Authentication to BeyondTrust Remote Support (On-Premises)
BeyondTrust can be provisioned with locally defined BeyondTrust user accounts or integrated with existing authentication sources. A commonly integrated authentication source is Microsoft Active Directory. When such a directory is used, all authentication follows the existing controls and processes in place for safeguarding user accounts.
Additional security providers are available that allow for representative authentication using Kerberos or SAML (for single sign-on) or using RADIUS (for multi-factor authentication). Each of these providers can be configured to use LDAP groups to set the permissions for the support representative, allowing you to map existing LDAP groups to support teams in BeyondTrust.
A large number of granular permissions can be granted to support representatives. These permissions determine which BeyondTrust features a representative has access to, and they can require end-user prompting so that the user receiving support must approve representative actions.