
We have an administrators group for each server in AD. Each member of this group has local administrator rights on the respective server due to their membership. The servers are all in the same OU in AD. Unfortunately, nothing can be changed in the AD structure in the foreseeable future.

We now want to onboard the Windows servers in the PWS. For compliance reasons, we have to work with named accounts on the servers.

What is the best way to onboard the approx. 500 servers and the 300 managed linked accounts now?
Creating a smart rule for each server, each administrator and then creating a mapping rule is not really a solution, is it?

Regards, Arno

@Arno I am not going to lie, I have an environment that is exactly the same as you have explained: they have a domain account for each system; if the system name is srvfgh0211, there exists a “USR-srvfgh0211” on the domain.

The only way to work in this environment was to create a smart rule for each account and each asset and link them; there is no other way that I know of that you could work with Smart Rules.

Otherwise, you could work with API scripts to link the accounts with certain names to specific Managed Systems. You would need a planner with all servers and all the accounts that should be linked to them; it would need manual intervention as well, but it would be more “automatic”.

The API approach is “better”, but in my case the environment did not have the means to continue with the scripts, so Smart Rules it was.


As Paulo144 mentioned, using the API is likely the best way to automatically onboard these types of systems. To get started with the API, you can find example scripts in the Password Safe Resource Kit under the folder \API Samples\. You can download the Resource Kit from the Downloads section of the Customer Portal.

Additionally, the API documentation is available in the Docs section. Here’s a direct link to the Password Safe API: https://docs.beyondtrust.com/bips/docs/password-safe-api and the BeyondInsight API: https://docs.beyondtrust.com/bips/docs/beyondinsight-api

Depending on your environment, you may be able to use Quick Rules (“Add to SmartGroup” in the UI) to provision Password Safe users access to managed accounts and systems. For more details, refer to [API: POST QuickRules] in the API documentation.
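The "planner plus API script" approach that Paulo144 describes and that the reply above points to, as an added example (this is not a script from the thread, the Resource Kit, or BeyondTrust): it reads a CSV with one row per server/account pair, resolves the managed system and the directory account to their IDs, and links them, with -WhatIf for a dry run. The endpoint paths (Auth/SignAppin, Auth/Signout, ManagedSystems, ManagedAccounts, ManagedSystems/{id}/LinkedAccounts/{id}), the JSON field names (ManagedSystemID, SystemName, AccountId) and the "USR-<server>" fallback are assumptions to check against the API documentation for your version; the hostname and directory name are placeholders.

```powershell
<#
  Added example, not from this thread or the BeyondTrust Resource Kit.
  Bulk-links directory (domain) managed accounts to Windows managed systems
  from a planner CSV with columns SystemName,AccountName. An empty AccountName
  falls back to the "USR-<server>" naming convention mentioned in the thread.
  ASSUMPTIONS (verify against the Password Safe API docs for your version):
    - base URL ends in /BeyondTrust/api/public/v3/
    - POST Auth/SignAppin with the PS-Auth header, POST Auth/Signout
    - GET ManagedSystems returns ManagedSystemID and SystemName
    - GET ManagedAccounts?systemName=&accountName= returns AccountId
    - POST ManagedSystems/{systemID}/LinkedAccounts/{accountID} creates the link
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string]$BaseUrl,    # e.g. https://pws.example.com/BeyondTrust/api/public/v3/
    [Parameter(Mandatory)] [string]$ApiKey,     # API registration key
    [Parameter(Mandatory)] [string]$RunAs,      # BeyondInsight user the key runs as
    [Parameter(Mandatory)] [string]$PlanCsv,    # planner CSV: SystemName,AccountName
    [Parameter(Mandatory)] [string]$DirectorySystemName  # managed system holding the domain accounts, e.g. corp.example.com
)

$ErrorActionPreference = 'Stop'
$session = New-Object Microsoft.PowerShell.Commands.WebRequestSession
$headers = @{ Authorization = "PS-Auth key=$ApiKey; runas=$RunAs;" }

function Invoke-Pws {
    param([string]$Method, [string]$Path)
    $req = @{
        Method      = $Method
        Uri         = $BaseUrl.TrimEnd('/') + '/' + $Path
        WebSession  = $session   # keeps the sign-in cookie across calls
        Headers     = $headers
        ContentType = 'application/json'
    }
    Invoke-RestMethod @req
}

# One session for the whole run; always sign out, even on failure.
Invoke-Pws -Method Post -Path 'Auth/SignAppin' | Out-Null
try {
    # Resolve every managed system once instead of once per CSV row.
    $systemsByName = @{}
    foreach ($s in (Invoke-Pws -Method Get -Path 'ManagedSystems')) {
        $systemsByName[$s.SystemName.ToLowerInvariant()] = $s.ManagedSystemID
    }

    $report = foreach ($row in (Import-Csv -Path $PlanCsv)) {
        $server  = $row.SystemName.Trim()
        $account = if ($row.AccountName) { $row.AccountName.Trim() } else { "USR-$server" }  # assumed convention
        $status  = $null

        $sysId = $systemsByName[$server.ToLowerInvariant()]
        if (-not $sysId) {
            $status = 'managed system not found'
        }
        else {
            # Look the directory account up on the domain's managed system (assumed filter parameters).
            $query = 'ManagedAccounts?systemName={0}&accountName={1}' -f [uri]::EscapeDataString($DirectorySystemName), [uri]::EscapeDataString($account)
            try   { $acct = @(Invoke-Pws -Method Get -Path $query) }
            catch { $acct = @() }   # a 404 from the filter means "no such account"
            if ($acct.Count -eq 0) {
                $status = 'directory account not found'
            }
            else {
                $target = "ManagedSystems/$sysId/LinkedAccounts/$($acct[0].AccountId)"
                if ($PSCmdlet.ShouldProcess($target, 'Link directory account to managed system')) {
                    try   { Invoke-Pws -Method Post -Path $target | Out-Null; $status = 'linked' }
                    catch { $status = "failed: $($_.Exception.Message)" }   # e.g. already linked
                }
                else { $status = 'skipped (WhatIf)' }
            }
        }
        [pscustomobject]@{ System = $server; Account = $account; Status = $status }
    }
    $report | Format-Table -AutoSize
}
finally {
    Invoke-Pws -Method Post -Path 'Auth/Signout' | Out-Null
}
```

Run it first with -WhatIf against the planner to see which rows would link, which servers are not yet onboarded as managed systems, and which domain accounts are missing; the same report then shows the result of the real run. The API key user needs rights to read managed systems and accounts and to manage linked accounts, and if that user requires a password with the key the PS-Auth header also needs the pwd=[...] part, which is left out here.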


We have this same issue. My solution is to link every elevated rights account (server admin accounts) with every system in BeyondTrust. Roughly 1800 servers and 300~400 or so elevated rights accounts. I then wrote a Word document explaining how to Favorite your server list from the Directory Linked Accounts list.

I did, however, manage to get the domain admin accounts to only show the domain controllers. I created a smart rule to get all the domain controllers and a group to give the results of the smart rule to the domain admin accounts. In short, it doesn’t have to be a 1 for 1 mapping, you can get a group of servers belonging to an application and map the application support staff to those servers with one or two smart rules. 

My go-forward plan is to only deal with people who request it. Those who request it will get just their servers the same way I did the domain admins. 

My stretch goal is to figure out a way to automate it so that the current security groups that control admin rights on servers are mapped properly. 

The one thing that bit me in the backside was the smart rules. If your asset belongs to a default smart rule to link the asset to everyone and you try to link your account to just a couple systems, the default give it to everyone smart rule will still hand you all the systems. I dealt with this by creating security groups in AD and adding assets to the groups and then running a smart rule to manage from that. I’m handling service accounts the same way for password management.

