Connection Guide

Connect BeyondTrust Password Safe Without Breaking the Audit Trail

Use this guide to connect BeyondTrust Password Safe or confirm the export-based path that fits your environment. Aurora keeps source, timestamps, ownership, and collection history attached so the first run becomes reusable proof instead of one-off setup work.

Connector Summary

Connection typeDirect connection

CategoryPam

Checklist4 steps

Want help with rollout?

We'll confirm what can be automated, what stays export-based, and how to keep the first evidence record clean.

First-Run Checklist

Use this sequence to connect BeyondTrust Password Safe and make sure the first collection lands cleanly.

1
Provision a dedicated BeyondTrust Application user tied to an API Access Policy API registration and keep the connector on OAuth 2.0 client credentials.
2
Set base_url to the public API root ending in /BeyondTrust/api/public/v3 and store client_id plus client_secret for the application user.
3
Add run_as_user only when the customer explicitly requires impersonation; otherwise keep the connector on direct application-user permissions.
4
If the API registration requires a client certificate, provide client_certificate as a PEM path or inline PEM and keep client_certificate_password empty unless the customer can supply an unencrypted PEM bundle.

Credentials and Secrets

The keys, secrets, or tokens Aurora uses to authenticate and collect proof.

client_secretclient_certificateclient_certificate_password

Recommended Access

Aurora only asks for the minimum read access needed for collection and checks.

Access requirements depend on the collection mode and scope you choose.