Hi everyone,
we’re currently running BeyondTrust PRA 25.1.x and are looking for a way to delegate vendor management tasks to an internal operations team.
We have several vendors in PRA, and we’d like to have an internal team that’s responsible for managing a subset of them. Ideally, this internal team should be able to:
-
Create and delete vendor user accounts
-
Extend or reactivate expired vendor accounts
-
Send password reset emails to vendor users
Basically, they should act as vendor administrators for specific vendor groups — but without being full PRA admins.
We’ve looked through the admin console and documentation, but it seems there’s currently no privilege or role that grants “vendor admin” rights — i.e., no way to delegate vendor user management without also granting global admin access.
Questions:
-
Is there any supported method to delegate vendor user management (create / extend / reset) to internal users without giving them full administrative rights?
-
Has anyone implemented something like this using automation or API scripts to bridge the gap (if necessary)?
-
Would this be considered for a future feature (a “Vendor Admin” role)?
For context:
-
We’re on the 25.1.x branch
-
Ideally, internal users would log in via federated SSO (SAML / OIDC)
-
If possible, we’d also like to leverage SCIM for provisioning
Any guidance, workarounds, or roadmap info would be appreciated!
Thanks,
Markus
