Session policies

What are session policies?

Session policies define session security permissions tailored to specific scenarios. They can be applied to users, public sites, and all Jump Items. The Session Policies section lists the available policies. When you click the arrow next to a policy name, the expanded entry:

  • Shows where the policy is being used
  • Shows its availability for users, access invites, and Jump Clients
  • Lists the tools it configures.

How are session policies useful?

Session policies enhance security and flexibility by allowing administrators to control session behavior and permissions for users, public sites, and Jump Items based on organizational needs.

How do I access the Session Policies page?

  1. Sign into app.beyondtrust.io.
    The BeyondTrust Home page displays.
  2. From the main menu, click Privileged Remote Access > Users & Security.
    The User & Security page opens and the Users tab displays by default.
  3. Click the Session Policies tab.
    The Session Policies tab displays.

The Session Policies page

  1. Left menu: Easy access to all pages in Privileged Remote Access, including Home, Status, Consoles & Downloads, My Account, Configuration, Jump, Vault, Console Settings, Users & Security, Reports, Management, and Appliance pages.

  2. Status: Takes you to the Status page.

  3. Header: Change tenant site and obtain user profile setting information.

  4. Add: Adds a new session policy.

  5. Session Policies columns: The columns of the Session Policies list.

    • Display Name: Unique name of the session policy.
    • Availability/Usage: Shows where the policy is available (users, access invites, Jump Items) and whether it is in use, as defined in the Availability section.
    • Description: Detailed comments about the policy.
  6. Special Actions list options: Copy, edit, or delete a session policy.

Add a session policy

  1. Sign into app.beyondtrust.io.
    The BeyondTrust Home page displays.
  2. From the main menu, click Privileged Remote Access > Users & Security.
    The User & Security page opens and the Users tab displays by default.
  3. Click the Session Policies tab.
    The Session Policies tab displays.
  4. Click Add.
    The Add Session Policy page displays.
  5. For Display Name, create a unique name to help identify this policy. This name helps when assigning a session policy to users and Jump Clients.
  6. For Code Name, set a code name for integration purposes. If you do not set a code name, one is created automatically for you.
  7. For Description, add a brief description to summarize the purpose of this policy. The description is seen when applying a policy to user accounts, group policies, and access invites.

Availability

  1. In the Availability section, select Users to allow the policy to be assigned to users (user accounts and group policies).
  2. Select Access Invite to make the policy available to access invites, which users send to invite external users to join a session.
  3. Select Jump Items to allow users with appropriate permissions to assign this policy to Jump Items.
  4. Dependents is displayed only if this session policy is already in use. It shows the number of users and Jump Clients that use this policy.

Permissions

For all of the permissions that follow, you can choose to enable or disable the permission, or you can choose to set it to Not Defined.

❗️

Important

Session policies are applied to a session in a hierarchical manner, with Jump Clients taking the highest priority, then users, and then the global default. If multiple policies apply to a session, then the policy with the highest priority will take precedence over the others.

If, for example, the policy applied to a Jump Client defines a permission, then no other policies may change that permission for the session. To make a permission available for a lower policy to define, leave that permission set to Not Defined.

You can set which tools should be enabled or disabled with this policy, by selecting any one of the following permissions:

Allow Elevated Access to Tools and Special Actions on the Endpoint: When you select the checkbox, the Access Console provides elevated functionality in this session without requiring the explicit rights of a user logged in to the remote endpoint. This setting applies where the endpoint's platform allows it.

When you clear the checkbox, users who Jump to an elevated Jump Item without holding elevated rights themselves cannot gain full access to the file transfer and command shell functions: special actions and power control actions are hidden and unavailable. File Transfer, Command Shell, and Registry Access are also restricted when no user is present in the session. This setting applies where the endpoint's platform allows it.
Screen Sharing

Screen Sharing Rules: Sets the user's level of access to the remote system. The values are the following:

  • Not Defined: This option is set by the next lower priority policy. This setting may be overridden by a higher priority policy.
  • Deny: Disables screen sharing.
  • View Only: Allows the user to view the screen.
  • View and Control: Allows the user to view and take action on the system. If this is selected, endpoint restrictions can be set to prevent interference from someone at the remote system, with the following values:
    • None: Sets no restrictions on the remote system.
    • Display, Mouse, and Keyboard: Disables these inputs. If this is selected, a check box is available to Automatically request a privacy screen on session start. Privacy screen applies only to sessions started from a Jump Client, a Remote Jump Item, or a Local Jump Item. It is recommended for unattended sessions. The remote system must support privacy screen.



Clipboard Synchronization Direction: Selects how clipboard content flows between users and endpoints. The values are the following:

  • Not allowed: The user is not allowed to use the clipboard, no clipboard icons display in the access console, and cut and paste commands do not work.
  • Allowed from Rep to Customer: The user can push clipboard content to the endpoint but cannot paste from the endpoint's clipboard. Only the Send clipboard icon displays in the access console.
  • Allowed in Both Directions: Clipboard content can flow both ways. Both Push and Get clipboard icons display in the access console.



Application Sharing Restrictions: Limits access to specified applications on the remote system. There are three values:

  • None
  • Allow only the listed executables: Allows you to specify the executables to allow, as appropriate to your objectives.
  • Deny only the listed executables: Allows you to specify the executables to deny, as appropriate to your objectives.


ℹ️ Note

This feature applies only to Windows operating systems. The Add New Executable button displays only when the Application Sharing Restrictions permission is enabled.


When you add executables, you have one of two choices:

  • Enter file names or SHA-256 hashes, one per line: Manually enter the executable file names or hashes you wish to allow or deny. Click Add Executable(s) when you are finished to add the chosen files to your configuration. You may enter up to 25 files per dialog. If you need to add more, click Add Executable(s) and then reopen the dialog.

  • Browse for one or more files: Choose executable files to automatically derive their names or hashes. Choose either Use file name or Use file hash (advanced) to have the browser derive the file names or hashes. If you select files from your local system in this manner, use caution to ensure that the files are indeed executable files; no browser-level verification is performed. Click Add Executable(s) when you are finished to add the chosen files to your configuration. You may enter up to 25 files per dialog. If you need to add more, click Add Executable(s) and then reopen the dialog.

ℹ️ Note

This option is available only in modern browsers, not in legacy browsers.
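The following is an added example, not BeyondTrust code, that works through the two entry types the dialog accepts. It computes the SHA-256 a "Use file hash" entry would carry, applies the three restriction modes, and shows why a name entry stops matching as soon as the binary is renamed while a hash entry still matches. It also performs the executable check the browser does not (a PE image starts with the MZ header). The sample file contents are constructed, and case-insensitive matching of file names is an assumption, not something the page states.

```python
"""Build and evaluate an Application Sharing Restrictions list (illustrative)."""
import hashlib
import re

SHA256_HEX = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)

# Constructed sample "executables": a Windows PE file begins with the 'MZ' DOS stub.
# tools.exe is a byte-for-byte renamed copy of regedit.exe; readme.txt is not a PE file.
_PE_BODY = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"sample regedit body"
SAMPLE_FILES = {
    "regedit.exe": _PE_BODY,
    "tools.exe": _PE_BODY,
    "readme.txt": b"not an executable at all",
}


def looks_like_windows_executable(data: bytes) -> bool:
    """Sanity check before adding a browsed file: PE images start with 'MZ'."""
    return data[:2] == b"MZ"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_entries(text: str):
    """Split the one-per-line dialog text into a name set and a hash set.

    Assumption (not stated on the page): names are compared case-insensitively.
    """
    names, hashes = set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SHA256_HEX.match(line):
            hashes.add(line.lower())
        else:
            names.add(line.lower())
    return names, hashes


def is_listed(file_name: str, data: bytes, names, hashes) -> bool:
    """An executable is listed if its name or its content hash appears in the entries."""
    return file_name.lower() in names or sha256_hex(data) in hashes


def sharing_permitted(mode: str, file_name: str, data: bytes, entries) -> bool:
    """Apply the three Application Sharing Restrictions modes from the page."""
    names, hashes = entries
    listed = is_listed(file_name, data, names, hashes)
    if mode == "None":
        return True
    if mode == "Allow only the listed executables":
        return listed
    if mode == "Deny only the listed executables":
        return not listed
    raise ValueError(f"unknown mode: {mode}")


def entries_from_files(files: dict, use_hash: bool) -> str:
    """Emulate 'Browse for one or more files', skipping anything that is not a PE image."""
    lines = []
    for name, data in files.items():
        if not looks_like_windows_executable(data):
            continue
        lines.append(sha256_hex(data) if use_hash else name)
    return "\n".join(lines)


def demo():
    """Deny regedit by name and by hash, then try the renamed copy against each rule."""
    mode = "Deny only the listed executables"
    by_name = parse_entries("regedit.exe")
    by_hash = parse_entries(sha256_hex(SAMPLE_FILES["regedit.exe"]))
    return {
        "name rule blocks regedit.exe": not sharing_permitted(mode, "regedit.exe", SAMPLE_FILES["regedit.exe"], by_name),
        "name rule blocks renamed copy": not sharing_permitted(mode, "tools.exe", SAMPLE_FILES["tools.exe"], by_name),
        "hash rule blocks renamed copy": not sharing_permitted(mode, "tools.exe", SAMPLE_FILES["tools.exe"], by_hash),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The trade-off is the usual one for application control: a hash entry survives renaming but must be re-added after every patch of the binary, whereas a name entry survives patching but not renaming. For a deny list, hashes are the entry type that actually holds against a user who can rename files on the endpoint.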



Allowed Endpoint Restrictions: Sets whether the user may suspend the remote system's mouse and keyboard input. The user may also prevent the remote desktop from being displayed.
Annotations

Annotation Rules: Enables the user to use annotation tools to draw on the remote system's screen. If Not Defined is selected, this option is set by the next lower priority policy. This setting may be overridden by a higher priority policy.

File Transfer

File Transfer Rules: Enables the user to upload files to the remote system, download files from the remote system, or both. If Not Defined is selected, this option is set by the next lower priority policy. This setting may be overridden by a higher priority policy.

Accessible paths on endpoint's filesystem: Allows the user to transfer files to or from any folder on the remote system, or only specified folders.

Accessible paths on user's filesystem: Allows the user to transfer files to or from any folder on their local system, or only specified folders.

Shell

Shell Rules: Enables the user to issue commands on the remote computer through a virtual command line interface. If Not Defined is selected, this option is set by the next lower priority policy. This setting may be overridden by a higher priority policy.

ℹ️ Note

Command shell access cannot be restricted for Shell Jump sessions.



Allowed Executable Command Patterns: Lets you enter regular expression patterns for the commands the user is allowed to run. For filtering to work, the Recognized Shell Prompts section on the Jump > Jump Items page must be configured so that the product can tell where each command begins. Command filtering applies only to Shell Jump sessions.
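The following is an added example, not BeyondTrust code, showing what a recognized-prompt pattern and a set of allowed command patterns have to do together. A prompt regex is used to pull each typed command out of a constructed Shell Jump transcript, and each command is then checked against the allow patterns. It also shows the two ways such a list is commonly written too loosely: patterns that are not anchored to the whole command line, and patterns that end in `.*`, both of which let `ls; rm -rf /data` through. The prompt format, the transcript, and the use of whole-line matching are all assumptions for the purpose of the example; the page does not specify how the product anchors its patterns.

```python
"""Check Shell Jump commands against Allowed Executable Command Patterns (illustrative)."""
import re

# Constructed recognized-prompt pattern: "user@host:/path$ " or "root@host:/path# ".
PROMPT = re.compile(r"^[\w.-]+@[\w.-]+:[^\s$#]*[$#] ")

# Constructed transcript of what a user typed in a Shell Jump session (output lines included).
TRANSCRIPT = (
    "ops@db01:~$ ls -la /var/log\n"
    "total 0\n"
    "ops@db01:~$ cat /var/log/syslog\n"
    "ops@db01:~$ ls; rm -rf /data\n"
    "ops@db01:~$ sudo systemctl restart postgresql\n"
)

# Patterns a careful admin would write: specific binaries, constrained arguments,
# and no room for shell metacharacters anywhere on the line.
ALLOWED = [
    r"ls(\s+-[lah]+)?(\s+/var/log(/[\w.-]+)*)?",
    r"cat\s+/var/log/[\w.-]+",
    r"sudo\s+systemctl\s+(status|restart)\s+postgresql",
]

# A sloppy allowlist that only pins the command name and lets ".*" swallow the rest.
SLOPPY = [r"ls.*", r"cat.*", r"sudo systemctl.*"]

# Bare command names, to show what happens when matching is not anchored to the whole line.
PREFIX_ONLY = [r"ls", r"cat", r"sudo systemctl"]


def extract_commands(transcript: str, prompt=PROMPT):
    """Return the command text that follows each line matching the recognized prompt."""
    commands = []
    for line in transcript.splitlines():
        m = prompt.match(line)
        if m:
            commands.append(line[m.end():].strip())
    return commands


def command_allowed(command: str, patterns, whole_line: bool = True) -> bool:
    """Allow a command only if some pattern matches it.

    whole_line=True uses re.fullmatch, so a pattern must account for the entire
    command line. whole_line=False uses re.match, which only checks a prefix and
    therefore accepts anything appended after the allowed command.
    """
    matcher = re.fullmatch if whole_line else re.match
    return any(matcher(p, command) for p in patterns)


def audit(transcript: str, patterns, whole_line: bool = True):
    """Map each command in the transcript to its allow/deny decision."""
    return {cmd: command_allowed(cmd, patterns, whole_line) for cmd in extract_commands(transcript)}


def demo():
    strict = audit(TRANSCRIPT, ALLOWED)                    # anchored, constrained arguments
    sloppy = audit(TRANSCRIPT, SLOPPY)                     # anchored, but ".*" accepts the injected command
    prefix = audit(TRANSCRIPT, PREFIX_ONLY, whole_line=False)  # unanchored prefix match
    return strict, sloppy, prefix


if __name__ == "__main__":
    for label, result in zip(("strict", "sloppy", "prefix-only"), demo()):
        print(label)
        for cmd, ok in result.items():
            print(f"  {'ALLOW' if ok else 'DENY ':5} {cmd}")
```

Two points carry over to whatever pattern syntax the product applies. First, if the recognized prompt does not match the endpoint's actual prompt, no command boundary is found and nothing is filtered, so test the prompt pattern against a real session before relying on it. Second, a pattern that permits `;`, `|`, `&`, backticks or `$(` anywhere in the line permits arbitrary commands; the argument part of each pattern should be as narrow as the `ALLOWED` list above.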
System Information

System Information Rules: Enables the user to see system information about the remote computer. If Not Defined is selected, this option is set by the next lower priority policy. This setting may be overridden by a higher priority policy. You also have the option to set system information actions.

Allowed to use system information actions: Enables the user to interact with processes and programs on the remote system without requiring screen sharing. Actions include the following:

  • Kill processes
  • Start, stop, pause, resume, and restart services
  • Uninstall programs



Registry Access

Registry Access Rules: Enables the user to interact with the registry on a remote Windows system without requiring screen sharing. The user can do the following:

  • View, add, delete, and edit keys
  • Search and import/export keys



Canned Scripts

Canned Script Rules: Enables the user to run canned scripts that have been created for their teams. If Not Defined is selected, this option is set by the next lower priority policy. This setting may be overridden by a higher priority policy.

Session Termination Behavior

When the access session ends, automatically: Controls what happens when the session ends. The options are the following:

  • Not Defined
  • Do Nothing
  • Lock the computer
  • Logout the user (Only works on Windows hosts)

Allow users to override this setting per session: Allows a user to override the session termination setting from the Summary tab in the console during a session.

Edit a session policy

  1. Sign into app.beyondtrust.io.
    The BeyondTrust Home page displays.
  2. From the main menu, click Privileged Remote Access > Users & Security.
    The User & Security page opens and the Users tab displays by default.
  3. Click the Session Policies tab.
    The Session Policies tab displays.
  4. Click the pencil next to the policy you want to edit.
    The Edit Session Policy page displays.
  5. Make your changes and click Save.

Delete a session policy

  1. Sign into app.beyondtrust.io.
    The BeyondTrust Home page displays.
  2. From the main menu, click Privileged Remote Access > Users & Security.
    The User & Security page opens and the Users tab displays by default.
  3. Click the Session Policies tab.
    The Session Policies tab displays.
  4. In the Special Actions list for the policy, click Delete.

Copy a session policy

To expedite the creation of similar policies, you can copy an existing policy and then edit the copy to meet your specific requirements.

  1. Sign into app.beyondtrust.io.
    The BeyondTrust Home page displays.
  2. From the main menu, click Privileged Remote Access > Users & Security.
    The User & Security page opens and the Users tab displays by default.
  3. Click the Session Policies tab.
    The Session Policies tab displays.
  4. In the Special Actions list for the policy, click Copy.
    A new policy with identical settings is created. Edit this new policy as needed.

Export policy

You can export a session policy from one site and import those permissions into a policy on another site.

To export a saved policy file, do the following:

  1. Sign into app.beyondtrust.io.
    The BeyondTrust Home page displays.
  2. From the main menu, click Privileged Remote Access > Users & Security.
    The User & Security page opens and the Users tab displays by default.
  3. Click the Session Policies tab.
    The Session Policies tab displays.
  4. Click the pencil to edit the policy you want to export.
  5. Scroll to the bottom of the page, click Export Policy, and save the file.

Import policy

You may import those policy settings to any other BeyondTrust site that supports session policy import.

To import a saved policy file, do the following:

  1. Sign into app.beyondtrust.io.
    The BeyondTrust Home page displays.
  2. From the main menu, click Privileged Remote Access > Users & Security.
    The User & Security page opens and the Users tab displays by default.
  3. Click the Session Policies tab.
    The Session Policies tab displays.
  4. Click the pencil to edit the policy that will receive the imported settings.
  5. Scroll to the bottom of the page, click + Select Policy File.
  6. In the Open dialog box, locate the exported policy file. The default extension is .bgo.
  7. Select the exported policy file, click Open.
  8. Once the policy file is uploaded, the Edit Session Policy page displays, which allows you to make modifications. After the modifications are made, click Save.

Session Policy Simulator

Because layering policies can be complex, you can use the Session Policy Simulator to determine what the outcome will be. Additionally, you could use the simulator to troubleshoot why a permission is not available when you expected it to be.

To use the Session Policy simulator, do the following:

  1. Sign into app.beyondtrust.io.
    The BeyondTrust Home page displays.
  2. From the main menu, click Privileged Remote Access > Users & Security.
    The User & Security page opens and the Users tab displays by default.
  3. Click the Session Policies tab.
    The Session Policies tab displays.
  4. Go to the Session Policy Simulator section.
  5. For User, select the user performing the session. This dropdown includes both user accounts and access invite policies.
  6. For Session Start Method, select a valid method.
  7. For Jump Client or Jump Shortcut, search the client or shortcut by name, comments, Jump group, or tag.
  8. Click Simulate.
    In the results, the permissions configurable by session policy are displayed in read-only mode. You can see which permissions are allowed or denied as a result of the stacked policies, as well as which policy set each permission.
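The following is an added example, not BeyondTrust code, that models the stacking rule given in the Important note above (Jump Client or Jump Item policy first, then the user's policy, then the global default, with Not Defined deferring to the next layer) and reports, as the simulator does, which policy decided each permission. The policy names and option values are constructed for illustration; the only behaviour taken from the page is the order of precedence and the meaning of Not Defined.

```python
"""Resolve the effective permissions of stacked session policies (illustrative)."""
from dataclasses import dataclass

NOT_DEFINED = None  # the "Not Defined" state: defer to the next lower-priority policy


@dataclass(frozen=True)
class SessionPolicy:
    name: str
    permissions: dict  # permission name -> configured value, or NOT_DEFINED


def resolve(stack, permission_names):
    """Return {permission: (effective_value, deciding_policy_name)}.

    `stack` is ordered highest priority first. The first policy that defines a
    permission wins, whether it is more or less restrictive than the policies
    below it: precedence is by position in the stack, not by strictness.
    """
    effective = {}
    for perm in permission_names:
        for policy in stack:
            value = policy.permissions.get(perm, NOT_DEFINED)
            if value is not NOT_DEFINED:
                effective[perm] = (value, policy.name)
                break
        else:
            # Reached only if even the lowest layer leaves the permission Not Defined.
            effective[perm] = (NOT_DEFINED, None)
    return effective


def simulate(jump_item_policy, user_policy, default_policy, permission_names):
    """Mirror the Session Policy Simulator: stack the three layers and resolve them."""
    stack = [p for p in (jump_item_policy, user_policy, default_policy) if p is not None]
    return resolve(stack, permission_names)


# --- constructed sample policies; names and option values are illustrative ---
PERMISSIONS = [
    "Screen Sharing Rules",
    "File Transfer Rules",
    "Shell Rules",
    "Clipboard Synchronization Direction",
]

GLOBAL_DEFAULT = SessionPolicy("Global default", {
    "Screen Sharing Rules": "View and Control",
    "File Transfer Rules": "Upload and Download",
    "Shell Rules": "Allow",
    "Clipboard Synchronization Direction": "Allowed in Both Directions",
})

# Restrictive policy assigned to a contractor's user account; clipboard left to the default.
CONTRACTOR_USER = SessionPolicy("Contractor user policy", {
    "Screen Sharing Rules": "View Only",
    "File Transfer Rules": "Deny",
    "Shell Rules": "Deny",
    "Clipboard Synchronization Direction": NOT_DEFINED,
})

# Policy on one Jump Item that re-enables uploads and says nothing about anything else.
PATCH_SERVER_JUMP_ITEM = SessionPolicy("Patch server Jump Item policy", {
    "File Transfer Rules": "Upload Only",
    "Screen Sharing Rules": NOT_DEFINED,
    "Shell Rules": NOT_DEFINED,
})


def demo():
    """Contractor user connecting to the patch server Jump Item."""
    return simulate(PATCH_SERVER_JUMP_ITEM, CONTRACTOR_USER, GLOBAL_DEFAULT, PERMISSIONS)


if __name__ == "__main__":
    for perm, (value, source) in demo().items():
        print(f"{perm:38} {str(value):28} set by: {source}")
```

The result worth noticing is File Transfer: the user's policy denies it, but the Jump Item policy defines it as Upload Only and sits higher in the stack, so the session gets uploads. A permissive higher-priority policy overrides a restrictive lower one just as readily as the reverse, which is why a Jump Item policy should define only the permissions it genuinely needs to pin and leave the rest Not Defined.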

©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.