Work with Smart Rules
You can use Smart Groups to add assets, systems, and accounts into Password Safe management. The Smart Rule filters that you configure for the Smart Groups determine the assets that are added as managed systems and managed accounts in Password Safe.
There are three types of Smart Rules available with a Password Safe license: Asset, Managed Account, and Managed System.
You can use Smart Rules to add the following types of assets:
- Network Devices
- Local Linux and Windows accounts
- Active Directory accounts
- Dedicated accounts
The settings in a Smart Rule override the settings configured on the managed system.
For more information on using Smart Rules, please see the BeyondInsight User Guide.
Predefined Smart Groups
By default there are Smart Groups already defined and created.
The following tables list Smart Groups useful in Password Safe environments.
Asset Based Smart Groups
|All Assets in Password Safe||Assets and Devices||All assets under Password Safe management.|
|Recent Assets not in Password Safe||Assets and Devices||All assets discovered in the last 30 days that have not yet been added to Password Safe.|
|Recent Non Windows Assets not in Password Safe||Assets and Devices||All non Windows assets discovered in the last 30 days that have not yet been added to Password Safe.|
|Recent Windows Servers not in Password Safe||Servers||Windows servers discovered in the last 30 days that have not yet been added to Password Safe.|
|Recent Virtual Servers not in Password Safe||Virtualized Devices||Virtualized server assets discovered in the last 30 days that have not yet been added to Password Safe.|
Managed System Smart Rules
|Database Managed Systems||Types||Database Managed Systems|
|Directory Managed Systems||Types||Directory Manged Systems|
|Cloud Managed Systems||Types||Cloud Managed Systems|
|Asset Managed Systems||Types||All Managed Systems associated with BeyondInsight Assets|
|All Managed Systems associated with BeyondInsight Assets||Managed Systems||All Managed Systems associated with BeyondInsight Assets|
|All Managed Systems not associated with BeyondInsight Assets||Managed Systems||All Managed Systems not associated with BeyondInsight Assets|
|All Managed Systems||Managed Systems||All Managed Systems|
|Recently Added Managed Systems||Managed Systems||Managed Systems added less than 30 days ago|
Managed Accounts Smart Groups
|All Managed Accounts||All accounts managed by Password Safe.|
|Recently Added Managed Accounts||Filters on managed accounts added less than 30 days ago.|
|Database Managed Accounts||Filters on the database platform and includes SQL Server and Oracle platforms.|
|Hardware Device Managed Accounts||Filters on hardware devices including Dell DRAC and HP iLO platforms.|
|Linux Managed Accounts||Filters on the Linux platform.|
|Mac Managed Accounts||Filters on the macOS platform.|
|Unix Managed Accounts||Filters on the Unix platform.|
|Windows Managed Accounts||Filters on the Windows platform.|
Considerations When Designing Smart Rules
- The filter criteria is processed hierarchically. When creating the filter structure, place the filters that reduce the largest number of entities at the top of the hierarchy.
- When adding Active Directory accounts using a directory query, ensure the query is as restrictive as possible. For example, configure the query on a smaller set of data in your environment.
- When adding assets to Password Safe, be cautious about creating more than one Smart Rule with the same systems or accounts. If the Smart Rules have different actions, they will start continually overwriting each other in an endless loop.
- There can be delays when a Smart Rule depends on external data source, such as LDAP, as processing can take longer. For example, a directory query that uses the discover accounts feature (managed account Smart Rule) or discover assets feature (asset-based Smart Rule).
Smart Rule Processing
A Smart Rule processes and updates information in Smart Groups when certain actions occur, such as the following:
- The Smart Rule is edited and saved.
- A timer expires.
- You manually kick off the processing by selecting the Smart Rule from the grid on the Smart Rules page, and then click Process.
The Process action from the grid on the Smart Rules page does not apply to Managed Account Quick Group Smart Rules, because these only run once upon creation and cannot be triggered to run again.
- A Smart Rule with Smart Rule children triggers the children to run before the parent completes.
- Managed account Smart Rules with selection criteria Dedicated Account process when a change to a mapped group is detected. This can occur in the following scenarios:
- A new user logs on.
- The group refreshes in Active Directory by an administrator viewing or editing the group in Configuration > Role Based Access > User Management.
By default, Smart Rules process when asset changes are detected. The assets in the Smart Rule are then dynamically updated. For Smart Rules that require more intensive processing, you might want Smart Rules to process less frequently.
To provide more restrictive processing, you can select alternate frequency settings to override the default processing. The Smart Rules process in the selected time frame (for example, the rule processes once a week).
When creating a new Smart Rule or updating an existing one, select your desired frequency from the Reprocessing limit list in the Details section.
A Smart Rule is always process when first saved or updated.
View and Select Smart Rules Processing Statistics
The Smart Rules grid displays some processing statistics by default. Additional Smart Rules processing statistics, such as Processed Date, Successful Attempts, and Failed Attempts are available and can be displayed in the Smart Rules grid.
To add this information to the grid:
- From the left menu in the BeyondInsight Console, click Smart Rules.
- Click the Column chooser icon in the upper right of the grid.
- Click the desired column to add that information to the grid.
- Check marks indicate columns currently displayed.
- You can remove a displayed column by clicking the column name in the Column chooser list.
- If there are more columns displayed than can fit in the width of the screen, a scroll bar appears at the bottom of the grid. It may be necessary to scroll sideways to view any additional columns.
Use Dedicated Account Smart Rule
A dedicated account Smart Rule allows you to dynamically map dedicated administrator accounts outside of BeyondInsight to users in a BeyondInsight group.
- In the console, click Managed Accounts.
- Click Manage Smart Rules.
- Click Create Smart Rule.
- Under Selection Criteria, select Dedicated Account, and then define filter rules.
- Under Actions, select Map Dedicated Accounts To, and then select a user group.
- Click Add another action.
- Select Show managed account as Smart Group.
- Click Create Smart Rule.
After setting up the Smart Rule, you must assign permissions and roles to the group.
- In the console, click Configuration.
- Under Role Based Access, click User Management.
- Select the group.
- Click the More Options button for the selected group.
- Click View Group Details.
- In the Smart Group Permissions pane, select the newly created dedicated account Smart Group.
- Click Assign Permissions > Assign Permissions Read Only.
If there is more than one match to the usernames which match the criteria in the dedicated accounts Smart Group, you must edit the Smart Group to exclude the duplicate matches.
Use Quick Groups
For a simpler way to organize managed accounts, you can group them using a Quick Group. The default processing time on a Quick Group is Once.
- In the console, click Managed Accounts.
- From the Smart Group filter, select an existing Smart Group where the managed accounts are members.
- Check the boxes for the managed accounts that you want to add to the Quick Group.
- Click Add to Smart Group.
- Select Quick Groups from the Category list, and then select a Quick Group from the Smart Group list or create a new one.
- Quick Groups are displayed in a Quick Groups category on the Smart Rules page.
- You can change the name and description by clicking the More Options icon, and then selecting View Details.
You can add and remove accounts from Quick Groups on the Managed Accounts page. You cannot add or modify filters or actions for Quick Groups.
For more information about Smart Rule processing, please see Change the Processing Frequency for a Smart Rule.