Session Policy Examples
The table below contains some examples of valid configurations for session policies. These session policies are used in the examples that follow. Some session policies in the table are not used in the examples and are provided only as models of valid session policy configurations.
Name | Prompting: Which tools? | Prompting: Prompt Once | Prompting: Timeout | Prompting: Default | Support Tools: Screen Sharing Permissions | Support Tools: Screen Sharing Prompting | Support Tools: File Transfer Permission | Support Tools: File Transfer Prompting
---|---|---|---|---|---|---|---|---
A | All | No | 30 seconds | Deny | Allow | Always | Allow | Always
B | All | - | 1 minute | Allow | Deny | Always | Allow | Always
C | All | - | 15 seconds | Allow | Not Defined | Always | Not Defined | Always
D | All | - | 30 seconds | Deny | Deny | Always | Deny | Always
E | Some | Yes | 1 minute | Allow | Allow | Always | Deny | Not Defined
F | Some | No | 15 seconds | Allow | Allow | Always | Not Defined | Not Defined
G | Some | Yes | 20 seconds | Allow | Allow | Always | Not Defined | Not Defined
H | None | - | - | - | Not Defined | Never | Not Defined | Never
I | None | - | - | - | Allow | Never | Not Defined | Never
J | None | - | - | - | Allow | Never | Deny | Never
K | Not Defined | - | - | - | Deny | Not Defined | Deny | Not Defined
L | Not Defined | - | - | - | Allow | Not Defined | Not Defined | Not Defined
M | Not Defined | - | - | - | Allow | Not Defined | Allow | Not Defined
Remember that the order of application is hard-coded by BeyondTrust and cannot be changed, and higher priority policies cannot be overridden. The order in which policies are applied is:
- Jump Item
- Public Portal
- Representative
- Global Default
In the examples below, the order of policies in each table represents the hierarchy of the policies applied to a session. Therefore, for example, the first row of a table may serve as a public portal policy, while the second row serves as a representative policy.
Example 1: First Policy Defines Everything
Name | Prompting: Which tools? | Prompting: Prompt Once | Prompting: Timeout | Prompting: Default | Support Tools: Screen Sharing Permissions | Support Tools: Screen Sharing Prompting | Support Tools: File Transfer Permission | Support Tools: File Transfer Prompting
---|---|---|---|---|---|---|---|---
A | All | No | 30 seconds | Deny | Allow | Always | Allow | Always
B | All | - | 1 minute | Allow | Deny | Always | Allow | Always
Final | All | No | 30 seconds | Deny | Allow | Always | Allow | Always
Policy A defines every permission, so the final result is equivalent to Policy A.
Example 2: One Permission Undefined
Name | Prompting: Which tools? | Prompting: Prompt Once | Prompting: Timeout | Prompting: Default | Support Tools: Screen Sharing Permissions | Support Tools: Screen Sharing Prompting | Support Tools: File Transfer Permission | Support Tools: File Transfer Prompting
---|---|---|---|---|---|---|---|---
E | Some | Yes | 1 minute | Allow | Allow | Always | Deny | Not Defined
A | All | No | 30 seconds | Deny | Allow | Always | Allow | Always
Final | Some | Yes | 1 minute | Allow | Allow | Always | Deny | Always
Policy A's file transfer prompt behavior is used because Policy E did not define it.
Example 3: Two Permissions Undefined
Name | Prompting: Which tools? | Prompting: Prompt Once | Prompting: Timeout | Prompting: Default | Support Tools: Screen Sharing Permissions | Support Tools: Screen Sharing Prompting | Support Tools: File Transfer Permission | Support Tools: File Transfer Prompting
---|---|---|---|---|---|---|---|---
F | Some | No | 15 seconds | Allow | Allow | Always | Not Defined | Not Defined
D | All | - | 30 seconds | Deny | Deny | Always | Deny | Always
Final | Some | No | 15 seconds | Allow | Allow | Always | Deny | Always
- Policy F does not define a file transfer permission, so Policy D's rule is used.
- Policy F does not define a file transfer prompt behavior, so Policy D's rule is used.
Example 4: Three Layered Policies
Name | Prompting: Which tools? | Prompting: Prompt Once | Prompting: Timeout | Prompting: Default | Support Tools: Screen Sharing Permissions | Support Tools: Screen Sharing Prompting | Support Tools: File Transfer Permission | Support Tools: File Transfer Prompting
---|---|---|---|---|---|---|---|---
M | Not Defined | - | - | - | Allow | Not Defined | Allow | Not Defined
G | Some | Yes | 20 seconds | Allow | Allow | Always | Not Defined | Not Defined
A | All | No | 30 seconds | Deny | Allow | Always | Allow | Always
Final | Some | Yes | 20 seconds | Allow | Allow | Always | Allow | Allow
- Policy M does not define prompting options, so Policy G's rules are used.
- Policy M allows screen sharing.
- Policy M does not define a screen sharing prompt behavior, so Policy G's rule is used.
- Policy M allows file transfer.
- Neither Policy M nor Policy G specifies the file transfer prompt behavior, so Policy A's rule is used.
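
The layering rule used in Examples 1 through 4 can be written as a small resolver that also records which policy supplied each setting, which is the question an access review usually asks. This is an added example, not BeyondTrust code: the field names, the `policy` and `resolve` helpers, and the rule that the four prompting options are inherited together from the first policy that defines "Which tools?" are assumptions drawn from the bullets above.

```python
ND = "Not Defined"
PROMPT_FIELDS = ("which_tools", "prompt_once", "timeout", "default")
TOOL_FIELDS = ("screen_share_perm", "screen_share_prompt",
               "file_xfer_perm", "file_xfer_prompt")

def policy(name, *values):
    """Build a policy from the eight table columns, in table order."""
    return {"name": name, **dict(zip(PROMPT_FIELDS + TOOL_FIELDS, values))}

# Rows copied from the session policy table on this page.
A = policy("A", "All", "No", "30 seconds", "Deny", "Allow", "Always", "Allow", "Always")
D = policy("D", "All", "-", "30 seconds", "Deny", "Deny", "Always", "Deny", "Always")
F = policy("F", "Some", "No", "15 seconds", "Allow", "Allow", "Always", ND, ND)
G = policy("G", "Some", "Yes", "20 seconds", "Allow", "Allow", "Always", ND, ND)
M = policy("M", ND, "-", "-", "-", "Allow", ND, "Allow", ND)

def resolve(layers):
    """layers: policies in priority order, highest first
    (Jump Item, Public Portal, Representative, Global Default).
    Returns (effective settings, name of the policy that supplied each)."""
    final, source = {}, {}
    # Assumption: prompting options are inherited as one block from the
    # first layer whose "Which tools?" is defined.
    for p in layers:
        if p["which_tools"] != ND:
            for f in PROMPT_FIELDS:
                final[f], source[f] = p[f], p["name"]
            break
    else:
        for f in PROMPT_FIELDS:
            final[f], source[f] = ND, None
    # Each support-tool setting comes from the first layer that defines it;
    # a lower layer can never replace a value a higher layer already set.
    for f in TOOL_FIELDS:
        for p in layers:
            if p[f] != ND:
                final[f], source[f] = p[f], p["name"]
                break
        else:
            final[f], source[f] = ND, None
    return final, source
```

Calling `resolve([M, G, A])` returns a source map showing prompting from G, both permissions from M, and file transfer prompting from A, matching the bullets under Example 4.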
Group Policies and Session Policies
Session policies associated with a group policy follow the same rules as other settings in a group policy.
To configure session policies for a group policy, the group policy must either:
- Define the permission Allowed to provide remote support as enabled, or
- Not define the permission Allowed to provide remote support.
  - If a representative using this group policy has permission to provide remote support, then the configured session policies apply to that representative.
  - If a representative using this group policy does not have permission to provide remote support, then the configured session policies are irrelevant.
The following tables show the expected behavior when configuring session policies with group policies.
Group Policy | Session Policy | Defined? | Override?
---|---|---|---
G1 | S1 | X | X
G2 | - | - | -
G3 | S2 | X | -
G4 | S3 | X | -
User | Group Policies | Final Session Policy | Why?
---|---|---|---
U1 | G1 | S1 | From G1
U2 | G1, G2 | S1 | From G1; G2 does not have a session policy defined
U3 | G1, G2, G3 | S2 | From G3; G3 overrides G1
U4 | G3, G4 | S2 | From G3; G4 cannot override G3
U5 | G4 | S3 | From G4
Note that in the case of U3, the final session policy is S2 and not a combination of S1 and S2. Session policies are not combined based on the order of the group policies. Rather, they follow the same mode of application as other permissions in group policies. Thus, the highest priority, non-overridable group policy sets the session policy for that representative.
However, if other types of session policies are applied to a session (public portal session policies and Jump Item session policies), they may be combined with the representative's session policy and/or with each other during the support session.
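
The group policy selection shown in the two tables above differs from layering: exactly one session policy is chosen and nothing is merged. The sketch below is an added example, not BeyondTrust code. It assumes an X in the "Override?" column means a lower-priority group policy may replace the value, and that each user's group policies are listed highest priority first; the function and variable names are hypothetical.

```python
# Rows from the group policy table above: name -> (session policy, overridable?)
GROUP_POLICIES = {
    "G1": ("S1", True),
    "G2": (None, False),   # no session policy defined
    "G3": ("S2", False),
    "G4": ("S3", False),
}

# Users and their group policies, from the second table (highest priority first).
USERS = {
    "U1": ["G1"],
    "U2": ["G1", "G2"],
    "U3": ["G1", "G2", "G3"],
    "U4": ["G3", "G4"],
    "U5": ["G4"],
}

def effective_session_policy(groups):
    """Return (session policy, deciding group policy) for one representative."""
    chosen, decided_by = None, None
    for g in groups:
        session_policy, overridable = GROUP_POLICIES[g]
        if session_policy is None:
            continue                      # undefined: this group has no say
        chosen, decided_by = session_policy, g
        if not overridable:
            break                         # final: lower priorities are ignored
    return chosen, decided_by

def audit(users):
    """Map every user to the session policy they end up with and why."""
    return {u: effective_session_policy(gs) for u, gs in users.items()}
```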