BeyondInsight and Password Safe 22.3.0 Release Notes

October 6, 2022

New Features and Enhancements:


  • Updated multiple areas of the UI to abide by newer UX recommendations and improve accessibility.
  • Added support for Amazon RDS to be used as backend database for BeyondInsight (requires U-Series 4.0 or later).
  • Added support for BeyondInsight installation on Windows Server 2022 (Software installations only).
  • Added support for up to 250 ports to be included on database and SSH scan credentials (except Oracle).
  • Added support for non-standard LDAP strings in AD and LDAP group sync.
  • Discovery credential key can now be made optional for edits and use during scanning.

Analytics and Reporting

  • Made the Password Safe cube the default when Password Safe is licensed in the environment.
  • Removed Event Review - Malware report from the Clarity folder.
  • Removed Cluster Analysis-related fact and dimension processing from SQL Server Analysis Services.
  • Set SQL compatibility mode to automatically match the SQL Server version that the database is installed on.
  • Updated Password Safe reports to exclude system defined group from results for the following reports:
    • Activity
    • Admin Session Activity
    • Entitlement by User
    • Password and Session Activity
    • Remote Session Activity

Endpoint Privilege Management

  • Added new feature permissions for Privilege Management Reporting and Policy Editor.

Password Safe

  • Added new directory-managed platform: Azure AD with account discovery and auto-management capabilities.
  • Added new managed system Smart Rule action for known account onboarding.
  • Added ability to randomly generate a password when creating or editing Team Passwords credentials.
  • Added additional Notes field to Team passwords credentials.
  • Improved session auto-reconnect capability between the session proxy and the endpoint.
  • Added configuration setting for controlling automation admin email notifications for failed password events.
  • Added new managed system Smart Rule selection filter: Asset Smart Group.


  • Added support for random password generation and Notes field in Team Passwords. The following API calls are affected:
    • GET PasswordRules
    • GET PasswordRules/{id}
    • POST TeamPasswords/Folders/{id}/Credentials
    • PUT TeamPasswords/Credentials/{id}
    • GET TeamPasswords/Folders/{id}/Credentials
  • Added support for Azure AD managed platform. The following API calls are affected:
    • GET FunctionalAccounts
    • GET FunctionalAccounts/{id}
    • POST FunctionalAccounts
    • GET ManagedAccounts/{id}
    • PUT ManagedAccounts/{id}
    • POST ManagedSystems/{systemID}/ManagedAccounts
    • GET Platforms
    • GET Platforms/{id}
    • GET EntityTypes/{id}/Platforms

Issues Resolved:

  • Resolved issue in which an unnecessary success toast message, Changes have been discarded, appeared when creating a new password policy or DSS key policy.
  • Resolved issue in which an error occurred when modifying a Set attributes on account Smart Rule action and changing the attribute type from one that is a numeric name (i.e. 1) to a different attribute type.
  • Resolved issue in which a custom install location could be specified upon upgrade, resulting in an error.
  • Resolved issue in which scan data users grid incorrectly displayed Password Expired for some accounts.
  • Removed the Retina Product Usage Details by Organization report, resolving issue in which it would never return results in an environment that had no Retina scanners.
  • Resolved issue displaying the Description property of the user.
  • Resolved rare issue in which installing BeyondInsight 22.2 on a U-Series Appliance could crash due to BIAdmin service not starting.
  • Resolved issue in which the Configure HSM Credentials utility could crash when testing a new HSM credential if the Key Name field was left empty.
  • Resolved issue in which selecting the Hardware Security Module User Guide from the Help menu of the Configure HSM Credentials utility resulted in an error.
  • Improved error messaging upon attempting to delete a user that has an active Password Safe request or related SSH session.
  • Resolved issue in which the first attempt to edit a BeyondInsight user from the User Details Edit form resulted in a form validation error.
  • Resolved issue in which unchecking the Unlimited Users box in the Scan Wizard prevented the No Enumerations Selected banner from displaying.

Known Issues:

  • Amazon and Salesforce functional accounts: secret keys are not applied properly from the Functional Account Configuration screen. Workaround: Assign functional account details from the Managed System Advanced Details screen.
  • When navigating away from a managed account scan credential that has been viewed but not changed, the user is prompted that they have unsaved changes. Workaround: Click Discard Changes to close the prompt. Nothing will be discarded as nothing was changed.
  • In some sections of the configuration area, the first time you select a different option from a dropdown, the update button may not enable. Workaround: Change the option at least one more time and this will enable the save changes button.
  • When creating or editing an Oracle database managed system, the Load button does not load the aliases. This issue will be addressed in a hotfix.
  • When rotating an SAP account credential, only the IP address of the system is used even if DNS is specified. Workaround: Ensure the SAP managed system IP address is correct.
  • In the Scan Wizard, the scan restrictions setting to abort a scan if it runs longer than N minutes does not abort the scan when N minutes have passed. Workaround: Allow the scan to finish, or use the Abort Scan function from the Active/Completed Scans grid to abort the scan.
  • The first attempt to Test Connector in the Connectors screen may report one or more fields are invalid. Workaround: The second attempt will run the test and the user can click the Test Connector button again.
  • Completing the Analytics and Reporting configuration but not running the sync job, and then attempting to launch the Analytics and Reporting configuration may incorrectly tell the user they cannot launch the Analytics and Reporting configuration because the sync job is running. Workaround: Run the sync job manually and wait for it to complete before launching the Analytics and Reporting Configuration Wizard again.
  • In the SAML configuration area, if you edit the Identifier field, the form may not save. Workaround: Delete the SAML config entry and create it again.
  • Some column adjustments on the Smart Rule grid may result in the grid size being reduced. Workaround: refresh the page to restore the correct grid proportions.
  • Toast messages, if not dismissed in a timely manner, can stack up and fill the page to the point that the Dismiss All button is no longer visible. Workaround: prevent by dismissing toast messages in a timely manner, or dismiss them one at a time until the Dismiss All button returns to view.
  • Pivoting the pivot grid can result in a column header displaying MDX code rather than English text. Workaround: avoid pivoting by ensuring you place the columns and rows where you want them to be.
  • Under certain circumstances, performing an account test on an HP-UX system may fail with a timeout.
  • If an Okta or SAML login fails, the error page shows a broken image link. Workaround: none; this is informational. We will have a resolution in a future release. Successful logins are not affected.
  • Accessibility: navigating via keyboard into an editable field within a radio button does not automatically select the radio button. Screen reader does not indicate to the user that there is a field within the radio button text. Workaround: use the mouse to select the radio button. This UX pattern will be revised in an upcoming release.


  • Direct upgrades to 22.3.0 are supported from BeyondInsight versions 7.1 or later.
  • This release is available by download for BeyondTrust customers ( and by using the BeyondTrust BT Updater.
  • The MD5 signature is: 0ddfdac2e72b5ead34877d0ebbc5ece5
  • The SHA-1 signature is: 763e2dca083d9a4b47e46ac0c44d2b2137daf8c6
  • The SHA-256 signature is: e1b136f4b364c53b80074a671c07bce6a99a793028374bfde83da1a434093559