Work with Managed Accounts


Managed accounts are user accounts that are local or Active Directory accounts on the managed system.

View Managed Accounts

Screenshot of the filters on Managed Accounts page

When viewing managed accounts, the first 100 accounts are displayed in the grid. You can change the number of items displayed on the page using the Items per page dropdown at the bottom of the grid. You can use the Smart Group filter to filter the list by Smart Group and you can also filter the list by various attributes using the Filter by list.

View Managed Account Details

After the account is added to Password Safe management, you can:

  • Review the attributes and settings assigned to the account, such as its identifying details, settings, and policies.
  • View managed systems linked to the account.
  • View Smart Groups associated with the account, along with their last process date and processing status.
  • See which accounts are synced to the managed account.
  • View a list of password changes and the reason for each change.

To view details on a specific managed account:

  1. From the menu on the left in BeyondInsight, select Managed Accounts.

Screenshot of the Go to advanced details menu item for a managed account.

  2. Select the managed account, and then click the vertical ellipsis button for the account.
  3. Select Go to advanced details.

The Advanced Details page of a managed account

  4. All managed account details are displayed under Details & Attributes for quick access.
  5. To see more granular details, click through the tabs to view details on each topic.

Delete Managed Accounts

Managed accounts can be deleted, except for synced accounts. A message is displayed if an account cannot be deleted.

  1. From the menu, select Managed Accounts.

Deleting multiple managed accounts

  2. Select the account or multiple accounts you want to delete, and then click the Delete button above the grid.
  3. Click Delete on the confirmation message.

Unlink Managed Accounts

You can unlink managed accounts from managed systems; however, this applies to Active Directory accounts only. If accounts included in the unlink selection are not domain accounts, no action is taken on those accounts.

  1. From the menu, select Managed Accounts.

Unlinking managed accounts

  2. Select the account or multiple accounts you want to unlink, and then click the Unlink button above the grid.
  3. Click Unlink on the confirmation message.

Change Passwords for Managed Accounts

  1. From the menu, select Managed Accounts.

Screenshot showing changing the password for selected managed accounts.

  2. Select the account or multiple accounts for which you want to change the password, and then click the Change Password button above the grid.
  3. Click Change Password on the confirmation message.

Configure Subscriber Accounts

Any managed account can be synced to multiple accounts. These synced accounts become subscribers to the managed account. The managed account and all of its subscribers always share an identical password. When the password of the managed account or any of the subscriber accounts is changed, Password Safe automatically changes the password of the primary managed account and all of its subscribers to a new password.

Once an account is synchronized as a subscriber account, settings modifications are limited to:

  • Enable API
  • Allow for scanning
  • Application

To sync an account:

  1. From the left menu in BeyondInsight, click Managed Accounts.

Screenshot of Go to advanced details menu option for a managed account.

  2. Select a managed account, and then click the vertical ellipsis button for the account.
  3. Select Go to advanced details.

Screenshot showing Sync Accounts for a managed account.

  4. Under Advanced Details, click Synced Accounts.
  5. Select the account or multiple accounts that you want to sync.
  6. Click Sync Accounts.

Unsync a managed account

  1. To remove a synced account, select the account, and then click the Unsync Accounts button above the grid.

Configure Password Reset for Managed Account Users

You can grant managed account users permission to reset the password on their own managed account, without granting them permission to reset passwords on other managed accounts. You can do this by creating a group, adding the managed account to the group, and then assigning permissions and the Credential Manager role to the group.

Screenshot of Create New Group in BeyondInsight

  1. In the BeyondInsight Console, go to Configuration > Role Based Access > User Management.
  2. Under Groups, click Create New Group.
  3. Select Create a New Group.
  4. Provide a name and description for the group, and then click Create Group.

Screenshot of Assign Users to Group

  5. From the Group Details pane, select Users, and then assign users to the group.
  6. From the Group Details pane, select Features.
  7. Select the Management Console Access and Password Safe Account Management features, and then click Assign Permissions.
  8. Select Assign Permissions Read Only. Do not grant Full Control.

Screenshot of Smart Groups Permissions > Edit Password Safe Roles

  9. From the Group Details pane, select Smart Groups.
  10. Filter the list of Smart Groups by Type > Managed Account.
  11. Select the Smart Group that contains the applicable managed accounts.
  12. Click the vertical ellipsis button for the Smart Group, and then select Edit Password Safe Roles.

Screenshot of Smart Group Permissions > Password Safe Credential Manager Role

  13. Select the Credentials Manager role, and then click Save Roles.

The managed account user can now log in to the console and reset the password for the managed account as follows:

  1. Go to the Managed Accounts page.
  2. Select the account.
  3. Click the vertical ellipsis button for the account.
  4. Select Change Password.

Use a Managed Account as a Discovery Scan Credential

A managed account can be used as a credential when configuring a Discovery Scan.

Once the Scanner option is enabled, the key must be specified again if the account is edited. It may be the same key or a new one.

The following credential types are supported:

  • Windows
  • SSH
  • MySQL
  • Microsoft SQL Server

The following platforms are supported:

  • Windows
  • MySQL
  • Microsoft SQL Server
  • Active Directory
  • Any platform with the IsUnix flag (AIX, HP UX, DRAC, etc.)

To add the managed account as a scan credential:

  1. Go to the Managed Accounts page.
  2. Select the managed account, and then click the vertical ellipsis button for the account.
  3. Select Edit Account.

Screenshot of Edit Managed Account > Scanner Settings

  4. Expand Scanner Settings.
  5. Click the toggle to enable the scanner.
  6. For the Scanner Credential Description, enter a name for the account that can be selected as the credential when setting up the scan details. The name is displayed on the Credentials Management dialog box when setting up the scan.
  7. Assign and confirm a key so that only users that know the key can use the credential for scanning.
  8. Click Update Account.

Managed Account Aliasing

Aliases are accessible using the API only. Account mappings can be changed without affecting the alias name. At least one managed account is required to be mapped for the alias to be active; when an alias has two or more managed accounts mapped, it is considered to be highly available. An account can only be mapped to one alias. Managed account aliases can be accessed from Configuration > Privileged Access Management > Managed Account Aliases.

Create a New Alias

New Account Alias

  1. In the BeyondInsight Console, go to Configuration > Privileged Access Management > Managed Account Aliases.
  2. Click Create New Alias.
  3. Enter a name, and then click Create Alias.

Unmapped alias

The new alias appears on the grid under Account Mappings, which displays all aliases ready to be mapped. New aliases show as Unmapped until they are associated with accounts.

Each managed account can only be mapped to a single alias.

You can use the dropdown to select which accounts to display: All Accounts, Mapped, or Unmapped Accounts only.

The Filter by list allows you to filter accounts by System, Account Name, Account Status, or Last Changed Date.

Unmap an account using the broken link icon

To unmap an account, select the account and click the broken link icon.

Alias Account Details

Mapped accounts have three status values:

  • Active: The account credentials are current and can be requested.
  • Pending: The account credentials are current but the password is queued to change.
  • Inactive: The account password is changing.

The list of mapped accounts is rotated in a round-robin fashion, typically in order of last password change date. The preferred account, or the account whose status is active and has the oldest change date, is returned on the Alias API model.
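
The alias rules above (one alias per account, alias state by number of mappings, and the preferred account being the Active one with the oldest change date) can be modelled as follows. This is an added illustration, not BeyondTrust code or its API; the class and function names are hypothetical and the sample accounts are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime

@dataclass
class MappedAccount:
    name: str
    status: str  # "Active", "Pending" or "Inactive"
    last_changed: datetime

@dataclass
class Alias:
    name: str
    accounts: list = field(default_factory=list)

    def state(self):
        # Unmapped with no accounts, active with one, highly available with two or more.
        return ("Unmapped", "Active", "Highly available")[min(len(self.accounts), 2)]

    def preferred(self):
        # Only Active accounts can be requested; the oldest change date wins.
        active = [a for a in self.accounts if a.status == "Active"]
        return min(active, key=lambda a: a.last_changed, default=None)

class AliasRegistry:  # hypothetical helper: enforces one alias per account
    def __init__(self):
        self.owner = {}  # account name -> alias name
    def map(self, alias, account):
        if account.name in self.owner:
            raise ValueError(f"{account.name} is already mapped to {self.owner[account.name]}")
        self.owner[account.name] = alias.name
        alias.accounts.append(account)

def change_password(account, when):
    # A completed change makes the account Active again with a fresh change date.
    account.status, account.last_changed = "Active", when

def demo():
    # Constructed sample accounts; not real data.
    reg, alias = AliasRegistry(), Alias("svc-app")
    a = MappedAccount("svc-app-1", "Active", datetime(2024, 1, 1))
    b = MappedAccount("svc-app-2", "Active", datetime(2024, 2, 1))
    reg.map(alias, a)
    reg.map(alias, b)
    picks = [alias.preferred().name]          # oldest Active account: svc-app-1
    a.status = "Pending"                      # svc-app-1 is queued for a change
    picks.append(alias.preferred().name)      # only svc-app-2 is Active
    change_password(a, datetime(2024, 3, 1))  # svc-app-1 Active again, newest date
    picks.append(alias.preferred().name)      # svc-app-2 is now the oldest Active
    return alias.state(), picks
```

Because only Active accounts are eligible, an alias with a single mapped account returns no preferred account while that account's password is changing, which is the gap a second mapping closes.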