Configure User Permissions for BeyondTrust Vault
The Vault features and configuration options are available in the /login interface. There are two permissions you can assign to users to help manage your BeyondTrust Vault instance.
- Allowed to Administer Vault: This permission grants the user full rights to discover, add, modify, and manage privileged accounts stored on the Secure Remote Access Appliance.
- Vault Reporting Permissions: This permission indicates what level of rights a user has for viewing Vault reports.
- View All Events: The user has permission to view all Vault reporting events for all users.
- View His/Her Events: The user has permission to view only their Vault reporting events and cannot view any other user account activity.
- Not Allowed: The user does not have permission to view any Vault reporting events.
By default, representatives are not given access to credentials. However, if an administrator grants a representative access to a credential, the representative can begin using the credential in BeyondTrust sessions and can check out the credential in /login (if enabled). Once the representative uses the credential, they are able to view reporting about their credential use.
By default, when BeyondTrust Vault is enabled, users with administrator privileges in BeyondTrust Remote Support will automatically possess the Allowed to Administer Vault and Vault Reporting Permissions - View All Events permissions. For other users, these permissions need to be explicitly configured. Follow the steps below to set these permissions.
- From the /login interface, go to Users & Security > Users.
- Locate the user you wish to assign the permission. Click Edit.
- Under the General Permissions section, check Allowed to Administer Vault.
- Locate Vault Reporting Permissions and make a selection from the dropdown.
- Click Save Changes.
Allowed to Administer Vault and Vault Reporting Permissions can also be configured via group policy at Users & Security > Group Policies.
For more information, please see Users: Add User Permissions for a Representative or Admin.