Configure User Permissions for BeyondTrust Privileged Remote Access Vault

The Vault features and configuration options are available in the /login interface. There are two permissions you can assign to users to help manage your BeyondTrust Vault instance.

  • Allowed to Administer Vault: This permission grants the user full rights to discover, add, modify, and manage privileged accounts stored on the BeyondTrust Appliance B Series.

If a user has not been granted this permission, they cannot view or add shared generic vault accounts. However, they can add and manage their own personal generic vault accounts.

  • Allowed to View Vault Reports: This permission indicates what level of rights a user has for viewing Vault reports.
    • Not Allowed: The user does not have permission to view any Vault reporting events.
    • View His/Her Events: The user has permission to view only their own Vault reporting events and cannot view any other user account activity.
    • View All Events: The user has permission to view all Vault reporting events for all users.

By default, users are not given access to credentials. However, if a BeyondTrust administrator grants a user access to a credential, the user can begin using the credential in BeyondTrust access sessions and can check out the credential in /login (if enabled). Once the user uses the credential, they can view reports about their credential use.

By default, when BeyondTrust Vault is enabled, users with admin rights in BeyondTrust Privileged Remote Access automatically possess the Allowed to Administer Vault and Allowed to View Vault Reports - View All Events permissions. For other users, these permissions need to be explicitly configured. Follow the steps below to set these permissions.

  1. From the /login interface, go to Users & Security > Users.
  2. Locate the user to whom you wish to assign the permission. Click Edit Account.
  3. Under the General Permissions > Administration section, check Allowed to Administer Vault.
  4. Under General Permissions > Reporting, select a permission from the Allowed to View Vault Reports dropdown.
  5. Click Save at the top of the page.

Vault administration and report privileges can also be configured via group policy at Users & Security > Group Policies.

For more information, please see Users: Add User Permissions for a User or Admin.