Work with Managed Accounts

Managed accounts are local or Active Directory user accounts on the managed system.

View Managed Accounts

Managed Accounts page highlighting the available filters for the grid.

When viewing managed accounts, you can change the number of items displayed on the page using the Items per page dropdown at the bottom of the grid. You can use the filters above the grid to filter the list by Smart Group and by the attributes listed in the Filter by dropdown.

 

View Managed Account Details

After the account is added to Password Safe management, you can:

  • Review the attributes and settings assigned to the account, such as its identifying details, settings, and policies.
  • View managed systems linked to the account.
  • View Smart Groups associated with the account, as well as their last process date and processing status.
  • See which accounts are synced to the managed account.
  • View a list of password changes and the reason for each change.

To view details on a specific managed account:

  1. From the Managed Accounts page, click the vertical ellipsis for the account.
  2. Select Go to Advanced Details.

Screenshot of the Advanced Details page for a managed account.

  1. Managed account details, such as identification information, account settings, policies and attributes are displayed under Details & Attributes for quick access.
  2. To see more granular details, click through the tabs in the Advanced Details pane to view details on each topic.

Click the View Managed System link above the grid to view the advanced details for the managed system associated with the managed account. To return to the advanced details for the managed account, click the View Managed Account link.

 

For more information on propagation actions, please see Add Propagation Actions to Managed Accounts.

Delete Managed Accounts

Managed accounts can be deleted, except for synced accounts. A message is displayed if an account cannot be deleted.

  1. From the menu, select Managed Accounts.

Deleting multiple managed accounts

  2. Select the account or multiple accounts you want to delete, and then click the Delete button above the grid.
  3. Click Delete on the confirmation message.

Unlink Managed Accounts

You can unlink managed accounts from managed systems; however, this applies to Active Directory accounts only. If accounts included in the unlink selection are not domain accounts, no action is taken on those accounts.

  1. From the menu, select Managed Accounts.

Unlink Managed Accounts

  2. Select the account or multiple accounts you want to unlink, and then click the Unlink button above the grid.
  3. Click Unlink on the confirmation message.

Change Passwords for Managed Accounts

  1. From the menu, select Managed Accounts.

Change the password for selected managed accounts.

  2. Select the account or multiple accounts for which you want to change the password, and then click the Change Password button above the grid.
  3. Click Change Password on the confirmation message.

Configure Subscriber Accounts

Any managed account can be synced to multiple accounts. These synced accounts become subscribers to the managed account. The managed account and all of its subscribers always share an identical password. When the password of the managed account or any of the subscriber accounts is changed, Password Safe automatically changes the password of the primary managed account and all of its subscribers to a new password.

Once an account is synchronized as a subscriber account, settings modifications are limited to:

  • Enable API
  • Allow for scanning
  • Application

To sync an account:

  1. From the Managed Accounts page, click the vertical ellipsis button for the account.
  2. Select Go to Advanced Details.

Sync Accounts for a managed account.

  3. Under Advanced Details, click Synced Accounts.
  4. Select the account or multiple accounts that you want to sync.
  5. Click Sync Accounts above the grid.

 

Unsync a managed account

  1. To remove a synced account, select the account, and then click the Unsync Accounts button above the grid.

 

Configure Password Reset for Managed Account Users

You can grant managed account users permission to reset the password on their own managed account, without granting them permission to reset passwords on other managed accounts. You can do this by creating a group, adding the managed account to the group, and then assigning permissions and the Credential Manager role to the group.

  1. In the BeyondInsight console, go to Configuration > Role Based Access > User Management.
  2. From the Groups tab, click Create New Group.
  3. Select Create a New Group.
  4. Provide a name and description for the group, and then click Create Group.

Assign Users to Group

  5. From the Group Details pane, select Users.
  6. Select users to add to the group, and then click Assign User above the grid.
  7. From the Group Details pane, select Features.
  8. Select the Management Console Access and Password Safe Account Management features, and then click Assign Permissions.
  9. Select Assign Permissions Read Only. Do not grant Full Control.

Smart Groups Permissions > Edit Password Safe Roles

  10. From the Group Details pane, select Smart Groups.
  11. Filter the list of Smart Groups by Type > Managed Account.
  12. Select the Smart Group that contains the applicable managed accounts.
  13. Click the vertical ellipsis button for the Smart Group, and then select Edit Password Safe Roles.

Smart Group Permissions > Password Safe Credential Manager Role

  14. Select the Credentials Manager role, and then click Save Roles.

 

The managed account user can now log in to the console and reset the password for the managed account as follows:

  1. Go to the Managed Accounts page.
  2. Select the account.
  3. Click the vertical ellipsis button for the account.
  4. Select Change Password.

Use a Managed Account as a Discovery Scan Credential

A managed account can be used as a credential when configuring a Discovery Scan.

Once the Scanner option is enabled, the key must be specified again if the account is edited. It may be the same key or a new one.

The following credential types are supported:

  • Windows
  • SSH
  • MySQL
  • Microsoft SQL Server

The following platforms are supported:

  • Windows
  • MySQL
  • Microsoft SQL Server
  • Active Directory
  • Any platform with the IsUnix flag (AIX, HP-UX, DRAC, etc.)

To add the managed account as a scan credential:

  1. From the Managed Accounts page, click the vertical ellipsis button for the account.
  2. Select Edit Account.

Edit Managed Account > Scanner Settings

  3. Expand Scanner Settings.
  4. Click the toggle to enable the scanner.
  5. For the Scanner Credential Description, enter a name for the account that can be selected as the credential when setting up the scan details. The name is displayed on the Credentials Management dialog box when setting up the scan.
  6. Assign and confirm a key so that only users that know the key can use the credential for scanning.
  7. Click Update Account.

For more information on configuring credentials, please see Add Credentials for Use in Scans.

 

Managed Account Aliasing

Aliases are accessible using the API only. Account mappings can be changed without affecting the alias name. At least one managed account is required to be mapped for the alias to be active; when an alias has two or more managed accounts mapped, it is considered to be highly available. An account can only be mapped to one alias. Managed account aliases can be accessed from Configuration > Privileged Access Management > Managed Account Aliases.

Create a New Alias

New Account Alias

  1. Navigate to Configuration > Privileged Access Management > Managed Account Aliases.
  2. Click Create New Alias +.
  3. Enter a name, and then click Create Alias.

 

The new alias appears in the grid under Account Mappings, which displays all aliases ready to be mapped. New aliases show as Unmapped until they are associated with accounts.

Each managed account can only be mapped to a single alias.

You can use the dropdown to select which accounts to display: All Accounts, Mapped, or Unmapped Accounts only.

The Filter by dropdown allows you to filter accounts by System, Account Name, Account Status, or Last Changed Date.

Unmap an account using the broken link icon

To unmap an account, select the account and click the broken link icon.

 

 

Alias Account Details

Mapped accounts have three status values:

  • Active: The account credentials are current and can be requested.
  • Pending: The account credentials are current but the password is queued to change.
  • Inactive: The account password is changing.

The list of mapped accounts is rotated in a round-robin fashion, typically in order of last password change date. The preferred account, that is, the account whose status is Active and that has the oldest change date, is returned on the Alias API model.
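
The selection rule above can be modelled in a few lines to see why an alias with two or more mapped accounts stays available while one of them is being rotated. This is an added illustration, not BeyondTrust code and not the Password Safe API. The account names, the dates, and the Active to Pending to Inactive to Active lifecycle are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class MappedAccount:
    name: str
    status: str            # "Active", "Pending" or "Inactive"
    last_change: datetime  # date of the last password change


def preferred_account(mapped: List[MappedAccount]) -> Optional[MappedAccount]:
    """Return the Active account with the oldest change date, or None."""
    active = [a for a in mapped if a.status == "Active"]
    return min(active, key=lambda a: a.last_change, default=None)


def alias_state(mapped: List[MappedAccount]) -> str:
    """Unmapped with no accounts, highly available with two or more."""
    if not mapped:
        return "Unmapped"
    return "Highly available" if len(mapped) >= 2 else "Active"


def rotation_trace(mapped: List[MappedAccount], account: MappedAccount,
                   changed_at: datetime) -> List[Optional[str]]:
    """Walk one password change for `account` and record the preferred
    account name at each step. Assumed lifecycle (not from the product):
    Active -> Pending -> Inactive -> Active with a new change date."""
    trace = []
    for status in ("Pending", "Inactive", "Active"):
        account.status = status
        if status == "Active":
            account.last_change = changed_at
        best = preferred_account(mapped)
        trace.append(best.name if best else None)
    return trace


# Constructed sample data: two service accounts mapped to one alias.
T0 = datetime(2024, 1, 1)
acct_a = MappedAccount("svc_app_a", "Active", T0)
acct_b = MappedAccount("svc_app_b", "Active", T0 + timedelta(days=14))
pair = [acct_a, acct_b]

if __name__ == "__main__":
    print(alias_state(pair), preferred_account(pair).name)
    print(rotation_trace(pair, acct_a, T0 + timedelta(days=31)))
    solo = [MappedAccount("svc_solo", "Active", T0)]
    print(alias_state(solo), rotation_trace(solo, solo[0], T0 + timedelta(days=1)))
```

With a single mapped account the model returns no preferred account while the password is Pending or Inactive; with two, the second account is returned throughout the change and the rotated account moves to the back of the order.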