User permissions
Assigning permissions grants users access to capabilities such as modifying accounts or viewing Vault reports. BeyondTrust Vault provides two permissions you can assign to Secure Remote Access users.
Permission name | Description |
---|---|
Allowed to Administer Vault | This permission grants the user full rights to discover, add, modify, and manage privileged accounts stored on the Appliance. If a user has not been granted this permission, they cannot view or add shared generic Vault accounts. However, they can add and manage their own personal generic Vault accounts. |
Allowed to View Vault Reports | This permission indicates what level of rights a user has for viewing Vault reports:
|
Note
When BeyondTrust Vault is enabled, users with administrator privileges in BeyondTrust Secure Remote Access automatically possess the Allowed to Administer Vault and the Allowed to View Vault Reports - View All Events permissions. For other users, these permissions need to be explicitly configured.
If a user wishes to rotate passwords on protected users such as domain admins, enterprise admins, etc., additional permission configuration is required.
Note
By default, users are not given access to credentials. However, if an administrator grants a user access to a credential, the user can begin using the credential in Secure Remote Access sessions and can check out the credential in Support for admin (if enabled). Once the user uses the credential, they are able to view reporting about their credential use.
Configure Vault user permission
To set Vault permissions for a user, follow these steps:
- Sign in to app.beyondtrust.io.
  The BeyondTrust Home page displays.
- From the main menu, click Privileged Remote Access > Users & Security > Users.
  The User Account page opens and the User tab displays by default.
- Locate the user you wish to assign the permission to. Click the pencil icon.
- Click the General Permissions section to expand it.
- Under Administration, check Allowed to Administer Vault.
- Under Reporting, select a permission from the Allowed to View Vault Reports dropdown.
- Click Save.
Note
Vault administration and report privileges can also be configured via group policy from Users & Security > Group Policies.
Configure user permissions to rotate protected credentials
To configure additional permissions for rotating passwords on protected users such as domain admins and enterprise admins, follow these steps:
- Go to the Command Prompt as an admin on the domain controller.
- Run the following commands, where dc=cps,dc=com is the information for your domain:
dsacls "dc=cps,dc=com" /G "<yourDomainName>\<yourAccountName>:CA;Reset Password;user" /I:S
dsacls "CN=AdminSDHolder, CN=System, DC=cps, DC=com" /G "<yourDomainName>\<yourAccountName>:CA;Reset Password"
Next, manually run the SDProp process, following these steps:
- Run ldp.exe as admin.
- Select Connection > Connect... from the Ldp window.
- In the Connect window, make sure 389 is listed in the Port field.
- Click OK.
- Select Connection > Bind... from the Ldp window.
- Select Bind as currently logged on user.
- Click OK.
- Select Browse > Modify from the Ldp window.
- Configure the following fields in the Modify window:
  - DN field: empty
  - Attribute field: type RunProtectAdminGroupsTask
  - Values field: 1
  - Operation: click Add and then click Enter.
- Click Run.
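To confirm the result once SDProp has run, the following check lists which principals hold the Reset Password right on AdminSDHolder and whether the grant has reached each protected account. It is an added example, not BeyondTrust's own tooling; it assumes the ActiveDirectory PowerShell module is installed, the function name Get-ResetPasswordAce is hypothetical, and $Account must be set to the account used in the dsacls commands.

```powershell
# Added example: audit the Reset Password grant made with dsacls above.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined host.
Import-Module ActiveDirectory

# Assumption: set this to the account named in the dsacls commands.
$Account = '<yourDomainName>\<yourAccountName>'

# Rights GUID of the "Reset Password" control access right
# (User-Force-Change-Password in the AD schema).
$ResetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Hypothetical helper: return the Allow ACEs on an object that grant
# exactly the Reset Password right. Broader ACEs (GenericAll, or all
# extended rights) also permit resets and are not matched here.
function Get-ResetPasswordAce {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    (Get-Acl -Path "AD:\$DistinguishedName").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights.HasFlag($ExtendedRight) -and
        $_.ObjectType -eq $ResetPassword
    }
}

$domainDn = (Get-ADDomain).DistinguishedName
$holderDn = "CN=AdminSDHolder,CN=System,$domainDn"

# 1. Every principal that can reset protected-account passwords through
#    the AdminSDHolder template. Review any entry you do not recognise.
$holderAces = Get-ResetPasswordAce -DistinguishedName $holderDn
$holderAces | Select-Object IdentityReference, IsInherited | Format-Table -AutoSize

if (-not ($holderAces | Where-Object { $_.IdentityReference.Value -eq $Account })) {
    Write-Warning "No Reset Password ACE for $Account on $holderDn"
}

# 2. Protected accounts (adminCount=1): has SDProp stamped the ACE on each?
Get-ADUser -LDAPFilter '(adminCount=1)' | ForEach-Object {
    $ace = Get-ResetPasswordAce -DistinguishedName $_.DistinguishedName |
        Where-Object { $_.IdentityReference.Value -eq $Account }
    [pscustomobject]@{
        User                 = $_.SamAccountName
        ResetPasswordGranted = [bool]$ace
    }
} | Format-Table -AutoSize
```

An account shown with ResetPasswordGranted set to False has not yet received the AdminSDHolder ACL; rerun the check after SDProp completes.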
Note
For more information, please see Users & security and SDProp.