Work with Smart Rules

You can use Smart Groups to add assets, systems, and accounts into Password Safe management. The Smart Rule filters that you configure for the Smart Groups determine the assets that are added as managed systems and managed accounts in Password Safe.

There are four types of Smart Rules available with a Password Safe license: Asset, Managed Account, Managed System, and Policy User.

You can use Smart Rules to add the following types of assets:

  • Systems
  • Network Devices
  • Databases
  • Local Linux and Windows accounts
  • Active Directory accounts
  • Dedicated accounts

The settings in a Smart Rule override the settings configured on the managed system.

For more information on using Smart Rules, please see the BeyondInsight User Guide.

Predefined Smart Groups

By default there are Smart Groups already defined and created.

The following tables list Smart Groups useful in Password Safe environments.

Asset Based Smart Groups

Smart Group Category Definition
All Assets in Password Safe Assets and Devices All assets under Password Safe management.
Recent Assets not in Password Safe Assets and Devices All assets discovered in the last 30 days that have not yet been added to Password Safe.
Recent Non Windows Assets not in Password Safe Assets and Devices All non Windows assets discovered in the last 30 days that have not yet been added to Password Safe.
Recent Windows Servers not in Password Safe Servers Windows servers discovered in the last 30 days that have not yet been added to Password Safe.
Recent Virtual Servers not in Password Safe Virtualized Devices Virtualized server assets discovered in the last 30 days that have not yet been added to Password Safe.

Managed System Smart Rules

Smart Rule Category Definition
Database Managed Systems Types Database Managed Systems
Directory Managed Systems Types Directory Managed Systems
Cloud Managed Systems Types Cloud Managed Systems
Asset Managed Systems Types Asset Managed Systems
All Managed Systems associated with BeyondInsight Assets Managed Systems All Managed Systems associated with BeyondInsight Assets
All Managed Systems not associated with BeyondInsight Assets Managed Systems All Managed Systems not associated with BeyondInsight Assets
All Managed Systems Managed Systems All Managed Systems
Recently Added Managed Systems Managed Systems Managed Systems added less than 30 days ago

Managed Accounts Smart Groups

Smart Group Definition
All Managed Accounts All accounts managed by Password Safe.
Recently Added Managed Accounts Filters on managed accounts added less than 30 days ago.
Database Managed Accounts Filters on the database platform and includes SQL Server and Oracle platforms.
Hardware Device Managed Accounts Filters on hardware devices including Dell DRAC and HP iLO platforms.
Linux Managed Accounts Filters on the Linux platform.
Mac Managed Accounts Filters on the macOS platform.
Unix Managed Accounts Filters on the Unix platform.
Windows Managed Accounts Filters on the Windows platform.

Considerations When Designing Smart Rules

  • The filter criteria is processed hierarchically. When creating the filter structure, place the filters that reduce the largest number of entities at the top of the hierarchy.
  • When adding Active Directory accounts using a directory query, ensure the query is as restrictive as possible. For example, configure the query on a smaller set of data in your environment.
  • When adding assets to Password Safe, be cautious about creating more than one Smart Rule with the same systems or accounts. If the Smart Rules have different actions, they will start continually overwriting each other in an endless loop.
  • There can be delays when a Smart Rule depends on external data source, such as LDAP, as processing can take longer. For example, a directory query that uses the discover accounts feature (managed account Smart Rule) or discover assets feature (asset-based Smart Rule).

Smart Rule Processing

A Smart Rule processes and updates information in Smart Groups when certain actions occur, such as the following:

  • The Smart Rule is edited and saved.
  • A timer expires.
  • You manually kick off the processing by selecting the Smart Rule from the grid on the Smart Rules page, and then click Process.

The Process action from the grid on the Smart Rules page does not apply to Managed Account Quick Group Smart Rules, because these only run once upon creation and cannot be triggered to run again.

  • A Smart Rule with Smart Rule children triggers the children to run before the parent completes.
  • Managed account Smart Rules with selection criteria Dedicated Account process when a change to a mapped group is detected. This can occur in the following scenarios:
    • A new user logs on.
    • The group refreshes in Active Directory by an administrator viewing or editing the group in Configuration > Role Based Access > User Management.

Change the Processing Frequency for a Smart Rule

By default, Smart Rules process when asset changes are detected. The assets in the Smart Rule are then dynamically updated. For Smart Rules that require more intensive processing, you might want Smart Rules to process less frequently.

To provide more restrictive processing, you can select alternate frequency settings to override the default processing. The Smart Rules process in the selected time frame (for example, the rule processes once a week).

Details area of the Smart Rule showing the option to select a processing frequency other than the default.

When creating a new Smart Rule or updating an existing one, select your desired frequency from the Reprocessing limit list in the Details section.

A Smart Rule is always processed when first saved or updated.

 

View and Select Smart Rules Processing Statistics

The Smart Rules grid displays some processing statistics by default. Additional Smart Rules processing statistics, such as Processed Date, Successful Attempts, and Failed Attempts are available and can be displayed in the Smart Rules grid.

To add this information to the grid:

  1. From the left menu in the BeyondInsight Console, click Smart Rules.
  1. Click the Column chooser icon in the upper right of the grid.
  2. Click the desired column to add that information to the grid.
    • Check marks indicate columns currently displayed.
    • You can remove a displayed column by clicking the column name in the Column chooser list.
    • If there are more columns displayed than can fit in the width of the screen, a scroll bar appears at the bottom of the grid. It may be necessary to scroll sideways to view any additional columns.

Use Dedicated Account Smart Rule

A dedicated account Smart Rule allows you to dynamically map dedicated administrative accounts outside of BeyondInsight to users in a BeyondInsight group. This allows a lower privileged BeyondInsight user to access a higher privileged user's account temporarily while using Password Safe.

The below procedures provide instructions for configuring BeyondInsight users with the ability to access a dedicated directory account's credentials, using a query matching on directory attributes. Once configured, the users are able to request a password checkout for the dedicated account from the Password Safe portal. The user can then access resources using the dedicated account credentials.

You must configure the following in BeyondInsight:

  • Create a directory query to retrieve the directory account as well as its attributes.
  • Create a Smart Rule to run the directory query to find the account and its directory attributes, and add it as a managed account in Password Safe.
  • Create a Smart Rule to map the dedicated account to a user group in BeyondInsight.
  • Assign user group permissions to the two newly created Smart Rules.

Create the Directory Query

  1. Navigate to Configuration > Role Base Access > Directory Queries.
  2. Click Create New Directory Query +, and complete form as follows:

Create a new directory query to find active directory users.

    • Directory Type: Leave as Active Directory.
    • Title: Provide a meaningful name that allows for easy identification of the query.
    • Credentials: Select a credential that has permissions to query the directory user accounts.
    • Query Target: Provide the LDAP path to the target.
    • Scope: Leave as This Object and All Child Objects.
    • Object Type: Select User Objects.
    • Dynamically refresh results each use: Leave enabled.
    • Basic Filter: Provide the name of the dedicated account.
  1. Click Create Directory Query.

 

Create the Smart Rule to Run the Directory Query and Add Managed Account

  1. From the left navigation pane, click Smart Rules.
  2. Select Managed Account from the Smart Rule type filter dropdown.
  3. Click Create Smart Rule +.
  4. Configure the Smart Rule as follows:

Create Managed Account Smart Rule to run directory query and add managed account.

  • Category: Select Managed Accounts.
  • Name: Provide a meaningful name that allows for easy identification of the Smart Rule.
  • Selection Criteria:
    • Select Directory Query from the dropdown.
    • Leave Include accounts from Directory Query selected.
    • Select the directory query created in above steps.
    • Leave Discover accounts for Password Safe Management enabled.
    • Select the Domain from the dropdown.
  • Actions:
    • Select Manage Account Settings from the dropdown and set its related options as desired.
    • Add another action and select Show managed account as Smart Group from the dropdown.
    • Add another action and select Link domain accounts to Managed Systems from the dropdown, and then select your desired Asset or Managed System Smart Group from the dropdown.
  1. Click Create Smart Rule.

 

Create the Smart Rule to Map the Dedicated Account to the User Group

  1. From the left navigation pane, click Smart Rules.
  2. Select Managed Account from the Smart Rule type filter dropdown.
  3. Click Create Smart Rule +.
  4. Configure the Smart Rule as follows:

Create Managed Account Smart Rule to Map Dedicated Accounts to BeyondInsight User Group.

  • Category: Select Managed Accounts.
  • Name: Provide a meaningful name that allows for easy identification of the Smart Rule.
  • Selection Criteria:
    • Select Dedicated Account from the dropdown.
    • Select Directory Attribute Match from the dropdown.
    • Select the directory attribute you wish to match.
  • Actions:
    • Select Show managed account as Smart Group from the dropdown.
    • Add another action and select Map Dedicated Accounts to from the dropdown.
    • Select the applicable User Group to map to.
  1. Click Create Smart Rule.

 

Assign User Group Permissions to the Smart Rules

  1. Navigate to Configuration > Role Based Access > User Management.
  2. Locate the user group you had selected when creating the Smart Rule for dedicated account mapping.
  3. Click the vertical ellipsis for the group, and then select View Group Details.

Screenshot of assigining the Smart Groups Permissions for a User Group.

  1. In the Group Details pane, click Smart Groups.
  2. In the Smart Group Permissions pane, select the two dedicated account Smart Groups you created.
  3. Click Assign Permissions > Assign Permissions Read Only above the grid.

 

Screenshot of processing Smart Rules from Smart Rules page.

From the Smart Rules page, process the two newly created Smart Groups. After processing, the dedicated account discovered by the directory query is listed on the Managed Accounts page. Users belonging to the group you chose to map the dedicated account to are indicated in the Mapped to User column. You might need to add this column to the grid using the Column Chooser button above the grid.

 

Use an Azure AD Smart Rule

An Azure Active Directory Smart Rule enables Password Safe to automatically discover Azure AD credentials. This allows privileged accounts in an Azure Active Directory to be managed, including password rotation and check-in and check-out.

Follow the steps below to discover Azure Active Directory Credentials.

  1. On the left navigation pane, click Smart Rules.
  2. Select Managed Account from the Smart Rule type filter dropdown.
  3. Click Create Smart Rule + and configure the role on the new screen.

Create a Smart Rule to Manage Azure Active Directory platform accounts.

  1. Category: Select Managed Accounts.
  2. Name: Provide a meaningful name and description that allows for easy identification of the Smart Rule.
  3. Reprocessing Limit: If desired, select a reprocessing limit.
  4. Under Selection Criteria, select Azure Directory Query from the dropdown.
  5. There are several filters, and options are dynamic, depending on other selections.
    • Include ALL or ANY of the selection criteria.
    • Use a Group Name or a User Principle Name.
    • If using a Group Name, equals is the only match option. Enter the Group Name.
    • If using a User Principle Name, select starts with or ends with and enter the name.
  6. Set the value for how many hours for rerunning the query.
  7. Check the Discover accounts in Azure synced from on-premise option to include AAD accounts synced from on-premises Azure AD, as well as Azure-only accounts.
  8. Discover accounts for Password Safe Management is checked by default.
  9. Select an Azure domain.
  10. You can add additional selection criteria and groups.
  11. Under Actions, select Show managed account as Smart Group.
  12. Add other actions as required to manage settings or work with the managed account.
  13. Click Create Smart Rule.

Use Quick Groups

For a simpler way to organize managed accounts, you can group them using a Quick Group. The default processing time on a Quick Group is Once.

  1. In the console, click Managed Accounts.

Add Managed Accounts to Quck Group

  1. From the Smart Group filter dropdown, select an existing Smart Group in which the managed accounts are members.
  2. Check the boxes for the managed accounts that you want to add to the Quick Group.
  3. Click Add to Smart Group above the grid.
  4. Select Quick Groups from the Category dropdown, and then select a Quick Group from the Smart Group dropdown or create a new one.
  5. Click Add Selected Accounts To Smart Group.
  6. Your new Smart Group is now available in the Smart Group filter dropdown.
  7. To remove accounts from the Quick Group:
    • Select the group from the Smart Group filter dropdown.
    • Check the boxes for each account you wish to remove, and then click Remove From Smart Group above the grid.

 

Select Quick Group on Managed Accounts page

  1. To quickly locate Quick Groups from the Smart Rules page, select Quick Groups from the Category dropdown .
  2. To change the name and description for a Quick Group, or to deactivate a Quick Group:
    • From the Smart Rules page, click the vertical ellipsis for the group, and then select View Details.
    • Make your changes, and then click Save Changes.

 

You cannot add or modify filters or actions for Quick Groups.

You can also quickly manually add managed systems to Smart Groups from the Managed Systems page.

Managed systems do not have a Quick Group category; however, the concept and process is essentially the same as it is for managed accounts.

Add Managed Systems to Quick Group

  1. In the console, click Managed Systems.
  2. From the Smart Group filter dropdown, select an existing Smart Group in which the managed systems are members.
  3. Check the boxes for the managed systems that you want to add to the Quick Group.
  4. Click Add to Smart Group above the grid.
  5. Select a Category from the dropdown, and then select a group from the Smart Group list or create a new one.
  6. Click Add Selected Systems To Smart Group.
  7. Your new Smart Group is now available in the Smart Group filter dropdown.

To remove a managed system from a Smart Group:

  1. Select the Smart Group from the Smart Group filter.
  2. Check the boxes for the managed systems that you want to remove from the group.
  3. Click Remove From Smart Group above the grid.

To change the name and description for a managed system Quick Group, or to deactivate a Quick Group:

  1. Navigate to the Smart Rules page.
  2. Select Managed System from the Smart Rule type filter.
  3. Locate the Quick Group you created.
  4. Click the vertical ellipsis for the group, and then select View Details.
  5. Make your changes, and then click Save Changes.

You cannot add or modify filters or actions for Quick Groups.

For more information about Smart Rule processing, please see Change the Processing Frequency for a Smart Rule.