
Does anyone have any recommendations for service accounts? I have them onboarded based on a Directory Query looking for members of an AD group called Interactive Logon. They are onboarded, but I need to link them to a Managed System and present them only to the users that have access to the server they are linked to. I have an idea of how to do this, but it is not pretty.


Hi Frank,

Service accounts are the same as any managed account. They follow the same workflow, where you would discover these accounts (manually, via the API, or with a discovery scan) and then link them to the managed systems. You would then configure the smart rules to allow specific domain users to have access to these service accounts. You can refer to the admin guide on Page 15 for the workflow.

Password Safe 24.2 Admin Guide (beyondtrust.com)


There are some KB articles you might be interested in regarding managed service accounts.

https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0019091

https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0018171



First: understand and identify your assets. Service accounts are only going to be affecting assets based on their identity, such as the software that is installed on the server and that the service account is created for. Build asset smart groups based around those asset identities (Asset Access Control Smart Groups are smart groups with identity-based criteria and only the action “show as smart group”).

Next, I bring accounts into Password Safe (onboard) based on properties that match the onboarding rules. I effect these by placing the accounts into AD security groups based on those properties. The defaults I start with are:

svc-pws-rotation-false
svc-pws-rotation-long
svc-pws-rotation-short
svc-pws-propagation-true
svc-pws-propagation-false
svc-pws-api-true
svc-pws-api-false

Then I can put accounts into the “false” rotation group with the appropriate propagation and API groups, knowing they’ll come into PWS safely, but we can either have the application team work with us to type the password into PWS, or just click “change now” when they’re ready for the change.

We give teams *access* to the accounts by building “Account Access Control Smart Groups” (where the only action is “show as smart group”) and giving the RBAC role rights to those smart groups. In particular, these groups always have the criteria “Asset Smart Group”, so that the related accounts only show up against that team’s servers by server identity.

When you’re ready for greater management, now all you have to do is change the group membership of the group in AD from the “false” rotation group to a long or short rotation group.
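As an added example, not code from this thread or from BeyondTrust: a PowerShell script that audits the AD group scheme described in the post above (each account should sit in exactly one rotation, one propagation and one API group, or the onboarding rules see an ambiguous account) and performs the final step of moving an account from the “false” rotation group to a long or short rotation group. It assumes the RSAT ActiveDirectory module; the account name svc-example-app is a placeholder.

```powershell
# Added example, not from the original thread. Group names follow the post; the
# account name below is a constructed placeholder.
Import-Module ActiveDirectory

$RotationGroups    = 'svc-pws-rotation-false', 'svc-pws-rotation-long', 'svc-pws-rotation-short'
$PropagationGroups = 'svc-pws-propagation-true', 'svc-pws-propagation-false'
$ApiGroups         = 'svc-pws-api-true', 'svc-pws-api-false'

function Test-PwsGroupConsistency {
    # Returns every account that is in any scheme group but not in exactly one
    # group of each category (rotation / propagation / API).
    $membership = @{}
    foreach ($g in ($RotationGroups + $PropagationGroups + $ApiGroups)) {
        foreach ($m in (Get-ADGroupMember -Identity $g -Recursive)) {
            if (-not $membership.ContainsKey($m.SamAccountName)) { $membership[$m.SamAccountName] = @() }
            $membership[$m.SamAccountName] += $g
        }
    }
    foreach ($acct in $membership.Keys) {
        $groups = $membership[$acct]
        $r = @($groups | Where-Object { $_ -in $RotationGroups }).Count
        $p = @($groups | Where-Object { $_ -in $PropagationGroups }).Count
        $a = @($groups | Where-Object { $_ -in $ApiGroups }).Count
        if ($r -ne 1 -or $p -ne 1 -or $a -ne 1) {
            [pscustomobject]@{ Account = $acct; Rotation = $r; Propagation = $p; Api = $a; Groups = ($groups -join ',') }
        }
    }
}

function Set-PwsRotationGroup {
    # Moves an account between rotation groups. The other rotation groups are
    # cleared first so the account never matches two onboarding rules at once.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)]
        [ValidateSet('svc-pws-rotation-false', 'svc-pws-rotation-long', 'svc-pws-rotation-short')]
        [string]$Target
    )
    foreach ($g in ($RotationGroups | Where-Object { $_ -ne $Target })) {
        Remove-ADGroupMember -Identity $g -Members $SamAccountName -Confirm:$false -ErrorAction SilentlyContinue
    }
    Add-ADGroupMember -Identity $Target -Members $SamAccountName
}

# Usage: list inconsistent accounts, then promote one (placeholder name) to long rotation.
Test-PwsGroupConsistency | Format-Table -AutoSize
Set-PwsRotationGroup -SamAccountName 'svc-example-app' -Target 'svc-pws-rotation-long'
```

Run the audit before changing any membership; an account reported with Rotation = 0 or 2 will not onboard the way the rules intend.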