Account policies
What are account policies?
Vault account policies define settings related to password rotation, credential checkout, and other account management rules for Vault accounts. These policies can be applied to multiple accounts simultaneously, simplifying the management of account security settings.
Multiple account policies that apply to a single Vault account are applied in the following order, from top to bottom:
- The account policy associated with the Vault account
- The account policy associated with the Vault's account group
- The global default account policy settings
If multiple account policies define a setting, then the value from the first applied policy is used.
How are account policies useful to my organization?
Vault account policies ensure consistent application of security settings across multiple accounts, reducing administrative effort and ensuring compliance with organizational security requirements. By applying policies in a defined order, organizations can prioritize specific settings for individual accounts or groups, while still retaining a global default for broader governance. This hierarchical approach provides flexibility in managing account security.
How do I access the Account Policies page?
- Use a Chromium-based browser to sign in to your Privileged Remote Access URL.
 This URL is provided in the BeyondTrust welcome email and includes your site URL followed by /login.
- From the left menu, click Vault.
 The Accounts page opens and displays by default.
- At the top of the page, click Account Policies.
 The Account Policies page displays.
Account policies
Add, view, and manage account policies.
Add account policy
Click Add to add an account policy.
Copy account policy
Click Copy to copy an existing account policy.
Edit account policy
Click Edit to modify an existing account policy.
Add account policy
Add a new account policy.
Display name
Enter a name for the account policy.
Code name
Set a code name for integration purposes. If you do not set a code name, Privileged Remote Access creates one automatically.
Description
Enter a brief and memorable description of the account policy.
Permissions
Automatic password management
Scheduled password rotation rules
- Select Allow to schedule passwords for Vault accounts to automatically rotate when the password reaches a specified maximum age.
- Select Deny to disable scheduled password rotation for Vault accounts.
Maximum password age
If scheduled password rotation is enabled, specify the maximum number of days a password can be in place for Vault accounts before it is automatically rotated.
Account settings
Automatically rotate credentials after check in rules
- Select Allow to automatically rotate passwords after a credential is checked in.
- Select Deny to disable the automatic rotation of passwords after a credential is checked in.
Allow simultaneous checkout rules
- Select Allow to enable the ability for Vault credentials to be checked out simultaneously.
- Select Deny to disable the ability for Vault credentials to be checked out simultaneously.
Note
If a setting in an account policy is not defined, it inherits the settings from the global default account policy, configured from the Vault > Options page in /login.
Updated 9 months ago
