able to revoke previously requested access to those managed accounts.
    • Make sure to select the Active session reviewer role option.
  9. Click Save Roles.

Create the PS integration in Entitle

💡

Important

This applies to creating an integration either through Entitle on Pathfinder or through the Entitle standalone product.

  1. Sign in to Entitle.
  2. Navigate to the Integrations page.
  3. Click Add Integration.
  4. In the Application field, enter Password Safe.
  5. In the Save on dropdown, select Entitle cloud or your hosted agent.
  6. In the Connection field:
    • url: Enter your instance URL, including the API endpoint path /BeyondTrust/api/public/v3 (the part of the URL after the .com).
    • client_id: Enter the client ID you saved from the User Management page in PS.
    • client_secret: Enter the client secret you saved from the User Management page in PS.

Example Connection JSON

{
  "url": "<https://EXAMPLEURL.BEYONDTRUSTCLOUD.COM/BeyondTrust/api/public/v3>",
  "client_id": "<YOUR_CLIENT_ID>",
  "client_secret": "<YOUR_CLIENT_SECRET>"
}
  7. Click Save.
    The Entitle integration with Password Safe is saved.
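The following is an added pre-flight check, not Entitle's or BeyondTrust's code. It validates a connection JSON of the shape shown above (the three keys and the /BeyondTrust/api/public/v3 path come from this guide), audits a list of managed account records for the settings this guide calls out (API Enabled, Maximum Release duration, Max Concurrent Requests), and checks the shared-group condition from the access delegation section. The record field names ApiEnabled, MaxReleaseDuration (in minutes) and MaxConcurrentRequests, and the sample records themselves, are assumptions constructed for the example, not data exported from Password Safe.

```python
"""Pre-flight checks for an Entitle <-> BeyondTrust Password Safe integration.

Added example (not Entitle's or BeyondTrust's code). The connection keys
url / client_id / client_secret and the API path are taken from the guide;
the managed-account field names below are assumed, as is the sample data.
"""
from urllib.parse import urlparse

API_PATH = "/BeyondTrust/api/public/v3"
RECOMMENDED_MAX_RELEASE_MINUTES = 365 * 24 * 60  # 365 days, the guide's recommendation
UNLIMITED_CONCURRENT = 0                          # 0 means "Unlimited" in Password Safe


def validate_connection(cfg: dict) -> list[str]:
    """Return the problems found in an Entitle connection JSON (empty list = OK)."""
    problems = []
    for key in ("url", "client_id", "client_secret"):
        value = cfg.get(key)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"{key}: missing")
        elif value.startswith("<") and value.endswith(">"):
            # Values still wrapped in <...> are template placeholders, not real settings.
            problems.append(f"{key}: placeholder value not replaced")
    url = cfg.get("url", "")
    if isinstance(url, str) and url and not url.startswith("<"):
        parsed = urlparse(url)
        if parsed.scheme != "https":
            problems.append("url: must use https")
        if parsed.path.rstrip("/") != API_PATH:
            problems.append(f"url: path must be {API_PATH}")
        if parsed.query or parsed.fragment:
            problems.append("url: must not contain a query string or fragment")
    return problems


def audit_managed_accounts(accounts: list[dict]) -> dict[str, list[str]]:
    """Map 'system\\account' -> findings that would hide the account from Entitle
    or leave release settings tighter than the guide recommends.
    Field names (ApiEnabled, MaxReleaseDuration, MaxConcurrentRequests) are assumed."""
    findings = {}
    for acct in accounts:
        name = f"{acct.get('SystemName', '?')}\\{acct.get('AccountName', '?')}"
        issues = []
        if not acct.get("ApiEnabled", False):
            issues.append("API Enabled is off: account is invisible to Entitle")
        if acct.get("MaxReleaseDuration", 0) < RECOMMENDED_MAX_RELEASE_MINUTES:
            issues.append("Maximum Release duration below the recommended 365 days")
        if acct.get("MaxConcurrentRequests", 1) != UNLIMITED_CONCURRENT:
            issues.append("Max Concurrent Requests is not Unlimited (0)")
        if issues:
            findings[name] = issues
    return findings


def can_delegate(app_user_groups: set[str], user_groups: set[str]) -> bool:
    """An application user can request on behalf of a user only if they share a group."""
    return bool(app_user_groups & user_groups)


# Constructed sample input (not real tenant data).
SAMPLE_CONNECTION = {
    "url": "https://example.beyondtrustcloud.com/BeyondTrust/api/public/v3",
    "client_id": "sample-client-id",
    "client_secret": "<YOUR_CLIENT_SECRET>",   # left as a placeholder on purpose
}
SAMPLE_ACCOUNTS = [
    {"SystemName": "db-prod-01", "AccountName": "svc_backup", "ApiEnabled": True,
     "MaxReleaseDuration": 525600, "MaxConcurrentRequests": 0},
    {"SystemName": "web-01", "AccountName": "deploy", "ApiEnabled": False,
     "MaxReleaseDuration": 525600, "MaxConcurrentRequests": 0},
    {"SystemName": "jump-01", "AccountName": "admin", "ApiEnabled": True,
     "MaxReleaseDuration": 240, "MaxConcurrentRequests": 1},
]

if __name__ == "__main__":
    for problem in validate_connection(SAMPLE_CONNECTION):
        print("connection:", problem)
    for account, issues in audit_managed_accounts(SAMPLE_ACCOUNTS).items():
        for issue in issues:
            print(f"{account}: {issue}")
    print("delegation ok:", can_delegate({"entitle-delegation"}, {"entitle-delegation", "dba"}))
```

Run the checks before clicking Save: a placeholder secret or a URL without the API path fails silently in the UI only after the first sync, and an account with API Enabled off never appears in Entitle at all, so the audit is the quickest way to explain a "missing" managed account.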

Access session flow

This section outlines the end-user experience for starting an access session in PS.

Create a new access request in Entitle

To start an access session, the user must submit an access request:

ℹ️

Note

For more information, see the Create a new request section in the Entitle Web App user guide.

  1. Log in to Entitle, and click the New Request button.

  2. Select your PS application from the catalog, and click Next.

  3. Choose the duration of your request, and click Next.

  4. Briefly explain the reason for the request, and click the Review Request button.

  5. Review your request’s details and make adjustments if needed. Click the Submit request button.

  6. Your request is now submitted and will be added to the My pending requests section. Once the request is approved, you will have access to the specific session.

Start a session via Slack or Teams

  1. Once the access request is approved, the user will receive two consecutive messages from Entitle via Slack or Teams (depending on which app was previously integrated with Entitle in the Prerequisites section).
  2. There are three ways to start a session:
    1. Option 1: For Linux machines, through an SSH link.
    2. Option 2: For Windows machines, through an RDP file.
    3. Option 3: Using credentials (least recommended).

Option 1: Start a session through an SSH link (for Linux machines)

The user will receive an SSH link via the Entitle app on Slack/Teams:

Via Slack

  1. Click the SSH link > Open link.

  2. The session will start on the SSH Client installed on the user’s machine.

Via Teams

To start the session, click the SSH link.

ℹ️

Note

If the session is closed before the access request expires, the link will not work again.

Option 2: Start a session through an RDP file (for Windows machines)

The user will receive a session started message as well as an RDP file via the Entitle app on Slack/Teams:

Via Slack

  1. Download the RDP file to your machine.

  2. To start a new session, connect with RDP by loading the RDP file in the Remote Desktop Connection. It may take a few moments for your PS session to load.

Via Teams

  1. Click Allow to begin downloading the RDP file.

  2. Click the vertical ellipsis (…) to download the RDP file to your machine.

  3. Load the RDP file in the Remote Desktop Connection to start a new session.

    ℹ️

    Note

    If the session is closed before the access request expires, the file will not load again.

Option 3: Start a session using credentials

If an administrator has made starting a session through an SSH link or an RDP file unavailable, the session can be started using the user’s password instead.

Via Slack

Copy the password into your desired managed account to manually start the session.

Via Teams

Copy the password into your desired managed account to manually start the session.

ℹ️

Note

If the session is closed before the access request expires, the credentials will not work again.

Manage PS applications in Entitle

Add a new application in PS

  1. From the left sidebar in BeyondInsight, click Configuration.
  2. Select Applications > + Create new application. Proceed with defining the new application and add it to your chosen managed system.
  3. Navigate to the Managed Accounts screen.
  4. Click on a specific user and associate the chosen application by clicking Applications and choosing the application from the list. Click Update account to save.
  5. In the account’s access policy, make sure the Application tab is enabled to include application access.
  6. The managed account resources in Entitle will be updated in the next sync.

Access session flow for PS applications

ℹ️

Notes

  • The required steps for starting a session to an application in PS are identical to the steps outlined in the Access session flow section.
  • The name of the role is the alias of the application defined in PS.
  • Choose one of the following options for starting a session and proceed with its corresponding steps: