Discovery and Profiling

Find and manage all accounts: Discover and profile all known and unknown assets, shared accounts, user accounts, and service accounts.

Smart Rules: Quickly identify assets with common traits and automatically place them under Password Safe management via Smart Rules.

Auto Discover SSH Keys: Discover all SSH keys on host systems.

Password Protection and Key Rotation

Keep passwords fresh: Randomize passwords on a scheduled basis or upon check-in to eliminate risk of passwords leaving the organization.

Rotate SSH keys: Automatically rotate keys according to a defined schedule and enforce granular access control and workflow.

Eliminate application credentials: Get control over scripts, files, code and embedded keys.

Ensure password strength: Define and enforce password policy to meet any complexity requirement.

Eliminate old passwords: Analyze password ages and proactively report policy violations.

Solve the problem of remote and mobile users: Utilize BeyondTrust Privilege Management for Desktops as an agent to update passwords on remote and mobile devices.

Active/active targeted password change: Selectively process password change, password test, and account notification queue items for designated workgroups.

Privileged Session Monitoring, Auditing, and Recording

Enable true dual control: Live session management gives administrators the ability to lock, terminate or cancel a session.

Enforce accountability: Record privileged sessions in real time via a proxy session monitoring service for SSH and RDP – without the need for Java.

Communicate and comply: Build reports for usage, audit, forensics, and regulatory compliance purposes.

Application proxy for RemoteApp: Allow any Windows application usage to be monitored and recorded.

Audit and log privileged sessions: Access and watch a session, then log an acknowledgement of the review to meet audit compliance requirements.

Quickly search session logs: Index and text search using keystroke to pinpoint data, and then log an acknowledgement of the review for audit purposes.

Integrate with SailPoint IdentityIQ: Manage access for privileged and non-privileged accounts with privileged access management and identity and access management (IAM).

RDP enhanced session audit: Every click within the Windows interface, along with any keystrokes, is audited and recorded in a searchable session replay index.

Real-time activity alerting: Defined user activity can generate real-time email alerts, as well as block commands, lock, and terminate SSH sessions.

Command blacklisting: Connection profiles define keyword groups that can determine a specific course of action – block command, lock session, block and lock session, or terminate session.

Auto logoff and disconnect: Utilize ‘log off on disconnect’ feature to ensure sensitive data is not exposed in subsequent RDP sessions.

Advanced Workflow Control

Streamline workflow: Leverage true Role-Based Access Controls (RBAC) with Active Directory and LDAP integration for assigning roles and rights to users.

Simplify requests: Manage checkout workflow with seamless connectivity to RDP & SSH via native desktop tools such as puTTY and Microsoft MSTSC.

Accommodate firecall requests: Ensure access to password-managed systems after hours, on weekends, or in other emergency situations.

Utilize context: Provides additional context by considering the day, date, time and location when a user accesses resources to determine their ability to access those systems.

Bulk Changes: Filter and select multiple accounts to perform mass password changes, removal, and unlinking from a managed AD account.

Ad Hoc Groups: Create ad hoc groups of managed accounts in seconds.

Post-login command execution: Administrators can leverage a Unix or Linux Jumphost to run a specific command or script after a session connects.

Multi-system checkout: Allows admins to check out an account with a multi-system parameter, then launch sessions to linked systems.

Expedite checkout operations: Expedite checkout operations using OneClick for access to passwords, sessions and applications that would normally be approved automatically.

Connect to sessions without an agent: With DirectConnect, administrators can launch an SSH session by simply passing a connection string to the Password Safe proxy. No agents need to be installed on the hosts, and connection to any SSH system is supported, including Unix/Linux hosts, and network devices such as routers or firewalls.

Security, Uptime & High Availability

Ensure solution security: Rely on hardened appliances with FIPS 1402-validated components, AES256 encryption and HTTPS/TLS communications.

Understand risk: Analyze privileged password, user and account behavior with BeyondInsight Threat Analytics.

Increase uptime: Deploy appliance pairs and replicate settings for high availability.

Active-Active infrastructure support: Allow an unlimited number of Password Safe appliances to be connected to an external SQL AlwaysOn Availability Group for unparalleled high-availability and scalability.

Cache API passwords securely: Rely on password caching for APIs when administrators need access to credentials directly on a local host.

Ensure API credential stability: Create aliases for APIs to map to multiple accounts so that API access is not interrupted during password changes.


One product to deploy: Realize the benefit of a single solution for both password and privileged session management.

Simplify deployment: Implement hardware appliances, virtual appliances, or software.

Speed user adoption: Provide a modern, HTML-5 requester interface – no Javascript or agents required.

Support any system: Employ out-of-the-box connectors, plus a custom connector builder for all systems that support Telnet or SSH.

One user interface, multiple languages: Single user interface with localization for Spanish, Japanese, Korean, and Brazilian Portuguese

Prefers reduced motion setting detected. Animations will now be reduced as a result.