Add and Manage Vault Accounts

You can add and manage credential accounts manually from the Accounts page.

Add Generic Credentials and SSH Keys

Outside of the discovery process, you can manually add individual credential accounts to BeyondTrust Vault. You can add shared generic accounts and personal generic accounts. Shared generic accounts may be used by all users who have been assigned to the account with the Inject or the Inject and Check Out Vault account role. Personal generic accounts may be used only by the account owner (the user who created the account). To add generic accounts, follow the steps below.

  1. From the /login interface, go to Vault > Accounts.
  2. Click Add.
  3. Select Shared Generic Account.
  4. Complete the information on the Add Shared Account page. The required fields are:
    • Name
    • Username
    • Authentication
    • Password
  5. Check Allow Simultaneous Checkout if you want to allow this credential to be checked out by multiple users at the same time.
  6. Select an Account Group from the list to add this account to a group.

Adding a credential account to an account group allows all users who have been assigned to that group to use this credential. If an account group is not selected, you must add account users individually to this new credential and assign their role.

  7. If you are not adding this new credential account to an account group, add users and their Vault role individually in the Account Users section.
  8. Click Save at the top of the page to save the new shared credential account.

To add a personal generic account:

  1. From the /login interface, go to Vault > Accounts.
  2. Click Add.
  3. Select Personal Generic Account.
  4. Complete the information on the Add Personal Account page. The required fields are:
    • Name
    • Username
    • Authentication
    • Password
  5. Click Save at the top of the page to save the new personal credential account.

Vault administrators can view personal accounts but cannot edit them, inject them, or view their passwords. Only the user who created the personal account can modify, inject, or view the account's password.

Users can create up to 25 Cloud Vault personal accounts.

Edit a Vault Account

  1. From the /login interface, go to Vault > Accounts.
  2. For shared accounts:
    • From the Shared tab, locate the account you wish to edit.
    • Click the Actions menu (ellipsis) for the account.
    • Select Edit.
  3. For personal accounts:
    • From the Personal tab, locate the account you wish to edit.
    • Click Edit Account (pencil icon) for the account.
  4. Modify options as necessary, and then click Save.

Delete a Vault Account

  1. From the /login interface, go to Vault > Accounts.
  2. For shared accounts:
    • From the Shared tab, locate the account you wish to delete.
    • Click the Actions menu (ellipsis) for the account.
    • Select Delete.
  3. For personal accounts:
    • From the Personal tab, locate the account you wish to delete.
    • Click Delete Account (trash can) for the account.
  4. Click Yes to confirm.

View the Status of a Vault Account

Screenshot showing the Status column on the Vault Accounts page in Privileged Remote Access.

On the Vault > Accounts page, a Status column appears when at least one of the accounts has a warning, error, or checked-out status to report. Accounts managed by Azure Active Directory Domain Services accounts are identified in the Status column, along with an alert if there is no service principal for the account. Multiple statuses for an account are stacked and displayed in different colors. Hover over a specific status to view more details about it.

The Status column is auto-hidden when none of the accounts have a status currently set.

For information about working with Azure Active Directory Domain Services accounts, please see Use BeyondTrust Vault with Microsoft Azure Active Directory Domain Services Account.