What are options in Vault?

Options in Vault allow administrators to configure and customize settings related to how Vault operates, including security, access controls, and management preferences for storing and handling credentials.

How are options useful in Vault?

Options provide flexibility for administrators to tailor Vault's behavior to meet specific organizational needs. Configuring options ensures that Vault aligns with internal security policies, compliance requirements, and user access needs, making credential management more efficient and secure.

How do I access the Options page?

  1. Use a Chromium-based browser to sign in to your Privileged Remote Access URL.
    This URL is provided in the BeyondTrust welcome email and includes your site URL followed by /login.
  2. From the left menu, click Vault.
    The Accounts page opens and displays by default.
  3. At the top of the page, click Options.
    The Options page displays.

Global options

The global default account policy must define an option for each setting. If an account does not have a setting defined using a specific policy, it inherits the policy from the account group. If the account group does not have a setting defined using a specific policy, it inherits the policy from the global default account policy.

There are three settings that affect the global account policy, they are the following:

Automatic password management

Scheduled password rotation rules

  • When this option is set to Allow, if the account policy is connected with an account or account group, the credentials rotate after the set maximum password age.
    • Maximum password age
      If scheduled password rotation is enabled, specify the maximum number of days a password can be in place for Vault accounts before it is automatically rotated.
  • When this option is set to Deny if the account policy is connected with an account or account group, the credentials do not rotate after the set maximum password age.

Account settings

Automatically rotate credentials after check in rules

  • When this option is set to Allow, if the account policy is connected with an account or account group, the credentials auto rotates when account is checked in.
  • When this option is set to Deny, if the account policy is connected with an account or account group, the credentials do not auto rotate when account is checked in.

Allow simultaneous checkout rules

  • When this option is set to Allow, if the account policy is connected with an account or account group, the credentials can be simultaneously checked out by multiple users.
  • When this option is set to Deny, if the account policy is connected with an account or account group, the credentials cannot be simultaneously checked out by multiple users.

Generated passwords for account rotation

Defines the length of passwords generated during account rotation for domain and local accounts. The minimum length is 20 characters and a maximum length is 256 characters.

ℹ️

Note

Password lengths do not apply to SSH and personal accounts.

Password length

Sets the minimum and maximum number of characters allowed for the password generated during manual, automatic, and scheduled password rotation for accounts that are rotated through Windows API (non-Entra ID accounts).

Password length of AADDS accounts

Sets the minimum and maximum number of characters allowed for the password generated during password rotation of Entra ID Domain Services accounts through MS Graph API.


©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.