Question

Multiple Site Active Active Setup - Segregation for Admin access based on Sites

  • March 16, 2026


Hi Team,

The customer has a requirement to maintain segregation for administrators across different sites. Could you please advise how this can be achieved?

Currently, we have five sites (A, B, C, D, E, F) configured in an Active-Active setup. Each site has its own set of administrators. The customer now requires segregation of duties so that administrators from one site are restricted from viewing or accessing assets, groups, or directory queries belonging to other sites. For example, administrators from Site A should only be able to view and manage assets, groups, and directory queries related to Site A, and should not have visibility into resources from the other sites.

Please let us know the possible approach to implement this requirement.

2 replies

  • Author
  • Trailblazer
  • March 16, 2026

Just to let you know, I got to know from BT support that we can achieve it through the organization settings, i.e. creating a dedicated organization for each site, but I am still not able to achieve what I am looking for.

Let me know if anyone has done it before and was able to achieve it.


rhagerm
  • Rising Star
  • March 16, 2026

I have 3 vault administrators and 2 people who work for the identity team. The two people on the identity team have access to All Managed Accounts, All Managed Assets and they have the Account Admins group.

The Administrators group can manage and see everything. That’s just the way it is.

The account admins group can see all assets and all managed accounts. What they cannot do is manage any of the BeyondTrust stuff such as directories, smart rules, etc.

What they can do is onboard new accounts and test and change passwords. I also gave them access to review sessions, both active and recorded.

When you permission the smart rule for the accounts in the site, you can grant them Credentials Manager. That will allow them to see the accounts under Managed Accounts, but you will not be providing them access to the account passwords, only test and change password.

You can add features to the group to give them what you feel they need. My sudo admins have 35 features. I gave them these by using a secondary account I have: I added it to the group and then added features until I had the permissions I felt the account admins needed.

I do like the idea of having multiple organizations; you can just give them the permissions based on the organization instead of everything. In my environment, however, I only have the one org, so for me it isn't needed.

If they are going to be onboarding accounts, they may need the rights for smart rules. I haven’t had the need to play with this yet though.
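The layering rhagerm describes (a built-in Administrators group that sees everything, per-site groups that are only granted a role on a site-scoped Smart Rule, and a Credentials Manager role that allows test/change but never password retrieval) can be modelled as a small authorization check, which also gives the original poster a way to verify the segregation requirement from the question. The following is an added example written for this thread, not BeyondTrust code and not something either poster provided: the group names, the role-to-action mapping, the `site` tag that the Smart Rules filter on, and the sample accounts are all assumptions constructed for the illustration. Treat it as a way to reason about the design, not as a description of how the product evaluates permissions internally.

```python
from dataclasses import dataclass, field

# Constructed model of the permission layering discussed in the reply above.
# Not BeyondTrust code: group names, role names and the action sets each role
# unlocks are assumptions chosen to illustrate the design, not product facts.

ADMINISTRATORS = "Administrators"   # built-in group that sees and manages everything

# Assumed mapping from a Smart Rule role to the actions it unlocks on member
# accounts. "Credentials Manager" deliberately lacks retrieve_password.
ROLE_ACTIONS = {
    "Credentials Manager": {"view", "test_password", "change_password"},
    "Requestor": {"view", "retrieve_password"},
}
ALL_ACTIONS = {"view", "test_password", "change_password", "retrieve_password"}


@dataclass(frozen=True)
class ManagedAccount:
    name: str
    site: str          # assumption: the site tag the Smart Rule filters on


@dataclass(frozen=True)
class SmartRule:
    name: str
    site: str          # this rule's membership is "all accounts tagged with site"

    def matches(self, account: ManagedAccount) -> bool:
        return account.site == self.site


@dataclass
class Group:
    name: str
    # Smart Rule name -> roles granted to this group on that rule
    rule_roles: dict[str, set[str]] = field(default_factory=dict)


@dataclass
class User:
    name: str
    groups: list[Group]


def permitted_actions(user: User, account: ManagedAccount,
                      rules: dict[str, SmartRule]) -> set[str]:
    """Actions a user may perform on one managed account."""
    if any(g.name == ADMINISTRATORS for g in user.groups):
        return set(ALL_ACTIONS)          # Administrators bypass Smart Rule scoping
    actions: set[str] = set()
    for group in user.groups:
        for rule_name, roles in group.rule_roles.items():
            if rules[rule_name].matches(account):
                for role in roles:
                    actions |= ROLE_ACTIONS[role]
    return actions


def visible_accounts(user: User, accounts, rules) -> list[str]:
    """Names of the accounts the user would see under Managed Accounts."""
    return sorted(a.name for a in accounts if "view" in permitted_actions(user, a, rules))


def leaks(admins_by_site: dict[str, User], accounts, rules) -> dict[str, list[str]]:
    """Segregation check: for each site admin, accounts from OTHER sites they can view."""
    out: dict[str, list[str]] = {}
    for site, user in admins_by_site.items():
        cross = [a.name for a in accounts
                 if a.site != site and "view" in permitted_actions(user, a, rules)]
        if cross:
            out[user.name] = sorted(cross)
    return out


# --- constructed sample configuration (three sites stand in for A..F) ----
SITES = ["A", "B", "C"]
ACCOUNTS = [ManagedAccount(f"svc-{s.lower()}-{i}", s) for s in SITES for i in (1, 2)]
RULES = {f"Site {s} accounts": SmartRule(f"Site {s} accounts", s) for s in SITES}
SITE_GROUPS = {s: Group(f"Site {s} Account Admins",
                        {f"Site {s} accounts": {"Credentials Manager"}}) for s in SITES}
SITE_ADMINS = {s: User(f"admin-{s.lower()}", [SITE_GROUPS[s]]) for s in SITES}
VAULT_ADMIN = User("vaultadmin", [Group(ADMINISTRATORS)])

# A misconfiguration the check should catch: Site B's group was also granted
# a role on Site C's Smart Rule, so admin-b can see Site C accounts.
MISCONFIGURED = Group("Site B Account Admins (bad)",
                      {"Site B accounts": {"Credentials Manager"},
                       "Site C accounts": {"Credentials Manager"}})
BAD_ADMINS = dict(SITE_ADMINS, B=User("admin-b", [MISCONFIGURED]))

if __name__ == "__main__":
    print(visible_accounts(SITE_ADMINS["A"], ACCOUNTS, RULES))
    print(permitted_actions(SITE_ADMINS["A"], ACCOUNTS[0], RULES))
    print(leaks(SITE_ADMINS, ACCOUNTS, RULES))      # {} when segregation holds
    print(leaks(BAD_ADMINS, ACCOUNTS, RULES))       # names the cross-site exposure
```

The `leaks` function is the part worth keeping: whichever way the segregation is built (one organization with per-site groups and Smart Rules, or one organization per site as BT support suggested), a periodic check that each site's group can only view its own site's accounts is what turns the requirement into something verifiable. In a real deployment the same check would be driven from an export of groups, Smart Rule role assignments and managed accounts rather than the constructed lists here.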