BeyondTrust
This connectivity package provides support for BeyondTrust Privilege Management. This is a cloud-only service.
Supported objects and operations
| System objects | Omada Identity Data Model | Operations |
|---|---|---|
| Users | Accounts | Create, read, update, delete |
| Groups | Resources | Read |
| Containers/Safes | Resources | Read |
| Privileged Data/Managed accounts | Resources | Read |
| Group memberships | Resource Assignments | Create, read, update, delete |
| Groups to Safes relationships | Resource parent/child | Read |
| Privileged Data to Container relationships | Resource parent/child | Read |
Minimum required permissions
The service account used by Omada to connect to BeyondTrust must have sufficient API permissions assigned to the SCIM endpoint. Set the following permissions:
| Endpoint | Permission | Description |
|---|---|---|
| /SCIM | Full Access | Grants permission to perform all HTTP methods (GET, POST, PUT, PATCH, DELETE) required for user and group provisioning. |
See the BeyondTrust API documentation for details.
Implementation notes
The connectivity package includes two Resource parent/child mappings. These ensure that Omada can properly calculate and report on inherited access stemming from group memberships.
This connectivity package will be enhanced by including Feature memberships once the REST API of BeyondTrust allows for token-based authentication.
Network requirements
N/A
Prerequisites
- In BeyondTrust, create an API Registration (under Configuration) for the Omada integration. Once the API Registration is created, assign an IP Rule to it. This ensures the Omada Platform IP is recognized and accepted for integration with the BeyondTrust application.
- In BeyondTrust, create a Connector (under Configuration) using SCIM as the connector type. Note down the Client ID and the newly created Client Secret.
- The following details are required to authenticate:
  - Base URL
  - Token endpoint
  - Client ID
  - Client Secret
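As an added example (not Omada's or BeyondTrust's own code), this is the exchange those four details feed: a client_credentials token request against the Token endpoint, then a read-only SCIM query with the bearer token. It assumes a standard OAuth 2.0 token endpoint that returns JSON with `access_token` and SCIM collections under `<Base URL>/SCIM/<resource>`; the host `bt.example`, the credentials and the stub responses are constructed placeholders so the flow runs offline.

```python
import json
import urllib.parse
import urllib.request

def http_transport(url, method, headers, body=None):
    """Real transport: returns (HTTP status, response body as text)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read().decode()

def fetch_token(token_endpoint, client_id, client_secret, transport=http_transport):
    """OAuth 2.0 client_credentials exchange; the secret goes in the POST body, never the URL."""
    body = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "client_id": client_id, "client_secret": client_secret}).encode()
    status, text = transport(token_endpoint, "POST",
                             {"Content-Type": "application/x-www-form-urlencoded"}, body)
    if status != 200:
        raise RuntimeError(f"token request failed with HTTP {status}")
    token = json.loads(text).get("access_token")
    if not token:
        raise RuntimeError("token response carried no access_token")
    return token

def scim_list(base_url, resource, token, transport=http_transport):
    """Read-only fetch of a SCIM collection such as 'Users' or 'Groups' (assumed path layout)."""
    url = f"{base_url.rstrip('/')}/SCIM/{resource}"
    status, text = transport(url, "GET", {"Authorization": f"Bearer {token}",
                                          "Accept": "application/scim+json"})
    if status in (401, 403):
        # Usual causes: the IP Rule does not match the Omada IP, or /SCIM access is missing.
        raise PermissionError(f"HTTP {status} on {url}: check the API Registration and /SCIM permission")
    if status != 200:
        raise RuntimeError(f"SCIM read failed with HTTP {status}")
    return json.loads(text).get("Resources", [])

def stub_transport(url, method, headers, body=None):
    """Constructed offline stand-in for BeyondTrust so the flow can be exercised without network."""
    if url.endswith("/token"):
        return 200, json.dumps({"access_token": "constructed-token", "token_type": "Bearer"})
    if headers.get("Authorization") != "Bearer constructed-token":
        return 401, ""
    return 200, json.dumps({"Resources": [{"userName": "svc-omada"}, {"userName": "jdoe"}]})

def demo():
    """Run the two-step exchange against the stub; returns (token, user names)."""
    token = fetch_token("https://bt.example/token", "client-id", "client-secret", stub_transport)
    users = scim_list("https://bt.example", "Users", token, stub_transport)
    return token, [u["userName"] for u in users]
```

Swap `stub_transport` for the default `http_transport` and the real Base URL and Token endpoint to run it against a tenant; a 401/403 on the SCIM read points at the IP Rule or the /SCIM permission from the table above.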