Use Case: No Centralised PAM Team

Question

Hey Guys,I have got a use case where my client does not have a centralise PAM team to control end to end asset/accounts onboarding to Password Safe (PS) and manage the BT upgrade. I can think of a solution as BT tool related tasks (patching/upgrading etc.) can be taken by Infra/ IT team and 1 person from each application team (Linux, Windows, Database etc.) can be given permission to perform a set of actions like onboard asset/account, manually trigger update/change password, approve request etc.Application Team owners will be provided with End User Guide explaining each task they can perform so they have all the resources they need.I see there is ISA role which I can leverage for Application Owners but it gives a lot of unwanted permission.Is there any other way where I can create another role in BeyondTrust Password Safe to cater my specifics?Thanks in advance!   :)Disclaimer: I have worked in other PAM tools where this was achievable but not sure in BT aspect as I’m new to BT.

tclowater · Answer

Hey ​@Varuns29- absolutely!This is managed by Role Based Access.For managing assets, and accounts in the admin console:In user groups, the features assigned may need to be full-control. The scopeof that full control depends on the Smart Groups assigned.Documentation →Assign Permissions for BeyondInsight AuthenticationFor managing who is an approver:This depends on the PasswordSafe role for the Smart Group assigned to the user group. Requestor, Approver, etc. are all options.Documentation →Configure Approvals for Password Safe Cloud[Disclaimer: While I will link documentation, the goal isn’t to be to tell you to read the manual; there’s a lot of ‘manual’ on our site and KB articles! A good chunk of the time myrole as a TAMis finding the relevant supporting documentation to suggestnext steps, and then exploring the next set of questions that then arise]

Sign up

Login to the community

Scanning file for viruses.

This file cannot be downloaded