Use Case Preparation

The use cases provided in this document use Smart Groups to accomplish the following:

  • Discover assets and accounts using a Discovery Scan.
  • Add assets and accounts into Password Safe management.
  • Assign permissions and roles to user groups.

Required Service Accounts

Password Safe uses the following three types of service accounts that you must create in BeyondInsight prior to implementing the use cases in this guide:

  • Credentials for Discovery Scans: Detailed and advanced Discovery Scans require a credential that has privileges to discover the details for services, tasks, systems, devices, users, and databases from Active Directory or LDAP. To implement the use cases in this guide, you must create a credential that has sufficient privileges to retrieve this information from your directory. You can create credentials from the BeyondInsight Console by navigating to Configuration > Discovery and Vulnerability Management > Credentials.

  • Functional Accounts: Smart Groups for adding assets into Password Safe management require a functional account that can access the assets with the privileges required to manage and change passwords on the accounts associated with those assets. To implement the use cases in this guide, you must create a functional account for each of the following:
    • Windows servers
    • Linux servers
    • Network devices
  • Directory Credentials: Smart Groups for discovering Windows servers and directory accounts use a directory query for the Discovery Scan to pull details from Active Directory or LDAP and populate the Smart Group. A directory query requires a directory credential that has privileges to access the directory and request this information. To implement the use cases in this guide, you must create a directory credential for each of the following:
    • Windows servers
    • Windows directory accounts
    • Linux directory accounts

Preparation for Smart Groups

A Smart Group provides a way of grouping systems and accounts using filter conditions and actions called Smart Rules.

The following items must be configured in BeyondInsight prior to creating the Smart Groups for each use case:

  • Directory Query: Smart Groups for discovering Windows servers and directory accounts use a directory query for the Discovery Scan to pull details from Active Directory or LDAP and populate the Smart Group. You must create a directory query for each of the following:
    • Windows servers
    • Windows directory accounts
    • Linux directory accounts
  • Address Group: Smart Groups for discovering Linux servers and network devices use address groups for the Discovery Scan to discover and pull details for these assets from Active Directory or LDAP and populate the Smart Group. You need to create an address group for each of the following:
    • Linux servers
    • Network devices
  • Access Policy: An access policy to allow approved RDP and SSH sessions must be configured so it can be assigned to user groups when assigning roles and permissions for each of the use cases.

For more information on creating credentials, Smart Rules, functional accounts, address groups, access policies, directory credentials, and directory queries, please see the following:

  • "Add Credentials for Use in Scans, Use Smart Rules to Organize Assets, Create and Edit Directory Credentials, Create a Directory Query" in the BeyondInsight User Guide
  • "Work with Smart Rules, Create a Functional Account, Create an Address Group, Configure Access Policies" in the Password Safe Admin Guide