Configure Role Based Access

Groups let you delegate access to managed systems. Permissions control access to BeyondInsight system components, while Password Safe roles determine the scope of access to managed systems.

  • Group permissions: Permissions are assigned when you create a group. Permissions are system-wide and provide access to various components of the BeyondInsight infrastructure. There are permissions that are specific to accessing and using features of the Password Safe application.
  • Password Safe roles: The roles define the actions that Password Safe users can take when using the Password Safe web portal for password releases or access to applications.

Group Features

The following Password Safe features can be assigned to your groups. For each feature, the description lists what a group gets when it is assigned the Full Control permission on that feature.

Password Safe Account Management

Grants permissions to the following features on the Managed Accounts page:

  • Bulk delete accounts
  • Add accounts to a Quick Group
  • Remove accounts from a Quick Group
  • Add, edit, and delete accounts

Password Safe Admin Session

Allows non-ISA users access to the Admin Session feature in Password Safe.

Using an Admin Session allows administrators to open ad-hoc RDP / SSH sessions without going through the request process.

Password Safe Bulk Password Change

Use the bulk password change feature on the Managed Accounts page.

Password Safe Agent Management

Grants a user administrator permissions to the Configuration > Privileged Access Management Agents page.

Password Safe Configuration Management

Grants a user administrator permissions to the Configuration > Privileged Access Management page.

Password Safe Policy Management

Grants a user administrator permissions to the Configuration > Privileged Access Management Policies page.

Password Safe Role Management

Users can manage Password Safe roles, provided they hold both the Password Safe Role Management and the User Accounts Management permissions.

Password Safe System Management

Users can manage systems on the Managed Systems page, including:

  • Create, change, and remove directory and cloud systems.
  • Link and unlink directory accounts to managed systems.

Password Safe Account Management is needed together with Password Safe System Management to manage Password Safe accounts; Full Control is required on both.

Smart Rule Management - Managed Account

Users can create and edit Managed Account Smart Rules.

Smart Rule Management - Managed System

Users can create and edit Managed System Smart Rules.

Secrets Safe

Users can access the Secrets Safe feature.

In addition to the Password Safe feature permissions, users need the following general permissions:

Asset Management

Read, create, and delete assets and databases.

Management Console Access

Access to log on to the management console.

Password Safe Roles

In Password Safe, a role is the connection between a Password Safe user account (or group) and a managed system. A role defines what the user or group can do with respect to that managed system. The available roles are:
Requester

Users can submit a request to retrieve a managed password or file.

When assigning the Requester role, you must select an access policy.

Approver

Users can approve requests for the release of managed passwords or files.

Typically, system administrators and network engineers are assigned to this role.

Requester/Approver

With this cross-functional role, a user can submit or approve requests for password or file releases. However, a user holding this role cannot approve their own request when dual control is enforced.

This role is typically used in a peer approval environment.

Information Security Administrator

This role is responsible for setting up managed systems and accounts.

The ISA role provides the functionality required for security help desk personnel. The ISA role can delegate limited authority to those responsible for resource management.

The role bypasses every workflow and security measure, including approval workflows and account checkout. Even if another user has already checked out an account and therefore knows its current password, an ISA user can still view that password. Because nothing in the request or approval path constrains an ISA, assign the role sparingly and review who holds it on each managed system.

Auditor

Users can:

  • Log on and run reports in BeyondInsight Analytics & Reporting
  • View Replay Sessions in the web portal

The Auditor role can be assigned with other roles.

No Roles

Assign this role to remove any previously assigned roles from a user group.

Credentials Manager

Users can set credentials using the PUT ManagedAccounts/{accountId}/Credentials API.
Recorded Session Reviewer

Users can view and take action on recorded Password Safe sessions, including:

  • Add comments
  • Mark the session as reviewed
  • Archive sessions if configured on the U-Series Appliance
Active Session Reviewer

Users can view and take action on active Password Safe sessions, including:

  • Lock session
  • Terminate the session
  • Cancel the request
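The Credentials Manager role above exists for automation that sets an account's password through the API rather than the portal. The following is an added example of such a call, not BeyondTrust's own code. The endpoint name comes from this page; the base path /BeyondTrust/api/public/v3/, the PS-Auth header format, the Auth/SignAppin and Auth/Signout calls, and the Password and UpdateSystem body fields are assumptions taken from the public API documentation as the author of this example understands it, so check them against the release you run. The host name, API key, user name and account ID are made up.

```python
"""Set a managed account's credential through the Password Safe public API.

Added example, not BeyondTrust's own code. The page names the endpoint
(PUT ManagedAccounts/{accountId}/Credentials); the base path, PS-Auth header
format, SignAppin/Signout calls and body fields are assumptions from the public
API documentation. The host name is made up.
"""
import http.cookiejar
import json
import urllib.request

API_BASE = "https://pam.example.internal/BeyondTrust/api/public/v3/"  # assumed host


def ps_auth_header(api_key: str, run_as: str) -> str:
    # API-key authentication (assumed format). run_as must be a user in a group
    # that holds the Credentials Manager role on the target account; keep the
    # key out of source control and out of request logs.
    return f"PS-Auth key={api_key}; runas={run_as};"


def build_set_credentials_request(base: str, account_id: int, auth: str,
                                  new_password: str,
                                  update_system: bool = True) -> urllib.request.Request:
    """Build the PUT that stores a new password for a managed account.

    UpdateSystem=True also pushes the password to the managed system;
    False only records it in Password Safe, for a rotation that was already
    performed out of band (field semantics assumed from the API docs).
    """
    body = {"Password": new_password, "UpdateSystem": update_system}
    return urllib.request.Request(
        f"{base}ManagedAccounts/{int(account_id)}/Credentials",
        data=json.dumps(body).encode("utf-8"),
        method="PUT",
        headers={"Authorization": auth, "Content-Type": "application/json"},
    )


def set_credentials(base: str, account_id: int, api_key: str, run_as: str,
                    new_password: str, update_system: bool = True) -> int:
    """Sign in, set the credential, sign out. Returns the PUT's HTTP status."""
    auth = ps_auth_header(api_key, run_as)
    # SignAppin issues a session cookie that later calls must carry.
    opener = urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()))
    opener.open(urllib.request.Request(f"{base}Auth/SignAppin", method="POST",
                                       headers={"Authorization": auth}))
    try:
        req = build_set_credentials_request(base, account_id, auth,
                                            new_password, update_system)
        with opener.open(req) as resp:
            return resp.status
    finally:
        # Always end the session, even if the PUT failed.
        opener.open(urllib.request.Request(f"{base}Auth/Signout", method="POST"))


if __name__ == "__main__":
    import getpass
    import os
    status = set_credentials(API_BASE, 42, os.environ["PS_API_KEY"], "svc_rotate",
                             getpass.getpass("New password: "))
    print("PUT returned", status)
```

The user named in runas needs only the Credentials Manager role on the account; it does not need the ISA role, so a rotation job can be given the narrowest grant that lets it write the new password and nothing else.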

On all systems where a user is granted the ISA role, the user can:

  • Grant users/groups roles to the managed system.
  • Review release requests.
  • Add and change accounts on managed systems.
  • Assign a system to a collection (provided the ISA role is granted to the user for both the system and the collection).
  • Remove their ISA role from a system.
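The role rules above (who may submit and approve a release, that a Requester/Approver cannot approve their own request under dual control, that an ISA bypasses approval and checkout, that Auditor combines with other roles, and that No Roles clears a group's roles) are easier to reason about as a decision function. The following is an added model of those rules written for this page; it is not BeyondTrust code, the function and field names are this example's own, and the checkout behaviour for non-ISA users (no access while another user holds the account) is an assumption about an exclusive-checkout access policy.

```python
"""Model of the Password Safe role semantics described on this page.

Added example, not BeyondTrust code. It encodes only the rules the page
states; the exclusive-checkout behaviour for non-ISA users is an assumption.
"""
from dataclasses import dataclass
from typing import Optional

ISA = "Information Security Administrator"
REQUESTER, APPROVER, REQ_APP = "Requester", "Approver", "Requester/Approver"
AUDITOR, NO_ROLES = "Auditor", "No Roles"


@dataclass(frozen=True)
class ReleaseRequest:
    request_id: int
    requester: str                      # user who submitted the request
    account: str                        # managed account requested
    checked_out_by: Optional[str] = None  # user currently holding the password
    approved: bool = False


def apply_role_assignment(current: set, assigned: set) -> set:
    """Apply a role assignment to a group on a managed system.

    'No Roles' removes every previously assigned role; otherwise the new roles
    are added (Auditor, for instance, can be held alongside other roles).
    """
    if NO_ROLES in assigned:
        return set()
    return set(current) | set(assigned)


def can_submit_request(roles: set) -> bool:
    # Only Requester and Requester/Approver submit release requests.
    return bool(roles & {REQUESTER, REQ_APP})


def can_approve(roles: set, approver: str, req: ReleaseRequest,
                dual_control: bool) -> bool:
    """Approver and Requester/Approver may approve; an ISA may review requests.

    Under dual control a Requester/Approver may not approve their own request.
    """
    if ISA in roles:
        return True
    if not roles & {APPROVER, REQ_APP}:
        return False
    if dual_control and approver == req.requester:
        return False
    return True


def can_view_password(roles: set, user: str,
                      req: Optional[ReleaseRequest]) -> bool:
    """An ISA sees the password regardless of workflow or checkout state.

    Everyone else needs an approved request of their own, and (assumed
    exclusive checkout) only while no other user holds the account.
    """
    if ISA in roles:
        return True
    if req is None or req.requester != user or not req.approved:
        return False
    return req.checked_out_by in (None, user)


def can_run_reports(roles: set) -> bool:
    # Auditor runs reports in Analytics & Reporting, whatever else it holds.
    return AUDITOR in roles
```

The two branches worth a second look in a real deployment are the ISA short-circuits: they are what the page means by "bypass every workflow", and they are why an ISA grant on a Smart Rule that matches many systems is effectively standing administrative access to all of them.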

The roles that you can assign vary depending on the Smart Rule type:

  • Asset Based Smart Rule: only the ISA and Auditor roles can be assigned.
  • Managed Accounts Based Smart Rule: most roles can be assigned.