Account Groups
What are account groups?
Vault account groups are collections of user accounts within the Vault system, organized based on access permissions or roles. These groups are used to streamline the management of shared Vault accounts, enabling Vault administrators to efficiently grant users access to multiple shared accounts. Account groups can also associate a group of shared Vault accounts with a specific group policy. Note that shared Vault accounts can only belong to one group at a time, and personal Vault accounts cannot be added to an account group.
How are account groups useful to my organization?
Account groups help simplify credential management by allowing administrators to assign access to multiple shared Vault accounts at once, ensuring efficient and controlled access for users. These groups also provide an effective way to apply policies to a collection of shared accounts, enhancing security and compliance while reducing administrative overhead.
Note
A shared Vault account can belong to only one group at a time and personal Vault accounts cannot be added to an account group.
How do I access the Account Groups page?
- Use a Chromium-based browser to sign in to your Remote Support URL.
  This URL is provided in the BeyondTrust welcome email and includes your site URL followed by /login.
- From the left menu, click Vault.
  The Accounts page opens and displays by default.
- At the top of the page, click Account Groups.
  The Account Groups page displays.
Account groups
Add, view, and manage account groups.
Add account group
Click Add to add an account group, add Vault accounts to the group, and grant users access to the group of shared Vault accounts.
Search account groups
Search for a specific account group based on Name or Description.
Add account group
The Add Account Group option allows you to add account groups for the purpose of granting users access to multiple Vault accounts at once.
Name
Enter a name for the account group.
Description
Enter a brief and memorable description of the account group.
Account policy
Select a specific policy for the account group or leave Account Policy set to the default value of Inherit Policy Settings, in which case the accounts in this account group inherit the policy settings set for the global default account policy on the Vault > Options page.
Group policies
If the account group was added to any group policies, they are listed here, along with their Vault account roles.
Accounts
Source account group
Filter the list of accounts available to add to the group by selecting a group from the Source Account Group list.
Search selected account group
Filter the list of accounts available to add to the group by searching for an account group. You can search by Name, Endpoint, and Description.
Accounts in group "Default Group"
List of Vault accounts available to add to the account group.
Add
Select accounts from the list of available groups, and then click Add to add them to the Accounts in This Group list.
Remove
Select accounts from the list of Accounts in This Group, and then click Remove to remove them from the account group.
Search this account group
Filter the list of Accounts in This Group by searching for an account group by Name, Endpoint, and Description.
Accounts in this group
List of Vault accounts that exist in this account group.
Allowed users
New user name
Select users who are allowed to access this account.
New member role
Select the Vault account role for the new user, and then click Add. Users can be assigned one of two roles:
- Inject (default value): Users with this role can use this account in Remote Support sessions.
- Inject and Checkout: Users with this role can use this account in Remote Support sessions and can check out the account on /login. The Checkout permission has no effect on generic SSH accounts.
Note
The Vault Account Role is visible in the list of users added to the Vault account.
Jump Item associations
Select the type of Jump Item Associations for the account group. The Jump Item Associations setting determines which Jump Items the accounts in this account group are associated with, so that only the accounts relevant to the target machine are available in the console during credential injection attempts. Select one of the following association methods:
- Any Jump Items: Accounts in this group can be injected into any Jump Item session in which the accounts are applicable.
- No Jump Items: Accounts in this group cannot be injected into any Jump Item session.
- Jump Items Matching Criteria: Accounts in this group can be injected only into Jump Item sessions that match the criteria you define, in which the accounts are applicable.
  - You can define a direct association between applicable accounts in this account group and specific Jump Items by selecting the Jump Items from the list, and then clicking Add Jump Item.
  - You can further define the association between applicable accounts in this account group and Jump Items by specifying matching criteria based on the following Jump Item attributes. If configured, accounts in this account group are available for injection for any Jump Items that match the specified attribute criteria in addition to any specific Jump Items you added as matching criteria.
    - Shared Jump Groups: Select a Jump Group from the list.
    - Name: This filter is matched against the value that appears in the Name column of the Jump Item in the console.
    - Hostname / IP: This filter is matched against the value that appears in the Hostname / IP column of the Jump Item in the console.
    - Tag: This filter is matched against the value that appears in the Tag column of the Jump Item in the console.
    - Comments: This filter is matched against the value that appears in the Comments column of the Jump Item in the console.
Note
Click the i icon for each option and attribute to view more specific information about it.
Note
Local accounts are available for injection within the endpoints on which they were discovered.
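The three Jump Item association modes described above can be modelled to review how wide a group's injection scope is before saving it. This is an added example, not BeyondTrust code: the class and field names, the sample Jump Items, and the attribute-matching rule (all configured attributes must match, text filters as case-insensitive substrings) are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class JumpItem:
    name: str
    hostname: str
    jump_group: str
    tag: str = ""
    comments: str = ""

@dataclass
class AccountGroup:
    name: str
    association: str                                # "any", "none" or "criteria"
    direct_items: set = field(default_factory=set)  # Jump Items added one by one
    criteria: dict = field(default_factory=dict)    # attribute -> filter value

def matches_criteria(group, item):
    # Assumed rule: all configured attributes must match; the Jump Group is
    # compared exactly, other filters as case-insensitive substrings.
    def hit(attr, wanted):
        value = getattr(item, attr)
        if attr == "jump_group":
            return value == wanted
        return wanted.lower() in value.lower()
    return bool(group.criteria) and all(hit(a, w) for a, w in group.criteria.items())

def injectable(group, item):
    # Applicability of an account to the endpoint is not modelled here.
    if group.association in ("any", "none"):
        return group.association == "any"
    if group.association != "criteria":
        raise ValueError(f"unknown association: {group.association}")
    # Directly added Jump Items and attribute matches are combined.
    return item.name in group.direct_items or matches_criteria(group, item)

def injection_scope(group, items):
    return sorted(i.name for i in items if injectable(group, i))

ITEMS = [  # constructed sample Jump Items
    JumpItem("db-prod-01", "10.0.5.11", "Databases", tag="prod"),
    JumpItem("db-test-01", "10.0.9.11", "Databases", tag="test"),
    JumpItem("web-prod-01", "10.0.5.21", "Web", tag="prod"),
]
DBA = AccountGroup("DBA accounts", "criteria", {"web-prod-01"},
                   {"jump_group": "Databases", "tag": "prod"})
```

Calling `injection_scope(DBA, ITEMS)` lists the Jump Items the group's accounts would be offered for; comparing that list against the same group set to "any" shows how much the criteria narrow the scope.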