Question

How to use smart rules to link systems to users in Password Safe

  • January 16, 2026
  • 4 replies
  • 18 views

I’m starting to onboard users and computers to Password Safe, and I want to allocate certain users to certain servers.

So, to illustrate:

Team A has 5 users; each user has a standard AD account and a dedicated admin AD account.

This team is responsible for several servers which I have put in an AD group.


I can do the directory queries and onboard the servers and manage them. I can also onboard and manage the dedicated admin accounts and link them to the standard accounts.

I’ve hit a roadblock linking the accounts to the servers.

There is an existing onboarding rule which sets an attribute (Tier1Server) on servers and a rule which sets an attribute (Tier1account) on T1 accounts. The servers I want to sort now and the team users are a subset of Tier 1, so I should be able to use a similar process using attributes.

So I create a managed account smart rule with selection criteria of the directory query relating to that user group so I can set an attribute of the team name on those users. But when I save and view results it shows nothing.

Am I going about this the right way using attributes, or am I just missing something about why the directory query isn’t pulling back user accounts?

Thanks


4 replies

  • January 16, 2026

Sounds like what you’re trying to do is link the assets to the managed accounts, correct? That’s done with two smart rules: an asset smart rule and a managed account smart rule. For example:

Create an asset smart rule that lists all your server(s). This can be a query by attributes that you set during onboarding, or regex, or whatever. It’s a good practice to keep your onboarding smart rules separate from your asset ACL smart rules.

Create a “managed account” smart rule:

Selection Criteria

  • Your directory query of managed (or dedicated) accounts

Actions:

  1. Show managed account as Smart Group
  2. Link domain accounts to managed systems -- select the asset smart rule that lists all the servers they should be linked to.

  • Author
  • Apprentice
  • January 18, 2026

Hi Michael, 

Thanks for the reply.

I have an asset smart rule for the servers set to show as a smart group. This is working and I see the correct devices in the results.

When I create the “managed account” rule using a directory query, the results are empty. If I go and edit the directory query and hit test, it will find the users, so the query is correct. If I edit the smart rule to use another directory query, it can see those users.

It’s one selection criterion: include account from directory query. Should that just work?

  • Author
  • Apprentice
  • January 18, 2026

Thinking about this again. The directory query is targeting the standard user accounts which they will log in to Password Safe with (or PRA). These are not managed and are not going to work in a managed account rule, I think.

When I try to use the selection criteria “dedicated account” I get the error: The "Dedicated Account" filter also requires a "Map Dedicated Account To" action. The dedicated accounts are already mapped in a rule that maps all Tier 1 accounts and a second that maps all Tier 0, irrespective of team.

So I tried managed account fields, with “account name - starts with”. This works OK for some scenarios, e.g. third parties all have a T1companyname prefix on their admin accounts. But I also want to do this for internal teams who don’t have this.


Am I going about this the wrong way?

rhagerm
  • Rising Star
  • January 18, 2026

I have done this.

Most companies provide a security group in AD to add elevated accounts to the local admin groups.

mydomain\Admin-Myserver will be a member of the administrators group on Myserver.

An asset smart rule to define Myserver, a directory query to get all members of Admin-Myserver, and a managed accounts smart rule to tie it all together.

Once that is done, the account and host will show up since you linked the managed account to the managed system. The owner of the dedicated managed account will then see the server in their list.

This only works if you have the user in the proper security group and the security group is mapped.

I’ve never tried doing the mapping with Administrators, but I think it should work. I just don’t know whether a nested group would be readable in BeyondTrust, but again, I’ve not tried that yet.