Configure Workgroups for Multi-Node and Multi-Tenant Environments

Password Safe allows you to assign worker nodes to workgroups, which gives you more granular control over password changes. Password Safe uses workgroup assignments at the managed account level to allow Password Safe worker nodes to process password changes, password tests, and account notifications for their designated workgroup.

If a worker node is not assigned to a workgroup, the worker node functions on a global level and can change any account that does not have a designated workgroup assigned.

Create a Password Safe Worker Node

This is an automated, self-registered process, so it is not possible to add worker nodes manually. When any node in an active-active configuration is running Password Safe v6.0 or higher, the worker node registers with the BeyondInsight database.

You can view registered Password Safe worker nodes from Configuration > Privileged Access Management > Worker Nodes.

Assign a Password Safe Worker Node to a Workgroup

  1. Select Configuration > Privileged Access Management Agents > Worker Nodes.

Screenshot of the Worker Node - Edit Workgroup Allocation page

  2. Select a worker node from the list on the left. The following options display:
    • Organizations: Use the dropdown list to select the organization.
    • Unassigned: The node is not assigned.
    • Assign to existing workgroup: If selected, use the dropdown list to select the workgroup you want.
  3. Click Save Worker Node when done.

Assign a Workgroup to a Managed Account

You can assign a workgroup to a particular managed account by editing the managed account or by using a Smart Rule.

Select a workgroup from the list on the Edit Managed Account page to assign a workgroup to a managed account.

To assign a workgroup to a particular managed account, go to the Managed Accounts page and select the account to edit. On the Edit Managed Account page, select a workgroup from the dropdown list.

If you set the workgroup value to None, the account can be changed by any Password Safe agent.


Configure Smart Rule to assign workgroup on each account in the Smart Rules Manager.

To assign a workgroup using a Smart Rule, go to the Smart Rules page and create a rule or edit an existing rule. Under Actions, select Assign workgroup on each account.

Assign Agents to Workgroups for Multi-Tenant Environments

After your BeyondInsight environment is configured with multiple organizations, the Password Safe worker nodes must be assigned to a workgroup. Multiple worker nodes can be assigned to one workgroup. This distributes the workload and allows Password Safe to scale if needed for the organization.

In a multi-tenant environment, each organization requires at least one worker node. You can only assign a worker node to one organization. Assigning a worker node to more than one organization is not a supported implementation.

Any managed accounts that are in a workgroup that is not assigned to a worker node will not be processed.

Every time a worker node is reassigned to a workgroup, the Password Safe omniservice must be restarted.

After the worker nodes are assigned, managed accounts can be reassigned to a different workgroup, if required. Managed accounts can be assigned to workgroups manually by editing the Managed Account or by creating a Smart Rule to bulk assign accounts to a new workgroup.
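
The assignment rules above can be checked offline against an inventory of nodes and accounts. The following is an added example, not BeyondTrust code: the record layout, field names, and finding labels are hypothetical, and the sample data is constructed rather than taken from a BeyondInsight export.

```python
from collections import defaultdict

# Constructed sample inventory (hypothetical field names, not a product export format).
ORGANIZATIONS = ["OrgA", "OrgB", "OrgC"]
WORKER_NODES = [
    {"node": "ps-node-01", "organization": "OrgA", "workgroup": "OrgA-WG1"},
    {"node": "ps-node-02", "organization": "OrgA", "workgroup": "OrgA-WG1"},
    {"node": "ps-node-03", "organization": "OrgB", "workgroup": None},  # unassigned node
]
MANAGED_ACCOUNTS = [
    {"account": "svc-sql", "workgroup": "OrgA-WG1"},
    {"account": "root@web01", "workgroup": "OrgB-WG1"},
    {"account": "admin@fw01", "workgroup": None},
]


def audit(orgs, nodes, accounts):
    """Return (finding, name) tuples for the assignment rules stated in this guide."""
    findings = []
    nodes_by_org = defaultdict(set)
    orgs_by_node = defaultdict(set)
    covered = set()  # workgroups served by at least one worker node
    for n in nodes:
        nodes_by_org[n["organization"]].add(n["node"])
        orgs_by_node[n["node"]].add(n["organization"])
        if n["workgroup"]:
            covered.add(n["workgroup"])
    # Each organization requires at least one worker node.
    for org in orgs:
        if not nodes_by_org[org]:
            findings.append(("ORG_WITHOUT_NODE", org))
    # A worker node can be assigned to only one organization.
    for node, node_orgs in sorted(orgs_by_node.items()):
        if len(node_orgs) > 1:
            findings.append(("NODE_IN_MULTIPLE_ORGS", node))
    for a in accounts:
        if a["workgroup"] is None:
            # Workgroup None: the account can be changed by any Password Safe agent.
            findings.append(("ACCOUNT_NOT_SCOPED", a["account"]))
        elif a["workgroup"] not in covered:
            # No worker node serves this workgroup: the account is not processed.
            findings.append(("ACCOUNT_NOT_PROCESSED", a["account"]))
    return findings


if __name__ == "__main__":
    for kind, name in audit(ORGANIZATIONS, WORKER_NODES, MANAGED_ACCOUNTS):
        print(f"{kind}: {name}")
```

An ACCOUNT_NOT_PROCESSED finding means the account's password changes, password tests, and notifications are not running, so it is the one to resolve first.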

Synced Accounts in a Multi-Tenant Environment

When viewing synced accounts on a managed account in a multi-tenant environment, only synced accounts in that organization are displayed.