
BeyondTrust Password Safe

BeyondTrust Password Safe is an enterprise solution for privileged account, credential, and secrets management. It automates password rotation, enforces strong security policies, monitors and audits privileged sessions, and manages access for human and machine identities across traditional, cloud, and DevOps environments.

Versions: 8.0.0 P10

Introduction

BeyondTrust Password Safe is an enterprise-grade privileged access management (PAM) solution designed to secure, manage, and audit privileged credentials and access.

The BeyondTrust Password Safe Plugin uses the BeyondTrust API (v3) to support automated credential retrieval. The retrieved credential is used by collectors and connectors and discarded after use. Credentials are never cached, so the PAM can rotate the password whenever its policy requires; every run retrieves the latest password.

Prerequisites

Before you begin, ensure you have the following:

  • Administrative access to your BeyondTrust Password Safe instance.
  • A list of managed accounts that will be accessed by RSA G&L.
  • The IP address or CIDR range of the RSA G&L instance for API access rules.

Application Setup

This section provides step-by-step instructions to configure BeyondTrust Password Safe Cloud for OAuth-based API access. Following this setup, RSA G&L can authenticate as a service account, create an automated access request, and retrieve stored passwords for use with the PAM plugin for collectors and connectors.

Info: The application setup section is provided for reference only. You must contact your BeyondTrust SME to set up BeyondTrust Password Safe optimally and securely for use with RSA G&L.

Step 1: Create a User Group and Smart Group

First, create a user group and a smart group to manage access for RSA G&L.

  1. Create a User Group:

    1. Navigate to Configuration > Role Based Access > User Management.
    2. Click the Groups tab and select Create New Group > Create a New Group.
    3. Enter API Access as the Group Name, provide a Description, and click Create Group.

  2. Create a Smart Group:

    1. Navigate to Managed Accounts.
    2. Select the accounts RSA G&L will access.
    3. Click Add to Smart Group.
    4. In the Add To Manual Smart Group dialog, enter G&L in the Smart Group (manual) field.
    5. Click Add As New Option.
    6. Set Category to Managed Accounts, provide an optional Description, and click Add Selected Accounts To Smart Group.

Step 2: Configure API Access and Permissions

Next, configure API access policies and assign permissions to the user group.

  1. Configure API Access Policy:

    1. Go to Configuration > General > API Registrations.
    2. Click Create API Registration and select API Access Policy.
    3. Fill in the registration details, including the Access Token Duration.
    4. Click Add Authentication Rule, select CIDR and IP Rule, and add the appropriate CIDR (e.g., 0.0.0.0/0 for initial testing; because 0.0.0.0/0 accepts API authentication from any source address, restrict the rule to the IP address or CIDR range of the RSA G&L instance listed in the prerequisites before production use).
    5. Click Create Rule.

  2. Assign Permissions and Features:

    1. Go to the API Access group details and select the Features tab.
    2. Select All Features, search for and select Password Safe Account Management and Password Safe System Management.
    3. Click Assign Permissions and grant Read Only access.

Step 3: Create an Access Policy

Create an access policy to govern how credentials are released.

  1. Go to Configuration > Privileged Access Management Policies > Access Policies.
  2. Click Create Policy.
  3. Enter G&L API Auto Approve Policy for the Access Policy Name and provide a Description.
  4. Click Create Policy.
  5. On the Schedule tab, click Create Schedule.
  6. Enable All Day and verify the Recurrence settings.
  7. Under Policy Types, select View Password, Auto Approve, and API Only Access.
  8. Click Create Schedule.

Step 4: Assign Smart Group Roles

Assign the Requestor role to the smart group and associate it with the access policy.

  1. Go to User Management > Groups > API Access.
  2. Click the Smart Groups tab, find the G&L smart group, and select Edit Password Safe Roles.
  3. Check the Requestor role.
  4. For Access Policy, select G&L API Auto Approve Policy.
  5. Click Save Roles.

Step 5: Create and Configure an API User

Finally, create an API user and assign it to the user group.

  1. Go to Configuration > Role Based Access > User Management.
  2. Click the Users tab and select Add an Application User.
  3. Enter svc_gl_pam for the Username.
  4. Under API Access Policy, select the policy you created.
  5. Important: Copy the Client ID and Client Secret for later use.
  6. Click Create User.
  7. Assign the user to the API Access group.

Step 6: Enable API Access on Managed Accounts

Ensure that API access is enabled for the managed accounts you want to access.

  1. Go to Managed Accounts.
  2. For each account, ensure Enable API Access is toggled to Yes in the Account Settings.
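With the setup above in place, the retrieve-once flow the plugin performs (sign in as the API user with the Client ID and Client Secret from Step 5, file an auto-approved access request, read the password, check the request in, sign out, and keep nothing) looks like the following. This is an added Python example, not code from RSA G&L or from BeyondTrust. The endpoint paths (Auth/Connect, Auth/SignAppIn, ManagedAccounts, Requests, Credentials/{id}, Requests/{id}/Checkin, Auth/Signout), the JSON shapes, and the base path https://<host>/BeyondTrust/api/public/v3 are assumptions drawn from the public v3 API rather than from this page; on the wire, Auth/Connect takes a form-encoded body. FakePasswordSafe, the account names, and the placeholder client ID and secret are constructed so the example runs offline; in practice the transport is a real HTTP call.

```python
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

Transport = Callable[[str, str, Dict[str, str], Any], Tuple[int, Any]]  # (method, url, headers, body) -> (status, json)
class PasswordSafeError(RuntimeError): ...
@dataclass
class PasswordSafeClient:
    base_url: str          # assumed form: https://<host>/BeyondTrust/api/public/v3
    client_id: str         # Client ID copied in Step 5
    client_secret: str     # Client Secret copied in Step 5
    transport: Transport
    _token: str = field(default="", repr=False)

    def _call(self, method: str, path: str, body: Any = None) -> Any:
        headers = {"Accept": "application/json"}
        if self._token:
            headers["Authorization"] = f"Bearer {self._token}"
        status, data = self.transport(method, f"{self.base_url}/{path}", headers, body)
        if status >= 400:
            raise PasswordSafeError(f"{method} {path} -> HTTP {status}: {data}")
        return data

    def fetch_password(self, system_name: str, account_name: str, reason: str) -> str:
        # One complete run: OAuth sign-in, auto-approved request, read, check-in, sign-out.
        self._token = self._call("POST", "Auth/Connect", {"grant_type": "client_credentials",
                                 "client_id": self.client_id, "client_secret": self.client_secret})["access_token"]
        try:
            self._call("POST", "Auth/SignAppIn")
            q = urlencode({"systemName": system_name, "accountName": account_name})
            acct = self._call("GET", f"ManagedAccounts?{q}")
            rid = self._call("POST", "Requests", {"SystemId": acct["SystemId"], "AccountId": acct["AccountId"],
                             "DurationMinutes": 1, "Reason": reason, "AccessType": "View"})
            password = self._call("GET", f"Credentials/{rid}")
            self._call("PUT", f"Requests/{rid}/Checkin", {"Reason": reason})
            return password                      # handed to the caller once, never stored
        finally:                                 # best-effort sign-out; never masks the real error
            self.transport("POST", f"{self.base_url}/Auth/Signout", {"Authorization": f"Bearer {self._token}"}, None)
            self._token = ""

class FakePasswordSafe:
    # Constructed stub, not the product: checks secret, bearer token and "Enable API Access" (at request time).
    def __init__(self, client_id, client_secret):
        self.creds, self.tokens, self.requests, self.next_id = (client_id, client_secret), set(), {}, 1000
        self.accounts = {}                       # (system, account) -> record

    def add_account(self, system, account, password, api_enabled=True):
        n = len(self.accounts) + 1
        self.accounts[(system, account)] = {"SystemId": n, "AccountId": n, "password": password, "api_enabled": api_enabled}

    def transport(self, method, url, headers, body):
        path, query = urlparse(url).path.split("/v3/", 1)[1], parse_qs(urlparse(url).query)
        if path == "Auth/Connect":
            if (body["client_id"], body["client_secret"]) != self.creds:
                return 401, {"error": "invalid_client"}
            tok = f"tok{len(self.tokens) + 1}"
            self.tokens.add(tok)
            return 200, {"access_token": tok, "token_type": "Bearer"}
        tok = headers.get("Authorization", "")[len("Bearer "):]
        if tok not in self.tokens:
            return 401, "Unauthorized"
        if path == "Auth/Signout":
            self.tokens.discard(tok)
        if path in ("Auth/SignAppIn", "Auth/Signout") or path.endswith("/Checkin"):
            return 200, ""
        if path == "ManagedAccounts":
            a = self.accounts.get((query["systemName"][0], query["accountName"][0]))
            return (200, {"SystemId": a["SystemId"], "AccountId": a["AccountId"]}) if a else (404, "Not Found")
        if path == "Requests":
            key = next(k for k, v in self.accounts.items() if v["AccountId"] == body["AccountId"])
            if not self.accounts[key]["api_enabled"]:
                return 403, "API access is not enabled for this managed account"
            self.requests[self.next_id], self.next_id = key, self.next_id + 1
            return 201, self.next_id - 1
        if path.startswith("Credentials/"):
            key = self.requests.get(int(path.split("/")[1]))
            return (200, self.accounts[key]["password"]) if key else (404, "Not Found")
        return 404, "Not Found"

def try_fetch(client, system, account):
    try:                                         # password on success, error text on failure
        return client.fetch_password(system, account, "collector run")
    except PasswordSafeError as e:
        return str(e)

def demo():
    # Constructed walk-through: normal run, rotation between runs, wrong secret, API access off.
    cid, secret = "client-id-placeholder", "client-secret-placeholder"
    server = FakePasswordSafe(cid, secret)
    server.add_account("db01", "svc_app", "Pa55-one")
    server.add_account("db02", "legacy", "Pa55-x", api_enabled=False)
    base = "https://ps.example.test/BeyondTrust/api/public/v3"
    client = PasswordSafeClient(base, cid, secret, server.transport)
    out = {"first": try_fetch(client, "db01", "svc_app")}
    server.accounts[("db01", "svc_app")]["password"] = "Pa55-two"   # PAM rotation between runs
    out["after_rotation"] = try_fetch(client, "db01", "svc_app")
    out["token_cleared"] = client._token == "" and not server.tokens
    out["bad_secret"] = try_fetch(PasswordSafeClient(base, cid, "wrong", server.transport), "db01", "svc_app")
    out["api_disabled"] = try_fetch(client, "db02", "legacy")
    return out
```

Running demo() shows the two properties the introduction describes: the second fetch_password call returns the rotated password because nothing was cached from the first run, and after each run the client holds no token and the stub has no open session. The two failure cases map onto the Troubleshooting entries below, as the stub models them: a wrong Client Secret surfaces as HTTP 401 at Auth/Connect, and an account whose Enable API Access toggle is off surfaces as HTTP 403 when the request is created.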

Troubleshooting

Here are some common issues and their solutions:

  • API authentication errors:
    • Verify that the Client ID and Client Secret are correct.
    • Ensure the API user is assigned to the correct user group.
    • Check that the API access policy is correctly configured with the right IP address or CIDR range.
  • Unable to retrieve passwords:
    • Confirm that the Requestor role is assigned to the smart group.
    • Verify that the access policy is correctly configured to auto-approve requests.
    • Ensure that API access is enabled on the managed accounts.
  • Access denied errors:
    • Check that the user group has the necessary Read Only permissions for Password Safe Account Management and Password Safe System Management.
