Add Assets to Password Safe
This chapter provides a high-level overview of adding systems and accounts to be managed by Password Safe. Once assets are managed by Password Safe, selected users can request access to them. For details on adding specific systems, please refer to the chapter for the particular system in this guide.
A system and the associated account can be added to Password Safe in any of the following ways:
- Manually: After an asset is added to the management console, you can add the asset to Password Safe.
- Smart Rules: You can create a Smart Rule with selected filter criteria to match the systems that you want to add to Password Safe.
- Discovery Scanning: You can run a Discovery Scan in BeyondInsight on a selected range of IP addresses.
Workflow to Add Managed Systems and Accounts to Password Safe
There are three ways to add systems and accounts to Password Safe:
- Add the asset manually.
- Run a Discovery Scan and then import the assets using an address group or directory query.
- Use API scripts.
The following is a high-level overview of the steps required to add systems and accounts to be managed in Password Safe.
- Add the functional account: A functional account is one that can access the system with the privileges required to manage and change passwords for shared accounts on the system.
- Add the managed system: A managed system is a computer or device where one or more account passwords are to be maintained by Password Safe. Managed systems can be Windows machines, Unix/Linux machines, network devices, databases, firewalls, routers, iLO machines, and LDAP or Active Directory domains.
- Add the managed account: A managed account is an account on the managed system whose password is being stored and maintained through Password Safe. Typically, managed accounts are privileged accounts that can perform administrative tasks on the managed system.
- Configure managed system settings: After a system is added to Password Safe, configure settings that apply to the managed system.
- Set up role-based access: Create user groups that permit users to:
  - Log in to the Password Safe web portal.
  - Assign Password Safe roles, such as Requester or Approver.
  - Create access policies to permit accounts to access the systems, applications, and sessions, and to request password releases.
A functional account on a managed system is required to manage passwords for accounts on that managed system. The passwords for functional accounts cannot be retrieved through the Password Safe web portal.
Do not set up a functional account as a managed account. Functional accounts have built-in management capabilities and passwords might fail to synchronize, causing issues.
The settings vary, depending on the type and platform chosen.
- In the BeyondInsight Console, go to Configuration > Privileged Access Management > Functional Accounts.
- Click Create Functional Account.
- Select a type from the list.
- Select a platform from the list.
The DSS authentication and Automatic password management settings are not supported if you are using the elevated credential pbrun jumphost.
- Provide credentials and a description for the account.
- Provide an alias. The Alias value is shown in the selectors throughout Password Safe where you must select a functional account to use.
- Select a Workgroup, if applicable.
- If desired, enable Automatic Password Management, and then select the password policy and change frequency. This option enables automatic password changes for each managed system that this functional account is associated with at the designated frequency.
If the Automatic Password Management option is enabled, passwords are set immediately when a new functional account is added to Password Safe. They are changed during the next scheduled rotation.
- Click Create Functional Account.
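A pre-import check for the constraints stated above (a managed system needs a functional account, a functional account should not also be a managed account, and DSS authentication and Automatic password management are not supported with the pbrun jumphost elevated credential), as an added example that is not part of the BeyondTrust documentation. The plan layout and all field names are hypothetical, not a BeyondInsight schema or API, and the sample data is constructed.

```python
# Added example: lint an onboarding plan before importing it into Password Safe.
# The plan layout and every field name are hypothetical, not a BeyondInsight schema.

# Constructed sample data.
SAMPLE_PLAN = {
    "functional_accounts": [
        {"alias": "linux-fa", "username": "psfunc", "elevation": "pbrun jumphost",
         "dss_auth": True, "auto_manage": False},
        {"alias": "win-fa", "username": "svc-pwsafe", "elevation": None,
         "dss_auth": False, "auto_manage": True},
    ],
    "managed_systems": [
        {"name": "web01", "functional_account": "linux-fa",
         "managed_accounts": ["root", "psfunc"]},
        {"name": "dc01", "functional_account": "win-fa",
         "managed_accounts": ["Administrator"]},
        {"name": "fw01", "functional_account": "net-fa",
         "managed_accounts": ["admin"]},
    ],
}


def lint_plan(plan):
    """Return sorted (rule, subject) findings for an onboarding plan."""
    findings = []
    functional = {fa["alias"]: fa for fa in plan["functional_accounts"]}
    for fa in functional.values():
        # DSS authentication and Automatic password management are not
        # supported with the pbrun jumphost elevated credential.
        if fa.get("elevation") == "pbrun jumphost":
            if fa.get("dss_auth"):
                findings.append(("pbrun-jumphost-dss", fa["alias"]))
            if fa.get("auto_manage"):
                findings.append(("pbrun-jumphost-auto-manage", fa["alias"]))
    for system in plan["managed_systems"]:
        fa = functional.get(system.get("functional_account"))
        if fa is None:
            # Password management on a system requires a functional account.
            findings.append(("missing-functional-account", system["name"]))
            continue
        for acct in system["managed_accounts"]:
            # Case-insensitive match is deliberately conservative.
            if acct.casefold() == fa["username"].casefold():
                findings.append(("functional-as-managed", f"{system['name']}/{acct}"))
    return sorted(findings)


if __name__ == "__main__":
    for rule, subject in lint_plan(SAMPLE_PLAN):
        print(f"{rule}: {subject}")
```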
Override a Functional Account Password
Every managed system that uses a specific functional account has a unique password associated with that functional account. The password on the managed system might be out of sync with the password in Password Safe. You can override a functional account password from the Functional Account section in the Advanced Details of a managed system.