Configure Workgroups for Multi-Node and Multi-Tenant Environments
Password Safe allows you to assign
Create a Password Safe Worker Node
This is an automated self registered process, so it is not possible to add worker nodes manually. When any node in an active active configuration is running Password Safe, v6.0 or higher, the worker node registers with the BeyondInsight database.
You can view registered Password Safe worker nodes from Configuration > Privileged Access Management > Worker Nodes.
Assign a Password Safe Worker Node to a Workgroup
- Select Configuration > Privileged Access Management Agents > Worker Nodes.
- Select a worker node from the list on the left. The following options display:
- Organizations: Use the dropdown list to select the organization.
- Unassigned: The node is not assigned.
- Assign to existing workgroup: If selected, use the dropsdown list to select the workgroup you want.
Click Save Worker Node when done.
Assign a Workgroup to a Managed Account
You can assign a workgroup to a particular managed account by editing the managed account or by using a Smart Rule.
To assign a workgroup to particular managed account, go the Managed Accounts page and select the account to edit. On the Edit Managed Account page, select a workgroup from the dropdown list.
If you set the workgroup value to None, the account can be changed by any Password Safe agent.
To assign a workgroup using a Smart Rule, go the Smart Rules page, and create or a edit an existing rule. Under Actions, select Assign workgroup on each account.
Assign Agents to Workgroups for Multi-Tenant Environments
After your BeyondInsight environment is configured with multiple organizations, the Password Safe worker nodes must be assigned to a workgroup. Multiple worker nodes can be assigned to one workgroup. This distributes the workload and allows Password Safe to scale if needed for the organization.
In a multi-tenant environment, each organization requires at least one worker node. You can only assign a worker node to one organization. Assigning a worker node to more than one organization is not a supported implementation.
Any managed accounts that are in a workgroup that is not assigned to a worker node will not be processed.
Every time a worker node is reassigned to a workgroup, the Password Safe omniservice must be restarted.
After the worker nodes are assigned, managed accounts can be reassigned to a different workgroup, if required. Managed accounts can be assigned to workgroups manually by editing the Managed Account or by creating a Smart Rule to bulk assign accounts to a new workgroup.
For more information, please see the following:
- For more information on assigning managed accounts to workgroups, Assign a Workgroup to a Managed Account
- For more information on how to configure a multi-tenant environment, the The BeyondInsight User Guide
Synced Accounts in a Multi-Tenant Environment
When viewing synced accounts on a managed account in a multi-tenant environment, only synced accounts in that organization are displayed.