TTechclick ⚡ XP 0% All lessons
BeyondTrust · Password Safe · ArchitectureInteractive · L1 / L2 / L3

Password Safe Architecture: — Managed Systems, Managed Accounts & Functional Accounts

Every Password Safe deployment stands on three legs: the box (managed system), the credential being protected (managed account), and the worker that re-keys it (functional account). Mix up the last two once and rotation locks everyone out — this lesson makes sure you never do.

📅 2026-06-10 · ⏱ 13 min · 3 live demos · 4 infographics · 🏷 10-Q assessment + AI Tutor inline

🎯 By the end you will be able to

Read as:

Pick where you want to start

1

The vault trinity

System vs account vs functional — who is what.

 2

Functional accounts

The worker, its rights, and the lockout mistake.

 3

Request lifecycle

Request, approve, checkout, rotate on check-in.

 4

Credential flow

Reveal vs proxy vs API — plus cloud brokers.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Password Safe must change the root password on a Linux server every 30 days. Which account actually logs in to make that change?

Answered in The vault trinity.

2. Sneha checks out a Windows password and checks it back in 25 minutes later. What should happen to that password?

Answered in Request lifecycle.

3. Password Safe Cloud needs to rotate passwords on servers inside your data centre. What do you open on the firewall?

Answered in Functional accounts.

Most engineers think…

Most engineers think Password Safe is a fancier encrypted Excel — a safer place to STORE admin passwords, with the same old copy-paste workflow on top.

Wrong — storage is the least interesting layer. Password Safe is a rotation and brokering machine: a functional account re-keys every credential after use, the session proxy logs admins in without ever showing them the password, and the API hands secrets to applications with no human in the loop. If your design still has humans reading passwords off a screen all day, you deployed a vault — not PAM.

① The vault model — Password Safe on BeyondInsight, and the trinity

First, get the layering straight, because interviewers test it in the opening minute. BeyondInsight is the platform — it owns assets, discovery, Smart Rules and reporting. Password Safe is the PAM module that runs on it — the vault, the request engine, the rotation agents and the session proxy. One console, two layers, one licence conversation. Old-timers still call it PowerBroker (PBPS) — the name survives in registry paths, so recognise it.

Now the trinity that this whole series leans on. A managed system is the box — the docs call it a "computer or device where one or more account passwords are to be maintained". A managed account is the credential being protected — root on db-prod-01, the local Administrator on a file server. And a functional account is the worker — the account Password Safe itself logs in with to change everyone else’s passwords. Think of an SBI branch: the branch building is the managed system, the gold in each locker is the managed account, and the bank’s own master-key custodian — who can re-key any locker but never owns the gold — is the functional account.

👉 So far: BeyondInsight = platform, Password Safe = the PAM module on it; managed system = box, managed account = protected credential, functional account = the worker. Next: what it can manage, and the setup order the docs make mandatory.
Figure 1 — One platform, one worker, many boxes
BeyondInsight platform box on the left contains the Password Safe module and the vault. An amber functional account node in the middle is the worker Password Safe uses. Arrows from the worker reach three managed systems on the right: a Windows server, a Linux database server and a Cisco switch, each holding managed accounts. A callout notes that vaulted passwords never travel to the user; the worker goes to the box. One platform, one worker, many boxes BeyondInsight platform Discovery · Smart Rules · Reports Password Safe module vault (AES-256) · request engine rotation agents · session proxy old name: PowerBroker (PBPS in registry) Functional account svc_psafe_rotate the worker — never checked out uses Windows · 10.20.5.41 managed system 🔑 Administrator Linux db-prod-01 · 10.20.5.52 managed system 🔑 root · 🔑 oracle Cisco switch · 192.168.40.2 managed system 🔑 enable15 logs in & re-keys ← vaulted passwords never travel to a user by default — the WORKER goes to the box and changes the lock there platforms it manages: Windows · Linux/Unix · AD & LDAP domains · databases · network devices, firewalls, routers, iLO · cloud untrusted/attackertrusted/vaultedpolicy/decisionkey insightallowed/audited
Follow the arrows: BeyondInsight hosts the Password Safe module and vault; the functional account (amber) is the only thing that travels to the managed systems — vaulted passwords stay home while the worker re-keys locks on the box.

The platform coverage is wide and a favourite Remember-tier exam line: Password Safe manages credentials on Windows, Unix/Linux, AD and LDAP domains, databases, network devices (firewalls, routers, iLO out-of-band cards) and cloud platforms. The thing that makes scale possible is that you never click systems in one by one for long — discovery scans find them and Smart Rules onboard them. That automation engine is lesson 5; today you only need to know it exists and that Smart Rule settings override per-account edits.

One more thing the docs say with unusual force: the setup steps "must be completed in the order presented"1) functional account → 2) password policy → 3) discover/add assets → 4) onboard managed systems → 5) onboard managed accounts → 6) Smart Rules, access policies, roles. You can onboard a system without a functional account, but the docs are blunt: you cannot onboard accounts until you have onboarded systems — and account onboarding is blocked until a functional account exists for that platform. The worker is hired before the lockers are filled.

Four words you will use every single day

Tap each card — these are the vocabulary anchors for the next 16 lessons.

🖥️
Managed system
tap to flip

The box: Windows, Linux, AD domain, database, switch, iLO, cloud. Onboarded BEFORE any of its accounts. So: no system, no accounts.

🔑
Managed account
tap to flip

The protected credential ON a system — vaulted, released on request, rotated after use. The gold in the locker.

🛠️
Functional account
tap to flip

The worker Password Safe logs in with to change OTHER passwords. Created first, never checked out, never managed itself.

🧠
BeyondInsight
tap to flip

The platform under Password Safe: assets, discovery, Smart Rules, reports. One console, two layers — not two products.

Quick check · Q1 of 10

Meera at Wipro onboards a Windows server so Password Safe can rotate its local Administrator password. In BeyondTrust terms, the server / the Administrator credential / the account PS logs in with are, in order — ?

Correct: b. The server is the managed system (the box), the Administrator credential is the managed account (the thing protected and rotated), and the worker PS logs in with is the functional account. Option a swaps the first two; c puts the worker in the vault; d mixes in workgroup and ISA, which are a routing unit and a role — not trinity members.

Pause & Predict

Predict: the docs let you onboard a managed SYSTEM without a functional account, but block onboarding managed ACCOUNTS until one exists. Why would account onboarding specifically be blocked? Type your guess.

Answer: Because a managed account is a promise: Password Safe commits to testing and rotating that password. Both jobs require logging in to the box with privileges — which is exactly what the functional account is. A system record is just inventory; an account without a worker is a promise PS cannot keep, so the platform refuses to make it.

② Functional accounts in depth — the worker behind every rotation

The docs define a functional account as the "account that can access the system with the privileges required to manage and change passwords". You create it at Configuration > Privileged Access Management > Functional Accounts > Create New Functional Account — two required choices drive the rest of the form: Entity Type (Asset or Directory) and Platform. Pick the Microsoft Entra ID platform and the fields change shape entirely: Azure Scope, Username (UPN), Application (Client) ID, Tenant ID, Client Secret — because in the cloud the "worker" is an app registration, not a username-password pair.

🖥️ This is the screen you’ll create the worker on — BeyondInsight → Configuration → Privileged Access Management → Functional Accounts → Create New Functional Account. (Recreated for clarity — your console matches this.)
bi.tcslab.local · Configuration → Privileged Access Management → Functional Accounts
1
Entity Type
Asset
2
Platform
Windows
Domain Name
tcs.local
3
Username
svc_psafe_rotate
Password
••••••••••••••••
Description
Rotation worker — never check out
4
Alias
ad-rotation-worker
Create Functional Account

How much privilege does the worker need? Less than most people give it. On a Windows member server: local admin, or just the change-password user right assigned via GPO. In AD: delegated reset-password rights plus read/write of the lockout attribute on the target OUs — not Domain Admin. (Managing protected groups like Domain Admins does need extra AD delegation steps, because AD strips delegated rights on protected objects — that is the only case with a real argument for more.) On Linux: root, or a sudo elevation command configured in the platform settings so the FA elevates only for the password change. Every extra right you grant the worker is blast radius if the worker is ever stolen.

Password Safe API · list the functional accounts (run from any API-registered client)
GET https://bi.tcslab.local/BeyondTrust/api/public/v3/FunctionalAccounts
Authorization: PS-Auth key=<128-char-api-key>; runas=tcs\rahul.v;
Expected output
HTTP/1.1 200 OK
[ { "FunctionalAccountID": 7, "PlatformID": 4,
    "DomainName": "tcs.local", "AccountName": "svc_psafe_rotate",
    "Description": "Rotation worker - never check out" } ]
👉 So far: the FA is created first, per platform, with the minimum rights to change passwords — local admin / delegated AD rights / sudo. Next: the confusion that takes down whole platforms.

Now the confusion that produces real outages: functional vs managed. Both live on the same screen family, both are privileged, and on a sleepy Friday someone — or an over-broad Smart Rule — onboards the functional account as a managed account. Password Safe then dutifully rotates the worker’s own password. But queued change jobs, and the platform’s stored copy of the FA credential, still hold the old secret. The docs’ warning is exact: functional accounts "have built-in management capabilities and passwords could fail to synchronize". Result: every rotation on that platform starts failing at once — the watchman’s own key was changed and nobody told him, so no lock in the building can be re-keyed.

Figure 2 — Functional vs managed — the two-column rule
Two columns compare the functional account, the worker used only by the Password Safe engine to change other passwords and never checked out, with the managed account, the protected credential humans and apps check out and which gets rotated. A red strip at the bottom shows the classic failure chain when the functional account is onboarded as a managed account, and a green strip shows the fix. The worker vs the protected credential — keep them apart FUNCTIONAL account — the worker • used ONLY by the Password Safe engine • job: log in and change OTHER accounts' passwords • never checked out, never given to a human • created FIRST — step 1 of the setup order • NEVER onboarded as a managed account analogy: the bank's own master-key custodian MANAGED account — the protected credential • used by humans / apps AFTER request + checkout • job: its password is vaulted, released, rotated • release rules apply: 120 min default, check-in, audit • onboarded LAST — after its managed system exists • rotated by the functional account, on schedule analogy: the gold inside the locker ☠ classic failure: FA onboarded as managed → PS rotates the worker's own password → queued change jobs still hold the OLD secret → every rotation on the platform fails at once ✓ fix: keep the FA off the managed list — docs: managing it means passwords could fail to synchronize. Watch its health with the Password Test Agent instead.
Left column is the worker (amber): engine-only, changes others, never checked out, never managed. Right is the protected credential (blue): checked out by humans/apps and rotated. The red strip is the failure chain you will one day be asked to explain in a postmortem.

Rahul at TCS faces this

Monday 06:10 IST: every scheduled rotation on the Windows platform failed overnight — dozens of accounts stuck in the failed-changes queue. Friday evening, a teammate had run a broad Smart Rule that swept service accounts into management — including svc_psafe_rotate, the platform’s functional account. PS rotated it at 23:30 UTC.

Likely cause

The functional account was onboarded as a managed account. Password Safe rotated the worker’s own password, but the functional-account record and queued change jobs still present the old secret — so every login the worker attempts now fails.

Diagnosis

Pattern is the tell: ALL accounts on ONE platform failing together points at the shared worker, not at individual accounts. Check the Managed Accounts grid for the FA’s name, then test the FA directly.

BeyondInsight > Managed Accounts (search svc_psafe_rotate) · then Configuration > Privileged Access Management > Functional Accounts > Test Functional Account
Fix

Remove svc_psafe_rotate from managed accounts and exclude it from the Smart Rule’s criteria. Reset its password in AD, update the same value on the functional-account record, and re-run Test Functional Account until green.

Verify

Force a password change on one managed account (Managed Accounts grid → Change Password) and watch it succeed; then confirm the failed-changes queue drains as the Password Change Agent retries.

Common mistake — "client credentials config not found"

Symptom: Test Functional Account fails on a Linux platform with Error: client credentials config not found, and rotations on those systems error out — while network and permissions test clean. Cause: the functional-account credential config is corrupted or incomplete (a real Beekeepers-forum case — not firewall, not sudoers). Fix: recreate the functional account record and re-assign it to the managed systems. Ten minutes of re-creation beats two days of packet captures.

Quick check · Q2 of 10

Karthik at ICICI wants "reliable" rotation, so he adds the AD functional account to Domain Admins AND onboards it as a managed account "so it rotates too". What is wrong?

Correct: d. Both moves are wrong. The FA needs delegated reset-password rights plus lockout-attribute read/write — Domain Admins is excess blast radius (only protected-group management needs extra delegation steps). And onboarding the FA as managed is the classic outage: PS rotates the worker’s own password and every rotation on the platform fails. Options a–c each bless at least one of the two mistakes.

Pause & Predict

Predict: a domain admin resets the functional account’s password directly in AD (outside Password Safe) during a security scare. What happens at the next scheduled rotation window, and where do you see it first? Type your guess.

Answer: Every rotation that uses that FA fails — Password Safe still presents the old password, so the worker can no longer log in anywhere. You see it first as a pile-up in the Password Change Agent’s failed-changes queue (and Test Functional Account goes red). Fix: update the FA record with the new password — and agree with the AD team that the worker’s credential changes only through a controlled process.

③ The request lifecycle — request, approve, checkout, rotate

Password Safe gives users one of four roles: Requestor (may ask), Approver (may grant), Requestor/Approver (both — though never self-approving the same request in a sane design), and ISAInformation Systems Administrator, the power-user role that skips approval entirely. A request names the system, the account, a Reason (maximum 200 characters — auto-filled from defaults, like a gate-pass register entry) and a duration.

The numbers to memorise, because MCQs and capacity planning both use them: default ReleaseDuration is 120 minutes, the hard ceiling is 525,600 minutes — exactly one year; the ISA’s own default is also 120. After approval, Retrieve Password displays the value for a maximum of 20 seconds per click (viewable again any time during the release). Check in early and the release ends early. If the account has Change Password After Release enabled, check-in queues an immediate rotation — the password Sneha saw is dead minutes later, like an OYO room code that changes the moment a guest checks out. Scheduled rotation, independently, fires at ChangeTime 23:30 UTC by default.

▶ Watch one credential go round the loop

Sneha at Infosys needs root on db-prod-01 (10.20.5.52) for a patch window. Press Play for the healthy path, then Break it to see the failure.

① Requestsneha.k → POST Requests { SystemID:124, AccountID:318, 120 min, "CHG0042117" }
② Approveaccess policy: Approvers=1 → karthik.r approves · Record session: ON
③ CheckoutGET Credentials/2231 → reveal 20 s · or proxy :4422 → db-prod-01
④ Check-inPUT Requests/2231/Checkin → Change Password After Release queues rotation
Press Play to step through the healthy path. Then press Break it.
Figure 3 — The request lifecycle, end to end
Four stages flow left to right: Sneha raises a request with reason and duration, an approver decision diamond, checkout where the password is revealed for 20 seconds or injected by the proxy, and check-in which queues immediate rotation by the functional account. A dashed ISA bypass lane skips the approval diamond. Leader lines call out the 200 character reason limit and the 20 second reveal window. Request → Approve → Checkout → Check-in + Rotate ① REQUEST Sneha picks system + account, gives reason, duration 120 min ② APPROVE access policy decides: 1 / dual / auto-approve ③ CHECKOUT reveal in portal, OR proxied SSH/RDP session exclusive or concurrent ④ CHECK-IN release ends — rotation queued, FA re-keys the account ISA role: POST ISARequests — no approval, straight to the credential Reason: max 200 characters Retrieve Password shows it for max 20 s defaults to memorise: ReleaseDuration 120 min · MaxReleaseDuration 525,600 min (1 year) · ISAReleaseDuration 120 min · scheduled ChangeTime 23:30 UTC · connection timeout 30 s key insight: with Change Password After Release ON, checking in early KILLS the password early — like an OYO door code that changes the moment the guest checks out.
Left to right: request (reason ≤200 chars) → approval diamond (the access policy decides) → checkout (20-second reveal or proxied session) → check-in queues rotation. The dashed blue lane is the ISA bypass — straight to the credential, zero approvals.

Who else can hold the same credential at the same time? That is the exclusive vs concurrent decision, set per access type on the access policy. The schedule block for each access type — View Password, RDP, SSH, Application — carries its own fields: Approvers (how many must say yes), Auto Approve, Record session, Keystroke Logging, Concurrent (1 = exclusive, or more, or Unlimited) and Force Termination. Exclusive checkout means the second engineer waits — exactly like a library book already issued. Concurrent suits read-only service consoles; production root should almost always be exclusive, so the audit trail maps one human to one session.

🖥️ The policy that decides approvals and exclusivity — BeyondInsight → Configuration → Privileged Access Management Policies → Access Policies, schedule block for the SSH access type. (Recreated for clarity — your console matches this.)
bi.icicilab.local · Configuration → Privileged Access Management Policies → Access Policies
1
Access Type
SSH
2
Approvers
1
Auto Approve
Off
3
Record session
Yes
Keystroke Logging
On
4
Concurrent
1 (exclusive)
Force Termination
On
Create Access Policy

The API mirrors the human flow one-for-one, which is why learning the portal teaches you the API for free: POST Auth/SignAppIn opens a session (state is kept between calls), POST Requests raises the request, GET Credentials/{requestId} retrieves the secret after approval, PUT Requests/{requestId}/Checkin releases it. The ISA shortcut is its own endpoint — POST ISARequests hands back the credential in one call, no approval. Think of the ISA as the senior doctor’s all-access hospital pass: reception (approvers) is for visitors.

Password Safe API · the full request lifecycle (base /BeyondTrust/api/public/v3)
# 1. sign in once - session state persists across calls
POST /BeyondTrust/api/public/v3/Auth/SignAppIn
Authorization: PS-Auth key=<128-char-key>; runas=icici\sneha.k;

# 2. raise the request (system 124, account 318, 120 minutes)
POST /BeyondTrust/api/public/v3/Requests
{ "SystemID": 124, "AccountID": 318, "DurationMinutes": 120,
  "Reason": "CHG0042117 - DB patch window" }

# 3. after approval: retrieve, work, then check in
GET /BeyondTrust/api/public/v3/Credentials/2231
PUT /BeyondTrust/api/public/v3/Requests/2231/Checkin
Expected output
200 OK            (SignAppIn - session established)
201 Created  →  2231              (the request ID)
200 OK       →  "vR9!xK...Qq2#"   (the released password)
204 No Content                    (checked in - rotation queued)
Pro tip — the lifecycle in one breath

For any checkout question ask three things in order: (1) who may ask and who must say yes? → roles + the access policy’s Approvers/Auto Approve; (2) how long and how many at once? → release duration + Concurrent; (3) what happens at check-in? → Change Password After Release. If you can answer those three for any account, you can answer almost every lifecycle interview question.

Quick check · Q3 of 10

Aditya at Airtel checks out a router credential with all defaults. How long is the release, and what is the absolute maximum a release duration could ever be configured to?

Correct: a. API-verified defaults: ReleaseDuration defaults to 120 minutes and the range tops out at 525,600 minutes — exactly one year. The other options are plausible-sounding round numbers, which is exactly why exams use them; "unlimited" is wrong because the ceiling is finite and enforced.

Pause & Predict

Predict: Sneha retrieves a password at 10:00 with a 120-minute release, finishes early and checks in at 10:25. Change Password After Release is ON. When does the password she saw stop working — 12:00 or ~10:25? Type your guess.

Answer: About 10:25 — check-in ends the release early AND queues the rotation immediately; the Password Change Agent picks it up within its cycle. She does not keep a live credential until 12:00. That is the whole point of rotate-on-check-in: the exposure window is the time she actually held it, not the time she booked.
👉 So far: request → approve (access policy decides) → checkout (120 min default, 20 s reveal) → check-in triggers rotation; ISA skips approval. Last stop: the three ways a credential physically reaches its consumer — and how cloud reaches on-prem.

④ Where credentials flow — reveal, proxy, API, and the road to cloud

A credential leaves the vault through one of three doors, and choosing the right door per consumer is real architecture work. Door 1 — portal reveal: the human reads the password (20-second display) and types it somewhere. Maximum exposure: it can be noted down, shoulder-surfed, keylogged. Door 2 — proxied session: the user connects to Password Safe’s session proxy — SSH on 4422, RDP on 4489 (session-monitoring listener on 4488) — authenticates as herself, and the proxy injects the managed credential into the connection. The admin never sees the password; there is nothing to leak, and the session is recorded. Door 3 — API retrieval: applications fetch secrets programmatically — which needs an API registration, Enable for API Access switched on for the account, and a Requestor or ISA role for the runas user. No human in the loop at all.

SSH Direct Connect · through the session proxy (port 4422 — never 22)
# pattern: ++@
ssh -p 4422 sneha.k+dbadmin@icici.local+db-prod-01@psafe.icicilab.local
Expected output
sneha.k@psafe.icicilab.local’s password: ********
[Password Safe] approved request found - injecting credential for dbadmin
[Password Safe] session recording: ON (keystrokes logged)
dbadmin@db-prod-01:~$
Figure 4 — Three doors out of the vault
The vault on the left has three exit paths: portal reveal where a human sees the password for 20 seconds, the session proxy on ports 4422 and 4489 which injects the credential so the admin never sees it, and API retrieval where applications fetch credentials with a PS-Auth header. A bottom strip shows Password Safe Cloud reached by an on-prem Resource Broker that dials outbound on port 443 only. Three doors out of the vault VAULT managed account passwords (AES-256) DOOR 1 · portal reveal — human SEES the password Retrieve Password shows it max 20 s · human can note it down → most exposure pair with Change Password After Release so the seen value dies on check-in DOOR 2 · proxied session — password NEVER seen user connects to the proxy: SSH 4422 · RDP 4489 (monitoring listener 4488) proxy injects the credential + records the session — nothing to keylog or leak DOOR 3 · API retrieval — applications, no human Authorization: PS-Auth key=…; runas=…; → GET /Credentials/{requestId} needs API registration + Enable for API Access on the account + a PS role PS Cloud · 203.0.113.10 site.ps.beyondtrustcloud.com Resource Broker (on-prem) runs discovery · rotation · proxy locally dials OUT · 443 only — zero inbound holes targets: 10.20.5.0/24 untrusted/attackertrusted/vaultedpolicy/decisionkey insightallowed/audited
Read top to bottom: reveal (amber — a human sees it), proxy (green — injected, recorded, never seen), API (blue — applications). The bottom strip shows the cloud pattern: the on-prem Resource Broker dials OUT on 443; nothing dials in.

Below the doors sits a routing layer you meet the day your deployment grows past one team: workgroups. Every managed system and account carries a WorkgroupID; worker nodes are assigned to workgroups so "a worker node only processes tasks for that group’s managed accounts". In multi-tenant builds each organization needs at least one worker node — and a worker node belongs to exactly one organization. Wipro running PAM-as-a-service for three clients = three organizations, three (or more) worker nodes, zero cross-tenant rotation traffic.

Finally, the question every firewall team asks about Password Safe Cloud: "what do we open inbound?" Answer: nothing. You install Resource Brokers on-prem; each dials outbound on 443 to your cloud site at <yoursite>.ps.beyondtrustcloud.com and pulls work down. A broker installs nine services covering the four local jobs: directory authentication, discovery, credential rotation and the session proxy. Brokers group into resource zones (the built-in Default zone cannot be edited; up to 50 more; 200 brokers max; run 2+ per zone for redundancy; 16 GB RAM minimum each). It is the Delhivery local-hub pattern: the warehouse (cloud) never enters your society — the hub inside the gate dials out to fetch jobs, and the gate stays closed inbound.

Quick check · Q4 of 10

Password Safe Cloud must rotate passwords on servers inside ICICI’s data centre. The firewall team asks which ports to open INBOUND from the cloud. What do you tell them?

Correct: c. The Resource Broker model is outbound-only: brokers connect out on 443 to .ps.beyondtrustcloud.com and do the rotation/proxy work locally. No inbound holes at all. Options a, b and d all reflect VPN-era thinking — if your answer to a SaaS PAM question involves opening inbound ports, re-check the connector architecture first.

Pause & Predict

Predict: in a proxied RDP session through port 4489, where does the real password actually travel — and what does Sneha type to authenticate? Type your guess.

Answer: The password travels only from the vault to the proxy, which injects it into the RDP handshake with the target. It never reaches Sneha’s laptop, screen or clipboard. She authenticates to Password Safe as HERSELF (her own identity, possibly with MFA) — which is also why the audit trail can say "Sneha did this", not "someone with the shared admin password did this".
Figure 5 — Password Safe architecture — your one-glance card
An eight-tile cheat sheet: the trinity of managed system, managed account and functional account; the mandatory setup order; the request lifecycle; the numeric defaults; the proxy ports; the API quick reference; the four Password Safe roles; and the console menu paths. Password Safe architecture — your one-glance card THE TRINITY managed system = the box · managed account = the credential functional account = the worker that rotates it never onboard the FA as a managed account SETUP ORDER (docs: must be in order) 1 functional account → 2 password policy → 3 assets → 4 managed systems → 5 managed accounts → 6 Smart Rules, access policies, roles — no accounts before systems LIFECYCLE request (reason ≤200 chars) → approve (per access policy) → checkout (reveal 20 s / proxy / API) → check-in → rotate on release · ISA = instant, approval-less DEFAULTS ReleaseDuration 120 min · max 525,600 min (1 yr) ChangeTime 23:30 UTC · connection timeout 30 s ChangeFrequencyType: first / last / xdays PORTS SSH proxy 4422 · RDP proxy 4489 · monitoring 4488 Resource Broker → cloud: outbound 443 ONLY never answer 22 / 3389 — the proxy fronts them API QUICK REF /BeyondTrust/api/public/v3 · PS-Auth key + runas SignAppIn → Requests → Credentials/{id} → Checkin ISARequests = credential with zero approval ROLES Requestor · Approver · Requestor/Approver · ISA (Information Systems Administrator — no approval) workgroup ties systems to ONE org's worker node CONSOLE PATHS Configuration → Privileged Access Management → Functional Accounts Configuration → Privileged Access Management Policies → Access Policies left menu: Managed Systems · Managed Accounts · Smart Rules
The whole lesson on one card: trinity, setup order, lifecycle, defaults, ports, API, roles, console paths. Keep it open during your first lab and revisit it the night before any PAM interview.
Prove you own the architecture

Take any real ask — "give the DB vendor 2 hours of root on db-prod-01, with full audit" — and answer cold: the trinity members involved (system db-prod-01, account root, the Linux FA), the door (proxied SSH via 4422 with injection, never reveal), the policy settings (1 approver, Record session ON, Concurrent 1, 120-min release), and what happens at check-in (rotation, because Change Password After Release). If you can do that without notes, section ⑤’s Smart Rules will feel easy.

🎮 Hands-on: BeyondTrust PAM Essentials roomRecap: BeyondInsight platform deep-dive
👉 Full picture: trinity (system / account / FA) → mandatory setup order → request-approve-checkout-rotate → three doors (reveal / proxy / API) → workgroups route work, Resource Brokers reach cloud targets outbound-only. Next lesson: the automation that onboards thousands of accounts — discovery and Smart Rules.

🤖 Ask the AI Tutor

Tap any question — instant, scoped to this lesson. No login, no waiting.

Pre-curated from BeyondTrust docs + community Q&A, scoped to this lesson. For a live prod issue, paste your export into chat.techclick.in.

📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Remember

In Password Safe terms, what exactly is a managed account?

Correct: c. A managed account is the protected credential on a managed system — vaulted, released on request, rotated after use. Option a describes the functional account (the worker), b describes a console user, and d describes infrastructure plumbing, not a vaulted credential.
Q6 · Apply

Sneha at Infosys must bring 40 new Linux servers under Password Safe. Which sequence is the docs-mandated order?

Correct: a. The Getting Started guide is explicit that the steps must be completed in the order presented: functional account → password policy → assets → managed systems → managed accounts → Smart Rules/access policies/roles. Accounts cannot be onboarded before systems, and account onboarding is blocked until the platform has a functional account — which rules out every other option.
Q7 · Apply

Priya’s payment app at Flipkart must fetch a database password programmatically every night — no human, no approval click. What does she need?

Correct: d. API retrieval is door 3: an API registration supplies the 128-char key for the PS-Auth header, the managed account must have Enable for API Access switched on, and the runas user needs a Password Safe role — ISA fits the no-approval requirement. Option a misuses roles, b confuses the RDP proxy port with API access, and c re-creates the hard-coded-secret problem PAM exists to kill.
Q8 · Analyze

At 06:00 Monday, ALL Windows-platform rotations at TCS show failures piling up since 23:30 UTC — Linux rotations are fine. Friday, a teammate ran a broad Smart Rule that onboarded "all svc_* accounts" as managed. Most likely root cause?

Correct: b. One platform failing wholesale right after a scheduled change window, following a sweep of svc_* accounts, is the signature of the FA-onboarded-as-managed failure: the worker’s own password was rotated, so every job it runs now fails. The proxy port (a) affects sessions, not rotations; release duration (c) affects checkouts; broker disk (d) would not select only Windows rotations at exactly ChangeTime.
Q9 · Analyze

A user checked a Windows password back in an hour ago, but the old password still works on the target. Security is alarmed. What is the most likely explanation?

Correct: d. Rotation at check-in is a per-account setting (Change Password After Release) plus a queued job the Password Change Agent processes — it is not automatic magic on every account, and it is not instantaneous. Check the setting first, then the change-agent queue. Option a inverts how the agent works, b misstates what ISA does (skips approval, not rotation), and c invents a failure mode — the portal simply limits Reason to 200 characters.
Q10 · Evaluate

Two designs for 200 external DB vendors at ICICI: (A) vendors retrieve passwords via portal reveal with 8-hour releases for convenience; (B) vendors get proxied SSH sessions with credential injection, exclusive access, recording, and rotate-on-check-in. Which is stronger, and why?

Correct: b. Design B removes the secret from human hands entirely: nothing to keylog, note down or reuse after the window; exclusive access keeps the audit trail attributable; rotation on check-in closes the loop. Design A hands 200 external parties readable credentials for 8 hours — a leak surface no password policy compensates for, and contracts (c) do not stop a compromised vendor laptop. "Equivalent" (d) ignores exposure asymmetry entirely.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the path that tripped you up and tap "Try again".

🧠 In your own words

Type one line: In one line: why must the functional account never be onboarded as a managed account? Then compare to the expert version.

Expert version: Because the functional account is the worker that performs every rotation — if Password Safe rotates the worker’s own password, the stored FA credential and queued change jobs drift out of sync (the docs say passwords could fail to synchronize), and every rotation on that platform fails at once.

🗣 Teach a friend

Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.

📖 Glossary

Managed system
Any computer or device where Password Safe maintains account passwords — Windows, Linux, AD domain, database, network device, cloud.
Managed account
The privileged credential ON a managed system whose password Password Safe stores, releases and rotates.
Functional account
The worker credential Password Safe uses to log in and change other accounts’ passwords — created first, never checked out, never managed itself.
BeyondInsight
The management platform Password Safe runs on: assets, discovery, Smart Rules, reporting — one web console, two layers.
Access policy
Defines when and how users may request passwords or sessions — approvers, auto-approve, recording, concurrency, force-termination, per access type.
Release duration
How long a checked-out credential stays yours — default 120 minutes, maximum 525,600 minutes (one year).
Change Password After Release
Managed-account setting that queues a rotation the moment the credential is checked back in — the seen value dies.
ISA
Information Systems Administrator — Password Safe role that retrieves credentials instantly via ISARequests, with no approval step.
Session proxy
Password Safe’s man-in-the-middle for SSH (4422) and RDP (4489): injects the credential and records the session; the user never sees the password.
Resource Broker
On-prem worker for Password Safe Cloud — dials outbound 443 to the cloud site and runs discovery, rotation, directory auth and session proxy locally.
Workgroup
Assignment unit tying managed systems/accounts to a worker node — in multi-tenant builds, one organization per worker node.
Smart Rule
Continuously re-evaluated IF/THEN rule that auto-onboards discovered assets and accounts; its settings override per-account edits.

📚 Sources

  1. BeyondTrust Docs — Password Safe Getting Started (canonical setup order; managed system / managed account / functional account definitions). docs.beyondtrust.com/bips/docs/ps-getting-started
  2. BeyondTrust Docs — BeyondInsight & Password Safe API usage + Password Safe API reference (PS-Auth header, SignAppIn, Requests → Credentials → Checkin, ISARequests; defaults 120 / 525600 / 23:30 / 30 s). docs.beyondtrust.com/bips/reference/beyondinsight-and-password-safe-api-usage · docs.beyondtrust.com/bips/v24.3/docs/password-safe-api
  3. BeyondTrust Docs — Functional Accounts (create path Configuration > Privileged Access Management > Functional Accounts; Entity Type / Platform fields; Entra ID functional-account fields). docs.beyondtrust.com/bips/v24.3/docs/pathfinder-functional-accounts
  4. BeyondTrust Docs — Password Safe SSH/RDP connections (proxy ports 4422 / 4489 / 4488; Direct Connect string syntax). docs.beyondtrust.com/bips/docs/ps-ssh-rdp-connections
  5. BeyondTrust Docs — Password Safe Cloud Resource Broker installation (resource zones, nine services, outbound-443-only model, 16 GB RAM minimum, 200-broker cap). docs.beyondtrust.com/bips/docs/ps-cloud-resource-broker-install
  6. BeyondTrust Beekeepers community — functional account rights & never manage the FA (threads 5632 / 5880); "client credentials config not found" war story (thread 6090); FA password change breaking rotation (thread 7038). beekeepers.beyondtrust.com
  7. BeyondTrust Docs — BeyondInsight and Password Safe 25.2 release notes (current version line, Windows Server 2025 support). docs.beyondtrust.com/bips/changelog/beyondinsight-and-password-safe-25-2-release-notes
  8. BeyondTrust University — Get Certified (Password Safe Administration cert: 40 questions, 75% pass, two attempts) + PeerSpot Password Safe reviews (asset-based licensing vs CyberArk per-user). beyondtrust.com/services/beyondtrust-university/get-certified · peerspot.com/products/beyondtrust-password-safe-pros-and-cons

What's next?

You now know the trinity and the lifecycle — but nobody onboards 5,000 accounts by hand. Next: discovery scans that find every unmanaged credential in the estate, and the Smart Rules that onboard them automatically (and the overwrite loop that melts an Omni Worker).

Next · Discovery & auto-onboarding with Smart Rules → Practice on exam.techclick.in →