Configure User Permissions for BeyondTrust Vault in the BeyondTrust PRA /login Interface
There are two permissions you can assign to users to help manage your BeyondTrust Vault instance.
- Allowed to Administer Vault: This permission grants the user full rights to discover, add, modify, and manage privileged accounts stored on the BeyondTrust Appliance.
- Vault Reporting Permissions: This permission indicates what level of rights a user has for viewing Vault reports.
  - View All Events: The user has permission to view all Vault reporting events for all users.
  - View His/Her Events: The user has permission to view only their own Vault reporting events and cannot view any other user account activity.
  - Not Allowed: The user does not have permission to view any Vault reporting events.
By default, users are not given access to credentials. However, if a BeyondTrust administrator grants a user access to a credential, the user can begin using the credential in BeyondTrust access sessions and can check out the credential in /login (if enabled). Once the user uses the credential, they can view reports about their credential use.
By default, when BeyondTrust Vault is enabled, users with admin rights in BeyondTrust Privileged Remote Access will automatically possess the Allowed to Administer Vault and Vault Reporting Permissions - View All Events permissions. For other users, these permissions need to be explicitly configured. Follow the steps below to set these permissions.
- From the /login interface, go to Users & Security > Users.
- Locate the user to whom you wish to assign the permission. Click Edit.
- Under the Permission section, check Allowed to Administer Vault.
- Locate Vault Reporting Permissions and make a selection from the dropdown.
- Click Save Changes.
Allowed to Administer Vault and Vault Reporting Permissions can also be configured via group policy at Users & Security > Group Policies.
For more information, please see Users: Add User Permissions for a User or Admin.