View and Check Out Credentials from the PRA /login Interface

 

Stored passwords can be retrieved for use outside of a BeyondTrust support session. The /login interface allows you to manually check out a password for a shared account, or view and copy a password for a personal account.

Check Out and Check In a Shared Account

  1. Navigate to Vault > Accounts.

The Check Out option for a generic Vault account in /login.

  1. From the Shared tab, locate the account you wish to check out.
  2. Click Check Out.

 

The Account Password dialog when checking out a Vault account

  1. The Account Password dialog appears, and you can see the password in plain text for one minute. During that time, you can copy the password by clicking the Copy icon.
  2. For SSH Certificate Authority accounts, the signed public key and the private key display. Users must authenticate within 5 minutes. The credentials can also be accessed via API using the bt vault subcommand of the Command Line Interface.

When an account is checked out, it's indicated in the Status column. You can hover over the Checked Out status to see who has it checked out.

  1. When you are finished using a credential, return to the Accounts page, and then click Check In to check the password back in to BeyondTrust Vault.
  2. For SSH Certificate Authority accounts, there is no need for check in, as the credentials are unique for each check out or injection.

 

If you check in a domain credential with automatic rotation configured, the password automatically rotates.

Non-administrative users can view and modify only credentials for which they have access.

Check Out a Service Account

The process for checking out service accounts is the same as other accounts; however, the password must be manually set by the administrator before checking out the account.

View and Copy a Personal Account Password

  1. Navigate to Vault > Accounts.

View Password Option for a Personal Vault Account

  1. From the Personal tab, locate the account you wish to use.
  2. Click View Password.

 

The Account Password dialog

  1. The Account Password dialog appears, and you can see the password in plain text for one minute. During that time, you can copy the password by clicking the Copy icon.

Only the owner of a personal account is able to view its password. A Credential Used event is logged when the owner views the password. Vault administrators can view this activity in a Vault report.