Configure Password Safe for Integration with Remote Support

The integration requires minimal setup within Password Safe and should work with your existing data as it stands. The following steps are required:

  • Create an API registration to be used by the integration.
  • Give users access to the API registration .
  • Create or identify an account with Approver permissions that can be used to automatically approve check-out requests. generated by the integration.
  • Enable managed account for API use.

Create an API Registration

BeyondInsight Console - Configuration > General > API Registrations

  1. In the BeyondInsight console, under Configuration > General, select API Registrations.

If an API Registration already exists that you'd like to use for the integration, select it and skip to step 4 below.

 

Create API Registration page in BeyondInsight Console

  1. Click Create API Registration.
  2. Provide a name for the registration, such as ECM Integration, and then click Create.

     

Add Authentication Rule to API Registration

  1. Click Add Authentication Rule to add source IP addresses to the registration.
  1. Add the IP of the server hosting the ECM in the IP address field for the IP Rule, and then click Create Rule.

 

Grant Access to the API Registration

Permissions are handled at the group level. The group can be one that exists only within BeyondInsight or is managed by an outside source, such as Active Directory or LDAP. The following steps describe creating a local group within BeyondInsight, but the same can be done using an existing group:

  1. In the BeyondInsight console, under Configuration > Role Based Access, select User Management.

Create New Group for in BeyondInsight for access to API registration.

  1. Under Groups, click Create New Group, and then select Create a New Group.

 

Enable Application API Access to ECM Users Group in Password Safe

  1. Enter a descriptive Group Name and Description for the group, and then click Create Group.

 

Screenshot of Assign Users to Group in BeyondInsight

  1. Under Group Details, select Users, and then assign a user or users to the group.

 

Assign Smart Groups Permissions in BeyondInsight

  1. Under Group Details, select Smart Groups, and then assign Read Only permissions on at least one smart group, such as All Managed Accounts.

Password Safe roles are not required for this access because access is based on the incoming user's permissions. However, it is acceptable to manage special access or permissions unique for users using this group.

 

Enable Integration API for Group in BeyondInsight

  1. Under Group Details, select API Registrations, and then select the registration you created for the integration. This change is saved automatically and allows the integration to query the Password Safe APIs on behalf of any user added to this group.

 

Create Global Approver

A user with the Password Safe Approver role for All Managed Accounts is needed. This allows credentials checked out using the integration to be automatically approved. The following describes how to create the group, assign the Approver role, and add the user to the appropriate groups. The same can be accomplished with an existing group and user, as long as sufficient permissions are present.

  1. In the BeyondInsight console, under Configuration > Role Based Access, select User Management.

Create New Group for in BeyondInsight for access to API registration.

  1. Under Groups, click Create New Group, and then select Create a New Group.

 

Enable Application API Access to ECM Users Group in Password Safe

  1. Enter a descriptive Group Name and Description for the group, and then click Create Group.

 

Screenshot of Assign Users to Group in BeyondInsight

  1. Under Group Details, select Users, and then assign a user or users to the group.

 

Screenshot of Assign Smart Groups Permissions to Group in BeyondInsight

  1. Under Group Details, select Smart Groups, and then assign Read Only permissions on the All Managed Accounts smart group.

 

Screenshot of the Edit Password Safe Roles option for a Smart Rule in BeyondInsight

  1. Click the More Options button for the All Managed Accounts smart group, where you granted the read only permission in above steps, and then select Edit Password Safe Roles.
  2.  

    Assign Approver role for Global Approver account in Password Safe

  3. Check the Approver role box, and then click Save Roles.

 

  1. Assign the same user or users that were assigned to the global approvers group, to the group you created for the API registration in above steps.

Enable Managed Account for API use

By default, managed accounts are not accessible via the API. The accounts need to be configured to allow access through the integration.

  1. In the BeyondInsight console, select Managed Accounts.

Screenshot of the Edit Account option for a Managed Account in BeyondInsight

  1. Select the managed account, and then click the More Options button; select Edit Account.

 

Enable API Access for Managed Account in Password Safe

  1. Under Account Settings, toggle the slider to API Enabled (yes).
  2. Click Update Account.

Admins also have the option to automate this step by adding Manage Account Settings under Actions in the smart rule, and setting the API Enabled option to yes.