Discovery | RS On-prem

What is discovery in Vault?

Discovery in Vault refers to the process of scanning and importing privileged credentials from external sources, such as Active Directory or local accounts, into BeyondTrust Vault. This process can be done manually or through the built-in discovery tool.

How is discovery useful in Vault?

Discovery simplifies credential management by automatically finding and importing privileged credentials into Vault. This ensures that credentials are securely stored and centrally managed, enhancing security and reducing the risk of manual errors in credential handling.

How do I access the Discovery page?

  1. Use a Chromium-based browser to sign in to your Remote Support URL.
    This URL is provided in the BeyondTrust welcome email and includes your site URL followed by /login.
  2. From the left menu, click Vault.
    The Accounts page opens and displays by default.
  3. At the top of the page, click Discovery.
    The Discovery page displays.

Discovery: Windows domain

With the BeyondTrust Vault add-on, you can discover Active Directory accounts, local accounts, Windows service accounts, and endpoints. Jumpoints are used to scan endpoints and discover the accounts associated with those endpoints.

Click New Discovery Job to initiate a discovery. The options are:

  • Windows Domain: Discover endpoints, domain accounts, and local accounts accessible from a Jumpoint on a Windows domain.
  • Local Windows Accounts on Jump Clients: Discover local Windows accounts on machines where an active, service mode Jump Client is currently online.
  • AWS Secrets
  • Password Safe

ℹ️

The AWS Secrets and Password Safe options are only available in version 25.2 and above. For more information on how to configure AWS Secrets or Password Safe, see Discovery of AWS Secrets or Discovery of Password Safe.

The Local Windows Accounts on Jump Clients option only displays if you have the Jump Clients permission located in Users & Security > Users > Representative Permissions > Jump Technology. If you have any issues, contact your site administrator.

Click Continue to start the discovery process.

If you selected Windows Domain, follow the steps in the Add domain section. If you selected Local Windows Accounts on Jump Clients, follow the steps in the Discovery: Jump Client search criteria section.

ℹ️

For more information on Jumpoints, please see the Jumpoint guide.

Add domain

DNS name of the domain

Enter the DNS name for your environment.

Jumpoint

Choose an existing Jumpoint located within the environment you wish to discover accounts.

Management account

Select the management account used to run the discovery job. Either use a new account, which requires a Username, Password, and Password Confirmation, or use an existing account that was discovered by a previous job or added manually in the Accounts section.

Username

Enter a valid username to use for discovery (username@domain).

Password

Enter a valid password to use for discovery.

Confirm password

Re-enter the password to confirm.

ℹ️

You can define which parts of a domain a Discovery/Import job runs against. Once you have completed the required fields for a discovery job, you can refine the search by specifying which OUs to target or by entering LDAP queries.

Discovery scope

Select the objects you wish Vault to discover:

  • Domain Accounts
  • Endpoints
  • Local Accounts
  • Services

You can enter a Search Path, or leave it blank to search all OUs and containers. You can also use an LDAP Query to narrow the scope of user accounts and endpoints searched.

Discovery: Jump Client search criteria

Enter one or more search criteria to find active Jump Clients you'd like to use to discover local Windows accounts. All text field searches are partial and case-insensitive. Jump Clients that match all the search criteria will be displayed on the next page for you to select before discovery begins.

ℹ️

The following types of Jump Clients cannot be used for local account discovery and are not included in the search results:

  • Jump Clients that are currently offline or disabled
  • Jump Clients that are not running as an elevated service
  • Jump Clients that are installed on a domain controller

Jump Groups

Administrators can search for Jump Clients by Jump Group and by Jump Client attributes. If the user is not a member of any Jump Group, the Jump Groups selection is grayed out and a tooltip or note indicates that the user must be a member of at least one Jump Group to proceed with Jump Client discovery. This mirrors domain discovery, where a user who is not a member of a Jumpoint cannot discover, and a user who is not a member of a Jump Group cannot import an endpoint.

You can search All of Your Shared Jump Groups or Specific Jump Groups. When searching specific groups, you can select one or more shared Jump Groups. Private Jump Groups are not supported.

Jump Client attributes

One or more Jump Client attributes can be entered. If more than one search criterion is entered, only Jump Clients matching all criteria are used for discovery.

The following attributes can be used as search criteria:

  • Name: The Jump Client's name as it appears in the Name column in the Representative Console.
  • Hostname: The Jump Client's hostname as it appears in the Hostname/IP column of the Representative Console.
  • FQDN: The Jump Client's fully qualified domain name, as it appears under the FQDN label of the Jump Client details pane in the Representative Console.
  • Tag: The Jump Client's tag as it appears in the Tag column of the Representative Console.
  • Public/Private IP: The Jump Client's public and private IP addresses, as they appear under the Public IP label of the Jump Client details pane in the Representative Console. Jump Clients whose IP address starts with the given search value will match.

Click Continue to initiate the discovery.
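The selection rules above (only online, enabled, elevated service-mode Jump Clients that are not on a domain controller; partial, case-insensitive text matching; prefix matching on IP addresses; every criterion must match) decide which endpoints a local-account discovery can reach. The following is an added example, not BeyondTrust code: it applies those rules to a constructed inventory so you can predict the selection list and see why a given Jump Client is missing from it. The record fields and sample hosts are assumptions.

```python
"""Show which Jump Clients a 'Local Windows Accounts on Jump Clients' search would
offer for discovery.  Added example, not BeyondTrust code: it applies the rules on
this page (eligible Jump Clients only, partial case-insensitive text matching, IP
prefix matching, every criterion must match) to a constructed inventory.  The
record fields and sample hosts are assumptions."""
from dataclasses import dataclass


@dataclass
class JumpClient:
    name: str
    hostname: str
    fqdn: str
    tag: str
    public_ip: str
    private_ip: str
    jump_group: str
    online: bool = True
    disabled: bool = False
    elevated_service: bool = True    # installed in service mode with elevated rights
    domain_controller: bool = False
    private_group: bool = False      # the Jump Group is private rather than shared


# Constructed inventory, not real hosts.
INVENTORY = [
    JumpClient("FIN-WS-001", "fin-ws-001", "fin-ws-001.corp.example", "finance",
               "203.0.113.10", "10.1.5.20", "Finance"),
    JumpClient("FIN-WS-002", "fin-ws-002", "fin-ws-002.corp.example", "finance",
               "203.0.113.11", "10.1.5.21", "Finance", online=False),
    JumpClient("HR-LAPTOP-7", "hr-laptop-7", "hr-laptop-7.corp.example", "hr",
               "203.0.113.12", "10.1.9.7", "HR"),
    JumpClient("DC01", "dc01", "dc01.corp.example", "finance",
               "203.0.113.13", "10.1.0.5", "Finance", domain_controller=True),
    JumpClient("FIN-KIOSK", "fin-kiosk", "fin-kiosk.corp.example", "finance",
               "203.0.113.14", "10.1.5.30", "Finance", elevated_service=False),
    JumpClient("FIN-DEV", "fin-dev", "fin-dev.corp.example", "finance",
               "203.0.113.15", "10.1.5.40", "Alice's private", private_group=True),
]

TEXT_FIELDS = ("name", "hostname", "fqdn", "tag")


def exclusion_reason(jc):
    """Why a Jump Client is left out of the results, or None if it can be used."""
    if not jc.online:
        return "offline"
    if jc.disabled:
        return "disabled"
    if not jc.elevated_service:
        return "not running as an elevated service"
    if jc.domain_controller:
        return "installed on a domain controller"
    if jc.private_group:
        return "in a private Jump Group"
    return None


def criterion_matches(jc, attribute, needle):
    if attribute == "ip":                # Public/Private IP: prefix match on either address
        return jc.public_ip.startswith(needle) or jc.private_ip.startswith(needle)
    if attribute in TEXT_FIELDS:         # partial and case-insensitive
        return needle.lower() in getattr(jc, attribute).lower()
    raise ValueError(f"unknown search attribute: {attribute}")


def search_jump_clients(inventory, jump_groups=None, **criteria):
    """Names of the Jump Clients that would be listed for selection.  jump_groups=None
    searches all of the user's shared Jump Groups; a set limits it to those groups.
    Criteria are keyword arguments: name=, hostname=, fqdn=, tag=, ip=."""
    if not criteria:
        raise ValueError("enter at least one search criterion")
    hits = []
    for jc in inventory:
        if exclusion_reason(jc) is not None:
            continue
        if jump_groups is not None and jc.jump_group not in jump_groups:
            continue
        if all(criterion_matches(jc, attr, value) for attr, value in criteria.items()):
            hits.append(jc.name)
    return hits


if __name__ == "__main__":
    print(search_jump_clients(INVENTORY, tag="FIN"))      # only FIN-WS-001 survives the exclusions
    print(search_jump_clients(INVENTORY, ip="10.1."))     # prefix match on the private addresses
    for jc in INVENTORY:
        if exclusion_reason(jc):
            print(f"{jc.name}: {exclusion_reason(jc)}")
```

Running the sample shows the point that trips people up in practice: four of the six "finance" machines match the text criterion, but only one is eligible, and the domain controller is excluded even though it is online and elevated. The `exclusion_reason` helper is the check to run when a Jump Client you expect to see is absent from the selection page.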

Discovery: Select Jump Clients

This screen displays the Jump Clients that will be used in discovery. Select one or more and click Start Discovery.

Discovery results

The results display a list of discovered Endpoints and Local Accounts. Select one or more and click Import Selected.

Import discovered items

A list of the selections you made displays.

Account group

Select the account group into which the selected items are imported, then click Start Import. A warning displays indicating that this process cannot be stopped once it has started. Click Yes to proceed, or No to abort.

Importing

A message displays indicating the import was completed successfully. A list of Endpoints and Local Accounts displays.

Accounts

Search shared/personal accounts

If discovery returns a long list of accounts, use the Search field to search accounts by Name, Endpoint, or Description (by Name and Description only for personal accounts).

Toggle between Shared and Personal accounts. Select one or more accounts. Click the ellipsis (...) to Rotate Password, Edit, or Delete the account. You can also click Rotate at the top of the page to rotate the password for the selected accounts.

Discovery jobs

View discovery jobs that are in progress for a specific domain, or review the results of successful and failed discovery jobs.

View results

Click View Results for a discovery job to view the Discovery Results, which includes discovered endpoints, local accounts, domain accounts, and services found in the domain.

You can filter the list of items based on their attributes using the filter box above the grid. For each tab, click the i next to the filter box to see which attributes can be searched.

Select which endpoints, accounts, and services to import and store in your BeyondTrust Vault instance. For each list item you wish to import, check the box beside it and click Import Selected.

Discovery of AWS Secrets

Use discovery to locate AWS Secrets that are in AWS Secrets Manager.

Prerequisites

  • You must install a Jumpoint on an EC2 instance in an AWS environment.
  • You must assign the EC2 instance an IAM role that has the IAMFullAccess and SecretsManagerReadWrite managed policies attached. Both are broad policies, so attach this instance profile only to the Jumpoint instance and not to other workloads.

Initiate an AWS Secrets discovery job

  1. From the main menu, click Remote Support > Vault.
    The Vault page opens and the Accounts tab displays by default.

  2. Click the Discovery tab.
    The Discovery tab displays.

  3. Click New Discovery Job.
    The Discovery: New Job page displays.

  4. Choose one of the following four options:

    • Windows Domain
    • Local Windows Accounts on Jump Clients
    • AWS Secrets
    • Password Safe
  5. Click AWS Secrets.

  6. Click Continue.

  7. For Jumpoint, select the AWS Jumpoint.

    ℹ️

    Discovery with a clustered Jumpoint is supported only when all cluster nodes are EC2 instances in the same organization.

  8. Click Start Discovery.

  9. From the Discovery Results table, select the items you want to import.

  10. Click Import Selected.

  11. For Account Group, specify the group in which the imported secrets reside, or select the Default Group.

  12. Click Start Import.

  13. Click Yes if the dialog box says "This process cannot be stopped after it is started. Are you sure you want to continue?"

  14. Click Done Importing.

  15. From the Vault > Accounts page, click the AWS Secrets tab to display the AWS Secrets table.

Checkout an account

  1. From the main menu, click Remote Support > Vault.
    The Vault page opens and the Accounts tab displays by default.

  2. Click the AWS Secrets tab.

  3. From the AWS Secrets table, select the account you want to check out. The user must have the Inject and Checkout Vault role; otherwise the Checkout button in step 4 does not display.

  4. Click Checkout.

  5. The AWS Secret dialog box displays.
    You can view the secret, copy the secret, or download the secret by clicking the Download Secret button.

  6. After you make your selection, click Close.

The Status field of the AWS Secrets table shows that the item is checked out.

Rotate Secrets

  1. From the main menu, click Remote Support > Vault.
    The Vault page opens and the Accounts tab displays by default.

  2. Click the AWS Secrets tab.

  3. From the AWS Secrets table, select the account you want to rotate.

  4. Click Rotate, or select the horizontal ellipsis in the account's row and select Rotate Secret.
    The Rotate Summary displays.

  5. Click Start Rotation.

The Status field of the AWS Secrets table shows that the item is in rotation.

Once rotation is complete, the Password Age information updates to a timestamp a few seconds old.

ℹ️

Rotation requires a rotation Lambda function to be configured for the secret in AWS Secrets Manager; without one, Start Rotation cannot complete.

Edit Secrets

  1. From the main menu, click Remote Support > Vault.
    The Vault page opens and the Accounts tab displays by default.
  2. Click the AWS Secrets tab.
  3. From the AWS Secrets table, select the account you want to edit.
  4. Click Edit.
  5. Make the necessary changes and click Save.

    ℹ️

    You cannot make changes to the Name field. Changes to imported accounts must be made in the originating system and will be reflected after re-discovery.

Delete Secrets

  1. From the main menu, click Remote Support > Vault.
    The Vault page opens and the Accounts tab displays by default.
  2. Click the AWS Secrets tab.
  3. From the AWS Secrets table, select the account you want to delete.
  4. Click Delete.
  5. A confirmation dialog box displays. Click Yes.

Credential injection of AWS Secrets account

AWS Secrets accounts are available for injection into matching Jump Clients from the representative console. At the time of injection, the Credential Store dialog box displays.

  1. For the Credential Store option, click the dropdown and select the appropriate AWS Secrets account.

  2. Click OK.

  3. To view all the AWS Secrets accounts available for credential injection, click the Vault tab at the top of the screen.

  4. In the Search bar, enter AWS Secret.
    Only AWS Secrets accounts are listed.

  5. Users with the Inject and Checkout role can also select an AWS Secrets account from the list and choose Check In or Check Out as appropriate.

Discovery of Password Safe

You can use Vault to discover and import Managed Accounts and Managed Systems from your Password Safe instance.

ℹ️

  • The new direct integration currently supports Windows credentials and endpoints only. For broader credential and endpoint access managed in Password Safe, continue using the ECM-based integration. We plan to expand direct integration support for additional credential types in future releases.
  • The Vault integration with Password Safe requires commercial CA-signed TLS (SSL) certificates.

Prerequisites

You must configure an API registration in Password Safe. This is used as a connection in Remote Support.

Create connection

Start by creating a connection between the Remote Support site and Password Safe. Most of the information entered in this step comes from Password Safe; ensure you have that information on hand. To do this, follow these steps:

  1. From the main menu, click Remote Support > Vault.
    The Vault page opens and the Accounts tab displays by default.
  2. Click the Connections tab.
    The Password Safe Connections page displays.
  3. Click Add.
  4. For Name, type a unique name to help identify this connection. This is a required field.
  5. For Password Safe Host, type the name of the Password Safe host. This is a required field.
  6. For API Key, copy the information from the Key field in Password Safe for the API registration you created and paste it into the API Key field in Remote Support. This is a required field.
  7. For Impersonating Username, select a valid username from one of the following groups: Password Safe's Administrators, Global Approvers, or Secure Remote Access Requestors. This is a required field.
  8. Impersonating Username Password is determined by the User required password checkbox on the API registration in Password Safe. If the checkbox is not selected, no password is required in this field. If the checkbox is selected, enter the password associated with the username on the Password Safe API registration.
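The four connection fields map directly onto the API-key authentication scheme of Password Safe's public API, and the cheapest way to rule out a bad key, a user outside the permitted groups, or an API registration whose authentication rules do not allow the Remote Support site is to sign in once from the appliance's network position before saving the connection. The following is an added example, not BeyondTrust code: it assembles the `PS-Auth` Authorization header from those fields and, when run from the command line, signs in and straight back out. The host name, key and user shown are placeholders.

```python
"""Check a Password Safe API registration before entering it as a Vault connection.
Added example, not BeyondTrust code.  It assembles the PS-Auth Authorization header
the Password Safe public API expects from the connection fields on this page and,
when run from the command line, signs in and straight back out so the key, the
impersonation user and the password requirement are validated from the calling
host.  Host name, key and user below are placeholders."""
import json
import sys
import urllib.error
import urllib.request

API_BASE = "/BeyondTrust/api/public/v3"


def ps_auth_header(api_key, impersonating_username, password=None):
    """Authorization value for Password Safe's API-key scheme.  pwd=[...] is sent only
    when the registration has 'User required password' set, which is the rule the
    Impersonating Username Password field follows."""
    if not api_key or not impersonating_username:
        raise ValueError("API Key and Impersonating Username are required")
    header = f"PS-Auth key={api_key}; runas={impersonating_username};"
    if password:
        header += f" pwd=[{password}];"
    return header


def sign_in_request(host, api_key, impersonating_username, password=None):
    """Build (without sending) the POST Auth/SignAppin request the connection relies on."""
    return urllib.request.Request(
        f"https://{host}{API_BASE}/Auth/SignAppin", data=b"", method="POST",
        headers={"Authorization": ps_auth_header(api_key, impersonating_username, password)})


def check_connection(host, api_key, impersonating_username, password=None, opener=None):
    """Sign in, then sign out so no impersonated session is left open.  Returns the user
    record Password Safe sends back.  Certificate verification is deliberately left on:
    the integration requires CA-signed certificates, and skipping verification here
    would hide the exact failure this check exists to surface."""
    opener = opener or urllib.request.build_opener(urllib.request.HTTPCookieProcessor())
    with opener.open(sign_in_request(host, api_key, impersonating_username, password), timeout=15) as resp:
        user = json.loads(resp.read().decode() or "{}")
    opener.open(urllib.request.Request(f"https://{host}{API_BASE}/Auth/Signout", data=b"", method="POST"),
                timeout=15).close()
    return user


if __name__ == "__main__":
    if len(sys.argv) < 4:
        sys.exit("usage: check_pws_connection.py <host> <api-key> <runas-user> [password]")
    try:
        print("signed in as:", check_connection(*sys.argv[1:5]))
    except urllib.error.HTTPError as err:
        # 401 usually means the key is wrong, the calling host is not allowed by the API
        # registration's authentication rules, or the user is not in a permitted group.
        sys.exit(f"Password Safe rejected the sign-in: HTTP {err.code}")
```

Run it from a host that shares the Remote Support site's egress address, since Password Safe API registrations restrict callers by source address; a sign-in that works from an administrator's workstation but not from the appliance's address is an authentication-rule problem, not a key problem.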

Initiate a Password Safe discovery job

  1. From the main menu, click Remote Support > Vault.
    The Vault page opens and the Accounts tab displays by default.

  2. Click the Discovery tab.
    The Discovery tab displays.

  3. Click New Discovery Job.
    The Discovery: New Job page displays.

  4. You have the following four options to choose:

    • Windows Domain
    • Local Windows Accounts on Jump Clients
    • AWS Secrets
    • Password Safe
  5. Click Password Safe.

  6. Click Continue.

  7. For the Password Safe Connection, make sure a valid Password Safe connection exists. Select the connection. This is a required field.

  8. Click Continue.
    The Discovery: Password Safe Scope page displays.

  9. Select the checkboxes for the object types to retrieve from Password Safe:

    • Managed Accounts

    • Managed Systems

  10. Click Start Discovery.
    The Discovery Progress page displays.

  11. From the Discovery Results table, select the items you want to import.

    ℹ️

    The Workgroup Name field is new.

  12. Click Import Selected.
    The Import Discovered Items page displays.

  13. For Account Group, choose the account group that the selected Managed Accounts are associated with.

  14. Create one Jump Item per Managed System is available when importing Managed Systems and a Jumpoint is available. Choose the Jump Group and Jumpoint to associate the created RDP Jump Items with. If you do not want to create Jump Items for the imported Managed Systems immediately, select Do not create Jump Item.

  15. Click Start Import.

  16. Click Yes in the following dialog box: "This process cannot be stopped after it is started. Do you want to continue?"

  17. On the Importing page, the results of the Managed Accounts and Managed Systems display.

  18. To view Managed Systems, click the View Endpoints link. This takes you to the Vault > Endpoints page.

  19. To view Managed Accounts, click the View Accounts link. This takes you to the Vault > Accounts page. The Password Safe table with Managed Accounts and Managed Systems displays.

  20. From the Accounts page, you can check out, edit, or delete a Password Safe account from the Password Safe table.

ℹ️

  • The option to rotate credentials does not exist in discovery of a Password Safe account.
  • There are two new fields: System and Workgroup.

Check out a Password Safe account

  1. From the main menu, click Remote Support > Vault.
    The Vault page opens and the Accounts tab displays by default.

  2. Click the Password Safe tab.

  3. From the Password Safe table, locate the account you want to check out. The user must have the Inject and Checkout Vault role; otherwise the Check Out button in step 4 does not display.

  4. Click Check Out.
    The Account Password dialog box displays. When you click Reveal, the password displays in plain text for one minute.

  5. To copy the displayed password, click Copy.

🚧

Important info

Credentials are sourced from Password Safe at time of Check Out and Check In. No passwords are ever stored in the SRA Vault for Password Safe Accounts.

Check out a Directory Linked account

  1. From the main menu, click Remote Support > Vault.
    The Vault page opens and the Accounts tab displays by default.

  2. Click the Password Safe tab.

  3. From the Password Safe table, locate the account you want to check out.

  4. For the Target Endpoint for Directory Linked Account Checkout, ensure a valid endpoint exists in Password Safe.

    🚧

    Important info

    Directory Linked accounts must be checked out against a Managed System. If the Target Endpoint for Directory Linked Account Checkout field is left blank in the Connections tab, the following error occurs on checkout:

    System name is not configured for directory linked account checkout.

    If the supplied endpoint name does not match a Managed System in Password Safe, or the account has not been linked to the Managed System in Password Safe, checkout fails with an error.

    This configuration is not necessary for Credential Injection.

  5. Click Check Out.
    The Status column updates to reflect the checkout.

  6. To check in the account, click Check In.

Edit a Password Safe account

  1. From the main menu, click Remote Support > Vault.
    The Vault page opens and the Accounts tab displays by default.
  2. Click the Password Safe tab.
  3. From the Password Safe table, locate the account you want to edit.
  4. Click the pencil to edit.
  5. Make the necessary changes and click Save.

Delete a Password Safe account

  1. From the main menu, click Remote Support > Vault.
    The Vault page opens and the Accounts tab displays by default.
  2. Click the Password Safe tab.
  3. From the Password Safe table, locate the account you want to delete.
  4. Click the trash can to delete.
  5. A confirmation dialog box displays. Click Yes.

Credential injection of a Password Safe account

Password Safe accounts are available for injection into matching RDP Jump Items or Jump Clients. At the time of injection, the Credential Store dialog box displays.

  1. For the Credential Store option, click the dropdown and select the appropriate Password Safe account.
  2. Click OK.
  3. To view all the Password Safe Vault accounts available for credential injection, click the Vault tab at the top of the screen.
  4. In the Search bar, enter password safe.
    Only Password Safe accounts are listed.
  5. Users with the Inject and Checkout role can also select a Password Safe account from the list and choose Check In or Check Out as appropriate.

©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.