DocumentationAPI ReferenceRelease Notes
Log In
Documentation

Account groups

Suggest Edits

What are account groups?

Vault account groups are collections of user accounts within the Vault system, organized based on access permissions or roles. These groups are used to streamline the management of shared Vault accounts that enable Vault administrators to efficiently grant users access to multiple shared accounts. Account groups can also associate a group of shared Vault accounts with a specific group policy.

📘

Note

Shared Vault accounts can only belong to one group at a time, and personal Vault accounts cannot be added to an account group.

How are account groups useful to my organization?

Account groups help simplify credential management which allow administrators to assign access to multiple shared Vault accounts at once. This ensures efficient and controlled access for users. These groups also provide an effective way to apply policies to a collection of shared accounts which enhance security and compliance while reducing administrative overhead.

How do I access the Account Groups page?

  1. Use a browser to sign in to your Privileged Remote Access URL.
    This URL is provided in the BeyondTrust welcome email and includes your site URL followed by /login.
  2. From the left menu, click Vault.
    The Accounts page opens and displays by default.
  3. At the top of the page, click Account Groups.
    The Account Groups page displays.

Add an account group

  1. From the left menu, click Privileged Remote Access > Vault.

  2. The Vault page opens and the Accounts tab displays by default.

  3. Click the Account Groups tab.

  4. Click Add.
    The Add Account Group page displays.

  5. In the Name field, enter a name for the account.

  6. In the Description field, enter a useful description for the account.

  7. Select a specific policy for the account group or leave Account Policy set to the default value of Inherit Policy Settings. If Inherit Policy Settings is selected, the accounts in this account group inherit the policy settings set for the global default account policy on the Vault > Options page.

  8. Under Accounts, select the group from the Source Account Group list, and then select the accounts to add to this group.

ℹ️

Note

The Default Group is a system generated group that contains all user accounts that do not belong to an account group. The Default Group is selected by default.

You can filter the list of available accounts to add to the group by selecting a group from the Source Account Group list or by using the Search Selected Account Group box to search by Name, Endpoint, and Description.

  1. Click Add to move the accounts over to the Accounts in This Group list.

  2. In the Allowed Users section, add a user and select their Vault role from the New Member Role dropdown, and then click Add. Users can be assigned one of two member roles:

    • Inject: Users with this role can use this account in Secure Remote Access sessions (default value).
    • Inject and Checkout: Users with this role can use this account in Secure Remote Access sessions and can check out the account on Support for Admins. The Checkout permission has no effect on generic SSH accounts.

  3. Select the type of Jump Item Associations for the account. The Jump Item Associations setting determines which Jump Items the account is associated with, so the account is available only for relevant target computers in the console during credential injection attempts.

    Select one of the following types:

    Jump Item Association TypeDescription
    Inherited from the Account GroupAssociations for this account are determined by the associations defined in this account's Account Group.
    Any Jump ItemsThis account can be injected within any session started from a Jump Item in which the account is applicable. The applicable accounts are the following:
    • Local Accounts- discovered on a Vault Endpoint are available for injection on Jump Items targeting the Endpoint.
    • Domain Accounts- are available for injection on Jump Items targeting Vault Endpoints on the Domain.
    • All Domain Accounts- are available for injection on Jump Items targeting remote systems that do not match a Vault Endpoint.
    • Shared Generic Username & Password Accounts- are available for injection into all Jump Items.
    • Shared Generic SSH Accounts- are available for injection into all Shell Jump Shortcuts.
    • Shared Generic Token Accounts- are available for injection into all Kubernetes Cluster Tunnel Jump Shortcuts.


    ℹ️ Note

    Personal Jump Items are not supported..



    No Jump ItemsThis account cannot be injected into any session started from a Jump Item.
    Jump Items Matching CriteriaThis account can be injected only within sessions started from Jump Items that match the criteria you define, in which the account is applicable. The applicable accounts are the following:

    • Local Accounts- discovered on a Vault Endpoint are available for injection on Jump Items targeting the Endpoint.
    • Domain Accounts- are available for injection on Jump Items targeting Vault Endpoints on the Domain.
    • All Domain Accounts- are available for injection on Jump Items targeting remote systems that do not match a Vault Endpoint.
    • Shared Generic Username & Password Accounts- are available for injection into all Jump Items.
    • Shared Generic SSH Accounts- are available for injection into all Shell Jump Shortcuts.
    • Shared Generic Token Accounts- are available for injection into all Kubernetes Cluster Tunnel Jump Shortcuts.


    ℹ️ Note

    Personal Jump Items are not supported..


    If the Jump Item Attributes section is configured, this list combines with any Jump Items that match the criteria.

    The following Jump Methods are supported:
    • Jump Client
    • Remote RDP
    • Remote Jump
    • Shell Jump
    • Protocol Tunnel Jump
    • Web Jump

    Injection is not supported for the following items:
    • Personal Jump Items
    • TCP Tunnel Protocol Tunnel Jump Shortcuts
    • IP Tunnel Protocol Tunnel Jump Shortcuts

    📘

    Note

    You can define a direct association between Vault accounts and specific Jump Items by selecting the Jump Items from the list and then click Add Jump Item.

    If configured, the account is available for injection for any Jump Items that match the specified attribute criteria in addition to any specific Jump Items you added as matching criteria.

    Local accounts are available for injection within the endpoints on which they were discovered.


    You can further define the association between Vault accounts and Jump Items by specifying matching criteria. Each of the following values have a maximum length of 64 characters and can contain a maximum of 32 values.

    The different Jump Item attributes are the following:

    • Name: This filter is matched against the value that appears in the Name column of the Jump Item in the console.
    • Hostname / IP: This filter is matched against the value that appears in the Hostname / IP column of the Jump Item in the console.
    • Tag: This filter is matched against the value that appears in the Tag column of the Jump Item in the console.
    • Comments: This filter is matched against the value that appears in the Comments column of the Jump Item in the console.

    For example, a list of filter criteria is:

    CriteriaResult
    value matches the field exactly.
    value*matches the field as a prefix.
    *valuematches the field as a suffix.
    **value**matches if the field contains the value

  4. Click Save at the top of the page.

Add an Account Group to an existing shared account

  1. From the left menu, click Privileged Remote Access > Vault.
    The Vault page opens and the Accounts tab displays by default.
  2. From an existing shared account, click the ellipsis button, and then select Edit.
  3. Select the group from the Account Group list, and then click Save.

Import a discovered account

  1. From the left menu, click Privileged Remote Access > Vault.
    The Vault page opens and the Accounts tab displays by default.

  2. Click the Discovery tab.

  3. From the Discovery Jobs section, select a Discovery Job.

  4. Click View Results for the job.

  5. Select the Local Accounts or Domain Accounts tab as applicable.

  6. From the list of accounts, select the account you wish to import.

  7. Click Import Selected.

  8. Select the group from the Account Group list.

  9. Click Start Import.

Add an account group to a group policy

  1. From the left menu, click Privileged Remote Access > Users & Security.
    The User page opens and displays by default.

  2. Click the Group Policies tab

  3. From the list of existing group policies, click the pencil pencil icon to edit existing policies to edit a policy.

  4. Scroll down to the Memberships section.

  5. Check the Add Vault Account Group Memberships checkbox.

  6. Select the Account Group from the list.

  7. Select the Vault Account Role from the list.
    Users can be assigned one of two member roles:

    • Inject: Users with this role can use this account in Secure Remote Access sessions (default value).
    • Inject and Checkout: Users with this role can use this account in Secure Remote Access sessions and can check out the account on Support for Admins. The Checkout permission has no effect on generic SSH accounts.

  8. Click Add.

  9. Click Save at the top of the page.

  10. The group policy and its Vault account role are now displayed under the Group Policies section for the account group that was added to the policy.

  11. The members of the group policy are now added under Allowed Users for the account group.

ℹ️

Note

If a user was granted access individually from the account group edit page and also through a group policy, the group policy access is overridden by the explicitly granted individual access for this user.

Search Account Groups

You can filter the list of available account groups by using the Search Account Groups box. Based on the account type, you can use Name or Description as the criteria to search.

Edit an Account Group

  1. From the left menu, click Privileged Remote Access > Vault.
    The Vault page opens and the Accounts tab displays by default.

  2. Click the Account Group tab.
    The Account Groups page displays.

  3. Select a group in the list.

  4. Click the pencil pencil icon to edit a group. to edit a group.

  5. Make the necessary changes, and then click Save.

Delete an Account Group

  1. From the left menu, click Privileged Remote Access > Vault.
    The Vault page opens and the Accounts tab displays by default.

  2. Click the Account Group tab.
    The Account Groups page displays.

  3. Select a group in the list.

  4. Click the trash can Use the trash can to delete a group. to delete a group.

  5. Click Yes.





Account groups

Add, view, and manage account groups.

Add account group

Click Add to add an account group, add Vault accounts to the group, and grant users access to the group of shared Vault accounts.

Search account groups

Search for a specific account groups based on Name or Description.

Add account group

The Add Account Group option allows you to add account groups for the purpose of granting users access to multiple Vault accounts at once.

Name

Enter a name for the account group.

Description

Enter a brief and memorable description of the account group.

Account policy

Select a specific policy for the account group or leave Account Policy set to the default value of Inherit Policy Settings, in which case the accounts in this account group inherit the policy settings set for the global default account policy on the Vault > Options page.

Group policies

If the account group was added to any group policies, they are listed here, along with their Vault account roles.

Accounts

Source account group

Filter the list of accounts available to add to the group by selecting a group from the Source Account Group list.

Search selected account group

Filter the list of accounts available to add to the group by searching for an account group. You can search by Name, Endpoint, and Description.

Accounts in group "Default Group"

List of Vault accounts available to add to the account group.

Add

Select accounts from the list of available groups, and then click Add to add them to the Accounts in This Group list.

Remove

Select accounts from the list of Accounts in This Group, and then click Remove to remove them from the account group.

Search this account group

Filter the list of Accounts in This Group by searching for an account group by Name, Endpoint, and Description.

Accounts in this group

List of Vault accounts that exist in this account group.

Allowed users

New user name

Select users who are allowed to access this account.

New member role

Select the Vault account role for the new user, and then click Add. Users can be assigned one of two roles:

  • Inject: (default value) Users with this role can use this account in Privileged Remote Access sessions.
  • Inject and Checkout: Users with this role can use this account in Privileged Remote Access sessions and can check out the account on /login. The Checkout permission has no affect on generic SSH accounts.

ℹ️

Note

The Vault Account Role is visible in the list of users added to the Vault account.

Jump Item associations

Select the type of Jump Item Associations for the account group. The Jump Item Associations setting determines which Jump Items the accounts in this account group are associated with, so that only the accounts relevant to the target machine are available in the access console during credential injection attempts. Select one of the following associations methods:

  • Any Jump Items: Accounts in this group can be injected into any Jump Item session in which the accounts are applicable.
  • No Jump Items: Accounts in this group cannot be injected into any Jump Item session.
  • Jump Items Matching Criteria: Accounts in this group can be injected only into Jump Item sessions that match the criteria you define, in which the accounts are applicable.
    • You can define a direct association between applicable accounts in this account group and specific Jump Items by selecting the Jump Items from the list, and then clicking Add Jump Item.
    • You can further define the association between applicable accounts in this account group and Jump Items by specifying matching criteria based on the following Jump Item attributes. If configured, accounts in this account group are available for injection for any Jump Items that match the specified attribute criteria in addition to any specific Jump Items you added as matching criteria.
      • Shared Jump Groups: Select a Jump Group from the list.
      • Name: This filter is matched against the value that appears in the Name column of the Jump Item in the access console.
      • Hostname / IP: This filter is matched against the value that appears in the Hostname / IP column of the Jump Item in the access console.
      • Tag: This filter is matched against the value that appears in the Tag column of the Jump Item in the access console.
      • Comments: This filter is matched against the value that appears in the Comments column of the Jump Item in the access console.

ℹ️

Note

Click the i icon for each option and attribute to view more specific information about it.

Local accounts are available for injection within the endpoints on which they were discovered.

Updated 22 days ago

©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.