Use Case 5: Add Directory Admin Accounts for Linux Servers

This use case walks through configuring automatic password rotation for directory admin accounts on Linux servers with auto-approval for SSH sessions enabled.

Directory accounts that have elevated (privileged) access exist within Active Directory. These accounts have permissions to all domain joined Windows servers and should be controlled, audited, and rotated on a regular schedule. For this use case, Password Safe is already managing all Linux domain joined servers by implementing Use Case 2, and a specific set of users are allowed to use these shared accounts.

Since you have already configured asset Smart Groups for discovering assets, asset Smart Groups for adding systems to Password Safe management, and managed system Smart Groups for granting system access in previous use cases, you do not need to create any additional Smart Groups for these purposes.

If you need to add additional servers to Password Safe, you can create new Smart Groups using different address groups or directory queries as applicable, and run new scans as applicable, following the steps outlined in previous use cases.

Additionally, if you require only a subset of systems to be allowed to use these directory accounts, you can create a new managed system Smart Group using more specific selection criteria to provide access to a smaller selection of systems.

For this use case, you will create a managed account Smart Group to add the directory accounts to Password Safe and to link the directory accounts to managed systems.

You must also associate the managed account Smart Group with user groups, and then assign roles and permissions to the associated managed account Smart Group.

For more information, please see Use Case 2: Add Local Root Accounts for Linux Servers.

Create Managed Account Smart Group to Add Directory Accounts to Password Safe and Configure Account Linking

  1. From the left menu in BeyondInsight, click Smart Rules.
  2. Select Managed Account from the Smart Rule Type filter list.
  3. Click Create Smart Rule.

Create New Managed System Smart Rule to add Directory Admin account to Password Safe

  1. Select Managed Accounts from the Category list.
  2. Enter a meaningful Name and Description for the Smart Rule.
  3. Set Selection Criteria as:
    • Directory Query, Include Accounts from Directory Query, <query name>, Discover Accounts for Password Safe Management: enabled

If Password Safe already manages the privileged accounts, you can use criteria of Managed Account Fields > Account Name in the Smart Rule instead of using a directory query. For an example of this option, please see Use Case 6: Add Directory Admin Accounts for Network Devices.

  4. Set Actions:
    • Link domain accounts to Managed Systems, Asset or Managed System Smart Group: <Smart Group that contains the Linux servers to which the accounts will be linked for session management>
    • Manage Account Settings, Password Rule: <password policy>, Enable Automatic Password Management: no
    • Show managed account as Smart Group

The Manage Account Settings action onboards the specific account if it is found in the system's scan results. This action also determines whether the account's password is rotated immediately.

If desired, these actions can be split across multiple managed account Smart Groups, using criteria of Child Smart Rule or other specific criteria for the linking rule action.

  5. Click Create Smart Rule.


Assign User Group Permissions and Roles for Account Access

Associate a user group with the Smart Group that you created for adding accounts to Password Safe management, and then assign permissions, roles, and an access policy to the Smart Group. In this use case, the Password Safe users are Requestors with an access policy to allow auto-approved RDP sessions.

  1. From the left navigation in the BeyondInsight console, click Configuration.
  2. Under Role Based Access, click User Management.
  3. Locate the group in the grid, and then click the vertical ellipsis button for that group.
  4. Select View Group Details.

Assign Permissions and Password Safe Roles to User Group Using a Smart Group

  1. From the Group Details pane, select Smart Groups.
  2. In the Smart Groups Permissions grid, select the Smart Group you created for adding directory accounts for Linux servers to Password Safe, and then click Assign Permissions above the grid.
  3. Select Assign Permissions Read Only.
  4. Click the vertical ellipsis button for the Smart Group, and then select Edit Password Safe Roles.


Assign Password Safe Role and Access Policy to User Group Using a Smart Group

  1. Select the Requestor role, and then select the Access Policy.
  2. Click Save Roles.