Configure Password Safe for Integration with Privileged Remote Access

The integration requires minimal setup within Password Safe and should work with your existing data as it stands. The following steps are required:

  • Create an API registration to be used by the integration.
  • Give users access to the API registration.
  • Create or identify an account with Approver permissions that can be used to automatically approve check-out requests generated by the integration.
  • Enable managed accounts for API use.

Create an API Registration

  1. In the BeyondInsight console, under Configuration > General, click API Registrations.

     If an API Registration already exists that you'd like to use for the integration, select it and skip to step 4 below.

  2. Click Create New API Registration.
  3. Provide a name for the registration, such as ECM Integration, and then click Create API Registration.
  4. Click Add Authentication Rule to add source IP addresses to the registration.
  5. Add the IP address of the server hosting the ECM, and then click Create Rule.

Grant Access to the API Registration

Permissions are handled at the group level. The group can be one that exists only within BeyondInsight or is managed by an outside source, such as Active Directory or LDAP. The following steps describe creating a local group within BeyondInsight, but the same can be done using an existing group:

  1. In the BeyondInsight console, under Configuration > Role Based Access, click User Management.
  2. Under Groups, click Create New Group, and then select Create a New Group.
  3. Enter a descriptive Group Name and Description for the group, and then click Create Group.
  4. Under Group Details, select Users, and then assign a user or users to the group.
  5. Under Group Details, select Smart Groups, and then assign Read Only permissions on at least one smart group, such as All Managed Accounts.

     Password Safe roles are not required for this access because access is based on the incoming user's permissions. However, it is acceptable to use this group to manage special access or permissions unique to these users.

  6. Under Group Details, select API Registrations, and then select the registration you created for the integration. This change is saved automatically and allows the integration to query the Password Safe APIs on behalf of any user added to this group.

Create Global Approver

A user with the Password Safe Approver role for All Managed Accounts is needed. This allows credentials checked out using the integration to be automatically approved. The following describes how to create the group, assign the Approver role, and add the user to the appropriate groups. The same can be accomplished with an existing group and user, as long as sufficient permissions are present.

  1. In the BeyondInsight console, under Configuration > Role Based Access, click User Management.
  2. Under Groups, click Create New Group, and then select Create a New Group.
  3. Enter a descriptive Group Name and Description for the group, and then click Create Group.
  4. Under Group Details, select Users, and then assign a user or users to the group.
  5. Under Group Details, select Smart Groups, and then assign Read Only permissions on the All Managed Accounts smart group.
  6. Click the More Options button for the All Managed Accounts smart group, and then select Edit Password Safe Roles.
  7. Check the Approver role box, and then click Save Roles.
  8. Assign the same user or users that were assigned to the global approvers group to the group you created for the API registration in the steps above.

Enable Managed Account for API use

By default, managed accounts are not accessible via the API. The accounts need to be configured to allow access through the integration.

  1. In the BeyondInsight console, select Managed Accounts from the left navigation.
  2. Click the More Options button for the applicable managed account, and then select Edit Account.
  3. Under Account Settings, toggle the slider to API Enabled (yes).
  4. Click Update Account.

Admins also have the option to automate this step by adding Manage Account Settings under Actions in the smart rule, and setting the API Enabled option to yes.