Stitchflow

BeyondTrust User Management Guide

Manual workflow

How to add, remove, and manage users with operational caveats that matter in production.

Updated Mar 4, 2026

Summary and recommendation

BeyondTrust user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.

BeyondTrust is an enterprise Privileged Access Management (PAM) platform covering Privileged Remote Access, Remote Support, and Password Safe. User management is handled through the administrative console at `https://<appliance-hostname>/login`, under Management > Users & Security > User Accounts - though the exact path varies by product line.

Every product in a BeyondTrust deployment gates access through group policies, which means a user with no group policy assigned can authenticate but has no functional permissions, regardless of whether the account is enabled.

Quick facts

  • Admin console path: /login > Management > Users & Security > User Accounts (path varies by product: Remote Support, Privileged Remote Access, or Password Safe)
  • Admin console URL: `https://<appliance-hostname>/login` (see the official docs for your product line)
  • SCIM available: Yes
  • SCIM tier required: Enterprise
  • SSO prerequisite: Yes

User types and roles

Administrator

  • Permissions: Full access to all administrative functions including user management, system configuration, policy management, and reporting across the BeyondTrust appliance.
  • Cannot do: Nothing is restricted; administrator accounts are unrestricted.
  • Plan required: All plans
  • Seat cost: Counts as a named user license
  • Watch out for: Administrator accounts have unrestricted access; BeyondTrust recommends limiting the number of administrator accounts and using least-privilege group policies for standard users.

Regular User (Representative/Operator)

  • Permissions: Access to sessions, vaults, or managed accounts as defined by assigned group policies. Permissions are granular and controlled via group policy assignments.
  • Cannot do: Cannot access administrative console functions unless explicitly granted via group policy. Cannot modify system-level settings.
  • Plan required: All plans
  • Seat cost: Counts as a named user license
  • Watch out for: Permissions are additive via group policies; a user with no group policy assigned has minimal or no functional access.

Privileged Account (Password Safe)

  • Permissions: Access to managed accounts and credentials as defined by Smart Rules and role assignments (Requester, Approver, Credential Manager, ISA).
  • Cannot do: Cannot approve their own access requests if configured with a dual-control workflow.
  • Plan required: Password Safe license required
  • Seat cost: Separate Password Safe user license
  • Watch out for: Password Safe uses Smart Rules to dynamically assign which accounts a user can access; misconfigured Smart Rules can inadvertently grant or deny access.

API Service Account

  • Permissions: Programmatic access via the BeyondTrust API for integrations and automation. Permissions are scoped to the API roles assigned.
  • Cannot do: Cannot log into the interactive admin console as a human user.
  • Plan required: API access requires the appropriate license tier; SCIM requires Enterprise.
  • Seat cost: Not listed.
  • Watch out for: API accounts must have OAuth client credentials configured; SCIM provisioning requires SSO/SAML to be configured first.

Permission model

  • Model type: hybrid
  • Description: BeyondTrust uses a hybrid model combining predefined roles (Administrator, Regular User) with highly granular group policies. Group policies control specific feature permissions (session types, vault access, reporting, etc.) and are assigned to users or synced from directory groups. In Password Safe, role-based assignments (Requester, Approver, Credential Manager, ISA) are layered on top of Smart Rules that define which managed accounts are accessible.
  • Custom roles: Yes
  • Custom roles plan: Available across standard licensing; group policies function as custom roles and can be created without additional cost
  • Granularity: High granularity: individual permissions can be set per group policy including session recording access, file transfer, clipboard use, chat, reporting, vault access, jump item access, and more. Smart Rules in Password Safe provide dynamic, attribute-based access control.

How to add users

  1. Log in to the BeyondTrust administrative interface at `https://<appliance-hostname>/login`.
  2. Navigate to Management > Users & Security > User Accounts.
  3. Click 'Create New User' (or 'Add' depending on product version).
  4. Enter required fields: username, display name, email address, and password (for local accounts).
  5. Select account type: Local, LDAP/Active Directory, RADIUS, SAML, or SCIM-provisioned.
  6. Assign the user to one or more Group Policies to grant functional permissions.
  7. Optionally configure two-factor authentication settings for the account.
  8. Save the user account. The user can then log in with the configured credentials.

Required fields: Username, Display Name, Email Address, Password (for local accounts), Account Type (local or directory-based)

Watch out for:

  • A user with no group policy assigned will have no functional permissions beyond basic login.
  • For LDAP/AD users, the directory must be configured under Management > Users & Security > Security Providers before users can be added.
  • SAML/SCIM users are provisioned automatically on first login or via SCIM push; manual creation is not required but group policy mapping must be pre-configured.
  • Username must be unique across the appliance; duplicate usernames from different directories can cause conflicts.
  • Two-factor authentication enforcement is configured at the group policy level, not per individual user.

Bulk options:

  • CSV import: No (not documented)
  • Domain whitelisting: No (no automatic domain-based user add)
  • IdP provisioning: Yes, Enterprise (SCIM requires the Enterprise tier and SSO as a prerequisite; LDAP/AD sync is available on standard tiers)
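Because there is no documented CSV import, a batch of local or directory accounts is usually driven by a script or entered by hand, and the watch-outs above (unique usernames, a configured security provider for directory users, at least one existing group policy per user) are easy to miss row by row. The following pre-flight validator is an added example, not code from BeyondTrust or Stitchflow: it applies those checks to a constructed batch before anything is created. The CSV columns, the provider and group-policy names, and the "already configured" inventory sets are all assumptions for illustration; for SAML/SCIM rows the check covers only the group policy mapping, since those users are created on first login or by IdP push rather than manually.

```python
"""Pre-flight validation for a batch of BeyondTrust user-account requests.

Added example (not BeyondTrust's or Stitchflow's code). Inventory sets and the
CSV layout are constructed assumptions; in practice they would be read from
Management > Users & Security on the appliance.
"""
import csv
import io
from collections import Counter

# Constructed inventory of what the appliance already has configured.
CONFIGURED_SECURITY_PROVIDERS = {"corp-ldap", "corp-saml"}
CONFIGURED_GROUP_POLICIES = {"Administrators", "Helpdesk", "Vault Users"}
EXISTING_USERNAMES = {"jdoe"}  # already present on the appliance, from any source

DIRECTORY_TYPES = {"ldap", "ad", "radius", "saml", "scim"}

# Constructed batch; group_policies is a ';'-separated list.
SAMPLE_BATCH = """\
username,display_name,email,account_type,security_provider,password,group_policies
asmith,Alice Smith,asmith@example.com,local,,Tmp-Pass-123!,Helpdesk
bjones,Bob Jones,bjones@example.com,ldap,corp-ldap,,Helpdesk;Vault Users
jdoe,Jane Doe,jdoe@example.com,ldap,corp-ldap,,Helpdesk
cwu,Carol Wu,cwu@example.com,local,,Tmp-Pass-456!,
dlee,Dan Lee,dlee@example.com,ldap,legacy-ldap,,Helpdesk
elam,Eve Lam,elam@example.com,saml,corp-saml,,Admins
"""


def validate_row(row, seen_usernames):
    """Return a list of human-readable problems for one request row (empty = OK)."""
    problems = []
    username = row["username"].strip()
    acct = row["account_type"].strip().lower()

    for name in ("username", "display_name", "email"):
        if not row[name].strip():
            problems.append(f"missing required field '{name}'")

    # Usernames must be unique across the appliance, whatever directory they come from.
    if username in EXISTING_USERNAMES or seen_usernames[username] > 1:
        problems.append("username not unique across the appliance")

    if acct == "local":
        if not row["password"].strip():
            problems.append("local account needs an initial password")
    elif acct in DIRECTORY_TYPES:
        # Directory users need their security provider configured before they can be added.
        provider = row["security_provider"].strip()
        if provider not in CONFIGURED_SECURITY_PROVIDERS:
            problems.append(f"security provider '{provider or '(blank)'}' is not configured")
    else:
        problems.append(f"unknown account_type '{acct}'")

    # No group policy means the account can log in but do nothing useful.
    policies = [p.strip() for p in row["group_policies"].split(";") if p.strip()]
    if not policies:
        problems.append("no group policy assigned; user would have no functional permissions")
    for p in policies:
        if p not in CONFIGURED_GROUP_POLICIES:
            problems.append(f"group policy '{p}' does not exist")
    return problems


def validate_batch(csv_text):
    """Validate every row; return {username: [problems]} for rows that must not be created."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    seen = Counter(r["username"].strip() for r in rows)
    rejected = {}
    for r in rows:
        problems = validate_row(r, seen)
        if problems:
            rejected[r["username"].strip()] = problems
    return rejected


if __name__ == "__main__":
    for user, why in validate_batch(SAMPLE_BATCH).items():
        print(f"REJECT {user}: " + "; ".join(why))
```

Run against the constructed batch, only asmith and bjones pass; the other four rows each trip exactly one of the watch-outs listed above, and the duplicate-username check fires even though the conflicting account comes from a different source.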

How to remove or deactivate users

  • Can delete users: Yes
  • Delete/deactivate behavior: BeyondTrust supports both disabling (deactivating) and deleting user accounts. Disabling prevents login while preserving the account record and associated audit logs. Deleting permanently removes the account. For audit and compliance purposes, disabling is generally recommended over deletion. SCIM-provisioned users are deprovisioned (disabled) when removed from the IdP.

To disable a user manually:

  1. Log in to the BeyondTrust administrative interface.
  2. Navigate to Management > Users & Security > User Accounts.
  3. Locate the user account to deactivate.
  4. Click on the user account to open the edit view.
  5. Uncheck or toggle the 'Account Enabled' option (or set the account to the disabled state).
  6. Save changes. New logins are blocked immediately; sessions that are already active are not terminated (see the data impact and watch-outs below).

Data impact:

  • Owned records: Session logs, audit trails, and recordings associated with the user are retained and remain accessible to administrators after deactivation or deletion.
  • Shared content: Jump Items (remote access shortcuts) created by the user remain in the system and can be reassigned to other users or groups.
  • Integrations: API credentials and OAuth tokens associated with the account are invalidated upon deletion. SCIM-deprovisioned accounts lose access immediately upon IdP push.
  • License freed: Disabling or deleting a user account frees the named user license seat, making it available for reassignment.

Watch out for:

  • Deleting a user account is irreversible; audit log entries referencing the deleted user may show orphaned references.
  • SCIM deprovisioning disables the account but may not fully delete it depending on configuration; administrators should verify the account state after IdP removal.
  • If a user is the sole member of a group policy or Jump Group, removing them does not delete the group; orphaned groups should be reviewed periodically.
  • Active sessions are not automatically terminated when an account is disabled; administrators should manually terminate active sessions before disabling.
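The ordering matters here: disabling the account alone leaves live sessions running, API credentials are only documented as invalidated on delete, and Jump Items and groups outlive their owner. The planner below is an added example, not BeyondTrust's or Stitchflow's code. It takes a constructed snapshot of appliance state (session, Jump Item, credential and group membership inventories are assumptions about what you would pull from the console or API) and emits the steps in the order that actually cuts access, preferring disable over delete and flagging any group policy or Jump Group that would be left empty.

```python
"""Ordered offboarding plan for one BeyondTrust user.

Added example (not BeyondTrust's or Stitchflow's code). The Inventory snapshot
is constructed; the field names are assumptions about how you would export
session, Jump Item, API credential and group membership data.
"""
from dataclasses import dataclass, field


@dataclass
class Inventory:
    """Snapshot of appliance state relevant to offboarding (constructed)."""
    active_sessions: dict = field(default_factory=dict)        # session_id -> owner
    jump_items: dict = field(default_factory=dict)             # jump_item -> owner
    api_credentials: dict = field(default_factory=dict)        # client_id -> owner
    group_policy_members: dict = field(default_factory=dict)   # policy -> set(users)
    jump_group_members: dict = field(default_factory=dict)     # group -> set(users)


def offboarding_plan(user, inv, reassign_to):
    """Return (actions, warnings): ordered steps to cut access, plus orphaned groups."""
    if reassign_to == user:
        raise ValueError("cannot reassign Jump Items to the user being offboarded")
    actions, warnings = [], []

    # 1. Disabling does not end live sessions, so terminate them first.
    for sid, owner in sorted(inv.active_sessions.items()):
        if owner == user:
            actions.append(f"terminate session {sid}")

    # 2. Credentials are documented as invalidated on delete; when only disabling,
    #    revoke them explicitly so automation keyed to this user stops too.
    for cid, owner in sorted(inv.api_credentials.items()):
        if owner == user:
            actions.append(f"revoke API credential {cid}")

    # 3. Jump Items survive the user; hand them to a named owner rather than leaving them ownerless.
    for item, owner in sorted(inv.jump_items.items()):
        if owner == user:
            actions.append(f"reassign jump item {item} to {reassign_to}")

    # 4. Disable rather than delete so audit log references stay resolvable.
    actions.append(f"disable account {user}")
    actions.append(f"verify {user} cannot log in and has no active sessions")

    # 5. Groups are not removed with their last member; surface what would be orphaned.
    for kind, members in (("group policy", inv.group_policy_members),
                          ("jump group", inv.jump_group_members)):
        for name, users in sorted(members.items()):
            if user in users and users == {user}:
                warnings.append(f"{kind} '{name}' will have no members")
    return actions, warnings


# Constructed sample state: bjones has a live session, one credential, one Jump Item,
# and is the sole member of one group policy and one Jump Group.
SAMPLE_INVENTORY = Inventory(
    active_sessions={"s-1042": "bjones", "s-1043": "asmith"},
    jump_items={"db-prod-01": "bjones", "web-01": "asmith"},
    api_credentials={"client-7f3a": "bjones"},
    group_policy_members={"Helpdesk": {"bjones", "asmith"}, "DBA Vault": {"bjones"}},
    jump_group_members={"Prod DB": {"bjones"}},
)

if __name__ == "__main__":
    steps, warn = offboarding_plan("bjones", SAMPLE_INVENTORY, reassign_to="asmith")
    for i, s in enumerate(steps, 1):
        print(f"{i}. {s}")
    for w in warn:
        print(f"WARNING: {w}")
```

The verification step at the end is deliberate: the page notes that SCIM deprovisioning may leave the account in a different state than expected, so a manual or IdP-driven removal should end with a check of the account state and the session list, not with the disable click.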

License and seat management

Seat types:

  • Named User License (Remote Support / Privileged Remote Access): One concurrent or named user seat for the Remote Support or PRA product. Includes access to sessions, Jump Items, and features as permitted by group policy. Cost: included in the product subscription; pricing is quote-based. Remote Support starts at approximately $1,995/month.
  • Password Safe User License: Access to Password Safe managed accounts and credential vaulting features. Separate from Remote Support/PRA licensing. Cost: quote-based; part of enterprise PAM suite pricing ($75,000+/year reported for the full suite).
  • Endpoint Privilege Management (EPM) License: Per-endpoint license for least-privilege and application control on Windows/Mac endpoints. Cost: quote-based; sold per endpoint.
  • Where to check usage: Management > Licensing (within the BeyondTrust administrative console) shows current license usage, seat counts, and expiration dates.
  • How to identify unused seats: Administrators can review the Last Login date column in Management > Users & Security > User Accounts to identify accounts that have not been used recently. No automated unused-seat reporting tool is documented in official sources.
  • Billing notes: BeyondTrust licensing is quote-based and negotiated directly with BeyondTrust or authorized resellers. Discounts of 40-60% have been reported on Password Safe in community sources. License counts are enforced at the appliance level; exceeding licensed seat counts may prevent new user logins. Annual true-up or subscription renewal is standard.
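Since no unused-seat report is documented, the practical approach is to work from the Last Login column the User Accounts grid does show. The script below is an added example, not part of the page or the product: it reads a constructed export of that grid (the column names are an assumption about how you export or transcribe it), skips disabled accounts because those have already freed their seat, treats accounts that have never logged in as stale, and lists administrator accounts first since those are the ones the role table above says to keep to a minimum.

```python
"""Stale-seat report from an exported BeyondTrust user list.

Added example (not BeyondTrust's or Stitchflow's code). SAMPLE_EXPORT is a
constructed transcription of the User Accounts grid; the column names are
assumptions.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed export; last_login is ISO 8601 or "never".
SAMPLE_EXPORT = """\
username,enabled,administrator,last_login
asmith,true,false,2026-02-27T09:12:00Z
bjones,true,false,2025-10-01T14:00:00Z
cwu,true,true,never
dlee,false,false,2025-08-15T08:30:00Z
elam,true,true,2026-03-01T16:45:00Z
svc-scim,true,false,2026-03-03T00:05:00Z
"""

NOW = datetime(2026, 3, 4, tzinfo=timezone.utc)  # fixed "now" so the report is reproducible


def parse_last_login(value):
    """Return an aware datetime, or None if the account has never logged in."""
    v = value.strip()
    if v.lower() in ("", "never", "null"):
        return None
    dt = datetime.fromisoformat(v.replace("Z", "+00:00"))
    if dt.tzinfo is None:  # treat naive export timestamps as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def stale_seats(csv_text, now, max_idle_days=90):
    """Enabled accounts (the ones holding a seat) idle longer than max_idle_days or never used.

    Returns dicts with username, admin flag and idle_days (None = never logged in),
    sorted with administrators first and then by idle time, longest first.
    """
    cutoff = now - timedelta(days=max_idle_days)
    report = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["enabled"].strip().lower() != "true":
            continue  # disabled accounts have already freed their seat
        last = parse_last_login(row["last_login"])
        if last is not None and last >= cutoff:
            continue  # active within the window
        report.append({
            "username": row["username"].strip(),
            "admin": row["administrator"].strip().lower() == "true",
            "idle_days": None if last is None else (now - last).days,
        })
    never = 10 ** 9  # sort never-used accounts above any real idle count
    report.sort(key=lambda r: (not r["admin"], -(r["idle_days"] if r["idle_days"] is not None else never)))
    return report


if __name__ == "__main__":
    for r in stale_seats(SAMPLE_EXPORT, NOW):
        idle = "never logged in" if r["idle_days"] is None else f"{r['idle_days']} days idle"
        flag = " [ADMIN]" if r["admin"] else ""
        print(f"{r['username']}{flag}: {idle}")
```

On the constructed export only two seats are reclaimable at a 90-day threshold: the never-used administrator account and one representative idle since October; the disabled account is ignored because disabling already frees the seat.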

The cost of manual management

BeyondTrust's permission model is hybrid: predefined roles (Administrator, Regular User) are combined with granular group policies that control session types, vault access, file transfer, reporting, and more. In Password Safe, Smart Rules add a dynamic, attribute-based layer on top of role assignments.

Misconfigured Smart Rules or missing group policy mappings are the most common source of unintended access grants or denials - and neither failure mode surfaces an obvious error to the end user.

Manual provisioning has no CSV import path for local accounts. LDAP/AD users require the directory to be pre-configured under Security Providers before any user can be added. Active sessions are not automatically terminated when an account is disabled, so administrators must manually kill sessions before deactivating an account to fully cut access.

What IT admins are saying

Practitioners consistently flag BeyondTrust's initial configuration complexity, particularly around LDAP/AD integration and group policy mapping. The product-specific documentation split - separate docs for Remote Support, Privileged Remote Access, and Password Safe - makes cross-product deployments harder to manage than a single unified reference would.

Enterprise-only pricing with no self-serve tier means every licensing question requires direct sales engagement, which slows procurement and seat adjustments alike.

Common complaints:

  • Complex initial configuration, particularly for LDAP/AD integration and group policy mapping.
  • Enterprise-only pricing with no self-serve or SMB tier; all pricing requires direct sales engagement.
  • SCIM provisioning requires both Enterprise licensing and SSO to be configured first, creating a dependency chain that complicates initial setup.
  • Limited native bulk user import options; no CSV import documented for local accounts.
  • Active sessions are not automatically terminated when an account is disabled, requiring manual intervention.
  • Documentation is product-specific (Remote Support vs. PRA vs. Password Safe) and can be difficult to navigate when managing a multi-product deployment.
  • Gartner Peer Insights reviewers note a steep learning curve for administrators new to PAM concepts and BeyondTrust's specific policy model.

The decision

BeyondTrust is the right fit when an organization needs deep PAM controls - credential vaulting, dual-control approval workflows, endpoint privilege management - and is already operating at enterprise scale. It is not a lightweight directory or SSO tool; every app access decision flows through group policies and Smart Rules that require deliberate upfront design.

Teams that need rapid onboarding or self-serve provisioning will find the dependency chain (SSO → SCIM → group policy mapping) adds meaningful lead time before automation is functional.

Bottom line

BeyondTrust delivers high-granularity privileged access control across every app and managed endpoint in scope, but that control comes with real administrative overhead.

The hybrid role-plus-group-policy model is powerful when configured correctly and fragile when it isn't - orphaned groups, missing policy assignments, and non-terminated active sessions are recurring operational gaps.

Organizations that invest in upfront policy design and directory integration will get a defensible, auditable access model; those that treat it as a plug-and-play tool will accumulate configuration debt quickly.

Automate BeyondTrust workflows without one-off scripts

Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.

  • Every app covered, including apps without APIs
  • 60+ app integrations plus browser automation for apps without APIs
  • IT graph reconciliation across apps and your IdP
  • Less than a week to launch, maintained as APIs and admin consoles change
  • SOC 2 Type II; about 2 hours of your team's time


* Details sourced from official product documentation and admin references.
