Accounts: Manage Vault Accounts

Accounts

Add New Account

Click Add to manually add a new account to BeyondTrust Vault.

Search

Search for a specific account or a group of accounts based on Name, Endpoint Name, or Description.

Check Out

Click Check out to view and use the credential. When selected, the Account Password prompt appears, displaying the credential for 60 seconds to allow you to copy the password. Once the prompt is closed, the Check In option becomes available. When finished using the account, click Check In to check the password back into the system.

For more information, please see Check Out Credentials from the /login Interface.

...

Click ... to view more actions, such as Rotate Password, Edit, and Delete. When Rotate Password is selected, the system automatically rotates or changes the password. When Edit is selected, you can edit the account's information, and the Delete option removes the account from the Accounts list.

Add Account

The Add option allows you to add accounts without having to run a discovery job. Instead, you can manually enter information about the account. This option is helpful in situations where a shared account or username/password combination can be used to access many different systems.

Name

Enter a name for the account.

Description

Enter a brief and memorable description of the account.

Username

Provide the username for the account.

Authentication

Select the authentication method for the account: Password or SSH Private Key.

If an SSH private key is selected for authentication, you must provide a private key for the account in OpenSSH format. Optionally, you can include the passphrase associated with the private key.

Password

If Password is selected for authentication, you must enter the password for the account and confirm the password.

SSH Private Key

If SSH Private Key is selected for authentication, you must enter the SSH private key for the account.

Allow Simultaneous Checkout

If the account can be checked out and used by multiple users or sessions at the same time, select this option.

Account Users

New User Name

Select users who are allowed to access this account.

New Member Role

Users can be assigned one of two roles:

  • Inject (default value): Users with this role can use this account in Remote Support sessions.
  • Inject and Checkout: Users with this role can use this account in Remote Support sessions and can check out the account on /login. The "Checkout" permission has no effect on generic SSH accounts.

The Vault Account Role is visible in the list of users added to the Vault Account.

When upgrading to a BeyondTrust Remote Support installation with the Configurable Vault Checkout feature, all existing Vault Account Memberships that were configured in Group Policies before the upgrade will have their Vault Account Role set to "Inject and Checkout" by default after the upgrade.

Vault Account Role Precedence: Vault Account Roles can be assigned to both users and group policies. This means the same user could have different roles for a single Vault account. One role could be assigned by the user's group policies, while a different role could be assigned by the user's explicit access to the Vault Account. In such cases, the system uses the most-specific role for that user. Therefore, the system will let the role assigned on the Edit Vault Account page override the role assigned on the user's group policy. When the role is overridden in such a way, the word "overridden" appears on the Edit Vault Account page for the user's group policy membership. This behavior is consistent with the order of precedence for Jump Item Roles.

User accounts with the Allowed to Administer Vault permission are implicitly allowed to access every Vault account.
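The precedence rule and the upgrade default described above can be checked against a membership review list. The following is an added example, not BeyondTrust code: the `Membership` record, its field names, and the sample users are hypothetical, and the group policy role is taken as a single already-resolved input because this page does not describe how several group policies combine.

```python
from dataclasses import dataclass
from typing import Optional

INJECT = "Inject"
INJECT_AND_CHECKOUT = "Inject and Checkout"

@dataclass
class Membership:
    # Hypothetical record of one user's access to one Vault account.
    user: str
    explicit_role: Optional[str] = None      # set on the Edit Vault Account page
    group_policy_role: Optional[str] = None  # inherited from a group policy
    administers_vault: bool = False          # "Allowed to Administer Vault"

def effective_access(m):
    """Return (role, source, overridden) per the precedence paragraph."""
    if m.explicit_role is not None:
        # Most-specific wins, even when it is the narrower role.
        # Assumption: "overridden" is flagged only when the two roles differ.
        overridden = (m.group_policy_role is not None
                      and m.group_policy_role != m.explicit_role)
        return m.explicit_role, "explicit", overridden
    if m.group_policy_role is not None:
        return m.group_policy_role, "group policy", False
    if m.administers_vault:
        # Implicit access; the page does not state which role applies.
        return None, "administer vault", False
    return None, "none", False

def post_upgrade_review(memberships):
    """Users who can check out on /login only through a group policy role,
    which is the role every pre-upgrade group policy membership receives."""
    flagged = []
    for m in memberships:
        role, source, _ = effective_access(m)
        if role == INJECT_AND_CHECKOUT and source == "group policy":
            flagged.append(m.user)
    return flagged

# Constructed sample data for illustration.
SAMPLE = [
    Membership("alice", explicit_role=INJECT, group_policy_role=INJECT_AND_CHECKOUT),
    Membership("bob", group_policy_role=INJECT_AND_CHECKOUT),
    Membership("carol", explicit_role=INJECT_AND_CHECKOUT, group_policy_role=INJECT),
    Membership("dave", administers_vault=True),
]

if __name__ == "__main__":
    for m in SAMPLE:
        print(m.user, effective_access(m))
    print("review after upgrade:", post_upgrade_review(SAMPLE))
```

In the sample, an explicit Inject role narrows a user whose group policy grants Inject and Checkout, while a user with only the group policy membership keeps checkout and is listed for review.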

Edit Local Account

Name

View or edit the name used for the account.

Description

View or edit the description of the account.

Username

View the username associated with the account.

Password

Enter a new password for the account, or leave the field blank to keep the existing password. Confirm the password entered.

Password Age

View the age of the existing password.

Allow Simultaneous Checkout

If the account can be checked out and used by multiple users or sessions at the same time, select this option.

Endpoint

View which endpoint or endpoints are associated with the account.

Endpoint Hostname

View the hostname of the associated endpoints.

Account Users

Select users who are allowed to access this account.

User accounts with the Allowed to Administer Vault permission are implicitly allowed to access every Vault account.

Edit Domain Account

Name

View or edit the name used for the account.

Description

View or edit the description of the account.

Username

View the username associated with the account.

Password

Enter a new password for the account, or leave the field blank to keep the existing password. Confirm the password entered.

View Password History

View the dates and times of password changes. Click Reveal to temporarily show the password. Click Use to set the password of this account to that password.

Password Age

View the age of the existing password.

Automatically Rotate Credentials

If you wish for the credential to be automatically rotated after it is checked in, select this option.

Active Directory credentials are the only credential type that supports automatic rotation.

Allow Simultaneous Checkout

If the account can be checked out and used by multiple users or sessions at the same time, select this option.

Distinguished Name

View the distinguished name for the account.

Account Users

Select users who are allowed to access this account.

User accounts with the Allowed to Administer Vault permission are implicitly allowed to access every Vault account.