Summary
This guide covers how the Owner of a Secrets Safe folder can manage which users have access to the secrets stored in their safe.
What is Secrets Safe?
BeyondTrust's Secrets Safe is a tool for managing access to sensitive credentials that need to be shared between USNH staff for externally-managed resources. Examples of shared sensitive credentials might be:
- Social Media Accounts
- Non-Managed Root Application Users
- Cloud Service Providers
- Website Hosting and Domain Registrars
- Email Marketing Platforms
- Payment Processors
- CRM Systems
- Project Management Tools
- File Storage and Sharing Services
- VPN Services
- API Keys
- Database Services
- Development Tools
- Analytics Platforms
- Subscription Services
Secrets Safe Owners manage who has access to the secrets stored in their safe.
Note: Access is controlled via Active Directory group membership; the groups are present in the Secrets Safe as "folders". To access secrets, a user must be a member of the AD group associated with that folder.
Accessing Secrets Safe
Instructions
Step 1 - Log in to BeyondInsight by BeyondTrust with your USNH username@usnh.edu, password, and MFA if required.
Step 2 - Click on "Secrets Safe" with the icon of a safe.
The left side of the Secrets Safe screen lists a folder for each AD security group. Each folder can contain multiple types of secrets.
Note: If the folder does not appear in the list, then the security group doesn’t exist yet. Submit a TeamDynamix ticket request to create the desired new security group. Once the security group is created, it will show up as a folder in the list.
Generally speaking, AD security groups are based on factors such as employment type, department, security clearance, or membership in a collaborative team. However, a security group can also be tied to the specific type of access a user is granted when they are added to it, e.g. read-write access to a Word document.
Managing Users
To View Who Has Access To The Group
Step 1 - Log in to BeyondInsight by BeyondTrust and navigate to the Secrets Safe, then click the folder you wish to inspect.
Step 2 - Click on the three dots on the far right.
Step 3 - Click Edit Secret in the drop-down menu.
Step 4 - Click the Manage Ownership link.
- This screen will show a list of all users with access.
- Owners of that secrets folder have a check mark by their name; people who can only use (not manage) items in that secrets folder do not have a check mark.
Step 5 - Click Discard Changes on both screens to back out of viewing the group membership.
To Add or Remove a User
To add or remove a user from a group, first identify the folder associated with the user. Then, submit a TeamDynamix ticket requesting the addition or removal of the user from the relevant security group. The name of the folder must be included in the ticket.
In the TDx ticket, please include:
- Folder name
- Username of the user
- Action: addition or removal
The folder name is all of the text that follows "ad.unh.edu\". This is what must be included in the TDx ticket.
Need additional help?
If you have any additional questions, please submit a TeamDynamix ticket request with as much detail as possible.