Configure BeyondTrust Privileged Remote Access for Integration with Thycotic Secret Server

You must purchase this integration separately from both your BeyondTrust Privileged Remote Access and Privileged Identity solutions. For more information, contact BeyondTrust sales.

Several configuration changes are necessary on the BeyondTrust Appliance to integrate with Secret Server.

All of the steps in this section take place in the BeyondTrust /login administrative interface. Access your BeyondTrust interface by going to the hostname of your BeyondTrust Appliance followed by /login (e.g., https://access.example.com/login).

Create an API Service Account - BeyondTrust 16.1 and Earlier

The API user account is used from within the integration to make BeyondTrust Command API calls to BeyondTrust.

  1. Go to /login > Users & Security > Users.
  2. Click Create New User and name it Integration or something similar.
  3. Leave Must Reset Password at Next Login unchecked.
  4. Set Password Expires On to Never Expires.
  5. Check Administrator.
  6. Scroll to the bottom and save the account.

Create an API Service Account - BeyondTrust 16.2 and Later

  1. Go to Management > API Configuration and create a new API account.
  2. Under Permissions, check Full Access to the Command API.
  3. For the Reporting API, check Allow Access to Support Session Reports and Recordings and Allow Access to Presentation Session Reports and Recordings. Also be sure to copy the values for both the OAuth Client ID and OAuth Client Secret for use in a later step.
  4. Click Add API Account to create the account.

Allow ECM Connections

PRA 17.1 and Later

  1. Go to /login > Management > API Configuration.
  2. Add or edit an API account.
  3. For Endpoint Credential Manager API, check Allow Access.

Prior to PRA 17.1

  1. Go to Management > Security.
  2. Ensure the box Allow Endpoint Credential Manager Connections is checked.