This process only covers creating the team in AD and Password Safe (PS), not the users themselves. If users also need to be onboarded, follow the separate user onboarding process.
Active Directory
Services > Groups > AAD synced > Beyond Trust
Right-click the OU and add the new team group.
Enter the team name, then repeat the same steps for the admin team.
Add the non-priv team to the BT-All-Non-Priv-Users group.
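The AD steps above, scripted as an added example that is not part of this runbook. It assumes the ActiveDirectory RSAT module is available, that the OU distinguished name for "Services > Groups > AAD synced > Beyond Trust" is as shown (adjust to your forest), and that teams follow the BT-Team-<Name> pattern with an assumed "-Admin" suffix for the admin team; only the non-priv group is added to BT-All-Non-Priv-Users.

```powershell
# Added example: create the non-priv and admin team groups in the BeyondTrust OU,
# add only the non-priv group to BT-All-Non-Priv-Users, then verify the result.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][string]$TeamName,
    # Assumed DN for "Services > Groups > AAD synced > Beyond Trust"; adjust to your forest.
    [string]$TargetOU = 'OU=Beyond Trust,OU=AAD synced,OU=Groups,OU=Services,DC=example,DC=local',
    [string]$NonPrivParentGroup = 'BT-All-Non-Priv-Users'
)

Import-Module ActiveDirectory -ErrorAction Stop

# Naming convention from the runbook (BT-Team-***); the "-Admin" suffix is an assumption.
if ($TeamName -notmatch '^[A-Za-z0-9]+$') { throw "Team name must be alphanumeric: '$TeamName'" }
$groups = @{
    NonPriv = "BT-Team-$TeamName"
    Admin   = "BT-Team-$TeamName-Admin"
}

foreach ($kind in $groups.Keys) {
    $name = $groups[$kind]
    # Idempotency: never overwrite an existing group, just report it and move on.
    if (Get-ADGroup -Filter "SamAccountName -eq '$name'") {
        Write-Warning "$name already exists, skipping creation"
        continue
    }
    if ($PSCmdlet.ShouldProcess($name, "Create security group in $TargetOU")) {
        New-ADGroup -Name $name -SamAccountName $name -GroupCategory Security `
            -GroupScope Global -Path $TargetOU -Description "BeyondTrust $kind team for $TeamName"
    }
}

# Only the non-priv team inherits the non-privileged baseline. The admin team is
# deliberately left out so elevated access has to be granted explicitly later.
if ($PSCmdlet.ShouldProcess($groups.NonPriv, "Add to $NonPrivParentGroup")) {
    Add-ADGroupMember -Identity $NonPrivParentGroup -Members $groups.NonPriv
}

# Verification before moving on to Azure AD / Password Safe: OU placement and parent membership.
$parentDn = (Get-ADGroup -Identity $NonPrivParentGroup).DistinguishedName
foreach ($name in $groups.Values) {
    $g = Get-ADGroup -Filter "SamAccountName -eq '$name'" -Properties MemberOf
    if (-not $g) { Write-Warning "$name not found (expected on a -WhatIf run)"; continue }
    if ($g.DistinguishedName -notlike "*,$TargetOU") { Write-Warning "$name is not under $TargetOU" }
    [pscustomobject]@{ Group = $name; InNonPrivParent = ($g.MemberOf -contains $parentDn) }
}
```

Run with -WhatIf first to see what would be created before committing the change.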
Azure Active Directory
Enterprise Applications > BeyondTrust PRA Cloud
Expand Manage and go to Users and groups.
Add the new team.
Password Safe
Config > User Management
Create New Group
Active Directory Group Search
Use the bind account credentials.
Enter the group name exactly as stated in AD.
Select Add group.
Directory Query
Config> Role Based Access > Directory Query
Clone a directory query
Update the LDAP query to use the new team name.
Smart Rules - Onboard
Config > Smart rules
Select Managed account.
Clone the relevant "3. Onboard Admin accounts" smart rule.
Change the name.
Change the query to the directory query created above.
Check/change the required access: any reference to 'link domain account to managed system'.
Add the required access here.
Smart Rules - Map account
Config > Smart rules
Clone the relevant "4. Account Mapping" smart rule.
Change the name.
Change the dedicated smart group to map to.
Save and process as required.
PRA
Jump Tab
Jump Groups
- Add jump group
- Follow standardised naming convention
Configuration Tab
Teams
- +add team
- Follow standardised naming convention
Users and Security Tab
Security Providers
- Add the team (BT-Team-***) to the Authorisation settings in SAML. This assumes the team is already onboarded.
Group Policies
- Copy the policy, change the name, remove the existing teams and jump group.
- Add the new team and jump group.
- Set the session policy to internal/vendors as appropriate.