Configure Password Safe for Integration with Privileged Remote Access

The integration only requires minimal setup within Password Safe and should work with your existing data as it stands. The following steps are required:

  • Create an API registration to be used by the integration
  • Give users access to the API registration
  • Create or identify an account with Approver permissions that can be used to automatically approve check-out requests generated by the integration
  • Enable managed account for API use

Create API Registration

  1. Under Configuration > General, select API Registration.

If an API Registration already exists that you'd like to use for the integration, select it and skip to step 4 below.


  1. Click the plus sign to Create New API Registration.
  2. Provide a Source Name, such as ECMIntegration.


  1. Add the IP of the server hosting the ECM to the Source Addresses.


  1. Click Create or Update to save the changes.

Grant Access to API Registration

While these permissions can be handled at the user level, it's easiest to do this with a single group. The group can be one that exists only within BeyondInsight or is managed by an outside source such as Active Directory. The following steps describe creating a group within BeyondInsight, but the same could be done using an existing group.

  1. Under Configuration > Role Based Access, select Users & Groups.


  1. Make sure the toggle at the top of the list is set to Groups and click the plus sign to add a group.
  2. Enter a name for the group, such as ECM Users, and give the group Read permissions on at least one Smart Rule, such as All Managed Accounts. No roles are required for this access because all access is based off of the incoming user's permissions. However, it is possible and acceptable to manage special access or permissions unique for users using this group.
  3. Check the Enable Application API box.


  1. Check the box next to the API Registration.
  2. Click Create to save the changes. This permission will allow the integration to query the Password Safe APIs on behalf of any user added to this group.


Create Global Approver

A user with the Approver role for All Managed Accounts is needed. This allows credentials checked out using the integration to be automatically approved. The following describes how to create the group and the user, and how to add the user to the appropriate groups. The same can be accomplished with an existing user or group as long as sufficient permissions are present.

  1. Under Configuration > Role Based Access, select Users & Groups.
  2. Make sure the toggle at the top of the list is set to Groups and click the plus sign to add a Group.
  3. Enter a Name for the group such as Global Approvers and give the group Read permissions on the Smart Rule for All Managed Accounts.


  1. Click the Roles button next to this Smart Rule and check the box to give the group Approver permission.
  2. Click Save and then Create to create the group with the selected permissions.
  3. Next, in the User Groups list, select the new group and click the plus sign at the bottom of the Users column to create a new user for this group.
  4. Enter the desired details for the user's name, username, password, etc.


  1. Click the Add button next to the Associated Groups, and select the ECM Users group to allow the integration to make API calls on behalf of the user.
  2. The Global Approvers group should already be in the list of Associated Groups, but if not add it.
  3. Click Create to save the changes.



Enable Managed Account for API use

By default, managed accounts are not accessible via the API. The accounts need to be configured to allow access through the integration.

  1. In the Managed Accounts view, select the Smart Group for the managed account.
  2. Select and edit the managed account that needs to be available through the API.
  3. Check the Enable for API access box, and click Save.

Admins also have the option to go to Managed Accounts > Smart Rules to automate this step by clicking Perform Action > Manage Account Settings.