Vault
What is Vault?
Vault is a secure storage solution that allows organizations to safely store and manage sensitive information, such as credentials and passwords, to ensure they are accessible only to authorized users.
How is Vault useful to my organization?
Vault helps improve security and compliance by providing a centralized location for managing sensitive data, ensuring that credentials are protected, and reducing the risk of unauthorized access during remote support sessions.
Note
Vault can import, rotate, and manage up to 60,000 accounts.
How do I access the Vault page?
- Use a Chromium-based browser to sign in to your Remote Support URL. This URL is provided in the BeyondTrust welcome email and includes your site URL followed by /login.
- From the left menu, click Vault.
The Accounts page opens by default.
View Vault account details
Available information for shared accounts includes:
- Type: The type of account, specifically, whether it is a domain or a local account, or a generic password account.
- Name: The name of the account.
- Username: The username associated with the account.
- Group: The name of the account group to which the account belongs.
- Endpoint: The endpoint with which the account is associated.
- Description: Short description about the account.
- Last Checkout: The last time the account was checked out.
- Password Age: The age of the password.
- Status: The status of the account. For example, warnings, errors, and if the account is checked out are indicated in this column. This column is auto-hidden when there aren't any statuses to indicate for any accounts. Multiple statuses are stacked and indicated in different colors. You can mouse-hover over a specific status to view more details about it.
Note
You can filter the list of shared accounts displayed using the filters for Group and Password Age.
Based on this information, you can perform various actions, including credential check-out/check-in and credential rotation.
Available information for personal accounts includes:
- Type: The type of account, specifically, whether it is a domain or a local account, or a generic password account.
- Name: The name of the account.
- Owner: The name of the person who created and owns the account.
- Description: Short description about the account.
- Password Age: The age of the password.
Note
You can filter the list of personal accounts displayed using the filters for Owner and Password Age.
Accounts
Add account
Click Add to manually add a shared or personal generic account to BeyondTrust Vault.
Search shared accounts
Search for a specific shared account or a group of accounts based on Name, Endpoint Name, and Description.
Select visible columns
Click the Select Visible Columns button (columns icon) above the Accounts grid and select the columns to display in the grid.
Check out and check in a shared account
Click Check Out to view and use the credential. When selected, the Account Password prompt appears, displaying the credential for 60 seconds to allow you to copy the password. Once the prompt is closed, the Check In option becomes available. When finished using the account, click Check In to check the password back into the system.
Note
For more information, please see Check Out Credentials from the /login Interface.
Ellipsis menu for shared accounts
Click ... to view more actions, such as Rotate Password, Edit, and Delete. When Rotate Password is selected, the system automatically rotates or changes the password. When Edit is selected, you can modify the account's information. The Delete option removes the account from the Accounts list.
Note
For more information, please see Rotate Privileged Credentials Using BeyondTrust Vault.
Search personal accounts
Search for a specific personal account or a group of accounts based on Name and Description.
View password for personal account
Click View Password to view and use the credential. When selected, the Account Password prompt appears, displaying the credential for 60 seconds to allow you to copy the password.
Edit personal account
Click Edit Account to modify the account's information, specifically Name, Description, Username, and Password.
Add shared account
The Add > Shared Generic Account option allows you to add accounts without having to run a discovery job. Instead, you can manually enter information about the account. This option is helpful in situations where a shared account or username/password combination can be used to access many different systems.
Name
Enter a name for the account.
Description
Enter a brief and memorable description of the account.
Username
Provide the username for the account.
Authentication
Select the authentication method for the account: Password, SSH Private Key, or SSH Private Key With Certificate.
Note
If you use an SSH private key for authentication, you must provide a private key for the account in OpenSSH format. Optionally, you can include the passphrase associated with the private key.
Password and confirm password
If Password is selected for authentication, you must enter the password for the account and confirm the password.
SSH private key
If SSH Private Key is selected for authentication, you must enter the SSH private key for the account.
SSH private key with certificate
If SSH Private Key With Certificate is selected for authentication, you must enter the SSH private key for the account, and the SSH key passphrase if applicable. You must also provide the SSH public certificate for the account.
SSH key passphrase
If applicable, enter the SSH private key's passphrase.
Account policy
Select a specific policy for the account or leave Account Policy set to the default value of Inherit Policy Settings, in which case the account inherits the policy settings of the account group. If no account group is selected for the account, the account inherits the policy settings set for the global default account policy on the Vault > Options page.
Account group
Select a group from the list to add the shared account to an account group. If a group is not selected, the account is added to the Default Group.
Group policies
If the account was added to any group policies, they are listed here, along with their Vault account roles.
Account users
New user name
Select users who are allowed to access this account, as well as their Vault account role, and then click Add.
New member role
Select the Vault account role for the new user, and then click Add. Users can be assigned one of two roles:
- Inject (default value): Users with this role can use this account in Remote Support sessions.
- Inject and Checkout: Users with this role can use this account in Remote Support sessions and can check out the account on /login. The Checkout permission has no effect on generic SSH accounts.
Note
The Vault Account Role is visible in the list of users added to the Vault Account.
Note
When upgrading to a BeyondTrust Remote Support installation with the Configurable Vault Checkout feature, all existing Vault Account Memberships that were configured in Group Policies before the upgrade will have their Vault Account Role set to Inject and Checkout by default after the upgrade.
Important
Vault Account Role Precedence: Vault Account Roles can be assigned to both users and group policies. This means the same user could have different roles for a single Vault account. One role could be assigned by the user's group policies, while a different role could be assigned by the user's explicit access to the Vault Account. In such cases, the system uses the most-specific role for that user. Therefore, the system will let the role assigned on the Edit Vault Account page override the role assigned on the user's group policy. When the role is overridden in such a way, the word "overridden" appears on the Edit Vault Account page for the user's group policy membership. This behavior is consistent with the order of precedence for Jump Item Roles.
Note
User accounts with the Allowed to Administer Vault permission are implicitly allowed to access every Vault account.
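The role precedence described above (explicit membership on the account overrides group policy, with the policy membership shown as "overridden"; Vault administrators implicitly have access; Checkout has no effect on generic SSH accounts) can be written down as a small resolver. This is an added example, not BeyondTrust's code. The data layout, the treatment of administrator access as the full role, and the tie-break between several group policies are assumptions of the example and are marked in the comments.

```python
from typing import Dict, List, Optional, Tuple

INJECT = "Inject"
INJECT_AND_CHECKOUT = "Inject and Checkout"
RANK = {INJECT: 1, INJECT_AND_CHECKOUT: 2}


def effective_vault_role(
    user: str,
    explicit_members: Dict[str, str],     # user -> role set on the Edit Vault Account page
    policy_roles: Dict[str, str],         # group policy -> role it grants on this account
    user_policies: Dict[str, List[str]],  # user -> group policies the user belongs to
    vault_admins: set,                    # users with Allowed to Administer Vault
) -> Tuple[Optional[str], str, List[str]]:
    """Return (role, source, overridden_policies) for one user on one account.

    Precedence: Administer Vault permission, then the explicit membership on
    the account (most specific), then any group-policy memberships.
    """
    if user in vault_admins:
        # The page only says admins implicitly access every account; treating
        # that access as the full role is this example's assumption.
        return INJECT_AND_CHECKOUT, "Allowed to Administer Vault", []

    applicable = [p for p in user_policies.get(user, []) if p in policy_roles]

    if user in explicit_members:
        # Explicit membership wins; each applicable policy shows as "overridden".
        return explicit_members[user], "explicit membership", applicable

    if applicable:
        # Assumption: when several policies grant different roles, the most
        # permissive one applies; the page does not specify this case.
        best = max(applicable, key=lambda p: RANK[policy_roles[p]])
        return policy_roles[best], "group policy '%s'" % best, []

    return None, "no access", []


def can_check_out(role: Optional[str], authentication: str) -> bool:
    """Checkout on /login needs Inject and Checkout and has no effect on generic SSH accounts."""
    return role == INJECT_AND_CHECKOUT and authentication == "Password"


# Constructed sample configuration (illustrative, not taken from the page).
EXPLICIT = {"alice": INJECT}
POLICY_ROLES = {"Helpdesk": INJECT_AND_CHECKOUT, "Auditors": INJECT}
USER_POLICIES = {"alice": ["Helpdesk"], "bob": ["Helpdesk", "Auditors"], "carol": ["Auditors"]}
VAULT_ADMINS = {"dave"}

if __name__ == "__main__":
    for u in ("alice", "bob", "carol", "dave", "erin"):
        print(u, effective_vault_role(u, EXPLICIT, POLICY_ROLES, USER_POLICIES, VAULT_ADMINS))
```

With this configuration alice keeps the Inject role set on the account page even though her Helpdesk policy grants Inject and Checkout, and the Helpdesk membership is the one reported as overridden.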
Jump Item associations
Select the type of Jump Item Associations for the account. The Jump Item Associations setting determines which Jump Items the account is associated with, so the account is available only for relevant target machines in the console during credential injection attempts. Select one of the following association methods:
- Inherited from the Account Group: Associations for this account are determined by the associations defined in this account's Account Group.
- Any Jump Items: This account can be injected within any session started from a Jump Item in which the account is applicable.
- No Jump Items: This account cannot be injected into any session started from a Jump Item.
- Jump Items Matching Criteria: This account can be injected only within sessions started from Jump Items that match the criteria you define, in which the account is applicable.
- You can define a direct association between Vault accounts and specific Jump Items by selecting the Jump Items from the list, and then clicking Add Jump Item.
- You can further define the association between Vault accounts and Jump Items by specifying matching criteria based on the following Jump Item attributes. If configured, the account is available for injection for any Jump Items that match the specified attribute criteria in addition to any specific Jump Items you added as matching criteria.
- Shared Jump Groups: Select a Jump Group from the list.
- Name: This filter is matched against the value that appears in the Name column of the Jump Item in the console.
- Hostname / IP: This filter is matched against the value that appears in the Hostname / IP column of the Jump Item in the console.
- Tag: This filter is matched against the value that appears in the Tag column of the Jump Item in the console.
- Comments: This filter is matched against the value that appears in the Comments column of the Jump Item in the console.
Note
Click the i icon for each option and attribute to view more specific information about it.
Note
Local accounts are available for injection within the endpoints on which they were discovered.
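The association rules above (Inherited from the Account Group, Any Jump Items, No Jump Items, and Jump Items Matching Criteria built from explicit Jump Items plus Shared Jump Group, Name, Hostname / IP, Tag and Comments filters) decide whether an account is offered for injection in a session. The following is an added example of that decision logic, not BeyondTrust's code. The page does not state how the attribute filters compare values, so this example assumes a case-insensitive substring match, that every configured filter must hold at once, and that an explicitly added Jump Item matches regardless of the filters; the sample Jump Items are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class JumpItem:
    name: str
    hostname: str        # value of the Hostname / IP column
    jump_group: str      # shared Jump Group the item belongs to
    tag: str = ""
    comments: str = ""


@dataclass
class Association:
    mode: str                                   # "inherit" | "any" | "none" | "criteria"
    jump_items: Set[str] = field(default_factory=set)   # explicit Jump Items (by name)
    jump_groups: Set[str] = field(default_factory=set)  # Shared Jump Groups criterion
    name: str = ""
    hostname: str = ""
    tag: str = ""
    comments: str = ""


def _attr_matches(filter_value: str, actual: str) -> bool:
    # Assumption: an empty filter is unconstrained; otherwise substring, case-insensitive.
    return not filter_value or filter_value.lower() in actual.lower()


def account_available(assoc: Association, group_assoc: Optional[Association], item: JumpItem) -> bool:
    """True if an account with this association may be injected into a session from `item`."""
    if assoc.mode == "inherit":
        if group_assoc is None or group_assoc.mode == "inherit":
            raise ValueError("inherit requires a concrete Account Group association")
        return account_available(group_assoc, None, item)
    if assoc.mode == "any":
        return True
    if assoc.mode == "none":
        return False
    if assoc.mode != "criteria":
        raise ValueError("unknown association mode: %r" % assoc.mode)

    # A Jump Item added directly to the account always matches.
    if item.name in assoc.jump_items:
        return True
    # Shared Jump Group criterion, if any groups were selected.
    if assoc.jump_groups and item.jump_group not in assoc.jump_groups:
        return False
    filters = [
        (assoc.name, item.name),
        (assoc.hostname, item.hostname),
        (assoc.tag, item.tag),
        (assoc.comments, item.comments),
    ]
    # Criteria mode with nothing configured at all matches no Jump Item.
    if not assoc.jump_groups and all(f == "" for f, _ in filters):
        return False
    return all(_attr_matches(f, a) for f, a in filters)


# Constructed sample Jump Items and associations (not from the page).
WEB = JumpItem("web-01", "10.0.0.5", "Production", tag="linux", comments="nginx")
DB = JumpItem("db-01", "10.0.1.7", "Production", tag="linux", comments="postgres")
LAB = JumpItem("lab-01", "192.168.1.9", "Lab", tag="linux")
PROD_LINUX = Association("criteria", jump_groups={"Production"}, tag="linux")
LAB_ONLY = Association("criteria", jump_items={"lab-01"})
INHERITED = Association("inherit")

if __name__ == "__main__":
    for item in (WEB, DB, LAB):
        print(item.name, account_available(PROD_LINUX, None, item), account_available(LAB_ONLY, None, item))
```

The matcher mirrors the UI order: an inherited association defers to the account group, Any/No short-circuit, and in criteria mode an explicitly added Jump Item wins before the group and attribute filters are consulted.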
Add personal account
Name
Enter a name for the account.
Description
Enter a brief and memorable description of the account.
Username
Provide the username for the account.
Authentication
Select the authentication method for the account: Password, SSH Private Key, or SSH Private Key With Certificate.
Note
If an SSH private key is selected for authentication, you must provide a private key for the account in OpenSSH format. Optionally, you can include the passphrase associated with the private key.
Password and confirm password
If Password is selected for authentication, you must enter the password for the account and confirm the password.
SSH private key
If SSH Private Key is selected for authentication, you must enter the SSH private key for the account.
SSH private key with certificate
If SSH Private Key With Certificate is selected for authentication, you must enter the SSH private key for the account, and the SSH key passphrase if applicable. You must also provide the SSH public certificate for the account.
SSH key passphrase
If applicable, enter the SSH private key's passphrase.
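Both the shared-account and personal-account forms above require the private key in OpenSSH format and make the passphrase optional. Before pasting a key into either form it is useful to confirm that it really is an OpenSSH-format key (a PEM block headed BEGIN OPENSSH PRIVATE KEY whose body starts with the openssh-key-v1 magic) and whether it was exported with a passphrase, in which case the SSH key passphrase field is mandatory. The following inspector is an added example, not BeyondTrust's code; the key blobs it inspects are constructed containers with zeroed key material, built only to exercise the format.

```python
import base64
import struct

PEM_HEADER = "-----BEGIN OPENSSH PRIVATE KEY-----"
PEM_FOOTER = "-----END OPENSSH PRIVATE KEY-----"
MAGIC = b"openssh-key-v1\x00"


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_string(buf: bytes, off: int):
    """Decode one SSH 'string' at `off`; return (bytes, new_offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated key blob")
    return buf[off:off + n], off + n


def inspect_openssh_key(pem: str) -> dict:
    """Return key type, cipher, KDF and whether a passphrase is needed, or raise ValueError."""
    lines = [ln.strip() for ln in pem.strip().splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0] != PEM_HEADER or lines[-1] != PEM_FOOTER:
        raise ValueError("not an OpenSSH-format private key (expected BEGIN OPENSSH PRIVATE KEY)")
    body = base64.b64decode("".join(lines[1:-1]), validate=True)  # raises ValueError on bad base64
    if not body.startswith(MAGIC):
        raise ValueError("missing openssh-key-v1 magic")
    off = len(MAGIC)
    cipher, off = _read_string(body, off)
    kdf, off = _read_string(body, off)
    _kdfoptions, off = _read_string(body, off)
    if off + 4 > len(body):
        raise ValueError("truncated key blob")
    (nkeys,) = struct.unpack(">I", body[off:off + 4])
    off += 4
    if nkeys != 1:
        raise ValueError("expected exactly one key, found %d" % nkeys)
    pub, off = _read_string(body, off)
    key_type, _ = _read_string(pub, 0)
    encrypted = cipher != b"none"
    if encrypted and kdf == b"none":
        raise ValueError("cipher set but no KDF: malformed key")
    return {
        "key_type": key_type.decode("ascii"),
        "cipher": cipher.decode("ascii"),
        "kdf": kdf.decode("ascii"),
        "passphrase_required": encrypted,
    }


def _build_sample(cipher: str, kdf: str, kdfoptions: bytes) -> str:
    """Build a constructed, non-functional OpenSSH container (zeroed ed25519 key material)."""
    pub = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(32))
    priv = bytes(64)  # opaque private section; real keys carry check ints, key and comment here
    body = (MAGIC + _ssh_string(cipher.encode()) + _ssh_string(kdf.encode())
            + _ssh_string(kdfoptions) + struct.pack(">I", 1) + _ssh_string(pub) + _ssh_string(priv))
    b64 = base64.b64encode(body).decode("ascii")
    return "\n".join([PEM_HEADER, *(b64[i:i + 70] for i in range(0, len(b64), 70)), PEM_FOOTER]) + "\n"


# Constructed samples: an unencrypted key, a bcrypt/aes256-ctr key, and a PKCS#1 PEM that is not OpenSSH format.
SAMPLE_PLAIN = _build_sample("none", "none", b"")
SAMPLE_ENCRYPTED = _build_sample("aes256-ctr", "bcrypt", _ssh_string(bytes(16)) + struct.pack(">I", 16))
SAMPLE_PKCS1 = "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    print(inspect_openssh_key(SAMPLE_PLAIN))
    print(inspect_openssh_key(SAMPLE_ENCRYPTED))
```

A key whose cipher is anything other than "none" needs the SSH key passphrase field filled in; a PEM headed BEGIN RSA PRIVATE KEY or BEGIN PRIVATE KEY is a PKCS#1 or PKCS#8 export and should be converted to OpenSSH format first (for example with ssh-keygen -p -m RFC4716 or by re-exporting the key) rather than pasted as-is.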
Edit local account
Name
View or edit the name used for the account.
Description
View or edit the description of the account.
Username
View the username associated with the account.
Password and confirm password
Enter a new password for the account, or leave the field blank to keep the existing password. Confirm the password entered.
Password age
View the age of the existing password.
Account policy
Select a specific policy for the account or leave Account Policy set to the default value of Inherit Policy Settings, in which case the account inherits the policy settings of the account group. If no account group is selected for the account, the account inherits the policy settings set for the global default account policy on the Vault > Options page.
Allow simultaneous checkout
If the account can be checked out and used by multiple users or sessions at the same time, select this option.
Account group
Select a group from the list to add the shared account to an account group. If a group is not selected, the account is added to the None system group.
Endpoint name
View which endpoint or endpoints are associated with the account.
Endpoint hostname
View the hostname of the associated endpoints.
Account users
Select users who are allowed to access this account, as well as their Vault account role, and then click Add.
Note
User accounts with the Allowed to Administer Vault permission are implicitly allowed to access every Vault account.
Jump Item associations
Select the type of Jump Item Associations for the account. The Jump Item Associations setting determines which Jump Items the account is associated with, so the account is available only for relevant target machines in the console during credential injection attempts. Select one of the following association methods:
Edit domain account
Name
View or edit the name used for the account.
Description
View or edit the description of the account.
Username
View the username associated with the account.
Password and confirm password
Enter a new password for the account, or leave the field blank to keep the existing password. Confirm the password entered.
View password history
View the dates and times of password changes. Click Reveal to temporarily show the password. Click Use to set the password of this account to that password.
Password age
View the age of the existing password.
Account policy
Select a specific policy for the account or leave Account Policy set to the default value of Inherit Policy Settings, in which case the account inherits the policy settings of the account group. If no account group is selected for the account, the account inherits the policy settings set for the global default account policy on the Vault > Options page.
Distinguished name
View the distinguished name for the account.
Account group
Select a group from the list to add the shared account to an account group. If a group is not selected, the account is added to the Default Group.
Account users
Select users who are allowed to access this account, as well as their Vault account role, and then click Add.
Note
User accounts with the Allowed to Administer Vault permission are implicitly allowed to access every Vault account.
Jump Item associations
Select the type of Jump Item Associations for the account. The Jump Item Associations setting determines which Jump Items the account is associated with, so the account is available only for relevant target machines in the console during credential injection attempts. Select one of the following association methods:
Edit personal generic (password) account
Name
View or edit the name used for the account.
Description
View or edit the description of the account.
Username
View the username associated with the account.
Password and confirm password
Enter a new password for the account, or leave the field blank to keep the existing password. Confirm the password entered.