Group Policies: Apply User Permissions to Groups of Users

Users & Security

Group Policies

The Group Policies page enables you to set up groups of users who will share common privileges.

Add New Policy, Edit, Delete

Create a new policy, modify an existing policy, or remove an existing policy.

If you edit the group policy that is the default for the local provider, or has local administrator users, and remove administrator permissions, a warning message appears. Ensure other users have administrator permissions before proceeding.

Change Order

Click the Change Order button to drag and drop group policies to set their priority. Click Save Order for prioritization changes to take effect. When multiple policies apply to a given user, the permissions take effect by starting at the top of the Group Policies list, and then moving down the list. If a permission conflicts with a permission applied by a group policy higher in the list, then the lower permission will overwrite the higher, unless the higher was set as Final. In short, group policies that appear lower in the list have a higher functional priority than those that are higher.

Search Group Policies

To quickly find an existing policy in the list of Group Policies, enter the name, or part of the name. The list filters to all policies with a name containing the entered search term. The list remains filtered until the search term is removed, even if the user goes to other pages or logs out. To remove the search term, click the X to the right of the search box.

If you click the Change Order button after searching the list, all group policies appear. You can drag and drop group policies to set their priority. When you click Save Order, the changes take effect and the list returns to policies with a name containing the entered search term.

Expand All / Collapse All

To assist with searching and navigating the group policies, click the Expand All link above the grid to expand the details of all listed group policies. Click Collapse All to return to the unexpanded list of group polices.

Copy

To expedite the creation of similar policies, click Copy to create a new policy with identical settings. You can then edit this new policy to meet your specific requirements.

Add or Edit Policy

After making your edits, click Save to save your changes to this group policy.

Policy Name

Create a unique name to help identify this policy.

Available Members and Policy Members

To assign members, select a member from the Available Members list and click Add to move it to the Policy Members box. Use the Search box to find existing members.

You can select users from your local system, or select users or entire groups from configured security providers. To add users or groups from an external directory store such as LDAP, RADIUS, or Kerboros, you must first configure the connection on the /login > Users & Security > Security Providers page. If an attempt to add a user from a configured security provider is invalid, the synchronization log error message appears here as well as in the log.

Account Settings

Which account settings should this Group Policy control?

Decide if a setting should be Defined within this policy. If it is, you can select Final to prevent other policies of a lower priority from overriding the permission value set by this policy. Select All to define all settings in this section.

Two Factor Authentication: Log in with an Authenticator app

Select whether the user is required to log in using an authenticator app, or has the option to do so (default setting). If Required is selected, the next time the user tries to login to either the administrative interface or the representative console, a screen displays requiring the activation of two-factor authentication.

For more information on 2FA, please see How to Use Two Factor Authentication with BeyondTrust Remote Support.

Account Expiration: Account Never Expires

If this option is selected, the account never expires.

Account Expiration: Account Expiration Date

Causes the account to expire on a given date.

Account Enablement: Account Disabled

Disables the account so the user cannot log in. Disabling does NOT delete the account.

Display Name Editing: Allowed to Change Their Display Names

Enables users to change their display names.

Photo Editing: Allowed to Change Their Photo

Enables users to change their avatar photos, which display on the /login administrative interface and in the customer client chat window.

Showing on Public Site: Allowed to Show on Public Site

Displays the user's name on all public sites that have the representative list enabled.

Comments

Add comments to help identify the purpose of this account.

General Permissions

Which general settings should this Group Policy control?

Administration

Administrative Privileges: Administrator

Grants the user full administrative rights.

Vault Administrative Privileges: Allowed to Administer Vault

Enables the user to manage all aspects of the BeyondTrust Vault add-on.

Password Setting: Allowed to Set Passwords

Enables the user to set passwords and unlock accounts for non-administrative local users.

Jumpoint Editing: Allowed to Edit Jumpoints

Enables the user to create or edit Jumpoints. This option does not affect the user's ability to access remote computers via Jumpoint, which is configured per Jumpoint or group policy.

Public Site Editing: Allowed to Edit Public Site

Enables the user to create and modify public site configurations, edit HTML templates, view the translation interface, etc.

Customer Notice Editing: Allowed to Edit Customer Notices

Enables the user to create and edit messages used to notify customers, as they are requesting support, of broadly impacting IT outages.

File Store Editing: Allowed to Edit File Store

Enables the user to add or remove files from the file store.

Canned Message Editing: Allowed to Edit Canned Messages

Enables the user to create or edit canned chat messages.

Support Team Editing: Allowed to Edit Support Teams

Enables the user to create or edit support teams.

Jump Group Editing: Allowed to Edit Jump Groups

Enables the user to create or edit Jump Groups.

Issue Editing: Allowed to Edit Issues

Enables the user to create and edit issues.

Skill Editing: Allowed to Edit Skills

Enables the user to create and edit skills.

Support Button Profile Editing: Allowed to Edit Support Button Profiles

Enables the user to customize Support Button profiles.

Canned Script Editing: Allowed to Edit Canned Scripts

Enables the user to create or edit canned scripts for use in screen sharing or command shell sessions.

Custom Rep Link Editing: Allowed to Edit Custom Rep Links

Enables the user to create or edit custom links.

Access Sponsor Editing: Allowed to Edit Access Sponsors

Enables the user to create or edit access sponsor teams.

iOS Profile Editing: Allowed to Edit iOS Profiles

Enables the user to create, edit and upload Apple iOS Profile content for distribution to iOS device users.

Reporting

Session and Team Report Access: Allowed to View Support Session Reports

Enables the user to run reports on support session activity, viewing only sessions in which they were the primary representative, only sessions in which one of their teams was the primary team or one of their teammates was the primary representative, or all sessions.

Session and Team Report Access: Allowed to view support session recordings

Enables the user to view video recordings of screen sharing sessions, Show My Screen sessions, and command shell sessions.

License Usage Report Access: Allowed to View License Usage Reports

Enables the user to run reports on BeyondTrust license usage.

Vault Report Access: Allowed to View Vault Reports

Enables the user to run reports on Vault activity, viewing all event data or only their event data.

Presentation Report Access: Allowed to View Presentation Session Reports

Enables the user to run reports on presentation activity, viewing only presentations in which they were the presenter, only sessions in which one of their teammates was the presenter, or all presentations.

Allowed to View Support Session Recordings

Enables the user to view recordings of screen sharing sessions and command shell sessions. It does not affect presentation recordings.

Allowed to View License Usage Reports

Enables the user to view Representative License Report.

Syslog Report Access: Allowed to View Syslog Reports

Enables the user to download a ZIP file containing all syslog files available on the appliance. Admins automatically have permissions to access this report. Non-admin users must request access to view this report.

Representative Permissions

Allowed to provide remote support

Enables the user to use the representative console in order to run support sessions. If support is enabled, options pertaining to remote support will also be available. Disable this setting for presentation-only users.

Session Management

Allowed to generate session keys for support sessions within the representative console

Enables the user to generate session keys to allow customers to start sessions with them directly.

For more information, please see Generate a Session Key to Start a Support Session.

Allowed to generate access keys for sending iOS profiles

Enables the user to generate access keys to offer iOS content to iOS device users.

For more information, please see Generate an Apple iOS Profile Access Key.

Allowed to manually accept sessions from a team queue

Enables the user to select and start sessions that are in one of their team queues.

For more information, please see Accept a Session to Start Support.

Allowed to transfer sessions to teams which they do not belong to

Enables the user to transfer sessions to teams other than their own. If disabled, user interaction is restricted solely to the user's assigned teams.

For more information, please see Support Session Overview and Tools.

Allowed to share sessions with teams which they do not belong to

Enables the user to invite a less limited set of user to share sessions, not only their team members. Combined with the extended availability permission, this permission expands session sharing capabilities.

For more information, please see Support Session Overview and Tools.

Allowed to invite external support representatives

Enables the user to invite third-party users to participate in a support session, for the duration of that session only.

For more information, Invite External Representatives to Join a Session in the BeyondTrust Representative Console guide.

Allowed to use the Get Next Session feature

Enables the user to start supporting the oldest queued session from all of their teams simply by clicking a button.

For more information, please see Accept a Session to Start Support.

Allowed to enable extended availability mode

Enables the user to receive email invitations from other users requesting to share a session even when they are not logged into the representative console.

For more information, please see Use Extended Availability to Stay Accessible When Not Logged In.

Allowed to edit the external key

Enables the user to modify the external key from the session info pane of a session within the representative console.

For more information, please see Support Session Overview and Tools.

Equilibrium

For more information, please see .

Allowed to opt out of session assignments

Enables the representative to mark himself or herself as unavailable for sessions to be assigned using Equilibrium.

Do not assign sessions if the representative is participating in at least

Sets the least number of sessions the representative must be supporting before sessions will no longer be automatically assigned using Equilibrium.

Do not assign sessions if the representative has been idle for at least

Sets the least amount of time the representative must have been idle before sessions will no longer be automatically assigned using Equilibrium.

Rep to Rep Screen Sharing

For more information, please see Share your Screen with Another Representative.

Allowed to show screen to other representatives

Enables the user to share their screen with another user without the receiving user having to join a session. This option is available even if the user is not in a session.

Allowed to give control when showing screen to other representatives

Enables the user sharing their screen to give keyboard and mouse control to the user viewing their screen.

Support Buttons

For more information, please see Support Session Overview and Tools.

Allowed to deploy and manage Support Buttons in personal queue

Enables the user to deploy and manage personal Support Buttons. This setting affects deploying Support Buttons from both the web interface and the representative console. To deploy a Support Button from within a session, the Support Button Deployment session permission must also be allowed.

Allowed to manage Team Support Buttons

Enable the user to modify the Support Buttons deployed to teams they are a member of. If the user is a team lead or manager, they can modify the personal Support Buttons of any team members as well.

For more information, please see Manage Support Buttons at .

Allowed to change the Public Portal associated with Support Buttons

Enables the user to set the public portal through which a Support Button should connect. Because session policies may be applied to public portals, changing the portal may affect the permissions allowed in the session.

Allowed to deploy Team Support Buttons

Enables the user to deploy team Support Buttons for teams they are a member of. This setting affects deploying Support Buttons from both the web interface and the representative console. To deploy a Support Button from within a session, the Support Buttons Deployment session permission must also be allowed.

Jump Technology

Allowed Jump Methods

Enables the user to Jump to computers using Jump Clients, Local Jump, Local VNC, Local RDP, Remote Jump, Remote VNC, Remote RDP, Shell Jump, and/or Intel vPro.

Jump Item Roles

A Jump Item Role is a predefined set of permissions regarding Jump Item management and usage. For each option, click the Edit button to open the Jump Item Role in a new tab.

The Default role is used only when Use User's Default is set for that user in a Jump Group.

The Personal role applies only to Jump Items pinned to the user's personal list of Jump Items.

The Teams role applies to Jump Items pinned to the personal list of Jump Items of a team member of a lower role. For example, a team manager can view team leads' and team members' personal Jump Items, and a team lead can view team members' personal Jump Items.

The System role applies to all other Jump Items in the system. For most users, this should be set to No Access. If set to any other option, the user is added to Jump Groups to which they would not normally be assigned, and in the representative console, they can see non-team members' personal lists of Jump Items.

For more information, please see Use Jump Item Roles to Create Permission Sets for Jump Clients.

Presentation

Allowed to give presentations

Enables the representative to give presentations to one or more attendees.

For more information, please see Give a Presentation to Remote Attendees.

Allowed to grant control to a presentation attendee

Enables the representative to grant control of their computer to an attendee during a presentation. This setting affects only presentations and does not impact the Show My Screen feature of a support session. Only one attendee at a time can have control. The representative always maintains overriding control.

For more information, please see Presentation Attendee Client: Join a Presentation.

Representative Console

Idle Timeout

Set how long the representative can be idle before being logged out of the representative console. This permission can use the site-wide setting or can override that setting.

Attended and Unattended Session Permissions

Attended and Unattended Session Policies

Session Policy

Set the prompting and permission rules that should apply to this user's sessions. Choose an existing session policy or define custom permissions for this user. If Not Defined, the global default policy will be used. These permissions may be overridden by a higher policy.

Use the same permissions for Unattended sessions

To use the same permissions for both attended and unattended sessions, check Use the same permissions for Unattended sessions. Uncheck this box to define attended and unattended permissions separately. You can also copy the permissions from one to the other.

Description

View the description of a pre-defined session permission policy.

Support Tool Prompting

For more information, please see Customer Client: Support Session Interface.

Prompting Rules

Choose to ask the customer permission to use any of the support features below. Select No Prompting to never prompt, Always Prompt to always prompt, or Prompt for Some Tools to choose which permissions to prompt for. If Prompt for Some Tools is chosen, a Prompt Customer option will appear beside each tool with the options to Never prompt or to Always prompt. If Not Defined, this option will be set by the next lower priority policy. This setting may be overridden by a higher priority policy.

Allowed to prompt once

If Screen Sharing is set to View and Control and prompting is enabled, this option appears. Check the box to make the screen sharing prompt request access to all tools during the session, with no further prompts.

Prompting Options

Set how long to wait for a response to a prompt before defaulting to the answer of Deny or Allow. If Not Defined, this option will be set by the next lower priority policy. This setting may be overridden by a higher priority policy.

Screen Sharing

Screen Sharing Rules

Enable the user to view or control the remote screen. If Not Defined, this option will be set by the next lower priority policy. This setting may be overridden by a higher priority policy.

For more information, please see Screen Share with the Remote Customer for View and Control.

Allowed to show their screen to the customer

Enables the user to share their screen with the customer during a support session. This option is available if View Only or View or Control is selected.

For more information, please see Show My Screen: Reverse Screen Share.

Allowed Customer Restrictions

Set if the user can suspend the remote system's mouse and keyboard input. The user may also prevent the remote desktop from being displayed. This is option is available if View and Control is selected. If Display, Mouse and Keyboard is the selected Customer Restriction, a check box is available to Automatically request a privacy screen on session start. Privacy screen is applicable only for sessions started from a Jump Client, a Remote Jump item, or a Local Jump item. We recommend using privacy screen for unattended sessions. The remote system must support privacy screen.

For more information, please see Restricted Customer Interaction: Privacy Screen, Disable Remote Input.

Application Sharing Prompt Behavior

Set if a request for screen sharing should always or never prompt the customer to select applications to share, or if the user can choose whether to prompt for application sharing or not. Selecting Always or Rep Decides also allows you to predefine application sharing restrictions.

For more information, please see Application Sharing: Limit What the Representative Can See.

Clipboard Synchronization Direction

This is option is available if View and Control is selected. Select how clipboard content flows between representatives and end users. The options are:

Not allowed: The representative is not allowed to use the clipboard, no clipboard icons display in the representative console, and cut and paste commands do not work.
Allowed from Rep to Customer: The representative can push clipboard content to the customer but cannot paste from the end user's clipboard. Only the Send clipboard icon displays in the representative console.
Allowed in Both Directions: Clipboard content can flow both ways. Both Push and Get clipboard icons display in the representative console.

For more information about the Clipboard Synchronization Mode, please see Security: Manage Security Settings.

Annotations

Annotation Rules

Enables the user to use annotation tools to draw on the remote system's screen. If Not Defined, this option will be set by the next lower priority policy. This setting may be overridden by a higher priority policy.

More more information, please see Use Annotations to Draw on the Remote Screen at .

File Transfer

File Transfer Rules

Enables the user to upload files to the remote system, download files from the remote system, or both. If Not Defined, this option will be set by the next lower priority policy. This setting may be overridden by a higher priority policy.

Accessible paths on customer's filesystem

Allow the user to transfer files to or from any directories on the remote system or only specified directories.

Accessible paths on representative's filesystem

Allow the user to transfer files to or from any directories on their local system or only specified directories.

For more information, please see File Transfer to and from the Remote System.

Command Shell

Command Shell Rules

Enables the user to issue commands on the remote computer through a virtual command line interface. If Not Defined, this option will be set by the next lower priority policy. This setting may be overridden by a higher priority policy.

Command shell access cannot be restricted for Shell Jump sessions.

For more information, please see Access the Remote Command Shell.

System Information

System Information Rules

Enables the user to see system information about the remote computer. If Not Defined, this option will be set by the next lower priority policy. This setting may be overridden by a higher priority policy.

Allowed to use system information actions

Enables the user to interact with processes and programs on the remote system without requiring screen sharing. Kill processes; start, stop, pause, resume, and restart services; and uninstall programs.

For more information, please see View Remote System Information.

Registry Access

Registry Access Rules

Enables the user to interact with the registry on a remote Windows system without requiring screen sharing. View, add, delete and edit keys, search and import/export keys.

For more information, please see Access the Remote Registry Editor.

Canned Scripts

Canned Script Rules

Enables the user to run canned scripts that have been created for their teams. Note that when the user is in view-only screen sharing, the customer receives a prompt to allow the script to run.If Not Defined, this option will be set by the next lower priority policy. This setting may be overridden by a higher priority policy.

For more information, please see Access the Remote Command Shell.

Elevation

Elevation Rules

Enables the user to attempt to elevate the customer client to run with administrative rights on the remote system. If Not Defined, this option will be set by the next lower priority policy. This setting may be overridden by a higher priority policy.

For more information, please see Elevate the Client.

Support Button Deployment

Support Button Deployment Rules

Enables the user to deploy or remove a Support Button while in a session. Locations available for deployment depend on the Support Button settings above. If Not Defined, this option will be set by the next lower priority policy. This setting may be overridden by a higher priority policy.

For more information, please see Support Session Overview and Tools.

Jump Clients Pinning/Unpinning

Jump Clients Pinning/Unpinning Rules

Enables the user to pin or unpin a Jump Client while in a session. Locations available for deployment depend on the Jump Client settings above. If Not Defined, this option will be set by the next lower priority policy. This setting may be overridden by a higher priority policy.

For more information, please see Support Session Overview and Tools.

Chat

For more information, please see Chat with the Customer During a Session.

Chat Rules

Enables the user to chat with the remote customer. If Not Defined, this option will be set by the next lower priority policy. This setting may be overridden by a higher priority policy.

Allowed to push URLs to the customer's web browser

Enables the user to enter a URL into the chat area and then click the Push URL button to automatically open a web browser to that address on the remote computer.

Allowed to send files using the chat interface

Enables the user to send files via the chat interface.

For more information, please see Customer Client: Support Session Interface.

Session Termination Behavior

If unable to reconnect within the time you set by Reconnect Timeout, choose what action to take. To prevent an end-user from accessing unauthorized privileges after an elevated session, set the client to automatically log the end user out of the remote Windows computer at session end, to lock the remote computer, or to do nothing. These rules do not apply to browser sharing sessions.

Allow users to override this setting per session

You can allow a user to override the session termination setting from the Summary tab in the console during a session.

Chat Session Permissions

Allowed to push URLs to the customer's web browser

Enables the user to enter a URL into the chat area and then click the Push URL button to automatically open a web browser to that address on the remote computer.

Allowed to send files using the chat interface

Enables the user to send files via the chat interface.

For more information, please see Customer Client: Support Session Interface.

Availability Settings

Which availability settings should this Group Policy control?

Full Support License Pool

Choose the license pool to which this representative should belong. When this representative logs into the representative console, a license is consumed from the designated license pool. If None is selected, the representative will be able to log in to the representative console only if one or more licenses are left unassigned to license pools and are available.

Login Schedule

Restrict representative log in to the following schedule

Set a schedule to define when users can log in to the representative console. Set the time zone you want to use for this schedule, and then add one or more schedule entries. For each entry, set the start day and time and the end day and time.

If, for instance, the time is set to start at 8 am and end at 5 pm, a user can log in at any time during this window but may continue to work past the set end time. They will not, however, be allowed to log back in after 5 pm.

Force logout when the schedule does not permit login

If stricter access control is required, check this option. This forces the user to log out at the scheduled end time. In this case, the user receives recurring notifications beginning 15 minutes prior to being disconnected. When the user is logged out, any owned sessions will follow the session fallback rules.

Memberships

Which membership settings should this Group Policy control?

Add Support Teams Membership

Search for teams to which members of this group policy should belong. You can set the role as Team Member, Team Lead, or Team Manager. These roles play a significant part in the Dashboard feature of the representative console. Click Add.

Added teams are shown in a table. You can edit the role of members in a team or delete the team from the list.

Remove Support Teams Membership

Search for teams from which members of this group policy should be removed, and then click Add. Removed teams are shown in a table. You can delete a team from the list.

Add Jumpoint Membership

Search for Jumpoints which members of this group policy should be allowed to access, and then click Add. Added Jumpoints are shown in a table. You can delete a Jumpoint from the list.

Remove Jumpoint Memberships

Search for Jumpoints from which members of this group policy should not be removed, and then click Add. Removed Jumpoints are shown in a table. You can delete a Jumpoint from the list.

Add Jump Group Memberships

Search for Jump Groups to which members of this group policy should belong. You can set each user's Jump Item Role to set their permissions specific to Jump Items in this Jump Group, or you can use the user's default Jump Item Roles set in this group policy or on the Users & Security > Users page. A Jump Item Role is a predefined set of permissions regarding Jump Item management and usage.

For more information see Jump Item Roles: Configure Permission Sets for Jump Items.

You can also apply a Jump Policy to manage user access to the Jump Items in this Jump Group.

Added Jump Groups are shown in a table. You can edit a Jump Group's settings or delete the Jump Group from the list.

Remove Jump Group Memberships

Search for Jump Groups from which members of this group policy should be removed, and then click Add. Removed Jump Groups are shown in a table. You can delete a Jump Group from the list.

Add Vault Account Memberships

Search for an account, select the Vault Account Role, and then click Add to grant members of the policy access to the selected Vault account. Users may have memberships added by other group policies. View Vault > Accounts to see all members within each group. Users may be assigned one of two roles for using the Vault account:

Inject (default value): Users with this role can use this account in Remote Support sessions.
Inject and Checkout: Users with this role can use this account in Remote Support sessions and can check out the account on /login. The Checkout permission has no affect on generic SSH accounts.

Enable the Add Vault Account Membership permission to assign a Vault Account Role to a Vault account in a group policy. The Vault Account Role is visible in the list of accounts added to the group policy.

Add Vault Account Group Memberships

Search for an account group, select the Vault Account Role, and then click Add to grant members of the policy access to the group of Vault accounts. Users may have memberships added by other group policies. View Vault > Accounts to see all members within each group. Users may be assigned one of two roles for using the group of Vault accounts:

Inject (default value): Users with this role can use this account in Remote Support sessions.
Inject and Checkout: Users with this role can use this account in Remote Support sessions and can check out the account on /login. The Checkout permission has no affect on generic SSH accounts.

Enable the Add Vault Account Group permission to assign a Vault Account Role to a group of Vault accounts in a group policy. The Vault Account Role is visible in the list of account groups added to the group policy.

Export Policy

You can export a group policy from one site and import those permissions into a policy on another site. Edit the policy you wish to export and scroll to the bottom of the page. Click Export Policy and save the file.

When exporting a group policy, only the policy name, account settings, and permissions are exported. Policy members, team memberships, and Jumpoint memberships are not included in the export.

Import Policy

You may import exported group policy settings to any other BeyondTrust site that supports group policy import. Create a new group policy or edit an exiting policy whose permissions you wish to overwrite, and scroll to the bottom of the page. Browse to the policy file and then click Select Policy File. Once the policy file is uploaded, the page will refresh, allowing you to make modifications. Click Save to put the group policy into effect.

Importing a policy file to an existing group policy will overwrite any previously defined permissions, with the exception of policy members, team memberships, and Jumpoint memberships.

Sample Policy Matrix

The diagram below is an example of how multiple policies can work together.