Session Policies: Set Session Permission and Prompting Rules

Session Policies

With session policies, you can customize session security permissions to fit specific scenarios. Session policies can be applied to users and all Jump Items.

The Session Policies section lists available policies. Click the arrow by a policy name to quickly see where that policy is being used; its availability for users, access invites, and Jump Clients; and the tools configured.

Add, Edit, or Delete Session Policy

Create a new policy, modify an existing policy, or remove an existing policy.

Copy

To expedite the creation of similar policies, click Copy to create a new policy with identical settings. You can then edit this new policy to meet your specific requirements.

Add or Edit Session Policy

Display Name

Create a unique name to help identify this policy. This name helps when assigning a session policy to users and Jump Clients.

Code Name

Set a code name for integration purposes. If you do not set a code name, PRA creates one automatically.

Description

Add a brief description to summarize the purpose of this policy. The description is seen when applying a policy to user accounts, group policies, and access invites.

Availability

Users

Choose if this policy should be available to assign to users (user accounts and group policies).

Access Invite

Choose if this policy should be available for users to select when inviting an external user to join a session.

Jump Items

Choose if this policy should be available to assign to Jump Items.

Dependents

If this session policy is already in use, you will see the number of users and Jump Clients using this policy.

Permissions

For all of the permissions that follow, you can choose to enable or disable the permission, or you can choose to set it to Not Defined. Session policies are applied to a session in a hierarchical manner, with Jump Clients taking the highest priority, then users, and then the global default. If multiple policies apply to a session, then the policy with the highest priority will take precedence over the others. If, for example, the policy applied to a Jump Client defines a permission, then no other policies may change that permission for the session. To make a permission available for a lower policy to define, leave that permission set to Not Defined.

Set which tools should be enabled or disabled with this policy.

Allow Elevated Access to Tools and Special Actions on the Endpoint

If enabled, access to elevated functionality is provided in the access console for this session without needing the explicit rights of a logged-in user on the remote endpoint.

If disabled, this setting restricts users from gaining full access to the file transfer and command shell functions when they jump to an elevated Jump Item but do not have elevated rights. To do this, special actions and power control actions are hidden and not available. It also restricts File Transfer, Command Shell, and Registry Access when there is no user present in the session. This setting applies where allowed by the endpoint's platform.

Screen Sharing
Screen Sharing Rules

Select the representative's and remote user's access to the remote system:

  • If Not Defined, this option is set by the next lower priority policy. This setting may be overridden by a higher priority policy.
  • Deny disables screen sharing.
  • View Only allows the representative to view the screen.
  • View and Control allows the representative to view and take action on the system. If this is selected, endpoint restrictions can be set to avoid interference by the remote user:
    • None does not set any restrictions on the remote system.
    • Display, Mouse, and Keyboard disables these inputs. If this is selected, a check box is available to Automatically request a privacy screen on session start. Privacy screen is applicable only for sessions started from a Jump Client, a Remote Jump item, or a Local Jump item. We recommend using privacy screen for unattended sessions. The remote system must support privacy screen.

Allowed Endpoint Restrictions

Set if the user can suspend the remote system's mouse and keyboard input. The user may also prevent the remote desktop from being displayed.

Clipboard Synchronization Direction

Select how clipboard content flows between users and endpoints. The options are:

  • Not allowed: The user is not allowed to use the clipboard, no clipboard icons display in the access console, and cut and paste commands do not work.
  • Allowed from Rep to Customer: The user can push clipboard content to the endpoint but cannot paste from the endpoint's clipboard. Only the Send clipboard icon displays in the access console.
  • Allowed in Both Directions: Clipboard content can flow both ways. Both Push and Get clipboard icons display in the access console.

For more information about the Clipboard Synchronization Mode, please see Security: Manage Security Settings.

Application Sharing Restrictions

Limit access to specified applications on the remote system with either Allow only the listed executables or Deny only the listed executables. You may also choose to allow or deny desktop access.

This feature applies only to Windows operating systems.

Add New Executables

If application sharing restrictions are enforced, an Add New Executables button appears. Clicking this button opens a dialog that allows you to specify executables to deny or allow, as appropriate to your objectives.

After you have added executables, one or two tables display the file names or hashes you have selected for restriction. An editable comment field allows administrative notes.

Enter file names or SHA-256 hashes, one per line

When restricting executables, manually enter the executable file names or hashes you wish to allow or deny. Click on Add Executable(s) when you are finished to add the chosen files to your configuration.

You may enter up to 25 files per dialog. If you need to add more, click Add Executable(s) and then reopen the dialog.

Browse for one or more files

When restricting executables, select this option to browse your system and choose executable files; their names or hashes are derived automatically. When you select files from your local system in this manner, use caution to ensure that the files are indeed executable files, because no verification is performed at the browser level.

Choose either Use file name or Use file hash to have the browser derive the executable file names or hashes automatically. Click Add Executable(s) when you are finished to add the chosen files to your configuration.

You may enter up to 25 files per dialog. If you need to add more, click Add Executable(s) and then reopen the dialog.

This option is available only in modern browsers, not in legacy browsers.
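As an added illustration of the two input paths above (not code from the product or from BeyondTrust), the parser below validates a pasted "one per line" list of file names or SHA-256 hashes and mirrors the Browse option by deriving an entry from a file's name or its SHA-256 digest. The rejection of hex strings of a non-SHA-256 length is an added strictness check, not documented behaviour of the dialog; all sample values are constructed.

```python
import hashlib
import re
from dataclasses import dataclass

MAX_PER_DIALOG = 25  # the dialog accepts at most 25 entries per submission
SHA256_RE = re.compile(r"[0-9a-f]{64}")
HEX_RE = re.compile(r"[0-9a-fA-F]{32,128}")  # hex strings of other digest lengths


@dataclass(frozen=True)
class ExecutableEntry:
    kind: str   # "hash" (SHA-256, lower-case hex) or "name" (file name)
    value: str


def parse_executable_list(text: str) -> list[ExecutableEntry]:
    """Parse the 'one per line' dialog input into hash and file-name entries.

    Raises ValueError for a hex string that is not a SHA-256 digest (added
    check: an MD5 or SHA-1 value pasted by mistake would otherwise be stored
    as a file name that never matches) and when more than 25 entries are
    submitted at once.
    """
    entries: list[ExecutableEntry] = []
    seen: set[ExecutableEntry] = set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue  # blank lines carry no entry
        if SHA256_RE.fullmatch(line.lower()):
            entry = ExecutableEntry("hash", line.lower())
        elif HEX_RE.fullmatch(line):
            raise ValueError(f"line {lineno}: {len(line)}-character hex string is not a SHA-256 hash")
        else:
            entry = ExecutableEntry("name", line)
        if entry not in seen:  # duplicates would only consume the 25-entry limit
            seen.add(entry)
            entries.append(entry)
    if len(entries) > MAX_PER_DIALOG:
        raise ValueError(f"{len(entries)} entries exceed the limit of {MAX_PER_DIALOG} per dialog")
    return entries


def derive_entry(file_name: str, data: bytes, use_hash: bool) -> ExecutableEntry:
    """Mirror the Browse option: derive the entry from the file's name or its SHA-256."""
    if use_hash:
        return ExecutableEntry("hash", hashlib.sha256(data).hexdigest())
    return ExecutableEntry("name", file_name)
```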

Allowed to log in using credentials from an Endpoint Credential Manager

Enable connection of a user to your Endpoint Credential Manager to use credentials from your existing password stores or vaults.

Use of the Endpoint Credential Manager requires a separate services agreement with BeyondTrust. Once a services agreement is in place, you may download the required middleware from the BeyondTrust Support Portal.

Prior to 15.2, this feature is available only in sessions started from an elevated Jump Client on Windows®. Starting with 15.2, you also may use an Endpoint Credential Manager in Remote Jump sessions, Microsoft® Remote Desktop Protocol sessions, VNC sessions, and Shell Jump sessions. You may also use this feature with the Run As special action in a screen sharing session on a Windows® system.

Annotations
Annotation Rules

Enables the user to use annotation tools to draw on the remote system's screen. If Not Defined, this option is set by the next lower priority policy. This setting may be overridden by a higher priority policy.

File Transfer
File Transfer Rules

Enables the user to upload files to the remote system, download files from the remote system, or both. If Not Defined, this option is set by the next lower priority policy. This setting may be overridden by a higher priority policy.

Accessible paths on the endpoint's filesystem

Allow the user to transfer files to or from any directories on the remote system or only specified directories.

Accessible paths on user's filesystem

Allow the user to transfer files to or from any directories on their local system or only specified directories.

Command Shell
Command Shell Rules

Enables the user to issue commands on the remote computer through a virtual command line interface. If Not Defined, this option is set by the next lower priority policy. This setting may be overridden by a higher priority policy.

Command shell access cannot be restricted for Shell Jump sessions.

Configure command filtering to prevent accidental use of commands that can be harmful to endpoint systems.

For more information on command filtering, please see Use Shell Jump to Access a Remote Network Device.

System Information
System Information Rules

Enables the user to see system information about the remote computer. If Not Defined, this option is set by the next lower priority policy. This setting may be overridden by a higher priority policy.

Allowed to use system information actions

Enables the user to interact with processes and programs on the remote system without requiring screen sharing. Kill processes; start, stop, pause, resume, and restart services; and uninstall programs.

Registry Access
Registry Access Rules

Enables the user to interact with the registry on a remote Windows system without requiring screen sharing: view, add, edit, and delete keys; search; and import or export keys.

Canned Scripts
Canned Script Rules

Enables the user to run canned scripts that have been created for their teams. If Not Defined, this option is set by the next lower priority policy. This setting may be overridden by a higher priority policy.

Session Termination Behavior

Choose what action to take if the session cannot reconnect within the time set by Reconnect Timeout. To prevent an end user from accessing unauthorized privileges after an elevated session, set the client to automatically log the end user out of the remote Windows computer at session end, to lock the remote computer, or to do nothing. These rules do not apply to browser sharing sessions.

Allow users to override this setting per session

You can allow a user to override the session termination setting from the Summary tab in the console during a session.

Export Policy

You can export a session policy from one site and import those permissions into a policy on another site. Edit the policy you wish to export and scroll to the bottom of the page. Click Export Policy and save the file.

Import Policy

You may import those policy settings to any other BeyondTrust site that supports session policy import. Create a new session policy and scroll to the bottom of the page. Browse to the policy file and then click Import Policy. Once the policy file is uploaded, the page will refresh, allowing you to make modifications. Click Save Policy to make the policy available.

Save

Click Save to make this policy available.

Session Policy Simulator

Because layering policies can be complex, you can use the Session Policy Simulator to determine what the outcome will be. Additionally, you could use the simulator to troubleshoot why a permission is not available when you expected it to be.

User

Start by selecting the user performing the session. This dropdown includes both user accounts and access invite policies.

Session Start Method

Select the session start method.

Jump Client / Jump Shortcut

Search for a Jump Client or Jump Shortcut by name, comments, Jump Group, or tag.

Simulate

Click Simulate. In the area below, the permissions configurable by session policy are displayed in read-only mode. You can see which permissions are allowed or denied as a result of the stacked policies, as well as which policy set each permission.
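The precedence rule from the Permissions section (Jump Item over user over global default, with Not Defined falling through) and the simulator's report of which policy set each permission can be modelled in a few lines. The resolver below is an added example, not the product's own code, and the policy names and permission values in `simulate_example` are constructed.

```python
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional, Tuple

# None stands for the "Not Defined" setting: the layer leaves the permission
# to the next lower-priority policy.
NOT_DEFINED = None

# Priority order from the page: Jump Item first, then user, then global default.
PRIORITY = ("jump_item", "user", "global_default")


@dataclass
class SessionPolicy:
    name: str
    # A permission absent from this dict is treated as Not Defined.
    permissions: Dict[str, Any] = field(default_factory=dict)


def resolve(layers: Dict[str, Optional[SessionPolicy]], perms: List[str]) -> Dict[str, Tuple[Any, Optional[str]]]:
    """Return {permission: (effective value, 'layer:policy name' that set it)}."""
    outcome = {}
    for perm in perms:
        value, source = NOT_DEFINED, None
        for layer in PRIORITY:
            policy = layers.get(layer)
            if policy is None:
                continue  # no policy assigned at this layer
            v = policy.permissions.get(perm, NOT_DEFINED)
            if v is not NOT_DEFINED:
                # The highest-priority definition wins; lower layers cannot change it.
                value, source = v, f"{layer}:{policy.name}"
                break
        outcome[perm] = (value, source)  # (None, None) if no layer defines it
    return outcome


def simulate_example() -> Dict[str, Tuple[Any, Optional[str]]]:
    """Constructed sample: a Jump Item policy locks screen sharing and command shell."""
    jump_item = SessionPolicy("DB servers", {"screen_sharing": "View Only", "command_shell": False})
    user = SessionPolicy("Tier 2 admin", {"screen_sharing": "View and Control",
                                           "command_shell": True, "file_transfer": True})
    default = SessionPolicy("Global default", {"screen_sharing": "Deny", "command_shell": False,
                                                "file_transfer": False, "canned_scripts": True})
    layers = {"jump_item": jump_item, "user": user, "global_default": default}
    return resolve(layers, ["screen_sharing", "command_shell", "file_transfer", "canned_scripts"])


if __name__ == "__main__":
    for perm, (value, source) in simulate_example().items():
        print(f"{perm:15} -> {str(value):17} set by {source}")
```

Reading the `source` column answers the troubleshooting question the simulator is meant for: the user's policy grants a command shell, but the Jump Item policy defined it first, so it stays unavailable.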