Session Policy Examples

The table below contains some examples of valid configurations for session policies. These session policies are used in the examples that follow. Some session policies in the table are not used in the examples and are provided only as models of valid session policy configurations.

| Name | Prompting: Which tools? | Prompting: Prompt Once | Prompting: Timeout | Prompting: Default | Support Tools: Screen Sharing Permissions | Support Tools: Screen Sharing Prompting | Support Tools: File Transfer Permission | Support Tools: File Transfer Prompting |
|---|---|---|---|---|---|---|---|---|
| A | All | No | 30 seconds | Deny | Allow | Always | Allow | Always |
| B | All | - | 1 minute | Allow | Deny | Always | Allow | Always |
| C | All | - | 15 seconds | Allow | Not Defined | Always | Not Defined | Always |
| D | All | - | 30 seconds | Deny | Deny | Always | Deny | Always |
| E | Some | Yes | 1 minute | Allow | Allow | Always | Deny | Not Defined |
| F | Some | No | 15 seconds | Allow | Allow | Always | Not Defined | Not Defined |
| G | Some | Yes | 20 seconds | Allow | Allow | Always | Not Defined | Not Defined |
| H | None | - | - | - | Not Defined | Never | Not Defined | Never |
| I | None | - | - | - | Allow | Never | Not Defined | Never |
| J | None | - | - | - | Allow | Never | Deny | Never |
| K | Not Defined | - | - | - | Deny | Not Defined | Deny | Not Defined |
| L | Not Defined | - | - | - | Allow | Not Defined | Not Defined | Not Defined |
| M | Not Defined | - | - | - | Allow | Not Defined | Allow | Not Defined |

Remember that the order of application is hard-coded by BeyondTrust and cannot be changed, and higher priority policies cannot be overridden. The order in which policies are applied is:

  1. Jump Item
  2. Public Portal
  3. Representative
  4. Global Default

In the examples below, the order of policies in each table represents the hierarchy of the policies applied to a session. Therefore, for example, the first row of a table may serve as a public portal policy, while the second row serves as a representative policy.

Example 1: First Policy Defines Everything

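| Name | Prompting: Which tools? | Prompting: Prompt Once | Prompting: Timeout | Prompting: Default | Support Tools: Screen Sharing Permissions | Support Tools: Screen Sharing Prompting | Support Tools: File Transfer Permission | Support Tools: File Transfer Prompting |
|---|---|---|---|---|---|---|---|---|
| A | All | No | 30 seconds | Deny | Allow | Always | Allow | Always |
| B | All | - | 1 minute | Allow | Deny | Always | Allow | Always |
| Final | All | No | 30 seconds | Deny | Allow | Always | Allow | Always |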

Policy A defines every permission, so the final result is equivalent to Policy A.

Example 2: One Permission Undefined

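| Name | Prompting: Which tools? | Prompting: Prompt Once | Prompting: Timeout | Prompting: Default | Support Tools: Screen Sharing Permissions | Support Tools: Screen Sharing Prompting | Support Tools: File Transfer Permission | Support Tools: File Transfer Prompting |
|---|---|---|---|---|---|---|---|---|
| E | Some | Yes | 1 minute | Allow | Allow | Always | Deny | Not Defined |
| A | All | No | 30 seconds | Deny | Allow | Always | Allow | Always |
| Final | Some | Yes | 1 minute | Allow | Allow | Always | Deny | Always |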

Policy A's file transfer prompt behavior is used because Policy E did not define it.

Example 3: Two Permissions Undefined

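| Name | Prompting: Which tools? | Prompting: Prompt Once | Prompting: Timeout | Prompting: Default | Support Tools: Screen Sharing Permissions | Support Tools: Screen Sharing Prompting | Support Tools: File Transfer Permission | Support Tools: File Transfer Prompting |
|---|---|---|---|---|---|---|---|---|
| F | Some | No | 15 seconds | Allow | Allow | Always | Not Defined | Not Defined |
| D | All | - | 30 seconds | Deny | Deny | Always | Deny | Always |
| Final | Some | No | 15 seconds | Allow | Allow | Always | Deny | Always |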

  1. Policy F does not define a file transfer permission, so Policy D's rule is used.
  2. Policy F does not define a file transfer prompt behavior, so Policy D's rule is used.

Example 4: Three Layered Policies

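| Name | Prompting: Which tools? | Prompting: Prompt Once | Prompting: Timeout | Prompting: Default | Support Tools: Screen Sharing Permissions | Support Tools: Screen Sharing Prompting | Support Tools: File Transfer Permission | Support Tools: File Transfer Prompting |
|---|---|---|---|---|---|---|---|---|
| M | Not Defined | - | - | - | Allow | Not Defined | Allow | Not Defined |
| G | Some | Yes | 20 seconds | Allow | Allow | Always | Not Defined | Not Defined |
| A | All | No | 30 seconds | Deny | Allow | Always | Allow | Always |
| Final | Some | Yes | 20 seconds | Allow | Allow | Always | Allow | Allow |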

  1. Policy M does not define prompting options, so Policy G's rules are used.
  2. Policy M allows screen sharing.
  3. Policy M does not define a screen sharing prompt behavior, so Policy G's rule is used.
  4. Policy M allows file transfer.
  5. Neither Policy M nor Policy G specifies the file transfer prompt behavior, so Policy A's rule is used.
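The layering rule behind Examples 1 to 4, written out as an added example (not BeyondTrust code) that reports the effective value of each setting and which policy supplied it, which is the question to answer when auditing what a session can actually do. The column keys and function names are hypothetical, and treating the four prompting columns as one unit taken from the first policy that defines "Which tools?" is an assumption drawn from item 1 of Example 4; for Example 4 the resolver returns Always for file transfer prompting, the Policy A value that item 5 points to.

```python
NOT_DEFINED = "Not Defined"
PROMPTING = ("tools", "prompt_once", "timeout", "default")   # resolved as one unit
SUPPORT = ("ss_perm", "ss_prompt", "ft_perm", "ft_prompt")   # resolved one by one
COLUMNS = PROMPTING + SUPPORT

def row(*cells):
    return dict(zip(COLUMNS, cells))

# Rows copied from the session policy table on this page.
POLICIES = {
    "A": row("All", "No", "30 seconds", "Deny", "Allow", "Always", "Allow", "Always"),
    "B": row("All", "-", "1 minute", "Allow", "Deny", "Always", "Allow", "Always"),
    "D": row("All", "-", "30 seconds", "Deny", "Deny", "Always", "Deny", "Always"),
    "E": row("Some", "Yes", "1 minute", "Allow", "Allow", "Always", "Deny", NOT_DEFINED),
    "F": row("Some", "No", "15 seconds", "Allow", "Allow", "Always", NOT_DEFINED, NOT_DEFINED),
    "G": row("Some", "Yes", "20 seconds", "Allow", "Allow", "Always", NOT_DEFINED, NOT_DEFINED),
    "M": row(NOT_DEFINED, "-", "-", "-", "Allow", NOT_DEFINED, "Allow", NOT_DEFINED),
}

def resolve(names):
    """Layer policies given highest priority first.

    Returns (final, source): the effective value of every column and the
    name of the policy that supplied it (None if no layer defined it).
    """
    final = dict.fromkeys(COLUMNS, NOT_DEFINED)
    source = dict.fromkeys(COLUMNS, None)
    for name in names:
        policy = POLICIES[name]
        # Assumption: the prompting columns come together from the first
        # policy whose "Which tools?" is defined.
        if source["tools"] is None and policy["tools"] != NOT_DEFINED:
            for col in PROMPTING:
                final[col], source[col] = policy[col], name
        for col in SUPPORT:
            if source[col] is None and policy[col] != NOT_DEFINED:
                final[col], source[col] = policy[col], name
    return final, source

def undefined_columns(names):
    """Columns no listed layer defines; a lower-priority layer decides them."""
    _, source = resolve(names)
    return [col for col in COLUMNS if source[col] is None]

if __name__ == "__main__":
    for layers in (["A", "B"], ["E", "A"], ["F", "D"], ["M", "G", "A"]):
        print(layers, *resolve(layers))
```

`undefined_columns` is the review aid: any column it lists for a Jump Item, public portal or representative stack is decided by whatever sits below it, down to the Global Default.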

Group Policies and Session Policies

Session policies associated with a group policy follow the same rules as other settings in a group policy.

To configure session policies for a group policy, the group policy must either:

  • Define the permission Allowed to provide remote support as enabled, or
  • Not define the permission Allowed to provide remote support.
    • If a representative using this group policy has permission to provide remote support, then the configured session policies apply to that representative.
    • If a representative using this group policy does not have permission to provide remote support, then the configured session policies are irrelevant.

The following tables show the expected behavior when configuring session policies with group policies.

| Group Policy | Session Policy | Defined? | Override? |
|---|---|---|---|
| G1 | S1 | X | X |
| G2 | - | - | - |
| G3 | S2 | X | - |
| G4 | S3 | X | - |

| User | Group Policies | Final Session Policy | Why? |
|---|---|---|---|
| U1 | G1 | S1 | From G1 |
| U2 | G1, G2 | S1 | From G1; G2 does not have a session policy defined |
| U3 | G1, G2, G3 | S2 | From G3; G3 overrides G1 |
| U4 | G3, G4 | S2 | From G3; G4 cannot override G3 |
| U5 | G4 | S3 | From G4 |

Note that in the case of U3, the final session policy is S2 and not a combination of S1 and S2. Session policies are not combined based on the order of the group policies. Rather, they follow the same mode of application as other permissions in group policies. Thus, the highest priority, non-overridable group policy sets the session policy for that representative.
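The selection rule from the two tables above, as an added example (not BeyondTrust code) that picks a single session policy for a representative and lists the group policies whose session policy never takes effect. The function name is hypothetical, and two things are assumptions: that each user's group policies are listed in priority order, and that a later group policy replaces an earlier one only when the earlier one is marked as overridable, which is how the U3 and U4 rows read.

```python
# (session policy, overridable?) for each group policy, from the first table
# above. None means the group policy does not define a session policy.
GROUP_POLICIES = {
    "G1": ("S1", True),
    "G2": (None, False),
    "G3": ("S2", False),
    "G4": ("S3", False),
}

def representative_policy(groups):
    """Pick the one session policy that applies to a representative.

    groups: group policy names in priority order (assumption: the order
    used in the "Group Policies" column).
    Returns ((session_policy, group), ignored), where ignored lists the
    group policies whose defined session policy does not take effect.
    """
    effective = None      # (session policy, group policy that set it)
    locked = False        # True once a non-overridable policy has been applied
    ignored = []
    for group in groups:
        session_policy, overridable = GROUP_POLICIES[group]
        if session_policy is None:
            continue                      # nothing defined, nothing to apply
        if locked:
            ignored.append(group)         # cannot override a locked setting
            continue
        if effective is not None:
            ignored.append(effective[1])  # earlier overridable policy replaced
        effective = (session_policy, group)
        locked = not overridable
    return effective, ignored

if __name__ == "__main__":
    users = {"U1": ["G1"], "U2": ["G1", "G2"], "U3": ["G1", "G2", "G3"],
             "U4": ["G3", "G4"], "U5": ["G4"]}
    for user, groups in users.items():
        print(user, representative_policy(groups))
```

The result is always one whole session policy, never a field-by-field merge; the `ignored` list shows which assignments an administrator might wrongly expect to be in force.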

However, if other types of session policies are applied to a session (public portal session policies and Jump Item session policies), they may be combined with the representative's session policy and/or with each other during the support session.