Configure User Permissions for Remote Support Vault
BeyondTrust Vault provides two different permissions you can assign to Remote Support users. Assigning permissions grants users access to capabilities like modifying accounts or viewing Vault reports.
- Allowed to Administer Vault: This permission grants the user full rights to discover, add, modify, and manage privileged accounts stored on the B Series Appliance.
- If a user has not been granted this permission, they cannot view or add shared generic vault accounts. However, they can add and manage their own personal generic Vault accounts. If a user has not been granted this permission, they cannot view or add shared generic vault accounts. However, they can add and manage their own personal generic Vault accounts.
- Allowed to View Vault Reports: This permission indicates what level of rights a user has for viewing Vault reports:
- Not Allowed: The user does not have permission to view any Vault reporting events.
- View Only His/Her Events: The user has permission to view only their Vault reporting events and cannot view any other user account activity.
- View All Events: The user has permission to view all Vault reporting events for all users.
When BeyondTrust Vault is enabled, users with administrator privileges in BeyondTrust Remote Support automatically possess the Allowed to Administer Vault and the Allowed to View Vault Reports - View All Events permissions. For other users, these permissions need to be explicitly configured.
If a user wishes to rotate passwords on protected users such as domain admins, enterprise admins, etc., additional permission configuration is required.
By default, representatives are not given access to credentials. However, if an administrator grants a representative access to a credential, the representative can begin using the credential in BeyondTrust sessions and can check out the credential in /login (if enabled). Once the representative uses the credential, they are able to view reporting about their credential use.
Follow the steps below to set Vault permissions for a user:
- From the /login interface, navigate to Users & Security > Users.
- Locate the user you wish to assign the permission to. Click Edit Account (pencil icon).
- Click General Permissions to expand that section.
- Under Administration, check Allowed to Administer Vault.
- Under Reporting, select a permission from the Allowed to View Vault Reports dropdown.
- Click Save.
Vault administration and report privileges can also be configured via group policy at Users & Security > Group Policies.
Follow the process below to configure additional permissions for rotating passwords on protected users such as domain admins, and enterprise admins.
First, go to the Command Prompt as an admin on the domain controller.
Run the following commands, where dc=cps, dc=com is the information for your domain:
dsacls "dc=cps,dc=com" /G "<yourDomainName>\<yourACcountName>:CA;Reset Password;user" /I:S dsacls "CN=AdminSDHolder, CN=System, DC=cps, DC=com" /G "<yourDomainName>\<yourAccountName>:CA;Reset Password"
Next, manually run the sdprop process, following these steps:
- Run ldp.exe as admin.
- Select Connection > Connect.... from the Ldp window.
- In the Connect window, make sure 389 is listed in the Port field.
- Click OK.
- Select Connection > Bind... from the Ldp window.
- Select Bind as currently logged on user.
- Click OK.
- Select Browse > Modify from the Ldp window.
- Configure the following fields in the Modify window:
- DN field: empty
- Attribute field: type RunProtectAdminGroupsTask
- Values field: 1
- Operation: click Add and then click Enter.
- Click Run.
For more information, please see Users: Add User Permissions for a Representative or Admin.