Options
What are options in Vault?
Options in Vault allow administrators to configure and customize settings related to how Vault operates, including security, access controls, and management preferences for storing and handling credentials.
How are options useful in Vault?
Options provide flexibility for administrators to tailor Vault's behavior to meet specific organizational needs. Configuring options ensures that Vault aligns with internal security policies, compliance requirements, and user access needs, making credential management more efficient and secure.
How do I access the Options page?
- Sign into app.beyondtrust.io.
The BeyondTrust Home page displays. - From the main menu, click Privileged Remote Access > Vault.
The Vault page opens and the Accounts tab displays by default. - Click the Options tab.
The Options tab displays.
The Options page
- Left menu: Easy access to all pages in Privilege Remote Access, including Home, Status, Consoles & Downloads, My Account, Configuration, Jump, Vault, Console Settings, Users & Security, Reports, Management, and Appliance pages.
- Status: Takes you to the Status page.
- Header: Change tenant site and obtain user profile setting information.
- Reset or Save: Lets you save or reset your global settings.
- Global options: Configure settings for the global account policy.
- Password rotation: Configure settings for password length and rotation.
Global options
The global default account policy must define an option for each setting. If an account does not have a setting defined using a specific policy, it inherits the policy from the account group. If the account group does not have a setting defined using a specific policy, it inherits the policy from the global default account policy.
There are three settings that affect the global account policy, they are the following:
Automatic password management
Scheduled password rotation rules
- When this option is set to Allow, if the account policy is connected with an account or account group, the credentials rotate after the set maximum password age.
- Maximum password age
If scheduled password rotation is enabled, specify the maximum number of days a password can be in place for Vault accounts before it is automatically rotated.
- Maximum password age
- When this option is set to Deny if the account policy is connected with an account or account group, the credentials do not rotate after the set maximum password age.
Account settings
Automatically rotate credentials after check in rules
- When this option is set to Allow, if the account policy is connected with an account or account group, the credentials auto rotates when account is checked in.
- When this option is set to Deny, if the account policy is connected with an account or account group, the credentials do not auto rotate when account is checked in.
Allow simultaneous checkout rules
- When this option is set to Allow, if the account policy is connected with an account or account group, the credentials can be simultaneously checked out by multiple users.
- When this option is set to Deny, if the account policy is connected with an account or account group, the credentials cannot be simultaneously checked out by multiple users.
Generated passwords for account rotation
Defines the length of passwords generated during account rotation for domain and local accounts. The minimum length is 20 characters and a maximum length is 256 characters.
Note
Password lengths do not apply to SSH and personal accounts.
Password length
Sets the minimum and maximum number of characters allowed for the password generated during manual, automatic, and scheduled password rotation for accounts that are rotated through Windows API (non-Entra ID accounts).
Password length of AADDS accounts
Sets the minimum and maximum number of characters allowed for the password generated during password rotation of Entra ID Domain Services accounts through MS Graph API.
Updated 17 days ago
