Vault | PRA Pathfinder

What is Vault?

Vault is a secure storage solution that allows organizations to safely store and manage sensitive information, such as credentials and passwords, so that it is accessible only to authorized users. On the Accounts page, you can add, edit, and manage credential accounts. Adding accounts enables users with the correct roles to access the account credentials for injections and rotations.

How is Vault useful to my organization?

Vault helps improve security and compliance by providing a centralized location for managing sensitive data, ensuring that credentials are protected, and reducing the risk of unauthorized access during remote support sessions. It mitigates the risk of shared privileged account credentials by enabling secure credential management, including credential discovery, masking, injection, and rotation.

Vault fits seamlessly into your service desk workflow by integrating directly with the Privileged Remote Access solution. This allows administrator accounts to access systems without exiting BeyondTrust. With just one click in the Secure Remote Access console, users can select the correct credential and log directly in to a remote system, which keeps your privileged accounts more secure.

How do I access the Vault page?

  1. Sign in to app.beyondtrust.io.
    The BeyondTrust Home page displays.
  2. From the main menu, click Privileged Remote Access > Vault.
    The Vault page opens and the Accounts tab displays by default.

  1. Add: Adds a new vault account.

  2. Rotate: Rotates privileged credentials. You must select an existing account in the list for Rotate to become available.

  3. Shared: Use this tab to manually create a credential account. This account can be used by all users who have been assigned to the account with the Inject or the Inject and Check Out Vault account role.

  4. Personal: Use this tab to create a personal account. This account can be used only by the account owner (the user who created the account). You can create up to 50 personal accounts.

  5. AWS Secrets: Use this tab to start a discovery of AWS Secrets.

  6. Password Safe: Use this tab to start a discovery of Password Safe accounts.

  7. Filter: Select a Name, Description, or Endpoint to search for a Shared account. Select a Name or Description to search for a Personal account.

  8. Vault Account list columns: The list varies depending on the type of account you are using. Not all columns are displayed.

    Shared account columns
    • Type: The type of account (that is, generic password, single token, private key, etc.).
    • Name: Unique name of the account.
    • Username: The username of the account.
    • Group: The name of the group you want the account to be in.
    • Endpoint: The size of the policy (in KB).
    • Account Policy: Select an existing policy or specify a custom policy.
    • Last Checkout: Displays the date/time when the policy was last checked out.
    • Password Age: Displays the age of the policy.
    Personal account columns
    • Name: Unique name of the account.
    • Owner: The owner name of the account.
    • Description: Unique description of the account.
    • Password Age: Displays the age of the policy.
    Status column

    A Status column displays when at least one of the accounts has a warning, error, or checked-out status to indicate. Accounts managed by Entra ID are identified in the Status column, as well as an alert if there is no service principal for the account. Accounts that run a Windows service are indicated as Service Account in the Status column. Multiple statuses for an account are stacked and displayed in different colors. You can hover over a specific status to view more details about it.

ℹ️

Click Select visible columns above the grid to customize the columns displayed in the grid.

Information about Vault Accounts

ℹ️

Vault can import, rotate, and manage up to 100,000 accounts.

Account Groups

Vault Account Groups organize shared Vault user accounts by role or access level, allowing administrators to efficiently grant access to multiple accounts and apply a single group policy to them.

Account Policies

Vault Account Policies define password rotation, credential checkout, and other account management rules that can be applied across multiple Vault accounts to simplify and standardize security settings.

How do I access the Vault page?

  1. Use a Chromium-based browser to sign in to your Privileged Remote Access URL.
    This URL is provided in the BeyondTrust welcome email and includes your site URL followed by /login.
  2. From the left menu, click Vault.
    The Accounts page opens and displays by default.

View Vault account details

Available information for shared accounts includes:

  • Type: The type of account, specifically, whether it is a domain or a local account, or a generic password account.
  • Name: The name of the account.
  • Username: The username associated with the account.
  • Group: The name of the account group to which the account belongs.
  • Endpoint: The endpoint with which the account is associated.
  • Account Policy: The account policy the Vault account is using.
  • Description: Short description about the account.
  • Last Checkout: The last time the account was checked out.
  • Password Age: The age of the password.
  • Status: This column displays when at least one of the accounts has a warning, error, or checked-out status to indicate. Accounts managed by Entra ID are identified in the Status column, as well as an alert if there is no service principal for the account. Accounts used to run a Windows service are indicated as Service Account in the Status column. Multiple statuses for an account are stacked and displayed in different colors. You can mouse-over a specific status to view more details about it.
ℹ️

The Status column is auto-hidden when none of the accounts have a status currently set.

You can filter the list of shared accounts displayed using the filters for Group and Password Age. Click the Select visible columns button above the grid to customize the columns displayed in the grid.

Based on this information, you can perform various actions, including credential check out, check in, and credential rotation.

Available information for personal accounts includes:

  • Type: The type of account, specifically, whether it is a domain or a local account, or a generic password account.
  • Name: The name of the account.
  • Owner: The name of the person who created and owns the account.
  • Description: Short description about the account.
  • Password Age: The age of the password.
ℹ️

You can filter the list of personal accounts displayed by Owner and Password Age.

Add account

Click Add to manually add a shared or personal generic account to BeyondTrust Vault.

Rotate

Select one or more discovered (non-generic) accounts, click Rotate, and then click Start Rotation.

ℹ️

  • Service accounts running in a failover cluster environment cannot be rotated. The error "Failover Cluster detected. Unable to change the run-as password for the service <service_name>" appears when a rotation attempt is made and Rotation Failed is indicated in the Status column for the service.
  • Services using a Microsoft Graph account as the Run As account cannot be rotated.
  • Services that have dependent services cannot be rotated, due to the risk of services within the service chain not restarting successfully.

For more information, see Rotate credentials.

Search shared accounts

Search for a specific shared account or a group of accounts based on Name, Endpoint Name, and Description.

Check out and check in a shared account

Click Check Out to view and use a shared credential. When selected, the Account Password prompt appears, displaying the credential for 60 seconds to allow you to copy the password. Once the prompt is closed, the Check In option becomes available. When finished using the account, click Check In to check the password back into the system.

Ellipsis menu for shared accounts

Click the ellipsis (...) to view more actions, such as Rotate Password, Edit, and Delete. When Rotate Password is selected, the system automatically rotates or changes the password. When Edit is selected, you can modify the account's information. The Delete option removes the account from the Accounts list.

ℹ️

  • Service accounts running in a failover cluster environment cannot be rotated. The error "Failover Cluster detected. Unable to change the run-as password for the service <service_name>" appears when a rotation attempt is made and Rotation Failed is indicated in the Status column for the service.
  • Services using a Microsoft Graph account as the Run As account cannot be rotated.
  • Services that have dependent services cannot be rotated, due to the risk of services within the service chain not restarting successfully.

Search personal accounts

Search for a specific personal account or a group of accounts based on Name and Description.

View password for personal account

Click View Password to view and use a personal credential. When selected, the Account Password prompt appears, displaying the credential for 60 seconds to allow you to copy the password.

Edit personal account

Click Edit Account to modify the account's information, specifically Name, Description, Username, and Password.

