# BeyondTrust

SureCloud connects to BeyondTrust Privileged Remote Access and Password Safe to retrieve managed account inventory, session activity records, privileged access policy configuration, and access request audit trails. This allows SureCloud to verify that privileged access is controlled and monitored — confirming that privileged accounts are vaulted, that sessions are being recorded, and that access to critical systems is gated through an approved workflow.

## Authentication and setup

BeyondTrust authenticates API requests using an API key associated with a dedicated API service account. SureCloud uses a read-only key generated within your BeyondTrust environment.

{% tabs %}
{% tab title="BeyondTrust Password Safe" %}
{% stepper %}
{% step %}
**Create a dedicated API user in Password Safe**

Log in to the BeyondTrust management console. Navigate to **Configuration → User Management → Users** and create a user (e.g. `surecloud-api`) with the **API** user type. Assign the **Auditor** role, which provides read-only access to account and session data.
{% endstep %}

{% step %}
**Generate an API key**

In the user's settings, navigate to **API Registration** and create a new API key. Name it `SureCloud CCM`. Copy the **Client ID** and **Client Secret**.
{% endstep %}

{% step %}
**Enter the credentials in SureCloud**

Navigate to **SureCloud → Integrations → BeyondTrust → Connect (Password Safe)**. Enter your BeyondTrust instance URL, the Client ID, and the Client Secret. Click **Save** and then **Test Connection**.
{% endstep %}
{% endstepper %}
{% endtab %}

{% tab title="BeyondTrust Privileged Remote Access" %}
{% stepper %}
{% step %}
**Create an API account in PRA**

Log in to the BeyondTrust Privileged Remote Access admin UI. Navigate to **Management → API Configuration** and create a new API account named `SureCloud CCM` with **Read-Only** permissions. Note the **Client ID** and **Client Secret**.
{% endstep %}

{% step %}
**Enter the credentials in SureCloud**

Navigate to **SureCloud → Integrations → BeyondTrust → Connect (PRA)**. Enter the PRA appliance URL, Client ID, and Client Secret. Click **Save** and then **Test Connection**.
{% endstep %}
{% endstepper %}

{% hint style="warning" %}
Store the Client Secret securely. SureCloud encrypts it at rest, but treat it as a sensitive credential. Rotate it every 90 days and update it in **SureCloud → Integrations → BeyondTrust → Edit Connection**.
{% endhint %}
{% endtab %}
{% endtabs %}

## Endpoints

| API Call                                         | Use Case                                                                  |
| ------------------------------------------------ | ------------------------------------------------------------------------- |
| `GET /BeyondTrust/api/public/v3/ManagedAccounts` | Enumerate managed privileged accounts and their configuration             |
| `GET /BeyondTrust/api/public/v3/ManagedSystems`  | List managed systems to confirm PAM scope coverage                        |
| `GET /BeyondTrust/api/public/v3/Requests`        | Retrieve access request records including requester, approver, and status |
| `GET /BeyondTrust/api/public/v3/SessionLogs`     | Retrieve session recording logs for privileged session evidence           |
| `GET /BeyondTrust/api/public/v3/Policies`        | Retrieve access policy definitions                                        |
| `GET /BeyondTrust/api/public/v3/Users`           | Enumerate BeyondTrust users and their role assignments                    |

## Pagination

`GET /BeyondTrust/api/public/v3/ManagedAccounts` and `GET /BeyondTrust/api/public/v3/Requests` use offset-based pagination. SureCloud increments the `offset` parameter by the page size until all records are retrieved.

```http
GET /BeyondTrust/api/public/v3/ManagedAccounts?limit=500&offset=500
```
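The offset loop described above, as an added Python example (not SureCloud's or BeyondTrust's code) that also guards against a server that ignores `offset` and would otherwise inflate the inventory with repeated records. The `fetch_page` callable, the `AccountId` key and the sample records are assumptions constructed for illustration; no real API call is made.

```python
from typing import Callable, Dict, List

PAGE_SIZE = 500  # matches limit=500 in the request shown above

# Hypothetical transport hook: fetch_page(limit, offset) -> list of records.
FetchPage = Callable[[int, int], List[Dict]]


def collect_all(fetch_page: FetchPage, id_field: str = "AccountId",
                limit: int = PAGE_SIZE, max_pages: int = 1000) -> List[Dict]:
    """Walk offset pages until a short or empty page, de-duplicating by id."""
    seen: Dict[object, Dict] = {}
    offset = 0
    for _ in range(max_pages):
        page = fetch_page(limit, offset)
        new = 0
        for rec in page:
            key = rec[id_field]  # assumed unique record key
            if key not in seen:
                seen[key] = rec
                new += 1
        if len(page) < limit:
            # A short (or empty) page means the last record was reached.
            return list(seen.values())
        if new == 0:
            # A full page of already-seen records: offset is not advancing.
            raise RuntimeError(f"no new records at offset {offset}")
        offset += limit  # increment by the page size, as described above
    raise RuntimeError("max_pages reached before the last page")


def make_fake_api(records: List[Dict]) -> FetchPage:
    """Constructed stand-in for the API: serves slices of an in-memory list."""
    def fetch_page(limit: int, offset: int) -> List[Dict]:
        return records[offset:offset + limit]
    return fetch_page


# Constructed sample inventory: 1,203 records, i.e. pages of 500, 500 and 203.
SAMPLE = [{"AccountId": i, "AccountName": f"svc-{i}"} for i in range(1203)]

if __name__ == "__main__":
    print(len(collect_all(make_fake_api(SAMPLE))))
```
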

## Required permissions

SureCloud requires a BeyondTrust API account with **Auditor** or **Read-Only** access, providing:

* Read access to managed accounts and systems
* Read access to access requests and approvals
* Read access to session logs
* Read access to policies and users

No account checkout, session initiation, or configuration-change permissions are required.

## Polling frequency

| Data Type                            | Interval       |
| ------------------------------------ | -------------- |
| Managed account and system inventory | Every 24 hours |
| Access requests and approvals        | Every 6 hours  |
| Session activity records             | Every 6 hours  |
| Policy configuration                 | Every 24 hours |

## Troubleshooting

<details>

<summary>Authentication fails or returns 401</summary>

The Client ID or Client Secret is incorrect, or the API account has been disabled. Navigate to the BeyondTrust management console and confirm the API account is active. Regenerate the Client Secret if necessary and update it in **SureCloud → Integrations → BeyondTrust → Edit Connection**.

</details>

<details>

<summary>Session logs are empty despite recorded sessions existing</summary>

Session log access requires the Auditor role and may be subject to a time-range filter. SureCloud queries within a defined lookback window. Confirm the API account's role includes session log read access and that recorded sessions exist within the lookback period.

</details>

<details>

<summary>BeyondTrust appliance is unreachable</summary>

BeyondTrust Password Safe and PRA are typically deployed on-premises or in a private cloud. Confirm the appliance URL is accessible from the SureCloud collector network over HTTPS. Contact SureCloud Support for firewall and connectivity requirements.

</details>

