
BeyondInsight Deep-Dive: U-Series Appliances, Discovery & — the Smart Rules Engine

Password Safe gets the fame, but BeyondInsight does the housework: it finds every server and account you own, sorts them with Smart Rules, and decides who on your PAM team may touch what. This is the platform tour every interview assumes you have done.

📅 2026-06-10 · ⏱ 14 min · 3 live demos · 4 infographics · 🏷 10-Q assessment + AI Tutor inline

Pick where you want to start

1. The platform: what BeyondInsight is and the three ways to deploy it
2. Discovery: how the scanner finds every asset and account you forgot
3. Smart Rules: the IF→THEN engine that onboards thousands of accounts on autopilot
4. People & roles: groups, least privilege and reports for the PAM team itself

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Your company has 4,000 servers. How does a PAM tool even find the accounts it should vault? Answered in ② Discovery.

2. Password Safe Cloud must rotate a password on a server behind your firewall. What connects them? Answered in ① The platform.

3. Discovery just found 800 new service accounts. Who should sort and onboard them? Answered in ③ Smart Rules.

Most engineers think…

Most engineers think BeyondInsight is just Password Safe’s installer and admin UI — a wrapper you click through once during setup, then ignore.

Wrong — BeyondInsight is the platform: it owns assets, discovery, Smart Rules, user groups and reporting, and Password Safe is a module riding on it. Skip the platform layer and you will hand-onboard every account, by hand, forever.

① What BeyondInsight actually is — the platform under Password Safe

Sneha joined ICICI Bank's PAM team on a Monday. Her first ticket: onboard 1,400 Linux servers into Password Safe by month-end. She opened a spreadsheet. Her senior closed it. Nobody hand-onboards 1,400 servers — BeyondInsight discovers them, sorts them and onboards them while you sleep. This lesson is about that machine.

Think of a housing society: Password Safe is the locker room, but the society management office keeps the member registry, hires the staff, runs the visitor register and decides who may enter which wing. BeyondInsight is that office. In one web console its left menu gives you Assets (everything you own), Discovery (how you found it), Smart Rules (auto-sorting), Managed Systems and Managed Accounts (what Password Safe controls), Password Safe and Secrets Safe (the vault modules), Analytics & Reporting, and Configuration. Interviewers love the one-liner: BeyondInsight is the platform; Password Safe is a module running on it — one console, two layers.

👉 So far: BeyondInsight = the management platform; Password Safe rides on it. Next: the three places this platform can physically live.
Figure 1 — BeyondInsight — modules, platform, and the three deployment shapes
Layered architecture. Top row: the Password Safe, Secrets Safe and Analytics & Reporting modules sit on a wide BeyondInsight platform bar containing Assets, Discovery, Smart Rules, Managed Systems, Managed Accounts and Configuration. Below are the three deployment shapes: a U-Series HA pair (primary and secondary; the heartbeat decides failover, DB replication copies data; a hardened box that you patch), a software install on your own Windows Server with SQL Server 2016 SP2+ (most control, most upkeep), and Password Safe Cloud at yoursite.ps.beyondtrustcloud.com reached by Resource Brokers in a zone inside your data centre that dial OUT on 443 only, so no inbound hole is ever opened. Same console, same Smart Rules, same API in all three; only the plumbing changes.
Trace any module down to the platform bar, then pick where the platform runs. Note the Resource Broker arrow: it points OUT of your data centre — the red ✕ marks the inbound hole you never open.

Deployment is a day-one interview question, so learn all three shapes. (1) U-Series appliance — a hardened physical or virtual box that ships with BeyondInsight/Password Safe pre-installed. For high availability you pair two: internal database replication copies data, and a heartbeat from the primary tells the secondary when to take over. (2) Software install — your own Windows Server plus SQL Server 2016 SP2 or higher; version 25.2 (the current line) supports Windows Server 2025 and direct upgrades from 23.2+. (3) Password Safe Cloud — BeyondTrust hosts the console at yoursite.ps.beyondtrustcloud.com, and you install Resource Brokers inside your network to do the local work.

The broker model is the part students get wrong. Each broker installs nine services (including the Discovery Scanner, Password Services and Session Monitoring) and groups into resource zones. Everything is outbound TCP 443 to your cloud site — your firewall team opens zero inbound ports. Sizing reality: 4 cores, 16 GB RAM minimum (32 recommended) and a 64 GB disk for session caching — undersize that disk and session recording dies first. Limits: the built-in Default zone cannot be edited, you can add up to 50 more zones, 200 brokers total, and BeyondTrust recommends 2+ brokers per zone so one reboot does not stop rotations.

Going deeper for multi-team estates: workgroups bind worker nodes to specific managed systems and accounts, so a node only processes its own group's work. In multi-tenant setups each organization needs at least one worker node, and a worker node belongs to exactly one organization — a favourite trick question in BeyondTrust University discussions.

The three deployment shapes (plus the worker that makes cloud possible)

Four cards; each gives the name and the one fact interviews check.

🏢 U-Series appliance: hardened box, BI/PS pre-installed. HA = two appliances + replication + heartbeat. So what: you own patching and failover drills.

💿 Software install: your Windows Server + SQL Server 2016 SP2+. Most control, most upkeep. So what: DB health becomes YOUR pager duty.

☁️ Password Safe Cloud: BeyondTrust hosts the console and patches it (Dec 2024: cloud patched same week). So what: you still own the brokers.

📦 Resource Broker: nine services in your DC: auth, discovery, rotation, session proxy. Outbound 443 only. So what: zero inbound firewall requests.

Password Safe REST API — sign in, then prove which version you run
```bash
# -i prints each response's status line, which is what the expected output below shows
curl -s -i -c cookies.txt -X POST \
  "https://bi.icici-lab.local/BeyondTrust/api/public/v3/Auth/SignAppIn" \
  -H "Authorization: PS-Auth key=c479a66f93a3...d2c9484d; runas=icici-lab\sneha.k; pwd=[S0meP@ss];"

# the session cookie saved by SignAppIn authenticates every later call
curl -s -i -b cookies.txt \
  "https://bi.icici-lab.local/BeyondTrust/api/public/v3/Configuration/Version"
```

Expected output

```text
HTTP/1.1 200 OK          <- SignAppIn: session established, state kept between calls
HTTP/1.1 200 OK          <- Configuration/Version
{"Version":"25.2.0"}
```
AFTER FAILOVER, PASSWORD SAFE DATA IS MISSING

Symptom: the secondary U-Series takes over and the vault is empty. Cause: HA only replicates databases for features that were enabled when HA was configured — Password Safe was switched on later, so its DB never joined replication. Fix: enable features first, then pair; if it is too late, re-establish HA.

Quick check · Q1 of 10

Sneha's firewall team at ICICI asks: "Which inbound ports must we open from BeyondTrust's cloud to the data centre for these Resource Brokers?" What is the correct answer?

Correct: c. The whole broker design exists so nothing dials in: brokers make outbound 443 connections and pull their work. (a) and (d) would be inbound holes the model deliberately avoids; (b) confuses the proxy listen ports users connect to locally with cloud connectivity.

Pause & Predict

Predict: your U-Series HA pair was configured in January. Password Safe (the feature) was enabled in March. The primary dies in June — what does the secondary have? Type your guess.

Answer: BeyondInsight data replicated since January, but NO Password Safe data — HA only syncs databases for features enabled at pairing time. The fix is procedural: enable features BEFORE pairing, or re-establish HA after enabling something new.

② Discovery — you cannot protect what you cannot see

Every PAM rollout fails the same way: the vault is perfect, but half the estate never entered it. That is why the docs force a setup order — and why discovery comes before any onboarding. The Discovery Scanner is the engine for every scan; in Password Safe Cloud it ships as one of the nine services inside each Resource Broker. Picture a census enumerator going door-to-door: list every house (asset) and every resident (account) before the government issues ration cards (onboarding).

You aim a scan with an Address Group (say 10.20.0.0/22 for the Bengaluru DC), attach a schedule (nightly, weekly), and choose how deep to look. An uncredentialed scan only knocks: which hosts answer, which ports are open. A credentialed (detailed) scan walks in with authority: on Windows it mounts the IPC$ share, pushes a temporary discovery agent service, and makes WMI and remote-registry calls. What comes back is the gold: assets, local accounts, services, software, scheduled tasks and open ports — the raw material Smart Rules will turn into managed accounts.

Figure 2 — The discovery pipeline — knock vs walk in, and what flows into the Assets grid
Flow diagram. An Address Group (10.20.0.0/22, nightly schedule) feeds the Discovery Scanner, the engine for all scans, whose scan credentials are stored AES-256 under Configuration → Discovery Management → Credentials. Two paths lead to a stack of targets (10.20.30.41 BLR-APP-07, 10.20.30.42 BLR-DB-02, 10.20.30.43 BLR-WEB-11): a thin amber uncredentialed path that finds only live hosts and open ports (ping + ports), and a solid blue credentialed path that mounts the IPC$ share, pushes a temporary agent and makes WMI and registry calls. The credentialed path returns assets, local accounts, services, software, scheduled tasks and open ports into the Assets grid (left menu · Assets), where Smart Rules take over. Two red warnings: wrong creds mean account lockouts plus SOC alert noise on every target, and status can say Completed while enumeration silently failed (UAC, firewall, NTLM), so check the tabs. Tagline: knocking tells you a house exists; walking in with authority tells you who lives there.
Follow the blue credentialed path: IPC$ → agent → WMI/registry. The amber path is the uncredentialed knock — it finds houses, not residents. Red text marks the two ways discovery silently lies to you.

Scan credentials deserve respect: they typically need local admin on Windows targets (that is what IPC$ + WMI + remote registry require) and they are stored AES-256 encrypted in BeyondInsight, set under Configuration → Discovery Management → Credentials. Treat them like the census officer's authority letter — with the wrong letter, doors stay shut, and worse: repeated wrong knocks lock accounts and light up the SOC. One more field-tested tip: since version 24.3 the Software collection checkbox ships unchecked, because software inventory often slowed or failed scans on big estates. Leave it off unless you genuinely need it.

🖥️ This is the screen you'll use — BeyondInsight → Configuration → Discovery Management → Credentials → Create New Credential. The scan account is stored AES-256 and pushed to scanner servers. (Recreated for clarity — your console matches this.)
bi.icici-lab.local · Configuration → Discovery Management → Credentials
• Credential Name: ICICI-LAB Windows scan
• Type: Windows
• Domain: ICICI-LAB
• Username: svc-discovery
• Password: •••••••••••• (stored AES-256)
• Description: Detailed scans — BLR DC estate (10.20.0.0/22)
[Create Credential]
👉 So far: address group + schedule + credential = a scan; credentialed scans return accounts/services/software, not just live IPs. Next: the gotcha where a scan "succeeds" and still returns nothing.
PowerShell on a scanner host — prove the scan account can do what the scanner needs
```powershell
# Before blaming the Discovery Scanner, test its two prerequisites yourself:
# 1. IPC$ share access as the scan account (the temporary agent push needs it)
net use \\10.20.30.41\IPC$ /user:ICICI-LAB\svc-discovery *

# 2. WMI access as the scan account. Get-CimInstance has no -Credential parameter,
#    so open a CIM session over DCOM (classic WMI) and query through it.
$cred = Get-Credential ICICI-LAB\svc-discovery
$session = New-CimSession -ComputerName 10.20.30.41 -Credential $cred -SessionOption (New-CimSessionOption -Protocol Dcom)
Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem | Select-Object Caption, Version
Remove-CimSession $session
```

Expected output

```text
The command completed successfully.

Caption                                   Version
-------                                   -------
Microsoft Windows Server 2022 Standard    10.0.20348
```

Rahul at Wipro faces this

The nightly detailed scan of 10.20.30.0/24 reports "completed successfully", but hours later the new assets show ZERO local accounts, services or software — and no accounts ever onboard.

Likely cause

The scan credential is not a true local admin on the targets — IPC$/WMI/remote-registry calls are silently blocked by UAC remote restrictions, Windows Firewall or NTLM hardening. Port-level discovery succeeded, so the scan status still says success.

Diagnosis

Manually test IPC$ and WMI as the scan account from the scanner host (the code block above). Then enable advanced scanner logging and re-scan one target.

BeyondInsight > Discovery (Scans grid) → scan details; credentials at Configuration > Discovery Management > Credentials
Fix

Grant the scan account real local admin on targets (GPO group), fix LocalAccountTokenFilterPolicy/UAC and firewall rules per BeyondTrust KB0017022, then re-run the detailed scan.

Verify

The asset's details now list local accounts, services and software — and your Managed Account Smart Rule starts matching candidates from the scan.

Quick check · Q2 of 10

A "detailed" credentialed discovery scan against Windows targets will…

Correct: b. Credentialed discovery is active and authenticated — IPC$ + agent + WMI/registry is exactly what it does (and why the scan account needs local admin). (a) describes passive monitoring tools, (c) is the uncredentialed knock, (d) describes a directory query, which is a Smart Rule criterion, not a scan.

Pause & Predict

Predict: a scan ends "completed successfully" but the asset's services and software tabs are empty. Success or failure? Type your guess.

Answer: Both — that is the trap. Ping/port discovery succeeded (so the status is green), but credentialed enumeration silently failed: wrong rights, UAC, firewall or NTLM hardening. Treat "Completed" + empty tabs as a failure and check scanner logs, not the status column.
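To make the "Completed but empty" trap mechanical, here is an added Python example (mine, not the lesson's or the product's) that triages constructed scan rows the way the text says to read them, status, open ports and the accounts/services tabs together, and pairs each verdict with the page's next step. The ScanAsset shape and the sample hosts are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class ScanAsset:
    """One row of a discovery scan result (constructed shape, not the product's schema)."""
    name: str
    ip: str
    status: str                    # what the Scans grid shows, e.g. "Completed"
    credentialed: bool             # detailed (credentialed) scan, or a plain knock
    open_ports: list = field(default_factory=list)
    local_accounts: list = field(default_factory=list)
    services: list = field(default_factory=list)
    software: list = field(default_factory=list)


def verdict(asset: ScanAsset) -> str:
    """Classify one asset; 'silent-enumeration-failure' is the trap the text describes."""
    if asset.status.lower() != "completed":
        return "scan-failed"                 # the grid already says it failed
    if not asset.open_ports:
        return "host-unreachable"            # the knock found nothing live
    if not asset.credentialed:
        return "uncredentialed-knock"        # accounts were never expected here
    if not asset.local_accounts and not asset.services:
        return "silent-enumeration-failure"  # green status, empty tabs
    return "enumerated"


# What to do next for each verdict, taken from the lesson's diagnosis/fix steps.
NEXT_STEP = {
    "silent-enumeration-failure": (
        "Scan account is not a real local admin, or UAC (LocalAccountTokenFilterPolicy), "
        "Windows Firewall or NTLM hardening blocks IPC$/WMI/remote registry: test IPC$ and "
        "WMI manually from the scanner host, enable advanced scanner logging, re-scan one target."
    ),
    "host-unreachable": "Check the Address Group range and that the host is reachable.",
    "scan-failed": "Open the scan details in the Discovery Scans grid.",
    "uncredentialed-knock": "Attach a credential and run a detailed scan to get residents, not houses.",
    "enumerated": "Nothing to do; Smart Rules take over from here.",
}


def triage(assets):
    """Group asset names by verdict so the silent failures stand out from healthy rows."""
    buckets = {}
    for asset in assets:
        buckets.setdefault(verdict(asset), []).append(asset.name)
    return buckets


# Constructed sample: what a nightly scan of 10.20.30.0/24 might hand back.
SAMPLE_SCAN = [
    ScanAsset("BLR-APP-07", "10.20.30.41", "Completed", True,
              open_ports=[135, 445, 3389], local_accounts=["Administrator", "svc-backup"],
              services=["Spooler", "BackupAgent"], software=["Backup Exec"]),
    ScanAsset("BLR-DB-02", "10.20.30.42", "Completed", True,
              open_ports=[135, 445, 1433]),              # green status, empty tabs
    ScanAsset("BLR-WEB-11", "10.20.30.43", "Completed", False,
              open_ports=[80, 443]),                     # knock only, by design
    ScanAsset("BLR-OLD-01", "10.20.30.44", "Completed", True),  # nothing answered
]

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_SCAN).items():
        print(f"{bucket:28} {', '.join(names)}")
        print(f"{'':28} -> {NEXT_STEP[bucket]}")
```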

③ Smart Groups & Smart Rules — the automation engine

Mumbai's dabbawalas route two lakh tiffins a day with painted codes: read the label, put the box in the right wagon, repeat at every station. A Smart Rule is that sorting code for your estate: IF the discovered thing matches my criteria, THEN group it, onboard it, configure it — and re-check forever. The output is a Smart Group, the unit you will later attach permissions and roles to. With a Password Safe license there are exactly four rule types: Asset, Managed Account, Managed System and Policy User.

Anatomy first, because every interview asks it. Selection Criteria (IF): for managed-account rules these include Directory Query, Microsoft Entra ID Query, Directory Attribute Match and Dedicated Account; asset rules match OS, name, IP range and more. Processing (WHEN): a rule runs when it is created or saved, on timer expiry, when asset changes are detected, or when you press Process on the grid — throttled by the Reprocessing Limit field in Details. Actions (THEN): the exact strings matter — Show managed account as Smart Group, Manage Account Settings, Link domain accounts to Managed Systems, Map Dedicated Accounts to a user group. That middle action is the auto-onboarder: it is how 1,400 servers' service accounts get rotation policies without a single manual edit.

Figure 3 — Smart Rule anatomy — criteria, processing triggers, actions
Three columns. Left amber column, IF (Selection Criteria): Directory Query (AD OU), Microsoft Entra ID Query, Directory Attribute Match, Dedicated Account filter, asset fields such as OS, name and IP range; narrow criteria make fast rules, LDAP/Entra queries are slower by design. Middle blue column, PROCESSING (when it runs): every create/edit + save, timer expiry in the background, when asset changes are detected, manual Process from the grid; child rules run before the parent; throttled by the Reprocessing Limit (e.g. once per day) in the Details section. Right green column, THEN (Actions): Show managed account as Smart Group, Manage Account Settings (auto-change, release duration…), Link domain accounts to Managed Systems, Map Dedicated Accounts to [user group]; this is how auto-onboarding happens. A lime banner warns that the settings in a Smart Rule OVERRIDE the managed system/account settings, so a manual edit survives only until the next reprocess: change it IN the rule. Footer: 4 rule types (Asset · Managed Account · Managed System · Policy User); built-in rules are locked (no delete); a rule used by another rule cannot be deleted or deactivated; Quick Groups are frozen Smart Rules whose filters/actions cannot be modified afterwards.
Read left to right: IF (amber) → WHEN (blue) → THEN (green). The lime banner is the #1 exam gotcha: the rule re-applies its settings on every reprocess, silently overwriting manual edits.

Three platform behaviours to memorise before you build anything: (1) the rule wins — "the settings in a Smart Rule override the settings configured on the managed system", so an account onboarded by a rule must be edited in the rule; (2) built-ins are locked — built-in Smart Rules show a lock icon and cannot be deleted, and any rule referenced by another rule cannot be deleted or deactivated; (3) Quick Groups are frozen — handy for ad-hoc grouping, but their filters and actions cannot be modified later.

▶ Follow one account from discovery to the vault

Watch svc-backup travel the full automation pipeline: scan, match, act, onboard.

① Discover: nightly scan finds svc-backup @ 10.20.30.41 (asset + local account land in the grid)
② Match: Managed Account rule criteria hit: Directory Query · OU=Service-Accounts
③ Act: actions fire: Manage Account Settings → auto-change ON, release 120 min
④ Vault: account appears in Managed Accounts · password set now · next rotation 23:30 UTC
🖥️ Where the automation lives — left menu Smart Rules → + Create Smart Rule. Criteria are the IF, Actions are the THEN; the Reprocessing Limit throttles how often it re-runs. (Recreated for clarity — your console matches this.)
bi.icici-lab.local · Smart Rules → Create Smart Rule
• Category: Managed Accounts
• Name: Onboard svc-* — Linux estate
• Reprocessing Limit: Once per day
• Selection Criteria: Directory Query · OU=Service-Accounts,DC=icici-lab
• Action: Manage Account Settings · auto-change ON · release 120 min
• Action: Show managed account as Smart Group
[Create Smart Rule]
THE OVERLAP LOOP — STRAIGHT FROM THE DOCS

Symptom: account settings flip back and forth, rotations storm, the Omni Worker is pegged. BeyondTrust's own warning: "be cautious about creating more than one Smart Rule with the same systems or accounts. If the Smart Rules have different actions, they will start continually overwriting each other in an endless loop." One population, one owning rule — use exclusion criteria and a naming convention like MA-LINUX-SVC-onboard so overlap is visible at a glance.

Figure 4 — Overlapping rules vs one-owner rules — the before/after that saves your weekend
Split comparison. Left red half, two rules, same accounts: Rule A (release 120 min) and Rule B (release 60 min, no auto-change) both match svc-backup and svc-deploy, drawn with circular arrows; settings flip on every reprocess, rotation storms, Omni Worker pegged; the docs call it continually overwriting, an endless loop. Right green half, one population, one owner: Rule A owns svc-* (all svc account settings), Rule B owns db-* and excludes svc-* explicitly; svc-backup and db-ora-prd each have one writer and stay stable; membership is predictable, processing is calm, and in the audit every setting traces to exactly one rule. Fix pattern: exclusion criteria + naming convention.
Left: two rules write different settings to the same accounts and loop forever. Right: each population has exactly one owning rule; the other rule explicitly excludes it.

Priya at Flipkart faces this

Service accounts keep jumping between two Smart Groups; release durations flip between 60 and 120 minutes overnight; rotation jobs spike every few hours and the console crawls.

Likely cause

Two Managed Account Smart Rules — one per sub-team — both match svc-* accounts but carry different Manage Account Settings actions. Every reprocess, each rule "corrects" the other's work: the documented endless overwrite loop.

Diagnosis

List all rules whose criteria touch the flapping accounts; compare their Selection Criteria and Actions side by side; check Last Processed timestamps ping-ponging.

BeyondInsight > Smart Rules (grid, sort by Last Processed) → open each rule → Selection Criteria + Actions
Fix

Make one rule the owner of svc-* (merge the needed settings into it); add an exclusion for svc-* in the second rule; set a sane Reprocessing Limit on both.

Verify

Settings stop flipping across two full processing cycles; rotation queue returns to normal; each account's settings now trace to exactly one rule.
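An added Python example (mine, not BeyondTrust's) that models the two rules from the Flipkart scenario, finds every account with more than one writer of Manage Account Settings, and replays reprocessing to show the 120/60 ping-pong. Glob patterns stand in for the Directory Query and the rule names are constructed; the one-owner variant shows the exclusion fix.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch


@dataclass
class SmartRule:
    """A Managed Account Smart Rule reduced to what matters for overlap: IF and THEN."""
    name: str
    include: list                                  # glob patterns standing in for the Directory Query
    exclude: list = field(default_factory=list)    # exclusion criteria
    settings: dict = field(default_factory=dict)   # the Manage Account Settings action, if any

    def matches(self, account: str) -> bool:
        hit = any(fnmatch(account, p) for p in self.include)
        excluded = any(fnmatch(account, p) for p in self.exclude)
        return hit and not excluded


def writers(rules, account):
    """Rules that match the account AND carry a Manage Account Settings action."""
    return [r for r in rules if r.settings and r.matches(account)]


def find_loops(rules, accounts):
    """Accounts with 2+ writers whose settings differ: the documented endless overwrite loop."""
    loops = {}
    for acct in accounts:
        ws = writers(rules, acct)
        distinct = {tuple(sorted(r.settings.items())) for r in ws}
        if len(distinct) > 1:
            loops[acct] = [r.name for r in ws]
    return loops


def simulate_reprocess(rules, account, cycles=2):
    """Replay reprocessing: every matching writer re-applies its settings in turn,
    so overlapping writers make the release duration ping-pong between values."""
    trail = []
    for _ in range(cycles):
        for r in writers(rules, account):
            trail.append((r.name, r.settings.get("release_minutes")))
    return trail


ACCOUNTS = ["svc-backup", "svc-deploy", "db-ora-prd"]   # constructed discovered accounts

# Before: two sub-team rules both claim svc-* with different actions.
OVERLAPPING = [
    SmartRule("MA-LINUX-SVC-onboard", ["svc-*"],
              settings={"auto_change": True, "release_minutes": 120}),
    SmartRule("MA-TEAM2-accounts", ["svc-*", "db-*"],
              settings={"auto_change": False, "release_minutes": 60}),
]

# After: one population, one owner; the second rule excludes svc-* explicitly.
ONE_OWNER = [
    SmartRule("MA-LINUX-SVC-onboard", ["svc-*"],
              settings={"auto_change": True, "release_minutes": 120}),
    SmartRule("MA-DB-onboard", ["db-*"], exclude=["svc-*"],
              settings={"auto_change": False, "release_minutes": 60}),
]

if __name__ == "__main__":
    print("loops before:", find_loops(OVERLAPPING, ACCOUNTS))
    print("svc-backup trail:", simulate_reprocess(OVERLAPPING, "svc-backup"))
    print("loops after: ", find_loops(ONE_OWNER, ACCOUNTS))
```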

Password Safe API — confirm what the Smart Rule onboarded (Enable for API Access required)
```bash
curl -s -b cookies.txt \
  "https://bi.icici-lab.local/BeyondTrust/api/public/v3/ManagedAccounts?systemName=BLR-APP-07"
```

Expected output

```json
[{"PlatformID":4,"SystemId":112,"SystemName":"BLR-APP-07",
  "AccountName":"svc-backup","DomainName":null,
  "DefaultReleaseDuration":120,"MaximumReleaseDuration":525600,
  "ChangeTime":"23:30","AutoManagementFlag":true}]
```
Quick check · Q3 of 10

Aditya at HCL edits the release duration directly on an account that was onboarded by a Smart Rule using Manage Account Settings. Next morning his edit has reverted. Why?

Correct: d. Smart Rule settings override managed system/account configuration on every reprocess — the docs say so explicitly, and it is the #1 "why does my edit keep reverting" ticket. (a) HA replication copies data, it does not revert edits; (b) password policies govern password generation, not release settings; (c) is possible but not the systemic cause.

Pause & Predict

Predict: you save a new Entra-ID-query Smart Rule at 10:00. At 13:00 its Smart Group is still empty. Broken? Type your guess.

Answer: Probably not. Rules that depend on external directory data (LDAP/Entra queries) are documented to process more slowly. Press Process on the grid to force it, sanity-check the query itself, and avoid stacking many directory-dependent rules — they are the slowest movers in the engine.

④ Users, groups & roles — least privilege for the PAM team itself

Here is the uncomfortable truth your CISO already knows: the PAM console is the juiciest target in the building, because whoever controls it controls every password in it. So the same least-privilege discipline you enforce on others applies to your own team first. BeyondInsight grants nothing to individual users — permissions flow through groups, created under Configuration → Role Based Access → User Management. A group can be a BeyondInsight local group, or synced from Active Directory, LDAP or Microsoft Entra ID — so your existing IAM joiner/leaver process keeps working: HR removes Karthik from the AD group, and his vault access dies with it.

Rights come in two layers, and mixing them up fails interviews. Layer 1 — feature permissions: what a group may do in the console itself (full control, read-only or no access to areas like Smart Rules, Assets, Analytics & Reporting). Layer 2 — Password Safe roles, granted per Smart Group: Requestor (may ask for credentials/sessions), Approver (may grant), Requestor/Approver (both), and ISA (instant retrieval, no approval step at all). Think of a hotel's master-key register: housekeeping may request floor keys (Requestor), the duty manager signs the register (Approver), and the general manager's skeleton key (ISA) opens everything with no signature — which is exactly why you issue it to almost nobody.

👉 So far: groups (synced from AD/Entra) get feature permissions + per-Smart-Group roles; ISA bypasses approval entirely. Next: proving all of this to an auditor with Analytics & Reporting.

Karthik at HCL faces this

An internal audit at HCL finds a fresh L1 joiner retrieved 14 production root passwords last month — with zero approval records. The joiner did nothing sneaky: the console simply let him.

Likely cause

The "PAM-L1-Helpdesk" group was granted ISA (instead of Requestor) on the Linux-Production Smart Group during a long-forgotten incident night — ISA retrievals skip the request/approve workflow, so no approvals exist by design.

Diagnosis

Review the group's Password Safe roles per Smart Group, then pull the credential-release report and filter for releases without linked approval requests.

BeyondInsight > Configuration > Role Based Access > User Management > Groups > PAM-L1-Helpdesk → Smart Groups (roles)
Fix

Replace ISA with Requestor on production Smart Groups for L1; bind an access policy that requires one approver; keep ISA only in a break-glass group with 2-3 named senior members.

Verify

Next month's report shows every release linked to an approved request; a test retrieval by an L1 account now lands in an approver's queue instead of returning the password.

Now close the loop with evidence. Analytics & Reporting (left menu) is where the platform pays rent: start with three views — coverage (discovered accounts vs managed accounts — the gap is your risk backlog), rotation health (failed password changes trending up means a functional-account or rights problem), and activity (who requested, who approved, who used ISA). Schedule the coverage and activity reports to email your team weekly; when the auditor arrives, the answer to "prove it" is a subscription, not a scramble. Everything you learned today — discovery feeding Smart Rules feeding role-scoped Smart Groups — becomes measurable on these dashboards.

Figure 5 — The pin-this cheat-sheet — console map, rule anatomy, key numbers, four roles
Four-card cheat sheet (screenshot this).

🗺️ Console map (left menu)
• Assets · Smart Rules · Discovery · Managed Systems · Managed Accounts · Password Safe · Secrets Safe · Analytics & Reporting · Configuration
• Configuration → Privileged Access Management → Functional Accounts
• Configuration → Privileged Access Management Policies → Access Policies
• Configuration → Privileged Access Management Agents → Password Change Agent
• Configuration → Discovery Management → Credentials / Address Groups
• Configuration → Role Based Access → User Management (groups)
• Setup order: functional account → password policy → assets → managed systems → managed accounts → rules/policies/roles

⚙️ Smart Rule anatomy
• Details: Category · Name · Active · Reprocessing Limit
• IF (Selection Criteria): Directory Query · Entra ID Query · attribute match
• THEN (Actions): Smart Group · Manage Account Settings · link · map
• 1 population = 1 owning rule (no overlap!)
• Types: Asset · Managed Account · Managed System · Policy User
• Rule settings override manual account edits

🔢 Numbers that matter
• SSH proxy 4422 · RDP proxy 4489 · monitor 4488
• Broker: outbound 443 only · 16 GB RAM min · 64 GB cache
• Zones: Default + 50 more · 200 brokers max · 2+ per zone
• Release 120 min · max 525600 · ChangeTime 23:30 UTC
• API /BeyondTrust/api/public/v3 · PS-Auth key+runas
• Version 25.2 · upgrade from 23.2+ · SQL 2016 SP2+
• BTU cert: 40 Qs · 75% pass · 2 attempts only

👥 Password Safe roles
• Requestor: asks; approval workflow applies
• Approver: grants/denies requests
• Requestor/Approver: both (not own requests)
• ISA: instant retrieval, NO approval; break-glass only
• Roles are granted per Smart Group, to user groups, never to one user
Console paths on the left, Smart Rule anatomy and the four roles on the right, interview numbers bottom-left. Screenshot it — this card answers half the BTU exam warm-ups.
PROVE LEAST PRIVILEGE IN 60 SECONDS

Open Configuration → Role Based Access → User Management → your group → check its Smart Group roles: production Smart Groups should show Requestor (with an approver-backed access policy), never ISA. Then open Analytics & Reporting and confirm zero approval-less releases last month outside the break-glass group. If both checks pass, your PAM team passes its own audit.
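The two checks above, as an added Python example (mine, not a product report) run over constructed role grants and a constructed release log: any ISA on a production Smart Group held outside the break-glass group, and any release with no linked approval request outside that group. Group, Smart Group, user and account names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# The four Password Safe roles; anything else in a grant is a data error worth stopping on.
PS_ROLES = {"Requestor", "Approver", "Requestor/Approver", "ISA"}


@dataclass(frozen=True)
class RoleGrant:
    group: str          # user group (local, or synced from AD/LDAP/Entra ID)
    smart_group: str    # roles are granted per Smart Group, never to one user
    role: str


@dataclass(frozen=True)
class Release:
    user: str
    group: str                           # group that entitled the release
    smart_group: str
    account: str
    approval_request_id: Optional[int]   # None = direct retrieval with no approval


def isa_outside_break_glass(grants, production_smart_groups, break_glass_group):
    """Check 1: ISA on a production Smart Group held by any group but break-glass."""
    findings = []
    for g in grants:
        if g.role not in PS_ROLES:
            raise ValueError(f"{g.group}: unknown Password Safe role {g.role!r}")
        if (g.role == "ISA" and g.smart_group in production_smart_groups
                and g.group != break_glass_group):
            findings.append(g)
    return findings


def unapproved_releases(releases, break_glass_group):
    """Check 2: releases with no linked approval request outside the break-glass group."""
    return [r for r in releases
            if r.approval_request_id is None and r.group != break_glass_group]


def audit(grants, releases, production_smart_groups, break_glass_group):
    """Both checks together; 'passed' is the 60-second verdict."""
    isa = isa_outside_break_glass(grants, production_smart_groups, break_glass_group)
    direct = unapproved_releases(releases, break_glass_group)
    return {"isa_on_production": isa, "unapproved_releases": direct,
            "passed": not isa and not direct}


# Constructed data mirroring the HCL scenario: L1 was handed ISA on an incident night.
PRODUCTION = {"Linux-Production", "Windows-Production"}
BREAK_GLASS = "PAM-BreakGlass"
GRANTS = [
    RoleGrant("PAM-L1-Helpdesk", "Linux-Production", "ISA"),        # the forgotten grant
    RoleGrant("PAM-L1-Helpdesk", "Windows-Production", "Requestor"),
    RoleGrant("PAM-Leads", "Linux-Production", "Approver"),
    RoleGrant(BREAK_GLASS, "Linux-Production", "ISA"),              # intended
]
RELEASES = [
    Release("karthik.r", "PAM-L1-Helpdesk", "Linux-Production", "root@BLR-APP-07", None),
    Release("karthik.r", "PAM-L1-Helpdesk", "Windows-Production", "Administrator@BLR-DB-02", 4471),
    Release("meera.s", BREAK_GLASS, "Linux-Production", "root@BLR-WEB-11", None),
]

if __name__ == "__main__":
    report = audit(GRANTS, RELEASES, PRODUCTION, BREAK_GLASS)
    for g in report["isa_on_production"]:
        print(f"ISA outside break-glass: {g.group} on {g.smart_group}")
    for r in report["unapproved_releases"]:
        print(f"release without approval: {r.user} ({r.group}) -> {r.account}")
    print("passed:", report["passed"])
```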

CAREER NOTE — THIS LESSON IS CERT MATERIAL

BeyondTrust University's Password Safe Administration track leads to a cert exam: 40 questions, 75% to pass, two attempts only — fail both and you repurchase training. The BI-vs-PS layering, Smart Rule loop gotcha and broker outbound-443 model in this lesson are exactly the kind of items its pools draw from.

Quick check · Q4 of 10

During a Sev-1 at 2 AM, Meera needs a production root password NOW, with no approver awake. Which Password Safe role — held by a tiny break-glass group — makes that possible by design?

Correct: a. ISA is the approval-less role (API mirror: POST ISARequests returns the credential directly) — powerful, so it lives in a small break-glass group. (b) Requestors wait for approval unless the access policy itself has Auto Approve; (c) approving and retrieving are separate rights; (d) there is no credential-retrieving Auditor role in Password Safe.

Pause & Predict

Predict: you give the L1 helpdesk group ISA on the Windows-servers Smart Group "temporarily" during an incident and forget it. What does next month's audit report show? Type your guess.

Answer: A pile of credential releases with no approval records — ISA skips the request/approve workflow entirely, so the audit trail shows direct retrievals by junior staff. Time-box emergency grants, set a calendar reminder to revert, and keep ISA inside a named break-glass group.


📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete.

Q5 · Remember

Which of these is NOT one of the four Smart Rule types available with a Password Safe license?

Correct: b. The four types are Asset, Managed Account, Managed System and Policy User. Functional accounts are configuration objects (the rotation worker accounts) — there is no Functional Account Smart Rule, which is exactly why it makes a tempting distractor.
Q6 · Apply

Meera’s team at Infosys runs Password Safe Cloud. They must rotate passwords on servers inside a private data centre with a strict "no inbound connections" firewall policy. What do they deploy?

Correct: c. Resource Brokers are built for exactly this: they sit inside the network, run discovery/rotation/session services locally, and make only outbound 443 connections to yoursite.ps.beyondtrustcloud.com. (a) abandons the cloud deployment unnecessarily; (b) and (d) both violate the no-inbound policy the broker model exists to satisfy.
Q7 · Apply

A detailed discovery scan finds the assets but lists no local accounts on them, so nothing onboards. What should you check FIRST?

Correct: a. Account/service enumeration needs an authenticated path: IPC$, the temporary agent and WMI/remote-registry calls all require local admin. UAC, firewall or NTLM hardening silently break it while the scan still reports success. (b) frequency does not add rights; (c) Software collection adds software inventory, not accounts — and it slows scans; (d) uncredentialed scans return LESS, not more.
Q8 · Analyze

Two Managed Account Smart Rules both match svc-* accounts with different Manage Account Settings. Symptoms: settings flip nightly, rotation storms, Omni Worker pegged. What is the best fix?

Correct: d. The documented endless overwrite loop only ends when each account population has exactly one rule writing its settings — ownership plus exclusions. (a) built-ins cannot be deleted and deletion is overkill; (b) throttling slows the flip-flop but the conflict remains; (c) stopping the change agent halts rotation estate-wide, treating the symptom by causing an outage.
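The overlap behind Q8, as an added example that is not BeyondTrust code: Smart Rule selection is modelled as name globs plus exclusions, `find_conflicts` lists accounts that more than one settings-writing rule claims, and `simulate` plays out change-triggered reprocessing to show the alternating writes. Rule names, account names, the single `change_frequency_days` setting and the processing order are constructed for illustration.

```python
# Added example, not BeyondTrust code: model Managed Account Smart Rules as
# name globs plus exclusions and show the endless overwrite loop.
# Rule names, account names and settings are constructed for illustration.
from fnmatch import fnmatchcase

def rule_matches(rule, account):
    """Selection criteria: any include glob matches and no exclusion does."""
    return (any(fnmatchcase(account, g) for g in rule["include"])
            and not any(fnmatchcase(account, g) for g in rule.get("exclude", [])))

def find_conflicts(rules, accounts):
    """Accounts claimed by more than one settings-writing rule: {account: [rules]}."""
    conflicts = {}
    for acct in accounts:
        owners = [r["name"] for r in rules if rule_matches(r, acct)]
        if len(owners) > 1:
            conflicts[acct] = owners
    return conflicts

def simulate(rules, account, max_steps=10):
    """Change-triggered reprocessing: a rule that alters the account's setting
    causes every other matching rule to reprocess. Returns the writes made;
    a list that keeps alternating is the loop (capped at max_steps)."""
    current, writes = None, []
    queue = [r for r in rules if rule_matches(r, account)]
    for _ in range(max_steps):
        if not queue:
            break
        rule = queue.pop(0)
        value = rule["change_frequency_days"]
        if value != current:
            current = value
            writes.append((rule["name"], value))
            queue += [r for r in rules if r is not rule and rule_matches(r, account)]
    return writes

ACCOUNTS = ["svc-backup", "svc-sql-agent", "svc-web", "adm-root"]

# Before: both rules match svc-sql-* and write different settings
BEFORE = [
    {"name": "svc-rotate-30d", "include": ["svc-*"], "change_frequency_days": 30},
    {"name": "svc-sql-rotate-7d", "include": ["svc-sql-*"], "change_frequency_days": 7},
]
# After: the broad rule excludes the population the specific rule owns
AFTER = [
    {"name": "svc-rotate-30d", "include": ["svc-*"], "exclude": ["svc-sql-*"],
     "change_frequency_days": 30},
    {"name": "svc-sql-rotate-7d", "include": ["svc-sql-*"], "change_frequency_days": 7},
]
```

`find_conflicts(BEFORE, ACCOUNTS)` names svc-sql-agent as claimed by both rules and `simulate(BEFORE, "svc-sql-agent")` alternates 30/7 until the step cap, while with `AFTER` the account gets exactly one write of 7.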
Q9 · Analyze

An Entra-ID-query Smart Rule shows stale membership for hours after new accounts appear in the directory. What is the MOST likely explanation?

Correct: b. BeyondTrust’s docs warn that rules depending on external data sources (LDAP/Entra) can take longer to process; the grid’s manual Process button forces a run. (a) processing also triggers on save, timers and asset changes — not just nightly; (c) consent does not expire weekly; (d) there is no fixed 24-hour membership cache.
Q10 · Evaluate

ICICI’s audit committee asks Karthik to justify why the PAM admin group itself should NOT hold ISA on all Smart Groups. Which justification is strongest?

Correct: d. The strongest argument is the control argument: approval-less standing access for the very team that runs the vault collapses separation of duties and leaves no approval trail — keep ISA for break-glass only. (a) is false — ISA is faster, that is its purpose; (b) is false — ISA covers sessions too (ISASessions); (c) licensing is asset-based, and cost is the weakest audit justification anyway.

🧠 In your own words

Type one line: Your manager asks: we bought Password Safe — why are you spending the first week on BeyondInsight assets and Smart Rules instead of vaulting passwords? Then compare to the expert version.

Expert version: Because the vault is only as complete as the platform’s picture of the estate. Discovery builds the asset and account inventory (you cannot protect what you have not found), Smart Rules turn that inventory into auto-onboarded, consistently-configured managed accounts, and role-scoped groups decide who may touch them. Do that platform work first and the vault fills itself and stays current as servers come and go; skip it and you hand-onboard forever, miss half the estate, and fail the audit on coverage — with a perfectly configured vault.


📖 Glossary

BeyondInsight
The management platform — assets, discovery, Smart Rules, users, reports — that Password Safe runs on.
U-Series appliance
Hardened physical/virtual appliance shipping BI/PS pre-installed; pair two for HA (replication + heartbeat).
Resource Broker
Outbound-443 worker in your network doing auth, discovery, rotation and session proxy for Password Safe Cloud.
Resource Zone
A named collection of Resource Brokers; the cloud round-robins work across the zone’s brokers.
Discovery Scanner
The engine that performs all discovery scans and feeds findings into the Assets grid.
Address Group
A saved list of IPs, ranges or names that a discovery scan targets.
Smart Rule
A continuously re-evaluated IF→THEN rule: selection criteria → processing → actions.
Smart Group
The dynamic group a Smart Rule maintains — membership recomputes on every reprocess.
ISA
Information Systems Administrator role — retrieves credentials instantly with no approval workflow.
Omni Worker
BeyondInsight’s background job service that processes Smart Rules and other queued work.
Functional account
The worker account Password Safe uses to change other accounts’ passwords — never checked out by humans.
Analytics & Reporting
BeyondInsight’s reporting layer — coverage, rotation health and activity evidence for audits.

📚 Sources

  1. BeyondInsight & Password Safe Getting Started Guide — mandatory setup order, core definitions. docs.beyondtrust.com/bips/docs/ps-getting-started
  2. Password Safe Admin Guide — Smart Rules: types, criteria, actions, processing triggers and the endless-loop warning. docs.beyondtrust.com/bips/docs/ps-smart-rules
  3. BeyondInsight Discovery docs — scans grid, scan credentials (AES-256), Discovery Management paths. docs.beyondtrust.com/bips/docs/bi-on-prem-discovery-scans
  4. Password Safe Cloud Resource Broker install guide — nine services, zones/limits, outbound-443 model, sizing. docs.beyondtrust.com/bips/docs/ps-cloud-resource-broker-install
  5. U-Series Deployment and Failover Guide — appliance roles, HA pair model, features-at-pairing replication gotcha. docs.beyondtrust.com/bips/docs/u-series-deployment-and-failover-guide
  6. BeyondInsight and Password Safe 25.2 release notes — Windows Server 2025 support, upgrade path from 23.2+, SQL Server 2016 SP2+. docs.beyondtrust.com/bips/changelog/beyondinsight-and-password-safe-25-2-release-notes
  7. BeyondTrust Beekeepers community — discovery scan reports success but returns no services/software data (KB0017022). beekeepers.beyondtrust.com/general-40/discovery-scan-issue-6424
  8. BeyondInsight & Password Safe API usage — PS-Auth header, SignAppIn lifecycle, ManagedAccounts/Configuration endpoints. docs.beyondtrust.com/bips/reference/beyondinsight-and-password-safe-api-usage
  9. PeerSpot — BeyondTrust Password Safe pros and cons: Smart Rules bulk onboarding praised, console complexity flagged. peerspot.com/products/beyondtrust-password-safe-pros-and-cons
  10. BeyondTrust University — Get Certified: 40-question exam, 75% pass mark, two attempts. beyondtrust.com/services/beyondtrust-university/get-certified

What's next?

You now know how accounts get FOUND and onboarded. Next: what Password Safe actually does with them — the functional account, managed system and managed account trinity that makes rotation tick.