Users and Security
Users: Add Account Permissions for a User or Admin
Users & Security
Users
User Accounts
View information about all users who have access to your B Series Appliance, including local users and those who have access through security provider integration.
Add User, Edit, Delete
Create a new account, modify an existing account, or remove an existing account. You cannot delete your own account.
Search Users
Search for a specific user account based on username, display name, or email address.
Security Provider
Select a security provider type from the dropdown to filter the list of users by security provider.
Synchronize
Synchronize the users and groups associated with an external security provider. Synchronization occurs automatically once a day. Clicking this button forces a manual synchronization.
Reset Failed Login Attempts and Unlock Account
If a user has one or more failed login attempts, click the Reset button for their user account to reset the number back to zero.
If a user becomes locked due to too many failed consecutive login attempts, click the Unlock Account button for their user account to reset the number back to zero and unlock their account.
Add or Edit User
Username
Unique identifier used to log in.
Display Name
User's name as shown in team chats, in reports, etc.
Email Address
Set the email address to where email notifications are sent, such as password resets or extended availability mode alerts.
Password
Password used with the username to log in. The password may be set to whatever you choose, as long as the string complies with the defined policy set on the /login > Management > Security page.
Email Password Reset Link to User
When checked, admins can send a password reset link to a user.
Must Reset Password at Next Login
If this option is selected, then the user must reset their password at next login.
Password Never Expires
Check this box to set the user's password to never expire.
Password Expiration Date
Set a date for the password to expire.
Memberships
Group Policy Memberships
Listing of the group policies to which the user belongs.
This section allows you to search or select from a dropdown of Available Group Policies, and Add the policy to the user. Policies selected for the user display in a list which can be filtered.
The user can be removed from one or more group policies by selecting the policy or policies and clicking Remove. The default policy cannot be selected.
Unsaved changes to the list are identified as Addition or Removal. Changes can be undone by selecting the policy or policies and clicking Undo.
If the user is a member of multiple group policies, the priority of the policies can be modified by selecting one or more policies and clicking Priority, at the upper right of the list.
Group policies selected for a user can be edited by clicking the name of the policy in the list.
Other memberships do not display while a new user is being created. Once the new user has been saved, the other memberships appear, listing any to which the user may have been added, with links for updating these memberships and for reviewing or editing details about the memberships.
Team Memberships
Listing of the teams to which the user belongs.
Jumpoint Memberships
Listing of the Jumpoints which the user can access.
Jump Group Memberships
Listing of the Jump Groups to which the user belongs.
Vault Account Group Memberships
Listing of the Vault Account Groups to which the user belongs.
Account Settings
Two Factor Authentication
Two factor authentication (2FA) uses an authenticator app to provide a time-based, one time code to login to the administrative interface, as well as the access console. If Required is selected , the user will be prompted to enroll and begin using 2FA at the next login. If Optional is selected, the user will have the option to use 2FA, but itis not required. Click Remove Current Authenticator App if you want a user to stop login in with a specific authenticator.
Account Never Expires
When checked, the account never expires. When not checked, an account expiration date must be set.
Account Expiration Date
Causes the account to expire after a set date.
Account Disabled
Allows you to disable the account so the user cannot log in. Disabling does NOT delete the account.
Comments
Add comments to help identify the purpose of this object.
Passwordless Authenticators
Listing of the passwordless authenticators registered for this user. Admins can view the name, type, registration timestamp, and last used timestamp. Admins can remove one or more authenticators from this list.
General Permissions
Administration
Administrative Privileges
Grants the user full administrative rights.
Allowed to Administer Vault
Enables the user access to the Vault.
Password Setting
Enables the user to set passwords and unlock accounts for non-administrative local users.
Jumpoint Editing
Enables the user to create or edit Jumpoints. This option does not affect the user's ability to access remote computers via Jumpoint, which is configured per Jumpoint or group policy.
Team Editing
Enables the user to create or edit teams.
Jump Group Editing
Enables the user to create or edit Jump Groups.
Canned Script Editing
Enables the user to create or edit canned scripts for use in screen sharing or command shell sessions.
Custom Link Editing
Enables the user to create or edit custom links.
Allowed to View Access Session Reports
Enables the user to run reports on access session activity, viewing only sessions for which they were the primary session owner, only sessions for endpoints belonging to a Jump Group of which the user is a member, or all sessions.
Allowed to View Access Session Recordings
Enables the user to view video recordings of screen sharing sessions and command shell sessions.
Allowed to View Vault Reports
Enables the user to view his or her own vault events or all Vault events.
Allowed to View Syslog Reports
Enables the user to download a ZIP file containing all syslog files available on the appliance. Admins are automatically permissioned to access this report. Non-admin users must request access to view this report.
Access Permissions
Access
Allowed to access endpoints
Enables the user to use the access console in order to run sessions. If endpoint access is enabled, options pertaining to endpoint access will also be available.
Session Management
Allowed to share sessions with teams which they do not belong to
Enables the user to invite a less limited set of user to share sessions, not only their team members. Combined with the extended availability permission, this permission expands session sharing capabilities.
For more information, please see Control the Remote Endpoint with Screen Sharing.
Allowed to invite external users
Enables the user to invite third-party users to participate in a session, one time only.
For more information, please see Invite External Users to Join an Access Session.
Allowed to enable extended availability mode
Enables the user to receive email invitations from other users requesting to share a session even when they are not logged into the access console.
For more information, please see Use Extended Availability to Stay Accessible When Not Logged In.
Allowed to edit the external key
Enables the user to modify the external key from the session info pane of a session within the access console.
For more information, please see Access Session Overview and Tools.
User to User Screen Sharing
For more information, please see Share your Screen with Another User.
Allowed to show screen to other users
Enables the user to share their screen with another user without the receiving user having to join a session. This option is available even if the user is not in a session.
Allowed to give control when showing screen to other users
Enables the user sharing their screen to give keyboard and mouse control to the user viewing their screen.
Jump Technology
Allowed Jump Item Methods
Enables the user to Jump to computers using Jump Clients, Local Jump on the local network, Remote Jump via a Jumpoint, Remote VNC via a Jumpoint, Remote RDP via a Jumpoint, Web Jump via a Jumpoint, Shell Jump via a Jumpoint, and Protocol Tunnel Jump via a Jumpoint.
Jump Item Roles
A Jump Item Role is a predefined set of permissions regarding Jump Item management and usage. For each option, click Show to open the Jump Item Role in a new tab.
The Default role is used only when Use User's Default is set for that user in a Jump Group.
The Personal role applies only to Jump Items pinned to the user's personal list of Jump Items.
The Teams role applies to Jump Items pinned to the personal list of Jump Items of a team member of a lower role. For example, a team manager can view team leads' and team members' personal Jump Items, and a team lead can view team members' personal Jump Items.
The System role applies to all other Jump Items in the system. For most users, this should be set to No Access. If set to any other option, the user is added to Jump Groups to which they would not normally be assigned, and in the access console, they can see non-team members' personal lists of Jump Items.
A new Jump Item Role called Auditor is automatically created on new site installations. On existing installations it has to be created. This role only has a single View Reports permission enabled, giving admins the option to grant a user just the permission to run Jump Item reports, without the need to grant any other permission.
For more information, please see Use Jump Item Roles to Configure Permission Sets for Jump Items.
Session Permissions
Set the prompting and permission rules that should apply to this user's sessions. Choose an existing session policy or define custom permissions for this user. If Not Defined, the global default policy will be used. These permissions may be overridden by a higher policy.
Description
View the description of a pre-defined session permission policy.
Screen Sharing
Screen Sharing Rules
Select the representative's and remote user's access to the remote system:
- If Not Defined, this option is set by the next lower priority policy. This setting may be overridden by a higher priority policy.
- Deny disables screen sharing.
- View Only allows the representative to view the screen.
- View and Control allows the representative to view and take action on the system. If this is selected, endpoint restrictions can be set to avoid interference by the remote user:
- None does not set any restrictions on the remote system.
- Display, Mouse, and Keyboard disables these inputs. If this is selected, a check box is available to Automatically request a privacy screen on session start. Privacy screen is applicable only for sessions started from a Jump Client, a Remote Jump item, or a Local Jump item. We recommend using privacy screen for unattended sessions. The remote system must support privacy screen.
For more information, please see Control the Remote Endpoint with Screen Sharing.
Clipboard Synchronization Direction
Select how clipboard content flows between users and endpoints. The options are:
- Not allowed: The user is not allowed to use the clipboard, no clipboard icons display in the access console, and cut and paste commands do not work.
- Allowed from Rep to Customer: The user can push clipboard content to the endpoint but cannot paste from the endpoint's clipboard. Only the Send clipboard icon displays in the access console.
- Allowed in Both Directions: Clipboard content can flow both ways. Both Push and Get clipboard icons display in the access console.
For more information about the Clipboard Synchronization Mode, please see Security: Manage Security Settings.
Application Sharing Restrictions
Limit access to specified applications on the remote system with either Allow only the listed executables or Deny only the listed executables. You may also choose to allow or deny desktop access.
This feature applies only to Windows operating systems.
Add New Executables
If application sharing restrictions are enforced, an Add New Executables button appears. Clicking this button opens a dialog that allows you to specify executables to deny or allow, as appropriate to your objectives.
After you have added executables, one or two tables display the file names or hashes you have selected for restriction. An editable comment field allows administrative notes.
Enter file names or SHA-256 hashes, one per line
When restricting executables, manually enter the executable file names or hashes you wish to allow or deny. Click on Add Executable(s) when you are finished to add the chosen files to your configuration.
You may enter up to 25 files per dialog. If you need to add more, click Add Executable(s) and then reopen the dialog.
Browse for one or more files
When restricting executables, select this option to browse your system and choose executable files to automatically derive their names or hashes. If you select files from your local platform and system in this manner, use caution to ensure that the files are indeed executable files. No browser level verification is performed.
Choose either Use file name or Use file hash to have the browser derive the executable file names or hashes automatically. Click Add Executable(s) when you are finished to add the chosen files to your configuration.
You may enter up to 25 files per dialog. If you need to add more, click Add Executable(s) and then reopen the dialog.
This option is available only in modern browsers, not in legacy browsers.
Allowed Endpoint Restrictions
Set if the user can suspend the remote system's mouse and keyboard input. The user may also prevent the remote desktop from being displayed.
For more information, please see Control the Remote Endpoint with Screen Sharing.
Annotations
Annotation Rules
Enables the user to use annotation tools to draw on the remote system's screen. If Not Defined, this option is set by the next lower priority policy. This setting may be overridden by a higher priority policy.
For more information, please see Use Annotations to Draw on the Remote Screen of the Endpoint.
File Transfer
File Transfer Rules
Enables the user to upload files to the remote system, download files from the remote system, or both. If Not Defined, this option is set by the next lower priority policy. This setting may be overridden by a higher priority policy.
Accessible paths on the endpoint's filesystem
Allow the user to transfer files to or from any directories on the remote system or only specified directories.
Accessible paths on user's filesystem
Allow the user to transfer files to or from any directories on their local system or only specified directories.
For more information, please see File Transfer to and from the Remote System Endpoint.
Command Shell
Command Shell Rules
Enables the user to issue commands on the remote computer through a virtual command line interface. If Not Defined, this option is set by the next lower priority policy. This setting may be overridden by a higher priority policy.
Command shell access cannot be restricted for Shell Jump sessions.
Configure command filtering to prevent accidental use of commands that can be harmful to endpoint systems.
For more information on command filtering, please see Use Shell Jump to Access a Remote Network Device.
For more information, please see Open the Command Shell on the Remote Endpoint Using the Access Console.
System Information
System Information Rules
Enables the user to see system information about the remote computer. If Not Defined, this option is set by the next lower priority policy. This setting may be overridden by a higher priority policy.
Allowed to use system information actions
Enables the user to interact with processes and programs on the remote system without requiring screen sharing. Kill processes; start, stop, pause, resume, and restart services; and uninstall programs.
For more information, please see View System Information on the Remote Endpoint.
Registry Access
Registry Access Rules
Enables the user to interact with the registry on a remote Windows system without requiring screen sharing. View, add, delete and edit keys, search and import/export keys.
For more information, please see Access the Remote Registry Editor on the Remote Endpoint.
Canned Scripts
Canned Script Rules
Enables the user to run canned scripts that have been created for their teams. If Not Defined, this option is set by the next lower priority policy. This setting may be overridden by a higher priority policy.
For more information, please see Open the Command Shell on the Remote Endpoint Using the Access Console .
Session Termination Behavior
If unable to reconnect within the time you set by Reconnect Timeout, choose what action to take. To prevent an end-user from accessing unauthorized privileges after an elevated session, set the client to automatically log the end user out of the remote Windows computer at session end, to lock the remote computer, or to do nothing. These rules do not apply to browser sharing sessions.
Allow users to override this setting per session
You can allow a user to override the session termination setting from the Summary tab in the console during a session.
Availability Settings
Login Schedule
Restrict user login to the following schedule
Set a schedule to define when users can log into the access console. Set the time zone you want to use for this schedule, and then add one or more schedule entries. For each entry, set the start day and time and the end day and time.
If, for instance, the time is set to start at 8 am and end at 5 pm, a user can log in at any time during this window but may continue to work past the set end time. They will not, however, be allowed to log back in after 5 pm.
Force logout when the schedule does not permit login
If stricter access control is required, check this option. This forces the user to log out at the scheduled end time. In this case, the user receives recurring notifications beginning 15 minutes prior to being disconnected. When the user is logged out, any owned sessions will follow the session fallback rules.
User Account Report
Export detailed information about your users for auditing purposes. Gather detailed information for all users, users from a specific security provider, or just local users. Information collected includes data displayed under the "show details" button, plus group policy and team memberships and permissions, and passwordless authentication registration and last usage.
