BeyondTrust Password Safe
  • 12 Mar 2025

BeyondTrust Password Safe is an enterprise-grade privileged access management (PAM) solution that helps organizations manage and secure privileged credentials and access to critical systems. It is designed to control, monitor, and audit access to privileged accounts, such as those used by IT administrators, applications, and automated processes. More information can be found in the official BeyondTrust documentation.

Integration Method: API

Tables: User Inventory info (5003), Device Inventory info (5001)

This integration supports the following events.

| Event | Description |
|---|---|
| Managed Accounts | Get the list of all managed accounts |
| Managed Systems | Get the list of all managed systems |

This integration supports the following versions.

BeyondTrust Password Safe Version: BeyondInsight 24.2.0.1324

BeyondTrust Password Safe API version: v3

Prerequisites

  • The user must register an API access policy for OAuth.

  • The user must assign the features Password Safe Account Management and Password Safe System Management to the group in order to get all managed accounts and managed systems.

  • The user needs to enable the API option on all managed accounts to get the details of all managed accounts.

  • The user must have access to the DataBee console.

Configuration Overview

  1. Generate client credentials on the BeyondTrust platform.

  2. Add the BeyondTrust Password Safe data feed integration in the DataBee console with the required Client credentials.

| DataBee Parameter | BeyondTrust Password Safe Parameter |
|---|---|
| Token URL: <cloud-instance-url> | BeyondTrust Cloud Instance URL |
| Client Key | Client ID |
| Client Secret | Client Secret |

BeyondTrust Configuration

You will need to create the API Access Policy and get the necessary information for API authentication such as Client ID and Client Secret. These values are needed to configure the DataBee integration.

BeyondTrust Cloud Instance URL

  1. Get the BeyondTrust Password Safe instance from the URL as highlighted below.
     

Configure API access policy registration

The API Access Policy registration is used specifically for OAuth. To create this in the BeyondInsight console:

  1. Go to Configuration > General > API Registrations.
     

  2. Click Create API Registration.

  3. Select API Access Policy from the dropdown list. The Details screen is displayed.
     

  4. Fill out the new API registration details, including the ‘Access Token Duration’. This field determines how long the OAuth token stays active.

  5. Click Add Authentication Rule.
     

  6. Select type CIDR and IP Rule. Add ‘CIDR’ 0.0.0.0/0 and click on Create Rule.
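
A check for the CIDR rule entered in step 6, as an added example (not part of the original article and not BeyondTrust or DataBee code): 0.0.0.0/0 matches every IPv4 source address, so that rule does not limit where the Client ID and Client Secret can be used from. The script flags over-broad or unused rules and derives the tightest CIDRs for a known set of collector addresses; the function names are hypothetical and the addresses are constructed values from documentation ranges.

```python
import ipaddress

# Constructed sample values (RFC 5737 documentation ranges), not real addresses.
COLLECTOR_IPS = ["203.0.113.10", "203.0.113.11", "198.51.100.7"]


def audit_cidr_rules(rules, collector_ips, max_addresses=256):
    """Return (subject, finding) tuples for a list of CIDR authentication rules."""
    nets = [ipaddress.ip_network(r, strict=False) for r in rules]
    ips = [ipaddress.ip_address(ip) for ip in collector_ips]
    findings = []
    for net in nets:
        if net.prefixlen == 0:
            # 0.0.0.0/0 (or ::/0) accepts a token request from any source.
            findings.append((str(net), "any-source"))
        elif net.num_addresses > max_addresses:
            findings.append((str(net), "broad"))
        elif not any(ip in net for ip in ips):
            # Rule admits addresses that no expected collector uses.
            findings.append((str(net), "unused"))
    for ip in ips:
        if not any(ip in net for net in nets):
            # The integration would be rejected from this address.
            findings.append((str(ip), "collector-not-covered"))
    return findings


def suggest_rules(collector_ips):
    """Collapse the expected source addresses (IPv4 here) into the fewest exact CIDRs."""
    hosts = [ipaddress.ip_network(ip) for ip in collector_ips]
    return [str(net) for net in ipaddress.collapse_addresses(hosts)]


if __name__ == "__main__":
    for rules in (["0.0.0.0/0"], ["203.0.113.10/31", "10.0.0.0/8", "192.0.2.0/30"]):
        print(rules, "->", audit_cidr_rules(rules, COLLECTOR_IPS))
    print("suggested:", suggest_rules(COLLECTOR_IPS))
```
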
     

Create Group

  1. From the left sidebar, click Configuration.

  2. Under Role Based Access, click User Management.
     

  3. Click the Groups tab to display the list of groups in the grid.

  4. Click Create New Group above the grid.
     

  5. Select Create a New Group from the drop-down list.

  6. Add ‘Group Name’ and ‘Description’ and click on Create Group.
     

  7. Assign the features to a group to access Managed Systems and Managed Accounts Details.

  8. Click the vertical ellipsis for the group, and then select View Group details.
     

  9. Click on Features tab > All Features.
     

  10. Search for Password Safe Account Management and Password Safe System Management in the list of features and select their checkboxes.

  11. Click on Assign Permissions and give Read Only permission.
     

  12. Click on Smart Groups and search for All Managed Accounts and All Managed Systems. Select them and click on Assign Permissions and give Read only permissions.
     

  13. To get all Managed Accounts, give a Password Safe Role such as Requestor or Approver on the All Managed Accounts smart group.

  14. From the ‘Show’ filter, select Enabled Smart Groups, click the vertical ellipsis of the All Managed Accounts smart group, and click Edit Password Safe Roles.
     

  15. Give Requestor Role and select Default Auto-Approve Access Policy from drop down. Then click on Save Roles.
     

Add Application User

Application users represent applications that interface with the BeyondInsight public API. Application users cannot log in to the BeyondInsight console. They can only authenticate and interact with the public API, using Client ID and Client Secret for credentials within the OAuth client credential flow.

An API Registration of type API Access Policy must be assigned to an application user and is used for processing IP rules. To create an application user, follow the steps below:

  1. From the left sidebar, click Configuration.

  2. Under Role Based Access, click User Management.
     

  3. Click the Users tab to display the list of users in the grid.

  4. Click Create New User above the grid.

  5. Select Add an Application User from the drop-down list. The “Create New Application User” screen displays.
     

  6. Add a ‘Username’.

  7. Under ‘API Access Policy’, select the policy created in the previous section.

  8. Copy the information from the Client ID and Client Secret fields for later use.
     

  9. Click Create User.

Assign User to Group

  1. From the left sidebar, click Configuration.

  2. Under Role Based Access, click User Management.
     

  3. Click the Users tab and select the user created in Step 6 of the Add Application User section.

  4. Assign the user to a group that has the required permissions to access BeyondInsight and Password Safe features.

  5. Click the vertical ellipsis for the user, and then select View User Details.
     

  6. From the User Details pane, click Groups.

  7. Click the drop-down under the ‘Show’ filter and select All Groups. Locate the group created earlier and click Assign Group above the grid.
     

Enable API Option for All Managed Accounts

Note:

The integration retrieves the managed accounts for which the API Enabled account setting is turned on.

Perform the steps below to enable the API Enabled setting.

  1. Click on Managed Accounts from the side panel to get the list of Managed Accounts.

  2. Click on Manage Smart Rules on the top right side to get a list of all smart rules.
     

  3. Click on Create Smart Rule to create a new rule.

  4. Add the details below when creating the new smart rule.

    • Category: Managed Accounts

    • Name: add an appropriate name for the smart rule.

    • Description: add an appropriate description for the smart rule.

    • Reprocessing limit: the interval at which the smart rule is processed against all managed accounts and takes the action defined later. It can be set to 6 or 12 hours. Make sure it is not more than 24 hours, because data is fetched every 24 hours.

    • Selection Criteria: add the selection criteria that determine which accounts the smart rule applies to. Because the API Enabled setting is needed on all Managed Accounts, the filter must match all existing managed accounts as well as newly created ones.

      • Here the filter is on the ‘Account Name’ field: an account name is never empty, so every managed account matches the regular expression “.+” and the rule is applied to all Managed Accounts.

        Note:

        A smart rule requires one filter and one action, which is why the filter above is added; otherwise no filter would be needed, since the rule must apply to all Managed Accounts.

  5. Actions: select Manage Account Settings.

    • Account Options: select the Enable API Access checkbox.

  6. Click on Create Smart Rule.

  7. Now all Managed Accounts will be accessible via API.

DataBee Configuration

  1. Log in to the DataBee UI, navigate to Data > Data Feeds and click the Add New Data Feed button.
     

  2. Search for the BeyondTrust Password Safe and click it as shown below.
     

  3. Click on the API Ingest option for collection method.
     

  4. Enter feed contact information and click Next.
     

  5. In the configuration page, confirm the following:

    • API Base URL: replace <cloud-instance-url> with your BeyondTrust cloud instance URL.

    • Authorization Method: OAuth2

    • Client Key: paste the Client ID generated earlier in the BeyondTrust Platform.

    • Client Secret: paste the Client Secret generated earlier in the BeyondTrust Platform.

    • Token URL: replace <cloud-instance-url> with your BeyondTrust cloud instance URL.

    • Event Types: preselected for all the event types that integration pulls.
       

    • Click Submit.

Troubleshooting Tips

  • Ensure the Password Safe System Management and Password Safe Account Management features are assigned to a group so that Managed Systems and Managed Accounts details can be accessed.

  • Ensure a Password Safe Role such as Requestor or Approver has been given on the All Managed Accounts smart group for the group created earlier.

  • Ensure all managed accounts have the API Enabled option enabled so that all managed accounts are returned.

