Question

Admin able to see other users' accounts and can also use them to launch sessions

  • October 20, 2025
  • 4 replies
  • 75 views

We have created a local account on a custom platform / Linux system and mapped it one-to-one to the user, since we cannot map it as dedicated because the user's Admin account and Requestor ID do not match. Below is the scenario:
1. User Admin ID is PA09192
2. User's Requestor ID is MSP9192

Since the user's Requestor ID and Admin ID do not match, we have mapped this using one-to-one mapping so that the user can log in to BT and see this ID -> PA09192.
This mapping is working fine and the user is able to see this ID. However, the problem is that when any user with Admin access logs in to BT, they are also able to see this ID (PA09192).

The KB article below explains the reason, but we don't want Admins to view and access this ID:

https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sys_kb_id=4b4c8e7f473f5a541bf1db37536d434a

Can anyone please let me know how we can block Admin users from viewing and accessing non-dedicated (one-to-one mapped/shared) IDs in Password Safe?


Regards,

Imran Aiyani

4 replies

frank.colvin
  • Veteran
  • October 21, 2025

Good morning, I have a few questions about this.

  1. Is the account logging into PWS an AD account?
  2. Is there a Smart Rule/group for this account?
  3. How have you dedicated the accounts to each other?

Here are some thoughts:

To block admin users from viewing or accessing non-dedicated mapped/shared IDs in BeyondTrust Password Safe, you can use a combination of role-based access controls, Smart Rules, and Access Policies. Here's how to approach it:

Steps to Restrict Access to Shared or Non-Dedicated Accounts

1. Use Role-Based Access Groups

  • Create specific roles for different user types (e.g., Admins, DBAs, Helpdesk).
  • Assign minimal permissions to roles that should not access shared accounts.
  • Ensure that only designated roles have access to Password Safe Account Management and Session Access features. [docs.beyondtrust.com]

2. Configure Smart Rules for Account Segmentation

  • Use Smart Rules to categorize accounts:
    • Dedicated Accounts: Use naming conventions or metadata to tag these.
    • Shared Accounts: Tag separately using account attributes.
  • Assign Smart Rules to Smart Groups, which can then be linked to specific user groups. [docs.beyondtrust.com]

3. Apply Access Policies

  • Create Access Policies that define who can:
    • View account details.
    • Request password checkout.
    • Initiate sessions.
  • Apply these policies to Smart Groups containing shared accounts, and exclude admin roles from these policies. [docs.beyondtrust.com]

4. Use Managed Account Aliasing (Optional)

  • If needed, use Managed Account Aliasing to abstract shared account access, allowing only specific users to access them without revealing actual credentials. [beyondtrust.com]

Best Practices

  • Audit regularly to ensure access controls are enforced.
  • Avoid assigning Full Control to general admin roles unless absolutely necessary.
  • Document account ownership and access justification for shared accounts.

I believe we can work with some smart rule filter and/or access policies to help with this.

  • Author
  • Trailblazer
  • October 21, 2025

Hi Frank,

Thank you so much for the reply. Below are my comments:

1. For shared accounts we don't have any matching attributes to map, hence we are using one-to-one mapping, i.e. creating a Smart Rule with only the "show as smart group" setting and then assigning it to the group which has the user who needs to access it.

2. Yes, users logging in to Password Safe are using AD accounts via SAML SSO. Form login is disabled for all.

3. "Apply these policies to Smart Groups containing shared accounts, and exclude admin roles from these policies." Can you please elaborate how I can exclude the Administrators group so that they don't see non-dedicated accounts or shared IDs?

Awaiting your response. Thanks in advance.

Regards,

Imran


  • BeyondTrust Employee
  • October 21, 2025

Hello @immi563

The built-in Administrators group has access to all Smart Rules. You cannot exclude a rule from this group. I would recommend limiting who is added to the Administrators group and, for the users that need to perform administrative tasks, creating a new group and delegating just the permissions they require.


Regards,

John


rhagerm
  • Rising Star
  • October 21, 2025

Assumptions:

By admin users, are you referring to users who are admins in BeyondTrust, i.e. in the Administrators group under Account Management\Groups?

If yes, keep reading. If no, this will not help you.

I created a new group called vault admins and I added my elevated rights account to that group.

Next, I assigned it all the roles except for 6 roles I don't think I will ever need.

Next, I added the All Assets, All Managed Systems and All managed Accounts smart rules.

I added the btadmin accounts for my environment to a Smart Group and added that Smart Group to the list. I also set it up so I could retrieve the btadmin accounts for logging into things that require it.

For the All Managed Accounts smart rule, I gave it Credentials Manager, Recorded Session Reviewer and Active session reviewer. I did NOT give the group Requestor rights.

Once this was all complete and tested, I removed my elevated rights account from the default Administrators group. If I need more than what I have, I will need to log in with btadmin, but there is not a whole lot that would make me want to do that.

After testing, I was only missing the ability to run any of the reports under Reports --> Password Safe (the 25 reports located there). The Password Safe category is missing and only shows up when I give Requestor rights to the managed accounts. Again though, I can use btadmin to run those reports if I need to.

From here, you can add some extra Smart Groups to each user so they can see just their accounts, but be careful with that. As mentioned above, I do see the btadmin accounts for all my appliances because I need those, but nothing else. If I do it wrong, I could end up with everyone's accounts.

The one thing I just noticed is that I can't see all the Smart Rules. I only see the All Managed Systems Smart Rule, the All Assets Smart Rule, and all of the managed account Smart Rules. I will need to play with that.
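The two delegation approaches in this thread (Frank's Smart Group / Access Policy segmentation and rhagerm's "Vault Admins" group that holds reviewer roles but not Requestor on All Managed Accounts) both rest on the same point John makes: the built-in Administrators group sees every Smart Rule and cannot be excluded, so the only control is who sits in that group and which roles the delegated groups hold. The following is an added example, not BeyondTrust code or its API, that models that visibility logic over constructed data so an administrator can audit who can see a one-to-one mapped ID such as PA09192 before and after moving people out of the built-in group. It assumes a simplified rule that a user can see and request an account in the Password Safe portal only when a group they belong to holds the Requestor role on a Smart Group containing that account, or when they are a member of the built-in Administrators group; group names, usernames and account names other than PA09192 and btadmin are constructed.

```python
"""Toy model of Password Safe account visibility (constructed example, not
BeyondTrust's code or API). Assumed rule: a user sees a managed account when a
group they belong to holds the Requestor role on a Smart Group containing it,
or when they are in the built-in Administrators group, which sees all rules."""
from dataclasses import dataclass, field

BUILTIN_ADMINS = "Administrators"   # built-in group; cannot be excluded from a rule
REQUESTOR = "Requestor"             # the role that exposes accounts in the portal


@dataclass
class SmartGroup:
    name: str
    accounts: set


@dataclass
class Group:
    name: str
    members: set
    # Smart Group name -> set of Password Safe roles granted on it
    roles: dict = field(default_factory=dict)


def visible_accounts(user, groups, smart_groups):
    """Return the set of managed accounts `user` can see under the assumed model."""
    visible = set()
    for g in groups:
        if user not in g.members:
            continue
        if g.name == BUILTIN_ADMINS:
            # Built-in admins see every Smart Rule regardless of role assignments.
            for sg in smart_groups.values():
                visible |= sg.accounts
            continue
        for sg_name, roles in g.roles.items():
            # Reviewer / Credentials Manager roles alone do not expose the account.
            if REQUESTOR in roles:
                visible |= smart_groups[sg_name].accounts
    return visible


def audit_shared_account_exposure(shared_accounts, groups, smart_groups):
    """Map each shared account to the sorted list of users who can see it,
    so a reviewer can spot exposure of a one-to-one mapped ID to admins."""
    users = set().union(*(g.members for g in groups))
    return {
        acct: sorted(u for u in users
                     if acct in visible_accounts(u, groups, smart_groups))
        for acct in shared_accounts
    }


def builtin_admin_members(groups):
    """Members of the built-in Administrators group: the list to keep minimal."""
    for g in groups:
        if g.name == BUILTIN_ADMINS:
            return sorted(g.members)
    return []


# Constructed data mirroring the thread: PA09192 is exposed only through a
# "show as smart group" rule assigned to the requesting user's group, while the
# delegated Vault Admins group mirrors rhagerm's setup (reviewer roles on
# All Managed Accounts, Requestor only on the btadmin Smart Group).
SMART_GROUPS = {
    "All Managed Accounts": SmartGroup(
        "All Managed Accounts", {"PA09192", "btadmin-app1", "svc-db"}),
    "PA09192 one-to-one": SmartGroup("PA09192 one-to-one", {"PA09192"}),
    "btadmin accounts": SmartGroup("btadmin accounts", {"btadmin-app1"}),
}
GROUPS = [
    Group(BUILTIN_ADMINS, {"alice.admin"}),
    Group("Vault Admins", {"bob.elevated"}, {
        "All Managed Accounts": {"Credentials Manager",
                                 "Recorded Session Reviewer",
                                 "Active Session Reviewer"},
        "btadmin accounts": {REQUESTOR},
    }),
    Group("MSP9192 users", {"msp9192"}, {"PA09192 one-to-one": {REQUESTOR}}),
]

if __name__ == "__main__":
    for user in ("alice.admin", "bob.elevated", "msp9192"):
        print(user, sorted(visible_accounts(user, GROUPS, SMART_GROUPS)))
    print("built-in admins:", builtin_admin_members(GROUPS))
    print(audit_shared_account_exposure({"PA09192"}, GROUPS, SMART_GROUPS))
```

Running it shows the built-in admin seeing PA09192 alongside everything else, the delegated Vault Admin seeing only the btadmin account it has Requestor rights on, and the one-to-one mapped user seeing only PA09192; the audit output lists exactly which users can reach the shared ID, which is the list to compare against the intended owners after trimming the built-in group.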