Vault for Privileged Remote Access

Accounts: Manage Vault Accounts

Vault

Accounts

View and manage information about all discovered and manually added accounts.

Available information for shared accounts includes:

  • Type: The type of account, specifically, whether it is a domain or a local account, or a generic password account.
  • Name: The name of the account.
  • Group: The name of the account group to which the account belongs.
  • Endpoint: The endpoint with which the account is associated.
  • Description: Short description about the account.
  • Last Checkout: The last time the account was checked out.
  • Password Age: The age of the password.

You can filter the list of shared accounts displayed using the filters for Group and Password Age.

Based on this information, you can perform various actions, including credential check out, check in, and credential rotation.

Available information for personal accounts includes:

  • Type: The type of account, specifically, whether it is a domain or a local account, or a generic password account.
  • Name: The name of the account.
  • Owner: The name of the person who created and owns the account.
  • Description: Short description about the account.
  • Password Age: The age of the password.

You can filter the list of personal accounts displayed by Owner and Password Age.

Accounts

Add Account

Click Add to manually add shared or personal generic accounts to the BeyondTrust Vault.

Search Shared Accounts

Search for a specific shared account or a group of accounts based on Name, Endpoint Name, and Description.

Check Out and Check In a Shared Account

Click Check Out to view and use a shared credential. When selected, the Account Password prompt appears, displaying the credential for 60 seconds to allow you to copy the password. Once the prompt is closed, the Check In option becomes available. When finished using the account, click Check In to check the password back into the system.

For more information, please see Check Out Credentials from the PRA /login Interface.

Ellipsis Menu for Shared Accounts

Click the ellipsis (...) to view more actions, such as Rotate Password, Edit, and Delete. When Rotate Password is selected, the system automatically rotates or changes the password. When Edit is selected, you can modify the account's information. The Delete option removes the account from the Accounts list.

For more information, please see Rotate Privileged Credentials Using BeyondTrust Vault.

Search Personal Accounts

Search for a specific personal account or a group of accounts based on Name and Description.

View Password for Personal Account

Click View Password to view and use a personal credential. When selected, the Account Password prompt appears, displaying the credential for 60 seconds to allow you to copy the password.

Edit Personal Account

Click Edit Account to modify the account's information, specifically Name, Description, Username, and Password.

Add Shared Generic Account

The Add > Shared Generic Account option allows you to add accounts without having to run a discovery job. Instead, you can manually enter information about the account. This option is helpful in situations where a shared account or username/password combination can be used to access many different systems.

Name

Enter a name for the account.

Description

Enter a brief and memorable description of the account.

Username

Provide the username for the account.

Authentication

Select the authentication method for the account: Password or SSH Private Key.

If you use an SSH private key for authentication, you must provide a private key for the account in OpenSSH format. Optionally, you can include the passphrase associated with the private key.

Password and Confirm Password

If Password is selected for authentication, you must enter the password for the account and confirm the password.

SSH Private Key

If SSH Private Key is selected for authentication, you must enter the SSH private key for the account.

SSH Private Key

Provide the SSH private key information.

SSH Key Passphrase

If applicable, enter the SSH private key's passphrase.

Allow Simultaneous Checkout

If the account can be checked out and used by multiple users or sessions at the same time, select this option.

Account Group

Select a group from the list to add the shared account to an account group. If a group is not selected, the account is added to the None system group.

Account Users

New User Name

Select users who are allowed to access this account.

New Member Role

Select the Vault account role for the new user, and then click Add. Users can be assigned one of two roles:

  • Inject (default value): Users with this role can use this account in Privileged Remote Access sessions.
  • Inject and Checkout: Users with this role can use this account in Privileged Remote Access sessions and can check out the account on /login. The Checkout permission has no effect on generic SSH accounts.

The Vault Account Role is visible in the list of users added to the Vault Account.

When upgrading to a BeyondTrust Privileged Remote Access installation with the Configurable Vault Checkout feature, all existing Vault Account Memberships that were configured in Group Policies before the upgrade will have their Vault Account Role set to Inject and Checkout by default after the upgrade.

Vault Account Role Precedence: Vault Account Roles can be assigned to both users and group policies. This means the same user can have different roles for a single Vault account. One role can be assigned by the user's group policies, while a different role can be assigned by the user's explicit access to the Vault Account. In such cases, the system uses the most-specific role for that user. Therefore, the system will let the role assigned on the Edit Vault Account page override the role assigned on the user's group policy. When the role is overridden in such a way, the word overridden appears on the Edit Vault Account page for the user's group policy membership. This behavior is consistent with the order of precedence for Jump Item Roles.

User accounts with the Allowed to Administer Vault permission are implicitly allowed to access every Vault account.
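The precedence rule and the upgrade default described above can be turned into a small access-review check. This is an added example, not BeyondTrust code or a BeyondTrust API: the `Membership` record, its field names, and the sample users and accounts are hypothetical, and it assumes at most one group policy role per user and account.

```python
from dataclasses import dataclass
from typing import Optional

INJECT = "Inject"
CHECKOUT = "Inject and Checkout"

@dataclass
class Membership:
    user: str
    account: str
    explicit_role: Optional[str] = None      # set on the Edit Vault Account page
    group_policy_role: Optional[str] = None  # inherited from a group policy

def effective_role(m: Membership) -> Optional[str]:
    """Most-specific role wins: an explicit assignment overrides group policy."""
    return m.explicit_role if m.explicit_role is not None else m.group_policy_role

def review(memberships):
    """Return (user, account, effective role, note) rows worth a reviewer's look."""
    findings = []
    for m in memberships:
        role = effective_role(m)
        if m.explicit_role and m.group_policy_role:
            if m.explicit_role == m.group_policy_role:
                continue  # the override changes nothing
            change = "widens" if m.explicit_role == CHECKOUT else "narrows"
            findings.append((m.user, m.account, role,
                             f"explicit role {change} group policy role"))
        elif m.group_policy_role == CHECKOUT:
            # This is also the post-upgrade default for pre-existing memberships.
            findings.append((m.user, m.account, role,
                             "checkout granted by group policy only"))
    return findings

# Constructed sample data (hypothetical users and account name).
SAMPLE = [
    Membership("alice", "svc-backup", explicit_role=INJECT, group_policy_role=CHECKOUT),
    Membership("bob", "svc-backup", group_policy_role=CHECKOUT),
    Membership("carol", "svc-backup", explicit_role=CHECKOUT, group_policy_role=INJECT),
    Membership("dave", "svc-backup", explicit_role=INJECT),
]

if __name__ == "__main__":
    for row in review(SAMPLE):
        print(row)
```

Users with the Allowed to Administer Vault permission are not modeled here; they can access every Vault account regardless of these roles and need to be listed separately in any review.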

Add Personal Account

The Add > Personal Generic Account option allows you to add accounts.

Name

Enter a name for the account.

Description

Enter a brief and memorable description of the account.

Username

Provide the username for the account.

Authentication

Select the authentication method for the account: Password or SSH Private Key.

If you select an SSH key for authentication, you must provide a private key for the account in OpenSSH format. Optionally, you can include the passphrase associated with the private key.

Password and Confirm Password

If Password is selected for authentication, you must enter the password for the account and confirm the password.

SSH Private Key

If SSH Private Key is selected for authentication, you must enter the SSH private key for the account.

SSH Private Key

Provide the SSH private key information.

SSH Key Passphrase

If applicable, enter the SSH private key's passphrase.

Edit Local Account

Name

View or edit the name used for the account.

Description

View or edit the description of the account.

Username

View the username associated with the account.

Password

Enter a new password for the account, or leave the field blank to keep the existing password. Confirm the password entered.

Password Age

View the age of the existing password.

Automatically Rotate Credentials After Check In

Set local accounts to automatically rotate after use.

Allow Simultaneous Checkout

If the account can be checked out and used by multiple users or sessions at the same time, select this option.

Account Group

Select a group from the list to add the shared account to an account group. If a group is not selected, the account is added to the None system group.

Endpoint Name

View which endpoint or endpoints are associated with the account.

Endpoint Hostname

View the hostname of the associated endpoints.

Account Users

Select users who are allowed to access this account, along with their vault account role, and then click Add.

User accounts with the Allowed to Administer Vault permission are implicitly allowed to access every Vault account.

Edit Domain Account

Name

View or edit the name used for the account.

Description

View or edit the description of the account.

Username

View the username associated with the account.

Password

Enter a new password for the account, or leave the field blank to keep the existing password. Confirm the password entered.

Password Age

View the age of the existing password.

Automatically Rotate Credentials After Check In

If you wish for the credential to be automatically rotated after it is checked in, select this option.

Allow Simultaneous Checkout

If the account can be checked out and used by multiple users or sessions at the same time, select this option.

Distinguished Name

View the distinguished name for the account.

Account Group

Select a group from the list to add the shared account to an account group. If a group is not selected, the account is added to the None system group.

Account Users

Select users who are allowed to access this account, along with their vault account role, and then click Add.

User accounts with the Allowed to Administer Vault permission are implicitly allowed to access every Vault account.

Edit Personal Generic (Password) Account

Name

Enter a name for the account.

Description

Enter a brief and memorable description of the account.

Username

Provide the username for the account.

Password and Confirm Password

If Password is selected for authentication, you must enter the password for the account and confirm the password.