Create and Manage User Accounts

A user account is the identity that BeyondInsight uses to authenticate a user and to authorize access to specific system resources. You can create local BeyondInsight users, and you can add Active Directory, Entra ID, and LDAP users into BeyondInsight.

You can also add application users, which are used to represent applications that interface with the public API. Application users cannot log in to the BeyondInsight console. They can only authenticate and interact with the public API.

A user account must be a member of a BeyondInsight user group because permissions to features are assigned at the group level. If a user is not a member of any groups in BeyondInsight, the user cannot log in to the console, and application users cannot authenticate with the public API.

Create a BeyondInsight Local User Account

  1. Navigate to Configuration > Role Based Access > User Management.
  2. Click the Users tab to display the list of users in the grid.
  3. Click Create New User above the grid.
  4. Select Create a New User.
  5. Provide a First Name, Last Name, Email, and Username for the new user. These fields are required.

You may use an email address as the username.

  6. Provide a password and confirm it.

The password must meet the complexity requirements of your default password policy, which is defined at Configuration > Role Based Access > Password Policy.

  7. Optionally, enter the user's contact information.
  8. Select an Activation Date and an Expiration Date for the user account.

These dates are evaluated in UTC on the BeyondInsight server and are checked on every login attempt. The attempt fails if the user account is not yet active or if the expiration date has passed.

  9. Check User Active to activate the user account.
  10. Leave the Account Locked and Account Quarantined options unchecked.
  11. Check the two Authentication Options, if applicable:
    • Override Smart Card User Principal Name: when enabled, allows a BeyondInsight user whose smart card carries a different Subject Alternative Name to log in to BeyondInsight, and maps that smart card to the user.
    • Disable Login Forms: when enabled, prevents SAML users from using the standard BeyondInsight login form. Check this option only if SAML is configured in your environment; those users authenticate with the third-party identity provider instead.
  12. Select a Two-Factor Authentication method and mapping information, if applicable.
  13. Click Create User.
  14. The user is created and User Details > Groups is displayed. You can filter the list of groups by type, name, or description. Select a group, and then click Assign Group above the grid.

The user must belong to at least one group.

  15. To remove the user from a group, select Assigned Groups from the Show dropdown, and then select the group and click Remove Group.

Update Default Password Policy for Local Users

The default password policy defines the password complexity requirements for local BeyondInsight users. This includes the minimum and maximum length of the password and the type of characters required and permitted in the password. Update the default password policy as follows:

  1. Go to Configuration > Role Based Access > Password Policy.
  2. Enter a name for the policy and an optional description.
  3. Set the minimum and maximum password length, and set the types of characters to be used: uppercase, lowercase, numeric, and non-alphanumeric.
  4. Click Update Password Policy when done. You can also discard changes or reset to default if desired.
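To show how a policy of this shape is evaluated, the validator below is an added example written for this page; it is not BeyondInsight code. It models the settings named above: a minimum and maximum length, and the four character classes, each of which a policy can require or merely permit. The ASCII character sets, the rule that characters outside the permitted classes are rejected, the policy values and the test passwords are all assumptions constructed for the example.

```python
"""Validator for a BeyondInsight-style default password policy.

Added example, not BeyondTrust code. The policy fields mirror the settings
named in this section (minimum/maximum length; uppercase, lowercase,
numeric and non-alphanumeric classes that are required or permitted).
How the product itself evaluates a policy is not documented here, so the
rules below are an assumption; the character sets are ASCII only.
"""
import string
from dataclasses import dataclass

# Character classes a policy can require or permit (assumed ASCII sets).
CLASSES = {
    "uppercase": frozenset(string.ascii_uppercase),
    "lowercase": frozenset(string.ascii_lowercase),
    "numeric": frozenset(string.digits),
    "non-alphanumeric": frozenset(string.punctuation),
}


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int
    max_length: int
    required: frozenset   # classes that must appear at least once
    permitted: frozenset  # classes that may appear; anything else is rejected

    def __post_init__(self):
        unknown = (self.required | self.permitted) - frozenset(CLASSES)
        if unknown:
            raise ValueError(f"unknown character class(es): {sorted(unknown)}")
        if not self.required <= self.permitted:
            raise ValueError("every required class must also be permitted")
        if not 0 < self.min_length <= self.max_length:
            raise ValueError("need 0 < min_length <= max_length")


# Constructed example policy: 12 to 64 characters, all four classes required.
DEFAULT_POLICY = PasswordPolicy(
    name="Default",
    min_length=12,
    max_length=64,
    required=frozenset(CLASSES),
    permitted=frozenset(CLASSES),
)


def check_password(password: str, policy: PasswordPolicy = DEFAULT_POLICY) -> list:
    """Return the list of policy violations; an empty list means compliant.

    Every violation is reported at once so a UI can show the user all of
    the problems rather than one per attempt.
    """
    problems = []
    n = len(password)
    if n < policy.min_length:
        problems.append(f"too short: {n} < {policy.min_length}")
    if n > policy.max_length:
        problems.append(f"too long: {n} > {policy.max_length}")

    chars = set(password)
    for name in sorted(policy.required):
        if not chars & CLASSES[name]:
            problems.append(f"missing {name} character")

    allowed = frozenset().union(*(CLASSES[name] for name in policy.permitted))
    stray = sorted(chars - allowed)
    if stray:
        problems.append("not permitted by policy: " + "".join(stray))
    return problems


def is_compliant(password: str, policy: PasswordPolicy = DEFAULT_POLICY) -> bool:
    return not check_password(password, policy)


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3xample", "password", "Correct Horse1!"):
        print(repr(candidate), check_password(candidate))
```

The `permitted` set is what makes the "permitted" half of the policy explicit: a policy that does not permit non-alphanumeric characters rejects `!` outright instead of silently ignoring it, and the constructor refuses a policy that requires a class it does not permit, which would otherwise reject every password.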


Add an Active Directory User

Active Directory users can log in to the management console and perform tasks based on the permissions assigned to their groups. The user can authenticate against either a domain or domain controller.

Active Directory users must log in to the management console at least once to receive email notifications.

  1. Navigate to Configuration > Role Based Access > User Management.
  2. Click the Users tab to display the list of users in the grid.
  3. Click Create New User above the grid.
  4. Select Add an Active Directory User.
  5. Select a credential from the list.

If you require a new credential, click Create a New Credential. The new credential is added to the list of available credentials.

  6. If not automatically populated, enter the name of a domain or domain controller.
  7. Optionally, filter by user name to narrow the search.

For performance reasons, a maximum of 250 users is retrieved from Active Directory. The default filter is an asterisk (*), a wildcard that returns all users. Filter by user name to refine the list.

Sample filters:
  • a* returns all user names that start with a.
  • *d returns all user names that end with d.
  • *sql* returns all user names that contain sql.

  8. Click Search Active Directory. A list of users in the selected domain is displayed.
  9. Select a user, and then click Add User.
  10. Assign at least one group to the user.

Add an Entra ID User

Entra ID users can log in to the management console and perform tasks based on the permissions assigned to their groups.

Entra ID users must log in to the management console at least once to receive email notifications.

  1. Navigate to Configuration > Role Based Access > User Management.
  2. Click the Users tab to display the list of users in the grid.
  3. Click Create New User above the grid.
  4. Select Add a Microsoft Entra ID User.
  5. Select a credential from the list.

If you require a new credential, click Create a New Credential. The new credential is added to the list of available credentials.

For performance reasons, a maximum of 250 users is retrieved from Entra ID. The default filter is an asterisk (*), a wildcard that returns all users. Filter by user name to refine the list.

Sample filters:
  • a* returns all user names that start with a.
  • *d returns all user names that end with d.
  • *sql* returns all user names that contain sql.

  6. Click Search Microsoft Entra ID.
  7. Select a user, and then click Add User.
  8. Assign at least one group to the user.

Change the Preferred Domain Controller for Active Directory User Accounts

The preferred domain controller for a user is set by the group they are in, provided that the group was created with the propagate option turned on and that this happened before the user was set up.

To change the preferred domain controller for a user, edit the user (Edit User > Set preferred domain controller), select an appropriate credential, and then select a different preferred domain controller from the list.

Any future change to the preferred domain controller at the group level overwrites this per-user setting if the propagate switch is turned on.

Add an LDAP User

  1. Navigate to Configuration > Role Based Access > User Management.
  2. Click the Users tab to display the list of users in the grid.
  3. Click Create New User above the grid.
  4. Select Add an LDAP User from the list.
  5. Select a credential from the list.

If you require a new credential, click Create a New Credential. The new credential is added to the list of available credentials.

  6. Click Fetch to load the list of domain controllers, and then select one.
  7. To filter the user search, enter keywords in the user filter or use a wildcard.
  8. Click Search LDAP.
  9. Select a user, and then click Add User.
  10. Assign at least one group to the user.
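The wildcard user filter described for Active Directory above and for LDAP in this section is user input that ends up inside a directory query, so it is worth seeing how it should be turned into a search filter. The example below is added for this page and is not BeyondInsight code. It assumes the console matches the pattern against sAMAccountName (Active Directory) or uid (LDAP) with an RFC 4515 search filter; the page only says that it filters by user name. It keeps the user's * wildcards, escapes everything else so that a value such as *)(memberOf=* cannot change the meaning of the filter, and truncates results to the 250-user cap. The directory entries are constructed for the example.

```python
"""Build a safe LDAP search filter from the console's wildcard user filter
(a*, *d, *sql*) and apply the 250-result cap to a constructed directory.

Added example, not BeyondTrust code. Assumed: the console matches the
pattern against sAMAccountName (Active Directory) or uid (LDAP) with an
RFC 4515 filter; the page only says it filters by user name.
"""
import re

MAX_RESULTS = 250  # cap stated on the page

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_literal(text: str) -> str:
    """Escape one literal (non-wildcard) segment of a filter value."""
    return "".join(_ESCAPES.get(c, c) for c in text)


def pattern_to_filter_value(pattern: str) -> str:
    """Keep the user's '*' wildcards, escape everything else.

    Splitting on '*' before escaping means a ')' or '(' typed into the
    filter box is escaped rather than closing the filter, which is what
    blocks LDAP filter injection such as '*)(memberOf=*'.
    """
    pattern = pattern.strip() or "*"  # empty filter behaves like the default '*'
    return "*".join(escape_literal(part) for part in pattern.split("*"))


def build_user_filter(pattern: str, directory: str = "ad") -> str:
    """Compose the full search filter for the user lookup."""
    value = pattern_to_filter_value(pattern)
    if directory == "ad":    # Active Directory user objects by logon name
        return f"(&(objectCategory=person)(objectClass=user)(sAMAccountName={value}))"
    if directory == "ldap":  # generic LDAP: inetOrgPerson entries by uid
        return f"(&(objectClass=inetOrgPerson)(uid={value}))"
    raise ValueError(f"unknown directory type {directory!r}")


def pattern_to_regex(pattern: str) -> "re.Pattern":
    """Same wildcard semantics as the filter, for offline matching.
    Case-insensitive, as directory user names are."""
    pattern = pattern.strip() or "*"
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile(f"^{body}$", re.IGNORECASE)


def search_users(entries, pattern: str, limit: int = MAX_RESULTS) -> list:
    """Offline stand-in for the directory search, truncated like the console."""
    rx = pattern_to_regex(pattern)
    return [name for name in entries if rx.match(name)][:limit]


# Constructed sample directory: 300 service accounts plus a few named users,
# more than the cap so the truncation is visible.
SAMPLE_DIRECTORY = [f"svc-app{i:03d}" for i in range(300)] + [
    "alice", "arnold", "sqladmin", "mssql-backup", "david", "Sql_Reporting",
]

if __name__ == "__main__":
    for p in ("a*", "*d", "*sql*", "*)(memberOf=*"):
        print(f"{p!r:16} {build_user_filter(p)}")
        print(f"{'':16} matches: {search_users(SAMPLE_DIRECTORY, p)}")
    print("'*' returns", len(search_users(SAMPLE_DIRECTORY, "*")), "of", len(SAMPLE_DIRECTORY))
```

The 250-result cap has a practical consequence for administrators: with the default * filter in a large domain, the user you are looking for may simply not be in the returned page. Narrow the filter (for example the first letters of the logon name) rather than scrolling a truncated list.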

Add an Application User

Application users represent applications that interface with the BeyondInsight public API. Application users cannot log in to the BeyondInsight console; they can only authenticate and interact with the public API, using a Client ID and Client Secret as their credentials in the OAuth 2.0 client credentials flow.

An API Access Policy of the API Registration type must be assigned to each application user; it is used to process IP rules. To create an application user:

  1. Go to Configuration > Role Based Access > User Management > Users.
  2. Click Create New User.
  3. Select Add an Application User from the dropdown list. The Create New Application User screen is displayed.
  4. Add a username.
  5. Under API Access Policy, select the policy.
  6. Copy the information from the Client ID and Client Secret fields for later use.
  7. Click Create User.
  8. Assign the user to a group that has the required permissions to access BeyondInsight and Password Safe features.
    • Click the vertical ellipsis for the user, and then select View User Details.
    • From the User Details pane, click Groups.
    • Locate the group, select it, and click Assign Group above the grid.

Recycle the Client Secret for an Application User

When editing an application user, you can recycle its client secret. Once recycled, you can copy or view the new secret. When a secret is recycled and the user account is updated with this change, the previous client secret is no longer valid.

To recycle the secret for an application user:

  1. Go to Configuration > Role Based Access > User Management > Users.
  2. Locate the application user in the grid.
  3. Click the ellipsis to the right of the user, and then select Edit User Details.
  4. Click the Recycle icon to the right of the Client Secret.
  5. Click Recycle on the confirmation message that displays.
  6. Copy the new secret for later use.
  7. Click Update User.

View and Update OAuth Secret Expiry

The client secret eventually expires. The Users grid has an OAuth Secret Expiry column that shows which secrets are close to expiring. The default lifetime of a client secret is 365 days; you can change it in the Authentication Options configuration area of BeyondInsight. A new value applies only to secrets issued after the change, that is, to new application users and to recycled client secrets. Existing secrets keep their original expiry date.

To view the OAuth Secret Expiry for an application user:

  1. Go to Configuration > Role Based Access > User Management > Users.
  2. Locate the application user. The OAuth Secret Expiry column lists the date and time that a client secret for that user expires.

To update the duration for client secrets:

  1. Go to Configuration > Authentication Management > Authentication Options.
  2. Under Application User Authentication Settings, enter the new duration of the client secret in the Client Secret Expiry field.
  3. Click Update Application User Authentication Settings.
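The application-user sections above describe an OAuth 2.0 client credentials exchange together with two lifecycle rules: a recycled secret invalidates the previous one, and a changed lifetime only affects secrets issued afterwards. The script below is an added example, not BeyondTrust code, and runs that exchange against an in-process stand-in for the token endpoint so it works offline. The endpoint path /BeyondTrust/api/public/v3/Auth/Connect, the form-encoded request body and the JSON response shape are assumptions based on the standard grant (RFC 6749 section 4.4), not details taken from this page; the client ID is constructed.

```python
"""Client-credentials flow for a BeyondInsight application user, run against
an in-process stand-in for the token endpoint so the exchange works offline.

Added example, not BeyondTrust code. Assumed (not stated on the page): the
endpoint path, form-encoded request and JSON response follow the standard
OAuth 2.0 client_credentials grant (RFC 6749 section 4.4). Modelled from the
page: only the current secret is valid, so recycling rejects the old secret
at once, and a secret's expiry is fixed from the lifetime in force when it
was issued.
"""
import hmac
import json
import secrets
import threading
from datetime import datetime, timedelta, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode
from urllib.request import ProxyHandler, Request, build_opener

TOKEN_PATH = "/BeyondTrust/api/public/v3/Auth/Connect"  # assumed endpoint path
UTC = timezone.utc


class AppUser:
    """Server-side record of one application user and its current secret."""

    def __init__(self, client_id: str, lifetime_days: int = 365):
        self.client_id, self.lifetime_days = client_id, lifetime_days
        self.recycle_secret()

    def recycle_secret(self) -> str:
        """Issue a new secret; the previous one is invalid from this point."""
        self.secret = secrets.token_urlsafe(32)
        self.secret_expiry = datetime.now(UTC) + timedelta(days=self.lifetime_days)
        return self.secret

    def credentials_valid(self, client_id: str, client_secret: str) -> bool:
        # Constant-time comparison, plus the expiry the grid column reflects.
        return (hmac.compare_digest(client_id.encode(), self.client_id.encode())
                and hmac.compare_digest(client_secret.encode(), self.secret.encode())
                and datetime.now(UTC) < self.secret_expiry)


class TokenHandler(BaseHTTPRequestHandler):
    """Stand-in token endpoint: validates the grant, issues a short-lived token."""

    def do_POST(self):
        form = parse_qs(self.rfile.read(int(self.headers.get("Content-Length", 0))).decode())
        get = lambda key: form.get(key, [""])[0]
        if self.path != TOKEN_PATH or get("grant_type") != "client_credentials":
            self._reply(400, {"error": "unsupported_grant_type"})
        elif not self.server.app_user.credentials_valid(get("client_id"), get("client_secret")):
            self._reply(401, {"error": "invalid_client"})
        else:
            self._reply(200, {"access_token": secrets.token_urlsafe(24),
                              "token_type": "Bearer", "expires_in": 600})

    def _reply(self, status: int, body: dict):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_token_server(app_user: AppUser) -> str:
    srv = HTTPServer(("127.0.0.1", 0), TokenHandler)
    srv.app_user = app_user
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"


def request_token(base_url: str, client_id: str, client_secret: str) -> dict:
    """Client side of the grant; raises HTTPError(401) for a wrong or recycled secret."""
    body = urlencode({"grant_type": "client_credentials", "client_id": client_id,
                      "client_secret": client_secret}).encode()
    req = Request(base_url + TOKEN_PATH, data=body, method="POST",
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with build_opener(ProxyHandler({})).open(req, timeout=5) as resp:  # ignore env proxies
        return json.load(resp)


def token_status(base_url: str, client_id: str, client_secret: str) -> int:
    try:
        return 200 if request_token(base_url, client_id, client_secret)["access_token"] else 500
    except HTTPError as err:
        return err.code


def recycle_demo() -> dict:
    """Status codes before and after a recycle: the old secret stops working."""
    user = AppUser("api-reporting")
    base = start_token_server(user)
    old_secret = user.secret
    before = token_status(base, user.client_id, old_secret)
    new_secret = user.recycle_secret()
    return {"before": before,
            "old_after_recycle": token_status(base, user.client_id, old_secret),
            "new_after_recycle": token_status(base, user.client_id, new_secret)}


if __name__ == "__main__":
    print(recycle_demo())  # {'before': 200, 'old_after_recycle': 401, 'new_after_recycle': 200}
```

Run directly, the script prints the three status codes: 200 with the original secret, 401 for that same secret once it has been recycled, and 200 with the new one. The operational lesson is the same as in the procedure above: copy the new secret at recycle time and update every consumer before you click Update User, because there is no overlap period in which both secrets work. When adapting the client half to the real service, load the secret from a vault or environment variable rather than embedding it in the script.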

Edit a User Account

Administrators can edit user details, such as the name, username, email, and password, the active status, the locked state of the account, and the multi-factor authentication settings, as follows:

  1. Navigate to Configuration > Role Based Access > User Management.
  2. Click Users to display the list of users in the grid.
  3. Optionally, filter the list of users displayed in the grid using the Filter By dropdown.
  4. Select a user, click the vertical ellipsis button, and then select Edit User Details.
  5. In the Edit User pane, update the details as required, and then click Update User.

For more information on creating and editing directory credentials, please see Create and Edit Directory Credentials.

Add User to Groups

  1. From the User Management page, click the Users tab to display the list of users in the grid.
  2. Optionally, filter the list of users displayed in the grid using the Filter by dropdown.
  3. Select one or more users, and then click the Add User to Groups button above the grid.
  4. Search for the group or groups, and then select them to assign the selected users to those groups.

If a group already contains all of the selected users, a check mark is displayed next to the group name.

Delete a User Account

Administrators can delete user accounts as follows:

  1. Navigate to Configuration > Role Based Access > User Management.
  2. Click the Users tab to display the list of users in the grid.
  3. Optionally, filter the list of users displayed in the grid using the Filter by dropdown.
  4. For local accounts, select the user, click the Delete button above the grid, and then click Delete to confirm.
  5. For directory accounts, select the user, click the vertical ellipsis, select Delete User, and then click Delete to confirm.

For auditing purposes, if a user account is linked to any Password Safe session recordings, you cannot delete the account; however, you may disable the account.

Directory accounts may be deleted only if they do not belong to any groups.