Privileged Remote Access

What is BeyondTrust Privileged Remote Access?

BeyondTrust Privileged Remote Access (PRA) is a tool that helps organizations manage and secure remote access for users with special permissions, such as system administrators or external vendors.

How is this integration useful?

PRA safeguards sensitive systems while enabling authorized personnel to perform their duties efficiently. With this integration, Entitle can manage the following resource types in PRA:

Jump groups
group policies
vault accounts
vault account groups
teams

Prerequisites

You must have an Admin account in Entitle.
The Privileged Remote Access user must have Administrator privileges.
The Privileged Remote Access user you wish to integrate with Entitle must have an API account.
Access to your PRA API account Hostname, Client ID, and Client secret.
For an optimal experience with real-time access console updates, please use PRA version 24.3.1 or higher.

Obtain your Client ID and Client Secret in PRA

You must have an API account in PRA to integrate it with Entitle. If you already have an existing API account, skip this procedure.

Sign in to PRA.
In PRA, from the left navigation menu, click Management.

The Management page displays.
In the top menu, click API Configuration.

The API Configuration page displays.
If you do not have an API account in PRA, create one.
1. In the API Accounts section, click Add.
  
  The Add an API Account page displays.
2. To activate the API account, select Enabled.
3. Enter a Name for the account.
4. Optionally, add Comments.
5. Click Save.
  
  The API account saves in PRA.
On the API Configuration page, locate your Client ID and Client Secret.
Copy the OAuth Client ID and Client Secret details and save them.

Configure the PRA API account permissions

In PRA, from the left navigation menu, click Management.

The Management page displays.
In the top menu, click API Configuration.

The API Configuration page displays.
In the Permissions section, set the following mandatory settings:
- Command API: Select Full Access.
- Configuration API: Select Allow Access and Manage Vault Accounts.
Optionally, select additional permissions.
Click Save.

Create the PRA integration in Entitle

Sign in to Entitle.
Navigate to the Integrations page.
Click Add Integration.
In the Application field, enter Privileged Remote Access.
In the Save on dropdown, select Entitle cloud or your hosted agent.
In the Connection field:
- host: Enter your instance host. Do not include the https:// prefix.
- client_id: Enter the client ID you saved from the API Configuration page in PRA.
- client secret: Enter the client secret you saved from the API Configuration page in PRA.
- options: Optionally, you can exclude specific resource types from the integration using the option field. Available resource types include:
  - Jump Groups - "jump-group"
  - Group policy - "group-policy"
  - Vault account - "vault-account"
  - Vault account group - "vault-account-group"
  - Team - "team"
    Example options set:
```
 "options": {
        "exclude_asset_types": ["jump-group", "team"], 
```
  Example Connection JSON with options set:
```
{
  "host": "<YOUR_HOST>", 
  "client_id": "<YOUR_CLIENT_ID>",
  "client_secret": "<YOUR_CLIENT_SECRET>",
  "options": {
        "exclude_asset_types": ["jump-group", "group-policy"], 
    },
}
```
Click Save.

The Entitle integration with PRA saves