Use cases | PRA

To give you flexibility and control over your Assets, BeyondTrust has several separate areas where permissions must be configured. The two use cases below show how you might set up your system.

Basic use case

You are a small organization without a lot of Assets or users to manage. You want your administrators to manage all of the Asset setup steps and your users to only be able to connect to those items.

  1. Create two Asset Roles, Administrator and Start Sessions Only.

    • The Administrator role should have all permissions enabled.
    • The Start Sessions Only role should have only Start Sessions enabled.
  2. Create a Shared Asset Group that will contain all shared Assets. Personal Assets can also be created.

  3. Put users into two group policies, Admin and Users.

  4. In the Admin group, configure settings and permissions as appropriate. The permissions should include the following:

    • Define Access Permissions and check Allowed to access endpoints.
    • Under Jump Technology, check all Allowed Connection Types that your organization will use.
    • Under Asset Roles, set the Default and Personal roles to Administrator.
    • Set the Team and System roles to Start Sessions Only.
    • Under Memberships, define Add to Asset Groups.
    • In the Asset Group field, search for and select Shared.
    • Set the Asset Role to Administrator.
    • Click Add to assign the members of this group policy to the Asset Group.
    • Save the group policy.
  5. In the Users group, configure settings and permissions as appropriate. The permissions should include the following:

    • Define Access Permissions and check Allowed to access endpoints.
    • Under Jump Technology, check all Allowed Connection Types that your organization will use.
    • Under Asset Roles, set the Default to Start Sessions Only.
    • Set the Personal Asset Role to Administrator.
    • Set the Team and System roles to No Access.
    • Under Memberships, define Add to Asset Groups.
    • In the Asset Group field, search for and select Shared.
    • Set the Asset Role to Start Sessions Only.
    • Click Add to assign the members of this group policy to the Asset Group.
    • Save the group policy.
  6. Deploy Assets, assigning them to the Shared Asset Group.

  7. Now, administrators can deploy and start sessions with Assets in the Shared Asset Group. They can also manage their personal lists of Assets and start sessions with all other Assets.

    Likewise, users can now start sessions with Assets in the Shared Asset Group. They can also manage their personal lists of Assets.

Advanced use case

You are a large organization with many Assets to manage and with users in three different departments. You want your administrators to manage all of the Asset setup steps and your users to only be able to connect to those items. In addition to your local users, you have some third-party vendors who need occasional access. Some Assets should be accessible at all times, while others should be accessible only once a week.

  1. Create two Asset Roles, Administrator and Start Sessions Only.

    • The Administrator role should have all permissions enabled.
    • The Start Sessions Only role should have only Start Sessions enabled.
  2. Create three Asset Policies, Thursdays, Notification Sent, and Authorization Required.

  3. For the Thursdays policy, enable the Schedule.

    • Click Add Schedule Entry.
    • Set the Start day and time to Thursday 8:00 and the End day and time to Thursday 17:00.
    • Save the Asset Policy.
  4. For the Notification Sent policy, check Notify recipients when a session starts.

    • Add the Email Addresses of one or more recipients who should be notified when a session starts.
    • Add a Display Name such as Manager. When a user attempts to start a session with an Asset that has this policy applied, the user sees an alert that a notification will be sent to the name set here.
    • Save the Asset Policy.
  5. For the Authorization Required policy, check Require approval before a session starts.

    • Set the Maximum Access Duration to 3 Hours.
    • Under Access Approval Applies to, select Requestor Only.
    • Add the Email Addresses of one or more recipients who can approve or deny access to Assets.
    • Add a Display Name such as Manager. When a user requests access to an Asset that has this policy applied, the user must fill out a request for authorization form. On that form, the approver's name is displayed as set here.
    • Save the Asset Policy.
  6. Create three Asset Groups, Web Servers, Directory Servers, and User Systems. Personal Assets can also be created.

  7. Put users into three group policies, Admin, Local Users, and Third-Party Users.

  8. In the Admin group, configure settings and permissions as appropriate. The permissions should include the following:

    • Define Access Permissions and check Allowed to access endpoints.
    • Under Jump Technology, check all Allowed Connection Types that your organization will use.
    • Under Asset Roles, set the Default and Personal roles to Administrator.
    • Set the Team and System roles to Start Sessions Only.
    • Under Memberships, define Add to Asset Groups.
    • In the Asset Group field, search for and select Web Servers.
      • Set the Asset Role to Administrator.
      • Leave Asset Policy set to Set on Assets.
      • Click Add to assign the members of this group policy to the Asset Group.
    • In the Asset Group field, search for and select Directory Servers.
      • Set the Asset Role to Administrator.
      • Leave Asset Policy set to Set on Assets.
      • Click Add to assign the members of this group policy to the Asset Group.
    • In the Asset Group field, search for and select User Systems.
      • Set the Asset Role to Administrator.
      • Leave Asset Policy set to Set on Assets.
      • Click Add to assign the members of this group policy to the Asset Group.
    • Save the group policy.
  9. In the Local Users group, configure settings and permissions as appropriate. The permissions should include the following:

    • Define Access Permissions and check Allowed to access endpoints.
    • Under Jump Technology, check all Allowed Connection Types that your organization will use.
    • Under Asset Roles, set the Default to Start Sessions Only.
    • Set the Personal Asset Role to Administrator.
    • Set the Team and System roles to No Access.
    • Under Memberships, define Add to Asset Groups.
    • In the Asset Group field, search for and select Web Servers.
      • Set the Asset Role to Start Sessions Only.
      • Set Asset Policy to Notification Sent.
      • Click Add to assign the members of this group policy to the Asset Group.
    • In the Asset Group field, search for and select Directory Servers.
      • Set the Asset Role to Start Sessions Only.
      • Set Asset Policy to Notification Sent.
      • Click Add to assign the members of this group policy to the Asset Group.
    • In the Asset Group field, search for and select User Systems.
      • Set the Asset Role to Start Sessions Only.
      • Set Asset Policy to Thursdays.
      • Click Add to assign the members of this group policy to the Asset Group.
    • Save the group policy.
  10. In the Third-Party Users group, configure settings and permissions as appropriate. The permissions should include the following:

    • Define Access Permissions and check Allowed to access endpoints.
    • Under Jump Technology, check all Allowed Connection Types that these users should be allowed to use.
    • Under Asset Roles, set all roles to No Access.
    • Under Memberships, define Add to Asset Groups.
    • In the Asset Group field, search for and select Web Servers.
      • Set the Asset Role to Start Sessions Only.
      • Set Asset Policy to Authorization Required.
      • Click Add to assign the members of this group policy to the Asset Group.
    • Save the group policy.
  11. Deploy Assets, assigning them to the three Asset Groups as appropriate. If any particular Asset requires a different Asset Policy, assign that, as well.

  12. Now, administrators can deploy and start sessions with Assets in all three Asset Groups. They can also manage their personal lists of Assets and start sessions with all other Assets.

    Likewise, local users can now start sessions with Assets in all three Asset Groups, with a notification sent upon session start and with user systems accessible only on Thursdays. They can also manage their personal lists of Assets.

    Finally, third-party users can start sessions with Assets in the Web Servers Asset Group, with approval required before they can complete the Jump. They cannot deploy personal Assets.
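
The access matrix that results from the advanced use case, modelled as an added example (not BeyondTrust code, and not a PRA API or export format). It assumes that Set on Assets leaves no policy in force because the Assets carry none of their own, and that the Thursday window closes at 17:00 exclusive.

```python
from datetime import datetime

# Constructed model of the advanced use case (not a PRA export or API).
# (group policy, Asset Group) -> (Asset Role, Asset Policy)
MEMBERSHIPS = {
    ("Admin", "Web Servers"): ("Administrator", "Set on Assets"),
    ("Admin", "Directory Servers"): ("Administrator", "Set on Assets"),
    ("Admin", "User Systems"): ("Administrator", "Set on Assets"),
    ("Local Users", "Web Servers"): ("Start Sessions Only", "Notification Sent"),
    ("Local Users", "Directory Servers"): ("Start Sessions Only", "Notification Sent"),
    ("Local Users", "User Systems"): ("Start Sessions Only", "Thursdays"),
    ("Third-Party Users", "Web Servers"): ("Start Sessions Only", "Authorization Required"),
}
# Asset Policies from steps 3-5; schedule is (weekday, start hour, end hour), Monday = 0.
POLICIES = {
    "Thursdays": {"schedule": (3, 8, 17)},
    "Notification Sent": {"notify": True},
    "Authorization Required": {"approval": True, "max_hours": 3},
    "Set on Assets": {},  # assumption: the Asset itself carries no policy
}

def decide(group_policy, asset_group, when):
    """Return the modelled outcome of a session start attempt."""
    member = MEMBERSHIPS.get((group_policy, asset_group))
    if member is None:
        return "deny: no access"  # no membership in this Asset Group
    policy = POLICIES[member[1]]
    if "schedule" in policy:
        day, start, end = policy["schedule"]
        minutes = when.hour * 60 + when.minute
        # Assumption: the end time is exclusive, so 17:00 itself is outside.
        if when.weekday() != day or not (start * 60 <= minutes < end * 60):
            return "deny: outside schedule"
    if policy.get("approval"):
        return f"pending approval (max {policy['max_hours']}h)"
    return "allow, notification sent" if policy.get("notify") else "allow"

def unapproved_access(group_policy):
    """Asset Groups this group policy can reach without an approval step."""
    return sorted(group for (gp, group), (_, pol) in MEMBERSHIPS.items()
                  if gp == group_policy and not POLICIES[pol].get("approval"))
```

An empty result from unapproved_access("Third-Party Users") is the check to rerun whenever a membership is added: it confirms that every vendor path still goes through approval.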

