Vault
What is Vault?
BeyondTrust Vault for Secure Remote Access is a secure storage solution that allows organizations to safely store and manage sensitive information, such as credentials and passwords, to ensure they are accessible only to authorized users.
It also mitigates the risk of shared privileged account credentials by enabling secure credential management, including credential discovery, masking, injection, and rotation.
How is Vault useful to my organization?
Vault helps improve security and compliance by providing a centralized location for managing sensitive data, ensuring that credentials are protected, and reducing the risk of unauthorized access during remote support sessions.
BeyondTrust Vault fits seamlessly into your service desk workflow by integrating directly with the Secure Remote Access solution, allowing administrator accounts to access systems without exiting BeyondTrust. With just one click in the Secure Remote Access console, users can select the correct credential and log directly into a remote system, keeping your privileged accounts more secure.
Note
Vault can import, rotate, and manage up to 60,000 accounts.
How do I access the Vault page?
- Sign into app.beyondtrust.io.
  The BeyondTrust Home page displays.
- From the main menu, click Privileged Remote Access > Vault.
  The Vault page opens and the Accounts tab displays by default.
View Vault account details
Shared account
The information for shared accounts includes the following fields:
Field name | Description |
---|---|
Type | The type of account, specifically, whether it is a domain or a local account, or a generic password account. |
Name | The name of the account. |
Username | The username associated with the account. |
Group | The name of the account group to which the account belongs. |
Endpoint | The endpoint with which the account is associated. |
Account Policy | The account policy the Vault account is using. |
Description | A brief description about the account. |
Last Checkout | The last time the account was checked out. |
Password Age | The age of the password displayed in minutes, hours, days, or months. |
Status | This column displays when at least one of the accounts has a warning, error, or checked-out status. Accounts managed by Entra ID are identified in the Status column, and an alert is shown if there is no service principal for the account. Accounts used to run a Windows service are indicated as Service Account in the Status column. Multiple statuses for an account are stacked and displayed in different colors. You can mouse over a specific status to view more details about it. |
Note
The Status column is auto-hidden when none of the accounts have a status currently set.
You can filter the list of shared accounts displayed using the filters for Group and Password Age. Click the Select visible columns button above the grid to customize the columns displayed in the grid.
Based on this information, you can perform various actions, including credential check out, check in, and credential rotation.
Personal account
The information for personal accounts includes the following fields:
Field name | Description |
---|---|
Type | The type of account, specifically, whether it is a domain or a local account, or a generic password account. |
Name | The name of the account. |
Owner | The name of the person who created and owns the account. |
Description | A brief description about the account. |
Password Age | The age of the password displayed in minutes, hours, days, or months. |
Note
You can filter the list of personal accounts displayed by Owner and Password Age.
Add account
To add a shared or personal generic account to BeyondTrust Vault, see the Add a shared generic account and Add a personal generic account sections in Shared generic account.
Rotate
To rotate one or more discovered (non-generic) accounts, see Rotate credentials.
Note
- Service accounts running in a failover cluster environment cannot be rotated. The error "Failover Cluster detected. Unable to change the Run as password for the service <service_name>" is displayed when a rotation attempt is made and Rotation Failed is indicated in the Status column for the service.
- Services using a Microsoft Graph account as the Run as account cannot be rotated.
- Services that have dependent services cannot be rotated, due to the risk of services within the service chain not restarting successfully.
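A pre-flight inventory for the restrictions in the note above, as an added example that is not BeyondTrust code: it lists Windows services that run under a named account and flags the failover cluster and dependent-service conditions. Using a running ClusSvc service as the cluster indicator and the function name Get-RotationBlocker are assumptions made for this example; the Microsoft Graph restriction is not checked, and how Vault itself detects these conditions is not described on this page.

```powershell
# Added example: run locally on a Windows endpoint before scheduling rotation.
# Get-RotationBlocker is a hypothetical helper name, not a BeyondTrust cmdlet.
function Get-RotationBlocker {
    [CmdletBinding()]
    param()

    # Assumption: Failover Clustering installs the Cluster Service (ClusSvc);
    # a running ClusSvc is treated here as "this host is a cluster node".
    $clusSvc = Get-Service -Name 'ClusSvc' -ErrorAction SilentlyContinue
    $isClustered = [bool]($clusSvc -and $clusSvc.Status -eq 'Running')

    # Built-in and virtual identities have no stored password to rotate, so skip them.
    $builtIn = '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)'

    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -and $_.StartName -notmatch $builtIn } |
        ForEach-Object {
            # DependentServices lists the services that depend on this one.
            $svc = Get-Service -Name $_.Name -ErrorAction SilentlyContinue
            $dependents = @($svc.DependentServices | ForEach-Object { $_.Name })

            $reasons = @()
            if ($isClustered) { $reasons += 'failover cluster' }
            if ($dependents.Count -gt 0) { $reasons += 'has dependent services' }

            [pscustomobject]@{
                Service    = $_.Name
                RunAs      = $_.StartName
                Dependents = $dependents -join ', '
                Blockers   = $reasons -join '; '   # empty means neither condition was found
            }
        }
}

Get-RotationBlocker | Sort-Object RunAs | Format-Table -AutoSize
```

Rows with a non-empty Blockers column are the services to expect a Rotation Failed status for, so their credentials need a separate rotation plan.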
Search shared accounts
From the Search Shared Accounts field, you can search for a specific shared account or a group of accounts based on Name, Endpoint Name, and Description.
Check out and check in a shared account
To view and use a shared credential, click Check Out. The Account Password prompt appears, displaying the credential for 60 seconds to allow you to copy the password. Once the prompt is closed, the Check In option becomes available. When finished using the account, click Check In to check the password back into the system.
Ellipsis menu for shared accounts
Click the ellipsis (...) to view more actions, such as Rotate Password, Edit, and Delete. When Rotate Password is selected, the system automatically rotates or changes the password. When Edit is selected, you can modify the account's information. The Delete option removes the account from the Accounts list.
Note
- Service accounts running in a failover cluster environment cannot be rotated. The error "Failover Cluster detected. Unable to change the run-as password for the service <service_name>" appears when a rotation attempt is made and Rotation Failed is indicated in the Status column for the service.
- Services using a Microsoft Graph account as the Run As account cannot be rotated.
- Services that have dependent services cannot be rotated, due to the risk of services within the service chain not restarting successfully.
Search personal accounts
From the Search Personal Accounts box, you can search for a specific personal account or a group of accounts based on Name and Description.
View password for personal account
To view and use a personal credential, click View Password. When selected, the Account Password prompt appears, displaying the credential for 60 seconds to allow you to copy the password.
Edit a personal account
To modify the account's information, specifically Name, Description, Username, and Password, click the pencil (Edit Account).
Delete a personal account
To delete a personal account, click the trash can, and then click Yes.