Password Safe Administration Guide

Password Safe is your privileged access management solution to ensure your resources are protected from insider threats. It combines privileged password and session management to discover, manage, and audit all privileged credential activity.

Password Safe creates and secures privileged accounts through automated password management, encryption, secure storage of credentials, and a sealed operating system.

Password Safe's random password generator algorithm does not use any common phrases or dictionary words as inputs or in its generation. It selects each password character randomly from the list of allowable characters, numerals, and symbols to build the password.

Password Safe is supported on a hardened U-Series Appliance that creates and secures privileged accounts through automated password management, encryption, secure storage of credentials, and a sealed operating system.

More specifically, you can use Password Safe to accomplish the following:

  1. Scan, identify, and profile all assets for automated Password Safe management, ensuring no credentials are left unmanaged.
  2. Control privileged user accounts, applications, SSH keys, cloud admin accounts, RPA accounts, and more.
  3. Use adaptive access control for automated evaluation of just-in-time context for authorization access requests.
  4. Monitor and record live sessions in real time and pause or terminate suspicious sessions.
  5. Enable a searchable audit trail for compliance and forensics, and achieve complete control and accountability over privileged accounts.
  6. Restrict access to critical systems, including assets and applications, keeping them safe from potential inside threat risks.

Log In to the BeyondInsight Console

The admin username used to sign into the BeyondInsight Console for the first time is configured during the installation process. Afterward, the credentials you use to log in to the console depend on the type of authentication configured for your BeyondInsight system.

The following authentication types can be used:

  • BeyondInsight and Password Safe Authentication: Create a BeyondInsight user in the console, add the user to a group, and assign roles.
  • Active Directory: Create a BeyondInsight group and add Active Directory users as members.
  • LDAP: Create a BeyondInsight group and add LDAP users as members.
  • Smart Card: Configure Password Safe to allow authentication using a Smart Card PIN.
  • RADIUS: Configure multi-factor authentication with a RADIUS server.
  • Third Party Authentication: Configure Password Safe to use authentication for web tools which support SAML 2.0 standard such as PingID, Okta and ADFS.

When working in the console, the times displayed match the web browser on the local computer unless stated otherwise.

To log in:

  1. Open a browser and enter the URL for your BeyondInsight instance: https://<hostname>/WebConsole/index.html.

You might need to accept a pre-login message, if one has been configured on your system.

  1. Enter your username and password. The default username is Administrator, and the password is the administrator password you set in the Configuration Wizard.
  2. If applicable, select a domain or LDAP Server from the Log in to list.
  3. Click Login.

The Log in to list is only displayed on the Login page when there are either Active Directory or LDAP user groups created in the BeyondInsight console. The Log in to list is displayed by default, but may be disabled / enabled by an admin user by toggling the Show list of domains/LDAP servers on login page setting from Configuration > System > Site Options page.

For more information on configuring authentication using BeyondInsight groups, Smart Card, RADIUS, and third party SAML 2.0 web tools, please refer to the BeyondInsight and Password Safe Authentication Guide.

Select a Display Language

BeyondInsight and Password Safe can be displayed in the following languages:

  • Dutch
  • English
  • French
  • Japanese
  • Korean
  • Portuguese
  • Spanish

If the Show language picker option is enabled in Configuration > System > Site Options > Localization, you can select a language from the list on the Log In page or by clicking the Profile and preferences button, and then selecting it from the Language list.

Navigate the Console

BeyondInsight Home Page

Once logged into the BeyondInsight Console, you are taken to the Home page, where the BeyondInsight suite of features is easily accessible by clicking the container cards or by clicking Menu in the left navigation menu.


Available features include:

  • Assets: Display and manage all assets. Access the Smart Rules page to create and manage Smart Groups. Add assets to Password Safe management.
  • Smart Rules: View and mange Smart Rules.
  • Discovery: Run and schedule discovery scans, review active, completed, and scheduled scans, and view the list of discovery scanners.
  • Endpoint Privilege Management: View and manage Endpoint Privilege Management events, policies, policy users, agents, file integrity monitoring, and session monitoring.
  • Managed Systems: View and configure properties for Password Safe managed systems, managed databases, managed directories, managed applications, and their associated Smart Rules.
  • Managed Accounts: View and configure properties for Password Safe managed accounts and their associated Smart Rules.
  • Password Safe: Access the Password Safe web portal to request passwords and remote access sessions and to approve requests.
  • Team Passwords: View and manage team credentials.
  • Analytics & Reporting: Access reports on collected data.
  • Configuration: Configure BeyondInsight and Password Safe components and objects, such as users and groups, authentication settings, connectors, and much more.
  • About: Access helpful links and support tools, such as generating a support package and analysis to send to BeyondTrust Technical Support. View the current BeyondInsight version information, as well as the history of installed versions. View version information for currently installed plugins. View the maintenance expiry date and disable or enable the Maintenance Expiry Warning Banner.

For more information on installing and configuring Resource Brokers and Zones, please refer to the Password Safe Cloud Resource Broker Configuration and Installation Guide.