PowerBroker Password Safe version 6.6 improves on key features and capabilities in session management, adaptive workflow, and password management with unmatched levels of security, scalability and control.

New Features PowerBroker Password Safe version 6.6

Secure Password Update Proxy for Unix and Linux

BeyondTrust PowerBroker Password Safe in conjunction with PowerBroker for Unix & Linux now offers the capability to change passwords on Unix and Linux hosts without the need for a functional account on each host. Leveraging remote command execution, PowerBroker for Unix & Linux will change managed account passwords on any remote system under its control. Setup is simple – just use the system elevation feature to point all requests to the Password Update Proxy (pbrun jumphost). Policy Rules in PowerBroker for Unix and Linux allow password updates to be securely passed to managed endpoints.

Custom Attributes for Managed Accounts

Custom attributes have long been available for Assets. In PowerBroker Password Safe v6.6, you can you apply custom attributes to managed accounts also. Custom attributes can be set from Smart Rules or via the API; once applied, they can be leveraged as a filter for Smart Groups to allow unordered lists of managed accounts to be created. Rather than create completely different attributes, we have made custom attributes for assets generic such that they can be applied to managed accounts. This means that accounts can be filtered or set via Smart Rule.

Protect Passwords with Copy to Clipboard

Rather than display passwords by default, Password Safe now obfuscates the password and allows users to copy the password to the clipboard by default. This prevents screen-scraping malware from capturing passwords and adds an additional layer of security by passing the password directly to the paste buffer thus ensuring that the password is never displayed on the screen. The password may be revealed for instances where pasting credentials is not supported.

Other Enhancements


  • Replay sessions from any node
  • Managed Account Password Test via PBW Agent
  • Enable SYSDBA privilege for an Oracle Functional Account
  • Password Safe user portal additional language support for German, French (Canada), French (France)
  • Added keystroke recording performance improvements
  • Added "LANG=en_US;" to custom platforms
  • Added "Set Attributes on each account" Smart Rule Action for Managed Accounts
  • Added ‘Attribute Assigned’ Smart Rule filter for Managed Accounts
  • Changed Session Monitoring Window Position to no longer default to center of the screen
  • Added Active Directory Functional Account Test improvements using UPN account names
  • Post Release password changes processing improvements
  • Removed the Change Password feature for PBPS web portal local users
  • Improved auditing for changes to Managed Systems, Managed Accounts, Password Complexity rules
  • Added support for Managed Account password test via the PBW Agent
  • Added login security improvements
  • Added a new configuration landing page with search capability
  • Added the ability to select an organization to the user profile section for a multiple organization
  • Added Asset Grid Improvements
  • Added Support Package creation improvements
  • Added Asset Purge Improvements
  • Added the ability to clone directory queries
  • Added the ability to sort directory queries
  • Added a catch all Smart Group for assets not belonging to of any other Smart Groups
  • Added the ability for multiple organizations to use one scanner
  • Added ability to export groups to SailPoint
  • Added UI improvements to the User Groups
  • Added UI improvements to the credentials screen
  • Added the ability to disable AD/LDAP/Local BI user login by user
  • Added the ability to scan multiple Oracle databases using a single Oracle credential
  • Added auditing for login/logout events and changes to security settings for local users
  • Added auditing for adding new AD users
  • Added Radius login improvements
  • Added support for Radius auto-failover
  • Replaced Asset Kind with Asset Type in Smart Rule Asset Attribute.

Analytics & Reporting

  • Added the ability to save scheduled reports to a network share
  • Added Entitlement by User report
  • Added the Database User Report
  • Added Last Login Date column to Asset User Account List
  • Added data and performance improvements to PowerBroker Password Safe reports
  • Added PowerBroker Password Safe user cluster data

API Enhancements

New APIs for Session Control & Quarantine

User Quarantine Quarantined users cannot sign-in to the API, and newly quarantined users will have any existing sessions terminated within a configurable time limit.
  • POST Users/{id}/Quarantine - Quarantines the User referenced by ID.
  • All /Users/ response bodies include property IsQuarantined:bool
Session Control Lock all active Sessions by Managed Account ID.
  • POST ManagedAccounts/{managedAccountID}/Sessions/Lock
Lock all active Sessions by Managed System ID.
  • POST ManagedSystems/{managedSystemID}/Sessions/Lock
Terminate an active Session
  • POST Sessions/{sessionID}/Terminate -.
Terminate all active Sessions by Managed Account ID.
  • POST ManagedAccounts/{managedAccountID}/Sessions/Terminate
Terminate all active Sessions by Managed System ID.
  • POST ManagedSystems/{managedSystemID}/Sessions/Terminate
Request Control Terminate all active Requests by Managed Account ID
  • POST ManagedAccounts/{managedAccountID}/Requests/Terminate -
Terminate all active Requests by Managed System ID
  • POST ManagedSystems/{managedSystemID}/Requests/Terminate -
Terminate all active Requests by Requestor User ID.
  • POST Users/{userID}/Requests/Terminate -

New APIs

Immediately process a Smart Rule by ID
  • POST SmartRules/{id}/Process -
Queue Credential changes for all active Managed Accounts for a Managed System.
  • POST ManagedSystems/{systemId}/ManagedAccounts/Credentials/Change -

API Enhancements

SSH Key Enforcement Mode support Response body now contains enforcement mode for SSH host keys: SshKeyEnforcementMode:
  • 0 - None
  • 1 – Auto - Auto Accept Initial Key
  • 2 – Strict - Manually Accept Keys
  • POST Assets/{assetId}/ManagedSystems
  • GET ManagedSystems, GET ManagedSystems/{id}, GET Assets/{assetId}/ManagedSystems, GET FunctionalAccounts/{id}/ManagedSystems, POST Assets/{assetId}/ManagedSystems
Ticket System support
  • GET TicketSystems - Returns a list of Ticket Systems.
  • POST Requests, POST Aliases/{id}/Requests, POST RequestSets
New Request body properties:
  • TicketSystemID - ID of the ticket system. If omitted then the default ticket system will be used.
  • TicketNumber - Number of the associated ticket. Can be required if the ticket system is marked as required in the global options.
  • GET Sessions, GET Sessions/{id} - ManagedSystemID added to response body
  • POST ManagedSystems/{systemID}/ManagedAccounts - New request body property: NextChangeDate
  • NextChangeDate (date format: YYYY-MM-DD) – UTC date when next scheduled password change will occur. If the NextChangeDate + ChangeTime is in the past, password change will occur at the nearest future ChangeTime.

Performance Improvements

Keystroke recording and managed session initialization
  • POST ManagedSystems/{id}/ManagedAccounts
  • GET Sessions, GET Sessions/{id}

Other API Changes

  • Deprecated GET Workgroups/{name} - superseded by new API: GET Workgroups?name={name}
  • Deprecated GET Workgroups/{workgroupName}/Assets/{assetName} - superseded by new API: GET Workgroups/{workgroupName}/Assets?name={name}
  • Deprecated DELETE Workgroups/{workgroupName}/Assets/{asetName} - superseded by new API: DELETE Workgroups/{workgroupName}/Assets?name={name}
  • Deprecated GET Aliases/{name} - superseded by new API: GET Aliases?name={name}
  • Deprecated PUT Workgroups/{workgroupName}/Assets/{assetName}/ManagedSystems/ManagedAccounts/{accountName}/Credentials - superseded by new API: PUT Credentials?workgroupName={workgroupName}&assetName={assetName}&accountName={accountName}
  • IIS module WebDAV no longer interferes with API HttpRequests.