Vault for Privileged Access

Discovery: Discover Domains, Accounts, and Endpoints

Screenshot of the Bomgar PA /login header navigation highlighting Vault > Discovery

Bomgar Vault is an on-appliance credential store, enabling discovery of and access to privileged credentials. You can manually add privileged credentials, or you can use the built-in discovery tool to scan and import Active Directory and local accounts into Bomgar Vault.

For more information, please see Bomgar Vault Technical Whitepaper.

Domain Discovery

With the Bomgar Vault add-on, you can discover Active Directory accounts, local accounts, and endpoints. Jumpoints are used to scan endpoints and discover the accounts associated with those endpoints.

To learn more about Jumpoints, please see Bomgar Privileged Access Jumpoint Guide.

Jumpoint

Choose an existing Jumpoint located in the environment where you wish to discover accounts.

Management Account

Select the management account needed to initiate the discovery job. You can use a new account, which requires you to enter a Username, Password, and Password Confirmation, or you can use an existing account discovered from a previous job or added manually in the Accounts section. Once an account is selected, click Discover to start the discovery job.

Scope

Select the specific account types you wish Bomgar Vault to discover.

Discovery Jobs

View discovery jobs that are in progress for a specific domain, or review the results of successful and failed discovery jobs.

View Results

View the results of the discovery job from the Discovery Results section, which includes discovered endpoints, discovered local accounts, and discovered domain accounts found on the domain. For each discovered item, a Name and Description are provided. You can select which endpoints and accounts to import and store in your Bomgar Vault instance. For each list item you wish to import, check the box beside it and click Import Selected.

Endpoints: View and Manage Discovered Systems

Screenshot of the Bomgar PA /login header navigation highlighting Vault > Endpoints.

Endpoints

View information about all discovered endpoints, such as the name and hostname of the system, along with information about the accounts associated with those systems.

Search

Search for a specific endpoint or a group of endpoints based on Name, Hostname, Description, or Jumpoint Name.

Accounts

View the number of accounts found during discovery as well as the endpoints they are associated with. Click the Accounts option to view the accounts associated with the system.

Edit

Modify the endpoint's information, specifically Name, Description, Hostname, and Jumpoint.

Delete

Delete the endpoint from the Endpoints list.

Accounts: Manage Privileged Accounts Used on Endpoints

Screenshot of the Bomgar PA /login header navigation highlighting Vault > Accounts.

View and manage information about all discovered and manually added accounts. Available information includes:

  • Type: The type of account, specifically, whether it is a domain account or a local account
  • Name: The name of the account
  • Endpoint: The endpoint with which the account is associated
  • Last Checkout: The last time the account was checked out
  • Password Age: The age of the password

Based on this information, you can perform various actions, including credential check-out/check-in and credential rotation.

Accounts

Add New Account

Click Add New Account to manually add a new account to Bomgar Vault.

Search

Search for a specific account or a group of accounts based on Name, Endpoint Name, or Description.

Check Out/Check In

Click Check Out to view and use a credential. When selected, the Account Password prompt appears, displaying the credential for 60 seconds to allow you to copy the password. Once the prompt is closed, the Check In option becomes available. When finished using the account, click Check In to check the password back into the system.

For more information, please see Check Out Credentials from the PA /login Interface.

...

Click ... to view more actions, such as Rotate Password, Edit, and Delete. When Rotate Password is selected, the system automatically rotates or changes the password. When Edit is selected, you can modify the account's information. The Delete option removes the account from the Accounts list.

For more information, please see Rotate Privileged Credentials Using Bomgar Vault.

Generic Account :: Add

The Add New Account option allows you to add accounts without having to run a discovery job. Instead, you can manually enter information about the account. This option is helpful in situations where a shared account or username/password combination can be used to access many different systems.

Name

Enter a name for the account.

Description

Enter a brief and memorable description of the account.

Username

Provide the username for the account.

Authentication

Select the authentication method for the account: Password or SSH Private Key.

Note: If you select an SSH key for authentication, you must provide a private key for the account in OpenSSH format. Optionally, you can include the passphrase associated with the private key.

Password

If Password is selected for authentication, you must enter the password for the account and confirm the password.

SSH Private Key

If SSH Private Key is selected for authentication, you must enter the SSH private key for the account.

Checkout

If the account can be checked out and used by multiple users or sessions at the same time, select this option.

Account Users

Select users who are allowed to access this account.

Note: If SSH Private Key is selected, the following options become available: SSH Private Key, SSH Key Passphrase, Key Size, Key Fingerprint, and Key Format.

SSH Private Key

Provide the SSH private key information.

SSH Key Passphrase

If applicable, enter the SSH private key's passphrase.

Key Size

Provide the length of the key in bits.

Key Fingerprint

Provide the fingerprint associated with the SSH private key.

Key Format

Select the encryption algorithm of the SSH private key.
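The Key Size, Key Fingerprint, and passphrase fields above can be checked against the key itself, because an OpenSSH-format private key stores its public half in an unencrypted header. The following is an added example, not Bomgar code: the function names, the dummy sample key, and the mapping of its output to the form fields are assumptions made for illustration.

```python
import base64, hashlib, struct

MAGIC = b"openssh-key-v1\0"
BEGIN, END = "-----BEGIN OPENSSH PRIVATE KEY-----", "-----END OPENSSH PRIVATE KEY-----"

def ssh_string(data):
    """Encode an SSH wire string: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def read_string(buf, off):
    """Decode one SSH wire string at offset off; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated key data")
    return buf[off + 4:off + 4 + n], off + 4 + n

def describe_private_key(text):
    """Read type, size, fingerprint and passphrase status from the unencrypted header."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an OpenSSH-format private key")
    raw = base64.b64decode("".join(lines[1:-1]))
    if not raw.startswith(MAGIC):
        raise ValueError("missing openssh-key-v1 magic")
    cipher, off = read_string(raw, len(MAGIC))
    _kdf, off = read_string(raw, off)
    _kdf_opts, off = read_string(raw, off)
    pub, _ = read_string(raw, off + 4)           # skip the uint32 key count
    ktype, p = read_string(pub, 0)
    if ktype == b"ssh-rsa":                      # blob layout: type, mpint e, mpint n
        _e, p = read_string(pub, p)
        n, _ = read_string(pub, p)
        bits = int.from_bytes(n, "big").bit_length()
    else:                                        # other key types are not sized here
        bits = 256 if ktype == b"ssh-ed25519" else None
    fp = base64.b64encode(hashlib.sha256(pub).digest()).decode().rstrip("=")
    return {"format": ktype.decode(), "bits": bits, "fingerprint": "SHA256:" + fp,
            "has_passphrase": cipher != b"none"}

def constructed_sample(cipher=b"none"):
    """Constructed input: a valid container around a dummy, unusable Ed25519 public key."""
    pub = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    body = (MAGIC + ssh_string(cipher) + ssh_string(kdf) + ssh_string(b"")
            + struct.pack(">I", 1) + ssh_string(pub) + ssh_string(b"\0" * 8))
    return "\n".join([BEGIN, base64.b64encode(body).decode(), END])

if __name__ == "__main__":
    print(describe_private_key(constructed_sample()))
```

A key in the older PEM layout (for example, one beginning with `-----BEGIN RSA PRIVATE KEY-----`) raises ValueError here, which matches the OpenSSH-format requirement stated in the Authentication note.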

Note: User accounts with the Allowed to Administer Vault permission are implicitly allowed to access every Vault account.

Local Account :: Edit

Name

View or edit the name used for the account.

Description

View or edit the description of the account.

Username

View the username associated with the account.

Password

Enter a new password for the account, or leave the field blank to keep the existing password. Confirm the password entered.

Password Age

View the age of the existing password.

Allow Simultaneous Checkout

If the account can be checked out and used by multiple users or sessions at the same time, select this option.

Endpoint

View which endpoint or endpoints are associated with the account.

Endpoint Hostname

View the hostname of the associated endpoints.

Account Users

Select users who are allowed to access this account.

Note: User accounts with the Allowed to Administer Vault permission are implicitly allowed to access every Vault account.

Domain Account :: Edit

Name

View or edit the name used for the account.

Description

View or edit the description of the account.

Username

View the username associated with the account.

Password

Enter a new password for the account, or leave the field blank to keep the existing password. Confirm the password entered.

View Password History

View the dates and times of password changes. Click Reveal to temporarily show the password. Click Use to set the password of this account to that password.

Password Age

View the age of the existing password.

Automatically Rotate Credentials

If you wish for the credential to be automatically rotated after it is checked in, select this option.

Note: Active Directory credentials are the only credential types which support automatic rotation.

Allow Simultaneous Checkout

If the account can be checked out and used by multiple users or sessions at the same time, select this option.

Distinguished Name

View the distinguished name for the account.

Account Users

Select users who are allowed to access this account.

Note: User accounts with the Allowed to Administer Vault permission are implicitly allowed to access every Vault account.

Domains: Add and Manage Domains

Add, view, and manage information about your domains.

Screenshot of the Bomgar PA /login header navigation highlighting Vault > Domains.

Domains

Add New Domain

Click Add New Domain to manually add a new domain to the Domains list.

Domain Name

View the name of the domain.

Jumpoint

View the Jumpoint used to discover accounts and endpoints on the domain.

Management Account

View the management account associated with the Jumpoint and domain.

Discover

Click Discover to have the Jumpoint scan the domain and discover its endpoints and accounts.

Edit

Click Edit to modify domain information.

Delete

Click Delete to delete this domain from the Domains list.

Domain :: Add

DNS Name

Enter the DNS Name of the domain.

Jumpoint

Choose an existing Jumpoint located in the environment where you wish to discover accounts.

Management Account

Select the management account needed to initiate a discovery job for this domain. You can use a new account, which requires a Username, Password, and Password Confirmation, or you can use an existing account discovered from a previous job or added manually in the Accounts section.

Domain :: Edit

DNS Name

View or edit the DNS Name of the domain.

Jumpoint

View or edit the Jumpoint information for the domain.

Management Account

View or edit the management account needed to initiate a discovery job for this domain. You can use a new account, which requires a Username, Password, and Password Confirmation, or you can use an existing account discovered from a previous job or added manually in the Accounts section.