Skip to main content

BeyondTrust Privilege Management for Unix and Linux integration

Use this guide to integrate Arculix with BeyondTrust Privilege Management for Unix and Linux.

With Arculix by SecureAuth, you can get push notifications for MFA.


  • Configured Arculix instance and user account with administrative privileges for Arculix.

  • User account with administrative privileges for BeyondTrust Privilege Management for Unix and Linux.

BeyondTrust Privilege Management configuration

Once you configure a role-based or server-based policy in BeyondTrust, you need to add a script policy for the corresponding allowed commands.

  1. In BeyondInsight, go to Policy > Server Details > Role Based Policy > Command Groups.

  2. On the Command Groups page, you need to create a group of allowed Commands.

    For example, you can allow changes to a configuration file and run test commands.

  3. In the Role Based Policy, create a Role name.

    For example, the role name is DatabaseAdmins.

  4. Assign a user (Who) to the DBA Commands group (What).

    For example, in this demo environment, the user is beyondtrust.demo assigned to DBA Commands.

  5. Optional. Enable accept and reject messages.

  6. Create a Script Policy to interact with Arculix and send a push notification to Arculix Mobile.

  7. Save your changes.

Test your integration with Arculix

  1. In Unix or Linux, run test commands like whoami and pbrun.

    Result: When the application prefixes the command with pbrun, it runs the policy script for an assigned role like beyondtrust.demo.

  2. Make sure it sends a push notification to your Arculix Mobile app to authenticate your access.

  3. Tap to accept the request in the Arculix Mobile app and press Enter in Linux to confirm.

    Result: The terminal window in Unix or Linux shows you accepted the push request on Arculix Mobile.

  4. Now that your user account is authenticated in Unix or Linux, you have privileged access.

    For example, you can now edit the file and change the Port number like the following example.


Take note that if you deny the push request to Arculix Mobile or leave it in a pending state, it rejects the authentication request.