PowerBroker Password Safe

Privileged Password Management

Control and audit access to privileged accounts such as shared administrative accounts, application accounts, local administrative accounts, service accounts, database accounts, cloud and social media accounts, devices and SSH keys.

Secure Privileged Password Management and Privileged Session Management

PowerBroker Password Safe is an automated password and privileged session management solution offering secure access control, auditing, alerting and recording for any privileged account – from local or domain shared administrator, to a user’s personal admin account (in the case of dual accounts), to service, operating system, network device, database (A2DB) and application (A2A) accounts – even to SSH keys, cloud, and social media accounts. Password Safe offers multiple deployment options and broad and adaptive device support.

  • Reduce attack surfaces by eliminating credential sharing
  • Monitor and audit sessions for unauthorized access
  • Analyze behavior to detect suspicious user, account and asset activity
Comprehensive Enterprise Password Management

Comprehensive Enterprise Password Management

Secure and automate the process for discovering, managing and cycling privileged account passwords.

Enhanced Privileged Session Management

Enhanced Privileged Session Management

Live session management enables true dual control, allowing admins to record, lock, and document suspicious behavior without killing sessions – or productivity.

Learn More   

Application Password Management

Application Password Management

Eliminate hard-coded or embedded application credentials through an adaptable API interface that includes an unlimited number of Password Caches for scalability and redundancy.

Learn More   

Discovery-Driven Dynamic Policy

Discovery-Driven Dynamic Policy

Leverages a distributed network discovery engine to scan, identify and profile all assets. Dynamic categorization allows auto-onboarding, and the ability for access policies to self-adjust according to environmental changes.

Learn More   

Adaptive Access Control

Adaptive Access Control

Evaluate just-in-time context and simplify access requests by considering the day, date, time and location when a user accesses resources to determine their ability to access those systems.

Learn More   

Advanced Threat Analytics

Advanced Threat Analytics

Correlates the data, connects the evidence, and reveals clear cases of user and asset risk. Measures asset characteristics and user behaviors from one day to the next, noting the scope and speed of any changes to alert you to suspicious deviations.

Learn More   

Integrated Password and Privilege Management

Integrated Password and Privilege Management

PowerBroker Password Safe seamlessly integrates with PowerBroker for Unix & Linux, PowerBroker for Windows, and PowerBroker for Mac. This allows for a comprehensive privileged access management solution to control both what users can access, and what they can do once they have access.


Find and manage all accounts: Discover and profile all known and unknown assets, shared accounts, user accounts, and service accounts.

Stay organized: Quickly identify assets with common traits and automatically place them under Password Safe management via Smart Rules.

Auto Discover SSH Keys: Discover all SSH keys on host systems.


Keep passwords fresh: Randomize passwords on a scheduled basis or upon check-in to eliminate risk of passwords leaving the organization.

Rotate SSH keys: Automatically rotate keys according to a defined schedule and enforce granular access control and workflow.

Eliminate application credentials: Get control over scripts, files, code and embedded keys.

Ensure password strength: Define and enforce password policy to meet any complexity requirement.

Eliminate old passwords: Analyze password ages and proactively report policy violations.

Identify potential backdoors: Identify uncontrolled privileged accounts.

Solve the problem of remote and mobile users: Utilize PowerBroker for Windows as an agent to update passwords on remote and mobile devices.

Active/active targeted password change: Selectively process password change, password test, and account notification queue items for designated workgroups.


Enable true dual control: Live session management gives administrators the ability to lock, terminate or cancel a session.

Enforce accountability: Record privileged sessions in real time via a proxy session monitoring service for SSH and RDP – without the need for Java.

Adhere to compliance mandates: Meet password protection and audit regulations listed in SOX, HIPAA, GLBA, PCI DSS, FDCC, FISMA, and other mandates.

Communicate and comply: Build reports for usage, audit, forensics, and regulatory compliance purposes.

Application proxy for RemoteApp: Allow any Windows application usage to be monitored and recorded.

Audit and log privileged sessions: Access and watch a session, then log an acknowledgement of the review to meet audit compliance requirements.

Quickly search session logs: Index and text search using keystroke to pinpoint data, and then log an acknowledgement of the review for audit purposes.

Integrate with SailPoint IdentityIQ: Manage access for privileged and non-privileged accounts with privileged access management and identity and access management (IAM).

RDP enhanced session audit: Every click within the Windows interface, along with any keystrokes, is audited and recorded in a searchable session replay index.

Real-time activity alerting: Defined user activity can generate real-time email alerts, as well as block commands, lock, and terminate SSH sessions.

Command blacklisting: Connection profiles define keyword groups that can determine a specific course of action – block command, lock session, block and lock session, or terminate session.

Auto logoff and disconnect: Utilize ‘log off on disconnect’ feature to ensure sensitive data is not exposed in subsequent RDP sessions.


Streamline workflow: Leverage true Role-Based Access Controls (RBAC) with Active Directory and LDAP integration for assigning roles and rights to users.

Simplify requests: Manage checkout workflow with seamless connectivity to RDP & SSH via native desktop tools such as puTTY and Microsoft MSTSC.

Accommodate firecall requests: Ensure access to password-managed systems after hours, on weekends, or in other emergency situations.

Advanced workflow control: Provides additional context by considering the day, date, time and location when a user accesses resources to determine their ability to access those systems.

Bulk Changes: Filter and select multiple accounts to perform mass password changes, removal, and unlinking from a managed AD account.

Ad Hoc Groups: Create ad hoc groups of managed accounts in seconds.

Post-login command execution: Administrators can leverage a Unix or Linux Jumphost to run a specific command or script after a session connects.

Multi-system checkout: Allows admins to check out an account with a multi-system parameter, then launch sessions to linked systems.

Expedite checkout operations: Expedite checkout operations using OneClick for access to passwords, sessions and applications that would normally be approved automatically.

Connect to sessions without an agent: With DirectConnect, administrators can launch an SSH session by simply passing a connection string to the Password Safe proxy. No agents need to be installed on the hosts, and connection to any SSH system is supported, including Unix/Linux hosts, and network devices such as routers or firewalls.


One tool to deploy: Realize the benefit of a single solution for both password and privileged session management.

Simplify deployment: Implement hardware appliances, virtual appliances, or software.

Speed user adoption: Provide a modern, HTML-5 requester interface – no Javascript or agents required.

Support any system: Employ out-of-the-box connectors, plus a custom connector builder for all systems that support Telnet or SSH.

One user interface, multiple languages: Single user interface with localization for Spanish, Japanese, Korean, and Brazilian Portuguese


Ensure solution security: Rely on hardened appliances with FIPS 1402-validated components, AES256 encryption and HTTPS/TLS communications.

Understand risk: Analyze privileged password, user and account behavior with BeyondInsight Threat Analytics.

Increase uptime: Deploy appliance pairs and replicate settings for high availability.

Active-Active infrastructure support: Allow an unlimited number of Password Safe appliances to be connected to an external SQL AlwaysOn Availability Group for unparalleled high-availability and scalability.

Cache API passwords securely: Rely on password caching for APIs when administrators need access to credentials directly on a local host.

Ensure API credential stability: Create aliases for APIs to map to multiple accounts so that API access is not interrupted during password changes.

Reducing Password Risks with Password Safe

1 Control Third-Party Access

Many breaches result from attacks via third-party systems. Remote access by vendors and contractors needs controlled network separation and activity monitoring. Password Safe provides a secure connection gateway with proxied access to RDP, SSH and Windows applications; protects privileged credentials; and records all privileged sessions.

2 Reduce Cloud Risk

Cloud management interfaces are often left unmonitored with weak and/or uncontrolled password policy. Password Safe facilitates safe storage and session management for administrative credentials to Azure, Amazon, Google, Rackspace, and GoGrid, as well as to social networks including Facebook, LinkedIn and Twitter. Learn more about cloud security.

3 Use Context to Determine Access

Permissions are often granted globally to individuals based upon job role, without accounting for real-time risk factors such as location, day or time. Password Safe dynamically assigns just-in-time privileges via it’s Advanced Workflow Control engine. For instance, access policies can limit users to firecall accounts at night but afford a broader level of access during the day. These policies can also tie into BeyondInsight Threat Analytics to quarantine at-risk resources.

4 Manage Access For Privileged And Non-Privileged Accounts

While identity and access management (IAM) solutions help IT teams answer ‘who has access to what’, they do not account for privileged user access, addressing ‘is that access appropriate?’ and ‘is that access being used appropriately?’

PowerBroker Password Safe includes a dynamic, bi-directional certified integration with SailPoint IdentityIQ, allowing organizations to effectively manage user access for both privileged and non-privileged accounts.

Related Resources: Get the most out of Privileged Password Management