Vault for Privileged Remote Access

Accounts: Manage Vault Accounts

View and manage information about all discovered and manually added accounts.

Vault can import, rotate, and manage up to 60,000 accounts.

Available information for shared accounts includes:

  • Type: The type of account: domain account, local account, or generic password account.
  • Name: The name of the account.
  • Username: The username associated with the account.
  • Group: The name of the account group to which the account belongs.
  • Endpoint: The endpoint with which the account is associated.
  • Account Policy: The account policy the Vault account is using.
  • Description: Short description about the account.
  • Last Checkout: The last time the account was checked out.
  • Password Age: The age of the password.
  • Status: The status of the account. For example, warnings, errors, and if the account is checked out are indicated in this column. This column is auto-hidden when there aren't any statuses to indicate for any accounts. Multiple statuses are stacked and indicated in different colors. You can mouse-hover over a specific status to view more details about it.

You can filter the list of shared accounts displayed using the filters for Group and Password Age.

Based on this information, you can perform various actions, including credential check out, check in, and credential rotation.

Available information for personal accounts includes:

  • Type: The type of account: domain account, local account, or generic password account.
  • Name: The name of the account.
  • Owner: The name of the person who created and owns the account.
  • Description: Short description about the account.
  • Password Age: The age of the password.

You can filter the list of personal accounts displayed by Owner and Password Age.

Accounts

Add Account

Click Add to manually add shared or personal generic accounts to the BeyondTrust Vault.

Rotate

Select one or more discovered (non-generic) accounts, click Rotate, and then click Start Rotation.

  • Service accounts running in a failover cluster environment cannot be rotated. The error "Failover Cluster detected. Unable to change the run-as password for the service <service_name>" appears when a rotation attempt is made and Rotation Failed is indicated in the Status column for the service.
  • Services using a Microsoft Graph account as the Run As account cannot be rotated.
  • Services that have dependent services cannot be rotated, due to the risk of services within the service chain not restarting successfully.

For more information, please see Rotate Privileged Credentials Using BeyondTrust Vault.

Search Shared Accounts

Search for a specific shared account or a group of accounts based on Name, Endpoint Name, and Description.

Select Visible Columns

Click the Select Visible Columns button (columns icon) above the Accounts grid and select the columns to display in the grid.

Check Out and Check In a Shared Account

Click Check Out to view and use a shared credential. When selected, the Account Password prompt appears, displaying the credential for 60 seconds to allow you to copy the password. Once the prompt is closed, the Check In option becomes available. When finished using the account, click Check In to check the password back into the system.

For more information, please see Check Out Credentials from the PRA /login Interface.

Ellipsis Menu for Shared Accounts

Click the ellipsis (...) to view more actions, such as Rotate Password, Edit, and Delete. When Rotate Password is selected, the system automatically rotates or changes the password. When Edit is selected, you can modify the account's information. The Delete option removes the account from the Accounts list.

  • Service accounts running in a failover cluster environment cannot be rotated. The error "Failover Cluster detected. Unable to change the run-as password for the service <service_name>" appears when a rotation attempt is made and Rotation Failed is indicated in the Status column for the service.
  • Services using a Microsoft Graph account as the Run As account cannot be rotated.
  • Services that have dependent services cannot be rotated, due to the risk of services within the service chain not restarting successfully.

For more information, please see Rotate Privileged Credentials Using BeyondTrust Vault.

Search Personal Accounts

Search for a specific personal account or a group of accounts based on Name and Description.

View Password for Personal Account

Click View Password to view and use a personal credential. When selected, the Account Password prompt appears, displaying the credential for 60 seconds to allow you to copy the password.

Edit Personal Account

Click Edit Account to modify the account's information, specifically Name, Description, Username, and Password.

Add Shared Account

The Add > Shared Generic Account option allows you to add accounts without having to run a discovery job. Instead, you can manually enter information about the account. This option is helpful in situations where a shared account or username/password combination can be used to access many different systems.

Name

Enter a name for the account.

Description

Enter a brief and memorable description of the account.

Username

Provide the username for the account.

Authentication

Select the authentication method for the account: Password, SSH Private Key, or SSH Private Key With Certificate.

If you use an SSH private key for authentication, you must provide a private key for the account in OpenSSH format. Optionally, you can include the passphrase associated with the private key.

Password

If Password is selected for authentication, you must enter the password for the account and confirm the password.

SSH Private Key

If SSH Private Key is selected for authentication, you must enter the SSH private key for the account, and the SSH key passphrase if applicable.

SSH Private Key With Certificate

If SSH Private Key With Certificate is selected for authentication, you must enter the SSH private key for the account, and the SSH key passphrase if applicable. You must also provide the SSH public certificate for the account.

Account Policy

Select a specific policy for the account or leave Account Policy set to the default value of Inherit Policy Settings, in which case the account inherits the policy settings of the account group. If no account group is selected for the account, the account inherits the policy settings set for the global default account policy on the Vault > Options page.

Account Group

Select a group from the list to add the shared account to an account group. If a group is not selected, the account is added to the Default Group.

Group Policies

If the account was added to any group policies, they are listed here, along with their Vault account roles.

Account Users

New User Name

Select users who are allowed to access this account.

New Member Role

Select the Vault account role for the new user, and then click Add. Users can be assigned one of two roles:

  • Inject: (default value) Users with this role can use this account in Privileged Remote Access sessions.
  • Inject and Checkout: Users with this role can use this account in Privileged Remote Access sessions and can check out the account on /login. The Checkout permission has no effect on generic SSH accounts.

The Vault Account Role is visible in the list of users added to the Vault Account.

When upgrading to a BeyondTrust Privileged Remote Access installation with the Configurable Vault Checkout feature, all existing Vault Account Memberships that were configured in Group Policies before the upgrade will have their Vault Account Role set to Inject and Checkout by default after the upgrade.

Vault Account Role Precedence: Vault Account Roles can be assigned to both users and group policies. This means the same user can have different roles for a single Vault account. One role can be assigned by the user's group policies, while a different role can be assigned by the user's explicit access to the Vault Account. In such cases, the system uses the most-specific role for that user. Therefore, the system will let the role assigned on the Edit Vault Account page override the role assigned on the user's group policy. When the role is overridden in such a way, the word overridden appears on the Edit Vault Account page for the user's group policy membership. This behavior is consistent with the order of precedence for Jump Item Roles.

User accounts with the Allowed to Administer Vault permission are implicitly allowed to access every Vault account.

Jump Item Associations

Select the type of Jump Item Associations for the account. The Jump Item Associations setting determines which Jump Items the account is associated with, so the account is available only for relevant target machines in the access console during credential injection attempts. Select one of the following association methods:

  • Inherited from the Account Group: Associations for this account are determined by the associations defined in this account's Account Group.
  • Any Jump Items: This account can be injected within any session started from a Jump Item in which the account is applicable.
  • No Jump Items: This account cannot be injected into any session started from a Jump Item.
  • Jump Items Matching Criteria: This account can be injected only within sessions started from Jump Items that match the criteria you define, in which the account is applicable.
    • You can define a direct association between Vault accounts and specific Jump Items by selecting the Jump Items from the list, and then clicking Add Jump Item.
    • You can further define the association between Vault accounts and Jump Items by specifying matching criteria based on the following Jump Item attributes. If configured, the account is available for injection for any Jump Items that match the specified attribute criteria in addition to any specific Jump Items you added as matching criteria.
      • Shared Jump Groups: Select a Jump Group from the list.
      • Name: This filter is matched against the value that appears in the Name column of the Jump Item in the access console.
      • Hostname / IP: This filter is matched against the value that appears in the Hostname / IP column of the Jump Item in the access console.
      • Tag: This filter is matched against the value that appears in the Tag column of the Jump Item in the access console.
      • Comments: This filter is matched against the value that appears in the Comments column of the Jump Item in the access console.

Click the i icon for each option and attribute to view more specific information about it.

Local accounts are available for injection within the endpoints on which they were discovered.

Add Personal Account

The Add > Personal Generic Account option allows you to manually add a personal generic account.

Name

Enter a name for the account.

Description

Enter a brief and memorable description of the account.

Username

Provide the username for the account.

Authentication

Select the authentication method for the account: Password, SSH Private Key, or SSH Private Key With Certificate.

If you use an SSH private key for authentication, you must provide a private key for the account in OpenSSH format. Optionally, you can include the passphrase associated with the private key.

Password

If Password is selected for authentication, you must enter the password for the account and confirm the password.

SSH Private Key

If SSH Private Key is selected for authentication, you must enter the SSH private key for the account, and the SSH key passphrase if applicable.

SSH Private Key With Certificate

If SSH Private Key With Certificate is selected for authentication, you must enter the SSH private key for the account, and the SSH key passphrase if applicable. You must also provide the SSH public certificate for the account.

Edit Local Account

Name

View or edit the name used for the account.

Description

View or edit the description of the account.

Username

View the username associated with the account.

Password

Enter a new password for the account, or leave the field blank to keep the existing password. Confirm the password entered.

Password Age

View the age of the existing password.

Account Policy

Select a specific policy for the account or leave Account Policy set to the default value of Inherit Policy Settings, in which case the account inherits the policy settings of the account group. If no account group is selected for the account, the account inherits the policy settings set for the global default account policy on the Vault > Options page.

Account Group

Select a group from the list to add the account to an account group. If a group is not selected, the account is added to the Default Group.

Endpoint Name

View which endpoint or endpoints are associated with the account.

Endpoint Hostname

View the hostname of the associated endpoints.

Account Users

Select users who are allowed to access this account, as well as their Vault account role, and then click Add.

User accounts with the Allowed to Administer Vault permission are implicitly allowed to access every Vault account.

Jump Item Associations

Select the type of Jump Item Associations for the account. The Jump Item Associations setting determines which Jump Items the account is associated with, so the account is available only for relevant target machines in the access console during credential injection attempts. Select one of the following association methods:

  • Inherited from the Account Group: Associations for this account are determined by the associations defined in this account's Account Group.
  • Any Jump Items: This account can be injected within any session started from a Jump Item in which the account is applicable.
  • No Jump Items: This account cannot be injected into any session started from a Jump Item.
  • Jump Items Matching Criteria: This account can be injected only within sessions started from Jump Items that match the criteria you define, in which the account is applicable.
    • You can define a direct association between Vault accounts and specific Jump Items by selecting the Jump Items from the list, and then clicking Add Jump Item.
    • You can further define the association between Vault accounts and Jump Items by specifying matching criteria based on the following Jump Item attributes. If configured, the account is available for injection for any Jump Items that match the specified attribute criteria in addition to any specific Jump Items you added as matching criteria.
      • Shared Jump Groups: Select a Jump Group from the list.
      • Name: This filter is matched against the value that appears in the Name column of the Jump Item in the access console.
      • Hostname / IP: This filter is matched against the value that appears in the Hostname / IP column of the Jump Item in the access console.
      • Tag: This filter is matched against the value that appears in the Tag column of the Jump Item in the access console.
      • Comments: This filter is matched against the value that appears in the Comments column of the Jump Item in the access console.

Click the i icon for each option and attribute to view more specific information about it.

Local accounts are available for injection within the endpoints on which they were discovered.

Edit Domain Account

Name

View or edit the name used for the account.

Description

View or edit the description of the account.

Username

View the username associated with the account.

Password

Enter a new password for the account, or leave the field blank to keep the existing password. Confirm the password entered.

Password Age

View the age of the existing password.

Distinguished Name

View the distinguished name for the account.

Account Policy

Select a specific policy for the account or leave Account Policy set to the default value of Inherit Policy Settings, in which case the account inherits the policy settings of the account group. If no account group is selected for the account, the account inherits the policy settings set for the global default account policy on the Vault > Options page.

Account Group

Select a group from the list to add the account to an account group. If a group is not selected, the account is added to the Default Group.

Account Users

Select users who are allowed to access this account, as well as their Vault account role, and then click Add.

User accounts with the Allowed to Administer Vault permission are implicitly allowed to access every Vault account.

Jump Item Associations

Select the type of Jump Item Associations for the account. The Jump Item Associations setting determines which Jump Items the account is associated with, so the account is available only for relevant target machines in the access console during credential injection attempts. Select one of the following association methods:

  • Inherited from the Account Group: Associations for this account are determined by the associations defined in this account's Account Group.
  • Any Jump Items: This account can be injected within any session started from a Jump Item in which the account is applicable.
  • No Jump Items: This account cannot be injected into any session started from a Jump Item.
  • Jump Items Matching Criteria: This account can be injected only within sessions started from Jump Items that match the criteria you define, in which the account is applicable.
    • You can define a direct association between Vault accounts and specific Jump Items by selecting the Jump Items from the list, and then clicking Add Jump Item.
    • You can further define the association between Vault accounts and Jump Items by specifying matching criteria based on the following Jump Item attributes. If configured, the account is available for injection for any Jump Items that match the specified attribute criteria in addition to any specific Jump Items you added as matching criteria.
      • Shared Jump Groups: Select a Jump Group from the list.
      • Name: This filter is matched against the value that appears in the Name column of the Jump Item in the access console.
      • Hostname / IP: This filter is matched against the value that appears in the Hostname / IP column of the Jump Item in the access console.
      • Tag: This filter is matched against the value that appears in the Tag column of the Jump Item in the access console.
      • Comments: This filter is matched against the value that appears in the Comments column of the Jump Item in the access console.

Click the i icon for each option and attribute to view more specific information about it.

Local accounts are available for injection within the endpoints on which they were discovered.
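The Jump Item Associations setting described in the Add Shared Account, Edit Local Account, and Edit Domain Account sections can be checked against a set of Jump Items with a small model like the following. This is an added example, not BeyondTrust code; it assumes that a directly added Jump Item always matches, that attribute filters are case-insensitive substring matches, and that every configured filter (including the Shared Jump Group) must match, since the page does not state the exact matching rules.

```python
# Constructed model (not BeyondTrust code) of how a Vault account's Jump Item
# Associations decide which Jump Items it can be injected into. Assumed: a
# direct association always matches; otherwise every configured attribute
# filter must match (case-insensitive substring) and the Jump Group must match.
from dataclasses import dataclass, field

@dataclass
class JumpItem:
    name: str
    hostname: str
    jump_group: str
    tag: str = ""
    comments: str = ""

@dataclass
class Criteria:
    jump_items: set = field(default_factory=set)   # Jump Items added directly
    jump_groups: set = field(default_factory=set)  # Shared Jump Groups filter
    name: str = ""       # attribute filters, "" means not configured
    hostname: str = ""
    tag: str = ""
    comments: str = ""

@dataclass
class Account:
    name: str
    association: str                      # inherit | any | none | criteria
    criteria: Criteria = field(default_factory=Criteria)
    group_association: str = "any"        # defined on the Account Group
    group_criteria: Criteria = field(default_factory=Criteria)

def _criteria_match(c: Criteria, item: JumpItem) -> bool:
    if item.name in c.jump_items:
        return True
    filters = [(c.name, item.name), (c.hostname, item.hostname),
               (c.tag, item.tag), (c.comments, item.comments)]
    if not c.jump_groups and not any(f for f, _ in filters):
        return False                      # nothing configured: no match
    if c.jump_groups and item.jump_group not in c.jump_groups:
        return False
    return all(not f or f.lower() in a.lower() for f, a in filters)

def can_inject(account: Account, item: JumpItem) -> bool:
    mode, crit = account.association, account.criteria
    if mode == "inherit":                 # defer to the Account Group setting
        mode, crit = account.group_association, account.group_criteria
    if mode in ("any", "none"):
        return mode == "any"
    return _criteria_match(crit, item)

# Constructed sample: a Databases-scoped account with a hostname filter, plus the bastion added directly.
ITEMS = [JumpItem("db-prod-01", "db01.corp.example", "Databases", tag="prod"),
         JumpItem("db-test-01", "db01.test.example", "Databases", tag="test"),
         JumpItem("bastion", "bastion.corp.example", "Infra")]
SVC_ACCOUNT = Account("svc-dbbackup", "criteria",
                      Criteria(jump_items={"bastion"}, jump_groups={"Databases"},
                               hostname=".corp.example"))

def injectable(account: Account) -> list[str]:
    return [i.name for i in ITEMS if can_inject(account, i)]
```

Running injectable(SVC_ACCOUNT) returns the production database Jump Item and the bastion, while the test host is excluded by the hostname filter.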

Edit Personal Generic (Password) Account

Name

Enter a name for the account.

Description

Enter a brief and memorable description of the account.

Username

Provide the username for the account.

Password and Confirm Password

If Password is selected for authentication, you must enter the password for the account and confirm the password.