Account policies
What are account policies?
Vault account policies define settings related to password rotation, credential checkout, and other account management rules for Vault accounts. These policies can be applied to multiple accounts simultaneously, which simplifies the management of account security settings.
Vault account policies give admins the ability to specify the following account settings:
- Enable scheduled password rotation and set the maximum password age or deny scheduled password rotation.
- Allow or deny the automatic rotation of credentials after the credential is checked in.
- Allow or deny credentials to be checked out simultaneously.
Note
The global default account policy must define an option for each setting. If an account does not have a setting defined using a specific policy, it inherits the policy from the account group. If the account group does not have a setting defined using a specific policy, it inherits the policy from the global default account policy.
If multiple account policies define a setting, then the value from the first applied policy is used.
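The inheritance order in the note above can be modeled as a small resolver. This is an added example, not BeyondTrust code or a product API; the setting keys, policy names, and sample data are constructed for illustration. It also reports which later policies are ignored because an earlier applied policy already defines the setting.

```python
# Illustrative model of the inheritance rules above; names and data are constructed.
SETTINGS = ("scheduled_rotation", "rotate_after_check_in", "simultaneous_checkout")


def first_defined(policies, setting):
    """Scan policies in applied order; a missing key or None means Not Defined."""
    for policy in policies:
        if policy.get(setting) is not None:
            return policy
    return None


def resolve(setting, account_policies, group_policies, global_default):
    """Return the effective value and the level and policy it came from."""
    if global_default.get(setting) is None:
        raise ValueError(f"global default must define {setting}")
    levels = (("account", account_policies), ("account group", group_policies))
    for level, policies in levels:
        winner = first_defined(policies, setting)
        if winner is not None:
            return {"value": winner[setting], "level": level, "policy": winner["name"]}
    return {"value": global_default[setting], "level": "global default",
            "policy": global_default["name"]}


def shadowed(setting, policies):
    """Names of later policies whose conflicting value is ignored at this level."""
    winner = first_defined(policies, setting)
    if winner is None:
        return []
    return [p["name"] for p in policies
            if p is not winner and p.get(setting) not in (None, winner[setting])]


# Constructed sample data (hypothetical policy names), listed in applied order.
GLOBAL = {"name": "global-default", "scheduled_rotation": "allow",
          "rotate_after_check_in": "allow", "simultaneous_checkout": "deny"}
GROUP = [{"name": "db-admins", "simultaneous_checkout": "allow"}]
ACCOUNT = [{"name": "legacy-svc", "scheduled_rotation": "deny"},
           {"name": "strict-rotation", "scheduled_rotation": "allow",
            "rotate_after_check_in": "allow"}]

if __name__ == "__main__":
    for s in SETTINGS:
        print(s, resolve(s, ACCOUNT, GROUP, GLOBAL), shadowed(s, ACCOUNT))
```

In the sample data, the account's scheduled rotation resolves to deny because `legacy-svc` is applied first, even though `strict-rotation` sets allow; reviewing shadowed policies catches this kind of ordering mistake.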
How are account policies useful to my organization?
Vault account policies ensure consistent application of security settings across multiple accounts, which reduces administrative effort and ensures compliance with organizational security requirements. When policies are applied in a defined order, organizations can prioritize specific settings for individual accounts or groups, while still retaining a global default for broader governance. This hierarchical approach provides flexibility in managing account security.
How do I access the Account Policies page?
- Sign in to app.beyondtrust.io.
  The BeyondTrust Home page displays.
- From the main menu, click Privileged Remote Access > Vault.
  The Vault page opens and the Accounts tab displays by default.
- Click the Account Policies tab.
  The Account Policies tab displays.
The Account Policies page

- Left menu: Easy access to all pages in Privileged Remote Access, including Status, Consoles & Downloads, My Account, Configuration, Jump, Vault, Console Settings, Users & Security, Reports, Management, and Appliance pages.
- Status: Opens the Status page.
- Header: Change your tenant site, manage your profile, and access documentation.
- Add: Adds a new account policy.
- List option: Click Expand All to get detailed information about the policy. By default, the list is collapsed.
- Account Policy columns: The list of columns varies depending on what you choose to display.
Account Policy columns
- Display Name: Unique name of the account.
- Code Name: Set a code name for integration purposes. If you do not set a code name, one is created automatically.
- Description: A brief description of the Account Group.
- Account Group options: Copy, edit or delete an account policy.
Add an account policy
- Sign in to app.beyondtrust.io.
  The BeyondTrust Home page displays.
- From the main menu, click Privileged Remote Access > Vault.
  The Vault page opens and the Accounts tab displays by default.
- Click the Account Policies tab.
  The Account Policies tab displays.
- Click Add.
- In the Name field, enter a name for the account.
- In the Code Name field, create a code name for integration purposes. If you do not set a code name, one is created automatically.
- In the Description field, enter a useful description for the account.
- Set your Permissions.
Scheduled Password Rotation Rules
- Not Defined: Uses the default Global setting.
- Allow: When this option is set, if the account policy is connected with an account or account group, the credentials rotate after the set maximum password age.
- Deny: When this option is set, if the account policy is connected with an account or account group, the credentials do not rotate after the set maximum password age.
Automatically Rotate Credentials after Check in Rules
- Not Defined: Uses the default Global setting.
- Allow: When this option is set, if the account policy is connected with an account or account group, the credentials automatically rotate when the account is checked in.
- Deny: When this option is set, if the account policy is connected with an account or account group, the credentials do not automatically rotate when the account is checked in.
Allow Simultaneous Check Out Rules
- Not Defined: Uses the default Global setting.
- Allow: When this option is set, if the account policy is connected with an account or account group, the credentials can be checked out simultaneously by multiple users.
- Deny: When this option is set, if the account policy is connected with an account or account group, the credentials cannot be checked out simultaneously by multiple users.
- In the Allowed Users section, add a user and select their Vault role from the New Member Role dropdown, and then click Add. Users can be assigned one of two member roles:
- Inject: Users with this role can use this account in Secure Remote Access sessions (default value).
- Inject and Checkout: Users with this role can use this account in Secure Remote Access sessions and can check out the account on Support for Admins. The Checkout permission has no effect on generic SSH accounts.
- Click Save.
After an account policy is created, it is listed in the grid on the Account Policies page. You can copy or edit any of the listed policies by clicking the Copy or Edit button for the policy in the grid and modifying the settings as required.
Note
If a setting in an account policy is not defined, it inherits the settings from the global default account policy, configured from the Vault > Options page.
Copy an account policy
- Sign in to app.beyondtrust.io.
  The BeyondTrust Home page displays.
- From the main menu, click Privileged Remote Access > Vault.
  The Vault page opens and the Accounts tab displays by default.
- Click the Account Policies tab.
  The Account Policies tab displays.
- Select an existing policy in the list, and then click the Copy button.
- The Add Account Policy page displays.
- Make the necessary changes, and then click Save.
Edit an account policy
- Sign in to app.beyondtrust.io.
  The BeyondTrust Home page displays.
- From the main menu, click Privileged Remote Access > Vault.
  The Vault page opens and the Accounts tab displays by default.
- Click the Account Policies tab.
  The Account Policies tab displays.
- Select an existing policy in the list, and then click the pencil icon.
- The Edit Policy page displays.
- Make the necessary changes, and then click Save.
Delete an account policy
- Sign in to app.beyondtrust.io.
  The BeyondTrust Home page displays.
- From the main menu, click Privileged Remote Access > Vault.
  The Vault page opens and the Accounts tab displays by default.
- Click the Account Policies tab.
  The Account Policies tab displays.
- Select an existing policy in the list, and then click the trash can icon to delete the account policy.
- A confirmation dialog box appears. Click Yes.