Most engineers think…
Most engineers think the approval workflow is just bureaucracy — a checkbox ritual that slows admins down, while the "real" security is the vault holding the password.
Wrong — the workflow is the security model. The vault only stores the secret; the access policy decides who may take it, when (schedule windows), from where (location restrictions) and with whose sign-off (one approver, or two for tier-0). Add ticket validation and rotate-on-check-in and you get the real prize: no standing secret exists between checkouts, and every release maps to a change ticket an auditor can replay.
① The request flow — what the requester sees, what the policy decides
It is 11:40 AM at Infosys, Bengaluru. Sneha (L1, infra team) needs the local admin password of Windows server 192.168.40.18 to restart a stuck service. She does not ping a senior on chat for it — she opens the Password Safe portal, finds the managed account, and clicks Request Access. The form asks for three things: a Reason (free text, maximum 200 characters — and it auto-fills from defaults so lazy admins still leave a trail), an optional ticket number, and a Request Duration (auto-filled from the account's default release duration — 120 minutes out of the box, with an absolute maximum of 525600 minutes, i.e. one year).
Whether that Request button even works is decided by the access policy. BeyondTrust's own definition is worth memorising: it “defines the time frame and frequency that users can request passwords, remote access sessions, or access applications.” In practice an access policy answers four questions. Who may request — the user groups the policy is assigned to, with the Requestor role on those accounts. What they may request — the schedule is built per access type: View Password, RDP, SSH or Application. When — schedule entries with day/time windows. From where — Enable Location Restrictions can pin requests to known networks (it matches on X-Forwarded-For, so only office or VPN ranges pass).
The detail that separates a working deployment from an angry NOC: one policy can hold multiple schedule entries with different rules. The classic pattern — a business-hours window (09:00–18:00) with Auto Approve ON for routine accounts, and an after-hours window where Approvers is set to 1 or more. Same accounts, same users; only the clock decides whether the credential releases instantly or waits for a human. Think of a gated society: registered residents walk in freely during the day, but a visitor at 11 PM triggers a phone call to the flat owner. Auto-approve is not “no security” — the request, the reason, the release and the session recording all still land in the audit trail.
The four Password Safe roles
Tap each card — every workflow question in interviews starts from these four.
May ask for passwords or sessions through the workflow. Most engineers live here. So: requests, never instant grabs.
Says yes/no to requests, with a comment. The Approvers count on the schedule sets how many must agree.
Both hats — can request AND approve others. Handy for small teams; keep tier-0 on dual control so nobody clears their own path.
Information Systems Administrator — retrieves credentials instantly, no approval (ISARequests API). Powerful; audit the member list quarterly.
Rahul at HCL faces this
At 02:10 IST during a P2, Rahul opens the portal to request RDP to a production DB server (172.16.8.21) — but there is no usable request window: the portal refuses the after-hours request outright.
The only access policy mapped to his user group has a single schedule entry: View/RDP, 09:00–18:00, Auto Approve ON. Nobody ever built an after-hours entry, so outside the window there is simply no rule that permits a request.
Find which access policy his group inherits (via the managed account's Smart Group role assignment) and read its schedule entries — the gap is visible immediately: the timeline stops at 18:00.
BeyondInsight > Configuration > Privileged Access Management Policies > Access PoliciesAdd a second schedule entry to the same policy: RDP, 18:00–09:00, Auto Approve OFF, Approvers = 1, Record Session ON. Routine daytime work stays instant; night access now exists but needs a human yes.
Rahul re-submits at night → the request goes to Pending Approval instead of being refused; a daytime test request still releases instantly; both events appear in the audit trail with his reason text.
Sneha submits a request at 11:45 AM: Reason “Restart print spooler — CHG0042118”, duration 4 hours. The matching schedule entry has Auto Approve ON. What actually happens?
Pause & Predict
Predict: the policy auto-approves, Sneha clicks Retrieve Password — and the password vanishes from her screen after a few seconds. Bug or feature? Type your guess.
② Approvals — one key, two keys, and the ticket that must be real
When a window is not auto-approve, the request lands with the Approver group mapped to that account. The number that matters sits right on the policy schedule: Approvers — how many must say yes. Set it to 1 and any one approver can release the credential. Set it to 2 and you have dual control — the SBI bank locker model: your key and the bank officer's key must turn together, or the locker stays shut.
Dual control is the default answer for tier-0: domain admin, root on the payments DB, the firewall enable account. The threat it kills is the single point of yes — one bribed insider, one compromised approver mailbox, one manager clicking too fast at 6 PM. Each approver sees the full request — who, which account on which system, the reason, the ticket, the duration — and approves or denies with a comment. Denials are not failures of the system; they are the system working, and they are first-class audit events.
Approvers do not live in the console all day — that is what email-based approval is for. The approval notification lands in the approver's mailbox with the request details, and they can act on it directly; an on-call manager can release a credential from a phone at midnight without VPN-ing into BeyondInsight. The flip side: your approval flow now depends on email delivery, which is the production gotcha below.
Symptom: requesters complain every after-hours request expires unactioned; approvers insist they were never notified. Cause: the approval notification emails are silently dying — SMTP relay misconfigured after a mail-server migration, or the messages are landing in spam/quarantine. Fix: verify the SMTP settings in BeyondInsight configuration, send a test notification, and get the PAM sender address allow-listed in your mail filter. An approval workflow is only as alive as its notifications.
Now the gate most teams skip: ticket validation. Anyone can type “CHG0048213” into a reason box — that proves nothing. With the ITSM integration (ServiceNow, Jira and similar), the policy can require a ticket number and validate it against the ticket system: the ticket must exist, and it must be open. A closed, cancelled or fictional ticket = automatic denial before any human even looks. It is the society gate-pass rule: the guard does not accept “owner ne bola hai” — he checks the slip number against the register book.
Priya at ICICI faces this
Priya attaches change ticket CHG0048213 to her request for the SQL sa-dbadmin account. The request is denied within seconds with a ticket-validation error — yet the ticket genuinely exists in ServiceNow.
The change ticket exists but was moved to Closed the previous evening when the original window lapsed. Validation requires the ticket to exist AND be open — a closed ticket fails exactly like a fake one.
Open the ticket in ServiceNow and check its state field first (it says Closed), then confirm the policy schedule marks the ticket number as required + validated, which explains the instant automatic denial.
BeyondInsight > Configuration > Privileged Access Management Policies > Access Policies (schedule entry: reason/ticket required)Raise a fresh change ticket for tonight's window (or have the change manager reopen the original), then resubmit the request referencing the open ticket.
The resubmitted request passes validation and moves to Pending Approval; the audit trail shows both attempts — the denied one with the closed ticket and the approved one with the open ticket. That pair of entries is exactly what an RBI auditor wants to see.
Karthik (HCL) requests the tier-0 domain-admin account at 10:00. His manager approves at 10:02. At 10:30 the request still shows Pending. The ServiceNow ticket is open and the schedule window is correct. Why?
Pause & Predict
Predict: an approver DENIES a request. What does the requester see, and what does the auditor see six months later? Type your guess.
③ Just-in-time — design it so there is nothing to steal afterwards
Standing privilege is any admin credential that is valid 24×7 and known to humans — the domain-admin password in passwords.xlsx, the root password every senior “just knows”, the firewall enable secret in a team chat from 2023. Every standing secret is a permanent attack surface: steal it once, use it for months. JIT (just-in-time) flips the model — privilege is manufactured when needed and destroyed when returned, so between checkouts there is no usable secret anywhere outside the vault.
Password Safe implements JIT with two settings you already met: the time-boxed checkout (release duration, default 120 minutes) and Change Password After Release — rotate-on-check-in. The moment Sneha checks the account back in (or the window expires), the rotation engine sets a fresh random password per the password policy. The library analogy: the book is issued for a fixed period, and the librarian re-jackets it the moment you return it — your photocopy of the old cover opens nothing. Pair it with Check Password tests so out-of-band changes get caught too (you saw that machinery in the rotation lesson).
▶ Follow one tier-0 checkout end-to-end
Watch a dual-control request travel the full loop — and watch where it breaks when the approver design is lazy. Press Play for the healthy path, then Break it to see the failure.
One pattern deliberately sits outside the request-approval loop: break-glass. What if BeyondInsight itself is unreachable at 3 AM — appliance failure, network partition — or a P1 needs domain admin and both approvers are on a flight? Break-glass is the fire-alarm box: a separate emergency account (never anyone's daily account), its password sealed — printed and locked in a physical safe, or held in a secondary sealed store — with alarms wired to any use: a SIEM rule on its logon events, instant notifications to security leadership, immediate rotation after use, and a mandatory post-incident review. Smashing the glass is allowed; smashing it quietly must be impossible.
Routine work → auto-approve windows (fast, still audited). Tier-0 → dual control + validated ticket. Vault-down emergencies → sealed break-glass with alarms + post-use rotation. If your break-glass account is used monthly, it is not break-glass any more — it is a backdoor, and it means your access policies are mis-designed for how the team actually works. Fix the policy, not the glass.
What specifically makes a Password Safe JIT checkout end with “no standing secret afterwards”?
Pause & Predict
Predict: the break-glass account was used at 02:40 to fix a P1. It is now 09:00. Name the TWO things that must already have happened. Type your guess.
④ ISA, API automation & the audit trail end-to-end
Some power users skip the queue by design. The ISA role (Information Systems Administrator) retrieves credentials instantly, with no approval step — the senior doctor's all-access hospital pass, while everyone else signs the visitor register at reception. Releases still get time-boxed (ISAReleaseDuration, default 120 minutes) and still audit, but nobody says yes first. Grant it the way hospitals grant master passes: a small senior team, only on the accounts they own, membership reviewed quarterly — because every ISA grant is a standing ability to bypass the approval layer you spent section ② building.
The second queue-skipper is automation. An Ansible patch run or a backup script should never hold a hardcoded password — it should request one. The whole human workflow you just learned has a REST mirror under /BeyondTrust/api/public/v3: authenticate with POST Auth/SignAppIn (the PS-Auth header carries an API key from the API registration plus a runas Password Safe user), then POST Requests → GET Credentials/{requestId} → PUT Requests/{requestId}/Checkin. Application-type users can use OAuth client-credentials instead. Point the API caller's group at an API-friendly access policy window (auto-approve, View Password) so no human has to wake up at 01:00 to approve a backup job.
# 1. Sign in — API key + runas user (key from the API registration)
curl -s -c /tmp/ps.jar -X POST \
-H "Authorization: PS-Auth key=8c1f0d2e...d2e9; runas=techclick\\svc-ansible;" \
https://techclick.ps.beyondtrustcloud.com/BeyondTrust/api/public/v3/Auth/SignAppIn
# 2. Create the request (account 2031 on system 118, 30 min, View)
curl -s -b /tmp/ps.jar -X POST -H "Content-Type: application/json" \
-d '{"SystemId":118,"AccountId":2031,"DurationMinutes":30,"Reason":"CHG0048213 nightly patch run","AccessType":"View"}' \
https://techclick.ps.beyondtrustcloud.com/BeyondTrust/api/public/v3/Requests
# 3. Retrieve the credential, then check it back in (rotation fires per policy)
curl -s -b /tmp/ps.jar https://techclick.ps.beyondtrustcloud.com/BeyondTrust/api/public/v3/Credentials/8412
curl -s -b /tmp/ps.jar -X PUT -H "Content-Type: application/json" -d '{}' \
https://techclick.ps.beyondtrustcloud.com/BeyondTrust/api/public/v3/Requests/8412/Checkin200 OK (SignAppIn — session established, cookie stored) 8412 (Requests — the new request ID, auto-approved by the API window) "vK9#mQ2!xT7@pL4z" (Credentials/8412 — returned to the caller, never logged) 204 No Content (Checkin — release ended, rotation queued)
# ISA users skip Requests entirely — ISARequests returns the credential directly
curl -s -b /tmp/ps.jar -X POST -H "Content-Type: application/json" \
-d '{"SystemId":118,"AccountId":2031,"DurationMinutes":15,"Reason":"INC0099231 — emergency diag"}' \
https://techclick.ps.beyondtrustcloud.com/BeyondTrust/api/public/v3/ISARequests200 OK "qF3$wN8&jR5*hB2y" (credential returned immediately — no approver involved) # release is still time-boxed by ISAReleaseDuration (default 120 min) # and the retrieval still lands in the audit trail
Symptom: GET ManagedAccounts comes back empty, or POST Requests throws 403, though the account is right there in the console. Three causes, in the order to check: (1) the managed account does not have Enable for API Access set; (2) the runas user lacks the Requestor / Requestor-Approver / ISA role on that account; (3) directory accounts were queried in the wrong format — use UPN or Domain\AccountName. Fix the setting, the role, or the format — not the URL.
Now zoom out and read the audit trail end-to-end — the hotel master-key register, but automatic. One request ID stitches together six events: the request (who, which account/system, reason, ticket, requested duration) → the decision (approver names, comments, or “auto-approved by policy”) → the release (timestamp, window) → the session evidence (recording + keystrokes, if RDP/SSH) → the check-in → the rotation event. When the auditor asks “who touched the payments DB on the 14th and under which change?”, you answer with one request ID and replay the whole story — including the recording. That closed loop is what makes the workflow defensible, not just convenient.
Designing the matrix for a real org is a classification exercise, not a tooling one. Step 1: tier the accounts — tier-0 (domain admin, root on payment systems, firewall/network device admin), tier-1 (production servers, databases), routine (test/lab, low-blast-radius). Step 2: per tier, decide the five dials — window, Auto Approve or Approvers count, ticket required + validated, record + keystrokes, rotate-on-check-in (the answer to that last one is always yes). Step 3: implement each row as ONE access policy and let Smart Groups map thousands of accounts onto the four rows — a Flipkart-scale estate of 3,000 managed accounts genuinely runs on four or five well-named policies, not forty.
Meera (Airtel) must give an Ansible playbook the sa-backup password nightly at 01:00 — zero humans awake. Best design?
File a test request with a reason and ticket → approve it from a second (approver) account → Retrieve Password (watch the 20-second timer) → check in → then pull the audit trail for that request ID and count the events: request, decision, release, check-in, rotation. Finally try the OLD password against the target — it must fail. If you can demo that chain cold, you can answer every workflow question a PAM interviewer has.
🤖 Ask the AI Tutor
Tap any question — instant, scoped to this lesson. No login, no waiting.
Pre-curated from BeyondTrust docs + community Q&A, scoped to this lesson. For a live prod issue, paste your export into chat.techclick.in.
📝 Wrap-up assessment — six more
You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.
🧠 In your own words
Type one line: In one line: why does time-boxed checkout + rotate-on-check-in beat a strong standing admin password? Then compare to the expert version.
🗣 Teach a friend
Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.
📖 Glossary
- Access policy
- Defines the time frame and frequency users can request passwords, sessions or applications — the who/what/when/where rulebook.
- Requestor
- Password Safe role that may ask for credentials or sessions through the request workflow.
- Approver
- Role that approves/denies requests with a comment; the Approvers count on a schedule sets how many must agree.
- Dual control
- Two (or more) approvers required before release — no single person can free a tier-0 credential alone.
- ISA
- Information Systems Administrator — instant, approval-less retrieval (ISARequests); ISAReleaseDuration default 120 min.
- Release duration
- How long a checkout lasts. Default 120 minutes; absolute maximum 525600 minutes (one year).
- Check-in
- Returning access before expiry; with rotate-on-check-in enabled it triggers immediate password rotation.
- Change Password After Release
- The rotate-on-check-in setting — the password used during a checkout is replaced the moment it ends.
- JIT (just-in-time)
- Privileged access exists only inside a time-boxed, on-demand window — no standing secret in between.
- Standing privilege
- Permanently-valid credentials held by humans — the attack surface JIT and rotation eliminate.
- Break-glass account
- Sealed emergency credential outside the normal workflow; any use fires alarms and forces immediate rotation + review.
- Ticket validation
- ITSM integration (ServiceNow/Jira) that checks the attached change ticket exists and is open before access releases.
📚 Sources
- BeyondTrust Docs — Configure Password Safe Access Policies (schedule access types View/RDP/SSH/App; Approvers, Auto Approve, Record, Concurrent, Force Termination, Location Restrictions). docs.beyondtrust.com/bips/docs/ps-configure-access-policies
- BeyondTrust Docs — Password Safe API v3 (Requests, ISARequests, Credentials, Checkin; ReleaseDuration default 120, max 525600; ISAReleaseDuration). docs.beyondtrust.com/bips/v24.3/docs/password-safe-api
- BeyondTrust Docs — BeyondInsight and Password Safe API usage (PS-Auth header: key + runas + pwd; SignAppIn/Signout; OAuth client-credentials for application users). docs.beyondtrust.com/bips/reference/beyondinsight-and-password-safe-api-usage
- BeyondTrust Password Safe 24.1 User Guide — end-user request flow: Reason max 200 characters, Retrieve Password displays max 20 seconds, Reason/Duration auto-populated. beyondtrust.com/docs/archive/password-safe-beyondinsight/24-1/ps-user-24-1.pdf
- Security Scientist — 12 Questions and Answers about BeyondTrust Password Safe (checkout model: request → approval tiers → time-boxed release → rotation; ServiceNow/Jira ticket-gated checkout). securityscientist.net/blog/12-questions-and-answers-about-beyondtrust-password-safe/
- BeyondTrust press — BeyondTrust acquires Entitle (Apr 2024): just-in-time access across cloud, the kill-standing-privilege strategy behind Pathfinder adaptive JIT. beyondtrust.com/press/beyondtrust-acquires-entitle
- BeyondTrust University — Get Certified (Password Safe Administration track: 40-question exam, 75% pass, two attempts — the cert this series preps you for). beyondtrust.com/services/beyondtrust-university/get-certified
What's next?
The password is released — now Sneha actually has to RDP in. Next: how the session proxy puts Password Safe in the middle of every RDP/SSH session, records everything she types, and lets you watch or kill a live session.