Configure Role Based Access

Creating groups gives you great flexibility in delegating access to managed systems. Permissions provide access to BeyondInsight system components, while Password Safe roles determine the scope of access to managed systems.

  • Group permissions: Permissions are assigned when you create a group. Permissions are system-wide and provide access to various components of the BeyondInsight infrastructure. There are permissions that are specific to accessing and using features of the Password Safe application.
  • Password Safe roles: The roles define the actions that Password Safe users can take when using the Password Safe web portal for password releases or access to applications.

Group Features

The following table provides information on the Password Safe features that you can assign to your groups.

Feature Full Control permission assigned
Password Safe Account Management

Grants permissions to the following features on the Managed Accounts page:

  • Bulk delete accounts
  • Add accounts to a Quick Group
  • Remove accounts from a Quick Group
  • Add, edit, and delete accounts
Password Safe Admin Session

Allows non-ISA users access to the Admin Session feature in Password Safe.

Using an Admin Session allows administrators to open ad-hoc RDP / SSH sessions without going through the request process.

Password Safe Bulk Password Change Use the bulk password change feature on the Managed Accounts page.
Password Safe Agent Management Grant a user administrator permissions to the Configuration > Privileged Access Management Agents page.
Password Safe Configuration Management Grant a user administrator permissions to the Configuration > Privileged Access Management page.
Password Safe Policy Management Grant a user administrator permissions to the Configuration > Privileged Access Management Policies page.
Password Safe Role Management Manage roles provided they have the following permissions: Password Safe Role Management and User Accounts Management.
Password Safe System Management

Users can manage systems on the Managed Systems page, including:

  • Create, change, and remove directory and cloud systems.
  • Link and unlink directory accounts to managed systems.

Password Safe Account Management is needed with Password Safe System Management to manage Password Safe accounts. Full Control is required for both.

Smart Rule Management - Managed Account Users can create and edit Managed Account Smart Rules.
Smart Rule Management - Managed System Users can create and edit Managed System Smart Rules.
Secrets Safe Users can access the Secrets Safe feature.

In addition to Password Safe features permissions, users need the following general permissions:

Asset Management Read, create, and delete assets and databases.
Management Console Access Access to log on to the management console.

Password Safe Roles

In Password Safe, a role is the connection between a Password Safe user account and a managed system. A role defines what the user or group can do with respect to that managed system. Roles are assigned to Smart Groups, and the roles that you can assign depend on the Smart Group type, as follows:

  • Asset Smart Group: The ISA and Auditor roles may be assigned.
  • Managed Account Smart Group: The Requestor, Approver, Credentials Manager, Recorded Session Viewer, and Active Session Reviewer roles may be assigned.
Role Description

Allows users to submit a request to retrieve managed passwords or remote session connection files.

When assigning the Requester role, you must select an access policy.


Allows users to approve requests for the release of managed passwords or remote session connection files.

Typically, system administrators and network engineers are assigned to this role.

In peer approval environments, users may be both approvers and requestors. In this case, a user cannot approve their own requests when dual control is enforced.
Information Security Administrator (ISA)

Allows users to setup managed systems and accounts.

The ISA role provides the functionality required for security help desk personnel. User with the ISA role can delegate limited authority to those responsible for resource management.

This role enables a user to bypass every workflow and security measure, like approval workflows or checked out accounts.

If another user has an account checked out and the password is known by this user, an ISA user can view the password. ISA users are not permitted to use the Admin Session feature.

Users with the Auditor role can:

  • Run reports in BeyondInsight Analytics & Reporting
  • Replay recorded sessions in the Password Safe web portal

The Auditor role can be assigned with other roles.

Credentials Manager Allows users to set credentials using the PUT ManagedAccounts/{accountId}/Credentials API.
Recorded Session Reviewer

Allows users to view and take action on completed recorded Password Safe sessions, including:

  • Add comments
  • Mark the session as reviewed
  • Archive sessions if configured on the U-Series Appliance
Active Session Reviewer

Allows users to view and take action on active Password Safe sessions, including:

  • Lock session
  • Terminate the session
  • Cancel the request

On all systems where a user is granted the ISA role, the user can change the following system details:

  • Grant users/groups roles to the managed system.
  • Review password release and session requests.
  • Add and change accounts on managed systems.
  • Assign a system to a collection (provided the ISA role is granted to the user for both the system and the collection).
  • Remove their ISA role from a system.