BeyondTrust
Description
The BeyondTrust connector uses the BeyondTrust Password Safe REST API to discover managed accounts across all managed systems. It discovers the systems registered in Password Safe and the accounts managed within each, recording managed-system membership as entitlements in OrbisID.
System Type Classification
| Field | Value |
|---|---|
| System Type | PAM Tool |
| Default Scan Priority | 500 |
Set System Type = PAM Platform to feed scan results into PAM Inventory/Reconciliation (the default for new BeyondTrust systems). Set System Type = Application instead to list the same accounts on the Accounts/Entitlements pages, like any other target system.
Version Support
| OrbisID Edition | Supported |
|---|---|
| Community | No |
| Pro | Yes |
| Enterprise | Yes |
BeyondTrust scanning requires a Pro or Enterprise licence.
Supported Protocol
| Protocol | Port | Notes |
|---|---|---|
| Password Safe REST API (HTTPS) | 443 TCP | Default; configurable via pamPlatformUrl |
What OrbisID Discovers
| Data | Source |
|---|---|
| Managed systems | GET /BeyondTrust/api/public/v3/ManagedSystems |
| Managed accounts | GET /BeyondTrust/api/public/v3/ManagedAccounts |
| Account usernames | UserName property |
| Managed system names | SystemName property — recorded as BEYONDTRUST_SYSTEM entitlements |
| Account status (active/inactive) | IsActive property |
Connection Requirements
Authentication
BeyondTrust Password Safe uses a two-factor API authentication model:
- An Application Registration API key identifies the calling application
- A run-as user credential authenticates the operator
Create an Application Registration in Password Safe (Configuration → Application & API Registrations) and note the API key.
The run-as user must have the Password Safe Operator role with at minimum:
| Permission | Purpose |
|---|---|
| Requestor or ISA access | Required to list managed accounts |
| Auditor | Alternatively grants read access without request rights |
Credential Mapping
| OrbisID Field | BeyondTrust Value |
|---|---|
credential.username | Run-as username |
credential.password | Run-as password |
system.pamPlatformUrl | Base URL of Password Safe (e.g., https://ps.example.com) |
system.attributes.btApiKey | Application Registration API key |
Network Requirements
| Requirement | Detail |
|---|---|
| HTTPS to Password Safe | OrbisID server (or On-Premise Agent) must reach Password Safe on port 443 |
| Application Registration enabled | The application registration must be active and have the API enabled |
Configuration Steps
- Create an Application Registration in Password Safe and note the API key
- Create or identify a run-as user with the required role
- Create a Credential in OrbisID:
- Username: Run-as username
- Password: Run-as password
- Navigate to Systems → Add System
- Fill in the fields:
| Field | Value |
|---|---|
| Name | Descriptive name (e.g., BeyondTrust Password Safe – Production) |
| PAM Platform URL | Base URL of Password Safe (e.g., https://ps.example.com) |
| OS Type | BeyondTrust |
| System Type | PAM Tool |
| Credential | The run-as credential created above |
- Add the
btApiKeysystem attribute with the Application Registration API key - Click Test Connection to verify authentication
- Click Save
The btApiKey attribute is required. The scan will fail to start if it is missing. Add it via Systems → Edit System → Attributes → Add Attribute.
Troubleshooting
| Symptom | Likely Cause | Resolution |
|---|---|---|
| Scan fails: "BeyondTrust API key is required" | btApiKey attribute not set | Add btApiKey in system attributes with the application registration API key |
401 Unauthorized on sign-in | Invalid API key or run-as credentials | Verify the API key, username, and password |
403 Forbidden | Run-as user lacks required role | Assign the Requestor, ISA, or Auditor role in Password Safe |
| No accounts returned | No managed accounts accessible | Verify the run-as user has access to at least one managed system |
| Connection refused | Password Safe URL incorrect or port blocked | Verify pamPlatformUrl; check firewall rules on port 443 |