Security | PRA On-prem

  • Users: Add User Permissions for a User or Admin: Users and Security > Users > Add > Session Permissions > Screen Sharing
  • Session Policies: Set Session Permission and Prompting Rules: Users and Security > Session Policies > Add > Permission > Screen Sharing
  • Group Policies: Apply User Permissions to Groups of Users: Users and Security > Group Policies > Add > Session Permissions [defined]

ℹ️ You must restart the software on the Status page for this setting to take effect.

Allow search for external Jump Items

This enables Jump Item searching in Password Safe when Privileged Remote Access (PRA) has a Password Safe integration and a fully configured Endpoint Credential Manager (ECM).

ℹ️ You must restart the software for this setting to take effect. When enabling or disabling this setting, you are prompted to restart now or restart later from the Status page in /login.

Jumpoint for external Jump Item sessions

This field is available only when the Allow Search for External Jump Items option is checked. All sessions started from external Jump Items are performed through the Jumpoint selected here. Where multiple Jumpoints are deployed on endpoints across segmented networks, the Jumpoint can instead be selected automatically by matching against an External Jump Item's Network ID. The Jumpoint must be positioned on the network so that it has connectivity to potentially any of the External Jump Items returned by the ECM.

Select the Jumpoint to use for external Jump Item sessions from the dropdown list of available Jumpoints, or leave the default selection of Automatically Selected by External Jump Item Network ID to allow PRA to determine which Jumpoint handles the session.

  • The External Jump Item Network ID is an attribute you must set on the Jumpoint from Jump > Jumpoint in /login. It is equivalent to the Workgroup attribute on managed systems in Password Safe. Its value is matched against the Network ID property for external Jump Items returned by the ECM to determine the Jumpoint to handle a session.

External Jump Item group name

This field is available only when the Allow Search for External Jump Items option is checked. Optionally, enter a name for the external Jump Group, or leave the default option of External Jump Items. This name displays as the Jump Group name when viewing Jump Items in the access console or the web access console. Click Save if you have modified the default group name.

Log "Run As" special action commands in session reports

Uncheck this option to stop logging and reporting all Run As commands. When the option is checked, the entire command is logged, so any credentials passed as a command parameter are logged as well.

Force the closure of windows that were opened during the session

Set this option to force closure of windows opened during an elevated session. This ensures all windows are closed when a session ends.

ℹ️ This option is for elevated Windows sessions only.

🚧 This setting is off by default. Setting this option may cause loss of data if information is not saved. Ensure you save your data during the session.

Miscellaneous

Days to keep logging information

In Days to Keep Logging Information, you can set how long logging information should be stored on the B Series Appliance. This information includes the session reporting data and recordings. The maximum duration for which session reporting data and recordings can be retained on a B Series Appliance is 90 days. This is the default value in a new installation. It is possible that session recordings for some sessions within the retention time frame are not available. This could be caused by disk space constraints or the Days to Keep Logging Information setting.

The B Series Appliance runs a maintenance script every day that ensures disk usage does not exceed 90%. Should this be exceeded, the script begins deleting session recordings based on a formula until the disk usage is less than 90%. If the Days to Keep Logging Information setting was recently changed, the new setting may take up to 24 hours to go into effect.

Inter-appliance communication pre-shared key

ℹ️ This feature is available only to customers who own an on-premises BeyondTrust Appliance B Series. BeyondTrust Cloud customers do not have access to this feature.

Enter a password in the Inter-appliance Communication Pre-shared Key field to establish a trusted relationship between two B Series Appliances. Matching keys are required for two or more B Series Appliances to be configured for features such as failover or clustering. The key must be at least 6 characters long and contain at least one uppercase letter, one lowercase letter, one number, and one special character.

Days to keep endpoint automation logging data

This setting defines how long finished Endpoint Automation job data remains on the appliance. Since data is purged once daily, it may remain accessible for up to 24 hours beyond the selected timeframe.

Days to keep Jump Item logging information

Choose how long Jump Item reporting data remains accessible from the appliance. Because data is purged only once a day, it may remain accessible for up to 24 hours beyond the selected timeframe.

Endpoint automation resource storage size in GiB

This setting specifies the maximum amount of storage available for endpoint automation resources.

Network restrictions

Determine which IP networks should be able to access /login, /api, and the BeyondTrust access console on your B Series Appliance. If you enable network restrictions, you can also enforce the networks on which access consoles may be used.

Admin interface (/login) and API interface (/api)

  • Always apply network restrictions: when selected, you have the option of creating either an Allow list containing only allowed networks, or a Deny list containing networks that are denied access. When this option is selected, you can determine which restrictions, if any, should apply to the desktop, mobile, and web access consoles.
  • Never apply network restrictions: when selected, no restrictions are applied and no other options are available to apply restrictions to the desktop, mobile, and web console.

Desktop and mobile access console

  • Always apply network restrictions: when selected, it inherits the network restrictions entered for the Admin interface.
  • Never apply network restrictions: when selected, no restrictions are applied to the desktop and mobile consoles, but you have the option to apply restrictions to the web access console.
  • Only apply network restrictions for user's first authentication: this applies restrictions selected above, but only when the user first logs in.

Web console (/console)

  • Always apply network restrictions: when selected, the web access console inherits the restrictions entered for the admin interface.
  • Never apply network restrictions: when selected, no restrictions are applied to the web access console, even if restrictions are in effect for the other access console methods.
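
Before saving an Allow or Deny list, it helps to check which known source addresses would be refused on each interface. The following is an added example, not BeyondTrust code: it models the inheritance rules described above in Python. The policy keys, mode names, and sample addresses are assumptions made for illustration, as is the reading that the first-authentication mode does not re-check later logins.

```python
import ipaddress

def in_networks(ip, networks):
    """True if ip falls inside any CIDR in networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)

def admin_allowed(ip, policy):
    """Decision for the admin (/login) and API (/api) interfaces."""
    if policy["admin_mode"] == "never":
        return True
    hit = in_networks(ip, policy["networks"])
    return hit if policy["list_type"] == "allow" else not hit

def console_allowed(ip, policy, console, first_auth=True):
    """Decision for 'desktop_mobile' or 'web'; both inherit the admin list."""
    if policy["admin_mode"] == "never":
        return True  # no console restrictions can be configured
    mode = policy[console + "_mode"]
    if mode == "never":
        return True
    if mode == "first_auth" and not first_auth:
        return True  # assumption: later logins are not re-checked
    return admin_allowed(ip, policy)

def lockout_report(policy, sources):
    """Map each labelled source to the interfaces that would refuse it."""
    report = {}
    for label, ip in sources.items():
        denied = []
        if not admin_allowed(ip, policy):
            denied.append("/login,/api")
        for console in ("desktop_mobile", "web"):
            if not console_allowed(ip, policy, console):
                denied.append(console)
        if denied:
            report[label] = denied
    return report

# Constructed sample policy and sources (private and documentation ranges).
POLICY = {"admin_mode": "always", "list_type": "allow",
          "networks": ["10.20.0.0/16", "192.0.2.0/24"],
          "desktop_mobile_mode": "first_auth", "web_mode": "never"}
SOURCES = {"admin-vlan": "10.20.5.9", "vendor-vpn": "192.0.2.44",
           "home-office": "198.51.100.7"}

if __name__ == "__main__":
    for label, denied in lockout_report(POLICY, SOURCES).items():
        print(label, "denied on", ", ".join(denied))
```

Any administrator source that appears in the report would lose access to /login once the list is applied, so add its network to the Allow list first.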
