Use Cases for Implementing Jump Items

To offer you the most flexibility and control over your Jump Items, BeyondTrust includes quite a few separate areas where permissions must be configured. To help you understand how you might want to set up your system, we have provided two use cases below.

Basic Use Case

You are a small organization without a lot of Jump Items or users to manage. You want your administrators to manage all of the Jump Item setup steps and your users to only be able to Jump to those items.

Jump Item Roles

  1. Create two Jump Item Roles, Administrator and Start Sessions Only.
    • The Administrator role should have all permissions enabled.
    • The Start Sessions Only role should have only Start Sessions enabled.

 

Jump Groups - Shared

  1. Create a Shared Jump Group that will contain all shared Jump Items. Personal Jump Items can also be created.

 

Group Policies

  1. Put users into two group policies, Admin and Users.

 

Admin Group Policy Settings

  1. In the Admin group, configure settings and permissions as appropriate. The permissions should include the following:
    • Define Access Permissions and check Allowed to access endpoints.
    • Under Jump Technology, check all Allowed Jump Methods that your organization will use.
    • Under Jump Item Roles, set the Default and Personal roles to Administrator.
    • Set the Team and System roles to Start Sessions Only.
    • Under Memberships, define Add to Jump Groups.
    • In the Jump Group field, search for and select Shared.
    • Set the Jump Item Role to Administrator.
    • Click Add to assign the members of this group policy to the Jump Group.
    • Save the group policy.

 

Users Group Policy Settings

  1. In the Users group, configure settings and permissions as appropriate. The permissions should include the following:
    • Define Access Permissions and check Allowed to access endpoints.
    • Under Jump Technology, check all Allowed Jump Methods that your organization will use.
    • Under Jump Item Roles, set the Default to Start Sessions Only.
    • Set the Personal Jump Item Role to Administrator.
    • Set the Team and System roles to No Access.
    • Under Memberships, define Add to Jump Groups.
    • In the Jump Group field, search for and select Shared.
    • Set the Jump Item Role to Start Sessions Only.
    • Click Add to assign the members of this group policy to the Jump Group.
    • Save the group policy.

 

Jump Client Mass Deployment Wizard

  1. Deploy Jump Items, assigning them to the Shared Jump Group.

 

  1. Now, administrators can deploy and start sessions with Jump Items in the Shared Jump Group. They can also manage their personal lists of Jump Items and start sessions with all other Jump Items.

    Likewise, users can now start sessions with Jump Items in the Shared Jump Group. They can also manage their personal lists of Jump Items.

Advanced Use Case

You are a large organization with a lot of Jump Items to manage and with users to manage in three different departments. You want your administrators to manage all of the Jump Item setup steps and your users to only be able to Jump to those items. In addition to your local users, you have some third-party vendors who need occasional access. Some Jump Items should be accessible at all times, while others should be accessible only once a week.

Jump Item Roles

  1. Create two Jump Item Roles, Administrator and Start Sessions Only.
    • The Administrator role should have all permissions enabled.
    • The Start Sessions Only role should have only Start Sessions enabled.

 

Jump Policies

  1. Create three Jump Policies, Thursdays, Notification Sent, and Authorization Required.

 

Jump Policies - Thursday

  1. For the Thursdays policy, enable the Jump Schedule.
    • Click Add Schedule Entry.
    • Set the Start day and time to Thursday 8:00 and the End day and time to Thursday 17:00.
    • Save the Jump Policy.

     

     

Jump Policies - Notification

  2. For the Notification Sent policy, check Notify recipients when a session starts.
    • Add the Email Addresses of one or more recipients who should be notified when a session starts.
    • Add a Display Name such as Manager. When a user attempts to start a session with a Jump Item that has this policy applied, the user sees an alert that a notification will be sent to the name set here.
    • Save the Jump Policy.

     

     

Jump Policies - Authorization

  3. For the Authorization Required policy, check Require approval before a session starts.
    • Set the Maximum Access Duration to 3 Hours.
    • Under Access Approval Applies to, select Requestor Only.
    • Add the Email Addresses of one or more recipients who can approve or deny access to Jump Items.
    • Add a Display Name such as Manager. When a user requests access to a Jump Item that has this policy applied, the user must fill out a request for authorization form. On that form, the approver's name is displayed as set here.
    • Save the Jump Policy.

 

Jump Groups

  1. Create three Jump Groups, Web Servers, Directory Servers, and User Systems. Personal Jump Items can also be created.

 

Group Policies

  1. Put users into three group policies, Admin, Local Users, and Third-Party Users.

 

Group Policies - Administrators

  1. In the Admin group, configure settings and permissions as appropriate. The permissions should include the following:
    • Define Access Permissions and check Allowed to access endpoints.
    • Under Jump Technology, check all Allowed Jump Methods that your organization will use.
    • Under Jump Item Roles, set the Default and Personal roles to Administrator.
    • Set the Team and System roles to Start Sessions Only.
    • Under Memberships, define Add to Jump Groups.
    • In the Jump Group field, search for and select Web Servers.
      • Set the Jump Item Role to Administrator.
      • Leave Jump Policy set to Set on Jump Items.
      • Click Add to assign the members of this group policy to the Jump Group.
    • In the Jump Group field, search for and select Directory Servers.
      • Set the Jump Item Role to Administrator.
      • Leave Jump Policy set to Set on Jump Items.
      • Click Add to assign the members of this group policy to the Jump Group.
    • In the Jump Group field, search for and select User Systems.
      • Set the Jump Item Role to Administrator.
      • Leave Jump Policy set to Set on Jump Items.
      • Click Add to assign the members of this group policy to the Jump Group.
    • Save the group policy.

 

Group Policies - Local Users

  1. In the Local Users group, configure settings and permissions as appropriate. The permissions should include the following:
    • Define Access Permissions and check Allowed to access endpoints.
    • Under Jump Technology, check all Allowed Jump Methods that your organization will use.
    • Under Jump Item Roles, set the Default to Start Sessions Only.
    • Set the Personal Jump Item Role to Administrator.
    • Set the Team and System roles to No Access.
    • Under Memberships, define Add to Jump Groups.
    • In the Jump Group field, search for and select Web Servers.
      • Set the Jump Item Role to Start Sessions Only.
      • Set Jump Policy to Notification Sent.
      • Click Add to assign the members of this group policy to the Jump Group.
    • In the Jump Group field, search for and select Directory Servers.
      • Set the Jump Item Role to Start Sessions Only.
      • Set Jump Policy to Notification Sent.
      • Click Add to assign the members of this group policy to the Jump Group.
    • In the Jump Group field, search for and select User Systems.
      • Set the Jump Item Role to Start Sessions Only.
      • Set Jump Policy to Thursdays.
      • Click Add to assign the members of this group policy to the Jump Group.
    • Save the group policy.

 

Group Policies - Third-Party Users

  1. In the Third-Party Users group, configure settings and permissions as appropriate. The permissions should include the following:
    • Define Access Permissions and check Allowed to access endpoints.
    • Under Jump Technology, check all Allowed Jump Methods that these users should be allowed to use.
    • Under Jump Item Roles, set all roles to No Access.
    • Under Memberships, define Add to Jump Groups.
    • In the Jump Group field, search for and select Web Servers.
      • Set the Jump Item Role to Start Sessions Only.
      • Set Jump Policy to Authorization Required.
      • Click Add to assign the members of this group policy to the Jump Group.
    • Save the group policy.

 

Jump Clients Mass Deployment Wizard

  1. Deploy Jump Items, assigning them to the three Jump Groups as appropriate. If any particular Jump Item requires a different Jump Policy, assign that, as well.

 

  1. Now, administrators can deploy and start sessions with Jump Items in all three Jump Groups. They can also manage their personal lists of Jump Items and start sessions with all other Jump Items.

    Likewise, local users can now start sessions with Jump Items in all three Jump Groups, with a notification sent upon session start and with user systems accessible only on Thursdays. They can also manage their personal lists of Jump Items.

    Finally, third-party users can start sessions with Jump Items in the Web Servers Jump Group, with approval required before they can complete the Jump. They cannot deploy personal Jump Items.
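The Advanced Use Case memberships can be written down as a small decision model and checked against the outcomes listed above before the settings are entered in /login. This is an added example, not BeyondTrust code or a BeyondTrust API; the function names, the approvals tuple shape, the exclusive end of the Thursday window, and an approval window that starts at approval time and always runs the full 3 hours are assumptions.

```python
from datetime import datetime, timedelta

# (group policy, Jump Group) -> (Jump Item Role, Jump Policy), as configured above.
# None stands for "Set on Jump Items"; this model assumes no per-item policy is set.
MEMBERSHIPS = {
    ("Admin", "Web Servers"): ("Administrator", None),
    ("Admin", "Directory Servers"): ("Administrator", None),
    ("Admin", "User Systems"): ("Administrator", None),
    ("Local Users", "Web Servers"): ("Start Sessions Only", "Notification Sent"),
    ("Local Users", "Directory Servers"): ("Start Sessions Only", "Notification Sent"),
    ("Local Users", "User Systems"): ("Start Sessions Only", "Thursdays"),
    ("Third-Party Users", "Web Servers"): ("Start Sessions Only", "Authorization Required"),
}
MAX_ACCESS = timedelta(hours=3)  # Maximum Access Duration on Authorization Required


def in_thursday_window(when):
    """Thursday 8:00 to Thursday 17:00; the end is treated as exclusive (assumption)."""
    return when.weekday() == 3 and 8 <= when.hour < 17


def approved(requester, jump_group, when, approvals):
    """Requestor Only: an approval covers only the user who asked for it."""
    return any(
        who == requester and group == jump_group and at <= when < at + MAX_ACCESS
        for who, group, at in approvals
    )


def evaluate(group_policy, jump_group, when, requester=None, approvals=()):
    """Return 'deny', 'allow', 'allow+notify' or 'needs-approval'.

    approvals is an iterable of (requester, jump_group, approved_at) tuples
    (hypothetical shape). Personal, Team and System roles are not modelled.
    """
    membership = MEMBERSHIPS.get((group_policy, jump_group))
    if membership is None:
        return "deny"  # no Jump Group membership in this model
    _role, policy = membership
    if policy == "Thursdays":
        return "allow" if in_thursday_window(when) else "deny"
    if policy == "Notification Sent":
        return "allow+notify"
    if policy == "Authorization Required":
        ok = approved(requester, jump_group, when, approvals)
        return "allow" if ok else "needs-approval"
    return "allow"
```

Any row added to MEMBERSHIPS for Third-Party Users beyond Web Servers, or any third-party row without Authorization Required, shows up as a changed decision when the same checks are rerun.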