Vault accounts
Credential accounts are added, edited, and managed on the Vault > Accounts page. Adding accounts enables users with the correct roles to access the account credentials for injections and rotations.
Note
Vault can import, rotate, and manage up to 60,000 accounts.
Add generic credentials and SSH keys
Outside of the discovery process, you can manually add individual credential accounts to BeyondTrust Vault. You can add shared generic accounts and personal generic accounts. Shared generic accounts can be used by all users who have been assigned to the account with the Inject or the Inject and Check Out Vault account role. Personal generic accounts can be used only by the account owner (the user who created the account). To add generic accounts, follow the steps on the next page.
Add a shared generic account
- From the /login interface, go to Vault > Accounts.
- Click Add.
- Select Shared Generic Account.
- Provide a Name for the account.
- Provide a useful Description for the account.
- Select the type of authentication the account uses. Each selection has different requirements:
- Username and Password
- Enter the username.
- Enter and confirm the password.
- Select a specific policy for the account or leave Account Policy set to the default value of Inherit Policy Settings, in which case the account inherits the policy settings of the account group. If no account group is selected for the account, the account inherits the policy settings set for the global default account policy on the Vault > Options page.
 
- Single Token
- Enter and confirm the value. Use this account type to store a secret such as an API Key that does not have an associated username or ID.
- Select a specific policy for the account or leave Account Policy set to the default value of Inherit Policy Settings, in which case the account inherits the policy settings of the account group. If no account group is selected for the account, the account inherits the policy settings set for the global default account policy on the Vault > Options page.
 
- Private Key
- Enter the username.
- Enter the SSH private key. Only keys in OpenSSH formats are valid.
- Enter the SSH Key Passphrase.
 
- SSH Private Key with Certificate
- Enter the username.
- Enter the SSH private key. Only keys in OpenSSH formats are valid.
- Enter the SSH Key Passphrase.
- Enter the certificate. Only public certificates in OpenSSH formats are valid.
- A public key is generated after the account is saved, and can be viewed and copied by editing the account.
 
- SSH Certificate Authority
- Enter the username.
- Select if the private key is generated by Secure Remote Access or you will upload your own key.
- If uploading your own key, enter the key and passphrase. The private key cannot be modified or retrieved. Only keys in OpenSSH formats are valid.
 
 
- Username and Password
Note
After creating and saving the account, select the Edit action and copy the public key. It starts with cert-authority. Add this public key to the endpoint's SSH configuration as a trusted CA or in an account's known_hosts file, so that the endpoint trusts certificates signed by the CA.
- Select an Account Group from the list to add this account to a group. If no account group is selected, the account is automatically added to the Default Group.
Note
Adding a credential account to an account group allows all users who have been assigned to that group to use this credential. If an account group is not selected, you must add account users individually to this new credential and assign their role.
- If you are not adding this new credential account to an account group, add users and their Vault role individually in the Account Users section. Users can be assigned one of two roles:
- Inject: (default value) Users with this role can use this account in Secure Remote Access sessions.
- Inject and Checkout: Users with this role can use this account in Secure Remote Access sessions and can check out the account on /login. The Checkout permission has no affect on generic SSH accounts.
 
Note
The Vault Account Role is visible in the list of users added to the Vault Account.
Important
Vault Account Role Precedence: Vault Account Roles can be assigned to both users and group policies. This means the same user can have different roles for a single Vault account. One role can be assigned by the user's group policies, while a different role can be assigned by the user's explicit access to the Vault Account. In such cases, the system uses the most-specific role for that user. Therefore, the system will let the role assigned on the Edit Vault Account page override the role assigned on the user's group policy. When the role is overridden in such a way, the word overridden appears on the Edit Vault Account page for the user's group policy membership. This behavior is consistent with the order of precedence for Jump Item Roles. User accounts with the Allowed to Administer Vault permission are implicitly allowed to access every Vault account.
- Select the type of Jump Item Associations for the account. The Jump Item Associations setting determines which Jump Items the account is associated with, so the account is available only for relevant target machines in the console during credential injection attempts. Select one of the following associations methods:
- Inherited from the Account Group: Associations for this account are determined by the associations defined in this account's Account Group.
- Any Jump Items: This account can be injected within any session started from a Jump Item in which the account is applicable.
- No Jump Items: This account cannot be injected into any session started from a Jump Item.
- Jump Items Matching Criteria: This account can be injected only within sessions started from Jump Items that match the criteria you define, in which the account is applicable.
- You can define a direct association between Vault accounts and specific Jump Items by selecting the Jump Items from the list, and then clicking Add Jump Item.
- You can further define the association between Vault accounts and Jump Items by specifying matching criteria based on the following Jump Item attributes. If configured, the account is available for injection for any Jump Items that match the specified attribute criteria in addition to any specific Jump Items you added as matching criteria.
- Shared Jump Groups: Select a Jump Group from the list.
- Name: This filter is matched against the value that appears in the Name column of the Jump Item in the console.
- Hostname / IP: This filter is matched against the value that appears in the Hostname / IP column of the Jump Item in the console.
- Tag: This filter is matched against the value that appears in the Tag column of the Jump Item in the console.
- Comments: This filter is matched against the value that appears in the Comments column of the Jump Item in the console.
 
Note
Click the i icon for each option and attribute to view more specific information about it.
Note
Local accounts are available for injection within the endpoints on which they were discovered.
- Click Save at the top of the page to save the new shared credential account.
Add a personal generic account
Personal generic accounts may be used only by the account owner (the user who created the account).
- From the /login interface, go to Vault > Accounts.
- Click Add.
- Select Personal Generic Account.
- Provide a Name for the account.
- Provide a useful Description for the account.
- Select the type of authentication for the account. Each selection has different requirements:
- Username and Password
- Enter the username.
- Enter and confirm the password.
- Select a specific policy for the account or leave Account Policy set to the default value of Inherit Policy Settings, in which case the account inherits the policy settings of the account group. If no account group is selected for the account, the account inherits the policy settings set for the global default account policy on the Vault > Options page.
 
- Single Token
- Enter and confirm the value. Use this account type to store a secret such as an API Key that does not have an associated username or ID.
 
- Private Key
- Enter the username.
- Enter the SSH private key. Only keys in OpenSSH formats are valid.
- Enter the SSH Key Passphrase.
 
- SSH Private Key with Certificate
- Enter the username.
- Enter the SSH private key. Only keys in OpenSSH formats are valid.
- Enter the SSH Key Passphrase.
- Enter the certificate. Only public certificates in OpenSSH formats are valid.
- A public key is generated after the account is saved, and can be viewed and copied by editing the account.
 
 
- Username and Password
- Click Save at the top of the page to save the new personal credential account.
Note
After creating and saving the account, select the Edit action and copy the public key. It starts with cert-authority. Add this public key to the endpoint's SSH configuration as a trusted CA or in an account's known_hosts file, so that the endpoint trusts certificates signed by the CA.
Vault administrators can view personal accounts but cannot edit them, inject them, or view their passwords. Only the user who created the personal account can modify, inject, or view the account's password.
Users can create up to 50 Vault personal accounts.
Edit or delete a Vault account
- From the /login interface, go to Vault > Accounts.
- For shared accounts:
- From the Shared tab, locate the account you wish to edit or delete.
- Click the ellipsis button for the account.
- To edit:
- Select Edit, modify options as necessary, and then click Save.
 
- To delete:
- Select Delete and click Yes to confirm.
 
 
- For personal accounts:
- From the Personal tab, locate the account you wish to edit or delete.
- To edit:
- Click Edit Account (pencil icon) for the account.
- Modify options as necessary, and then click Save.
 
- To delete:
- Click Delete Account (trash can icon) for the account.
- Click Yes to confirm.
 
 
View or copy an SSH public key
When creating the account, enter the SSH private key and passphrase. It is validated when the account is saved. The account cannot save if the key is invalid, not in an accepted format, or cannot be decrypted with the provided passphrase.
After saving the account, edit the account to view details for the public key, and copy the public key. The public key details can also be queried with an API.
View the status of a Vault account
On the Vault > Accounts page, a Status column displays when at least one of the accounts has a warning, error, or checked-out status to indicate. Accounts managed by Entra ID are identified in the Status column, as well as an alert if there is no service principal for the account. Accounts used to run a Windows service are indicated as Service Account in the Status column. Multiple statuses for an account are stacked and displayed in different colors. You can mouse-over a specific status to view more details about it.
Note
Click the Select visible columns button above the grid to customize the columns displayed in the grid.
Note
The Status column is auto-hidden when none of the accounts have a status set.
Note
For more information, see:
Updated 9 months ago
