DocumentationAPI ReferenceRelease Notes
Documentation

Use cases | RS

To offer you the most flexibility and control over your Assets, BeyondTrust includes several areas where permissions must be configured. To help you understand how you might want to set up your system, there are two use cases below.

Basic use case

You are a small organization without a lot of Assets or users to manage. You want your administrators to manage all of the Asset setup steps and your users to be able to connect to only those items.

  1. Create two Asset Roles, Administrator and Start Sessions Only. Ensure the following:

    • The Administrator role has all permissions enabled.
    • The Start Sessions Only role has only Start Sessions enabled.

  2. Create a Shared Asset Group to contain all shared Assets. Personal Assets can also be created.

  3. Put users into two group policies, Admins and Users.

  4. In the Admins group, configure settings and permissions as appropriate. Include the following permissions:

    • Define Representative Permissions and enable Allowed to provide remote support.
    • Under Jump Technology, check all Allowed Connection Types that your organization will use.
    • Under Asset Roles, set the Default and Personal roles to Administrator.
    • Set the Teams and System roles to Start Sessions Only.
    • Under Memberships, define Add Asset Group Memberships.
    • In the Asset Group field, search for and select Shared.
    • Set the Asset Role to Administrator.
    • Click Add to assign the members of this group policy to the Asset Group.
    • Save the group policy.

  5. In the Users group, configure settings and permissions as appropriate. Include the following permissions:

    • Define Representative Permissions and check Allowed to provide remote support.
    • Under Jump Technology, check all Allowed Connection Types that your organization will use.
    • Under Asset Roles, set the Default to Start Sessions Only.
    • Set the Personal Asset Role to Administrator.
    • Set the Team and System roles to No Access.
    • Under Memberships, define Add Asset Group Memberships.
    • In the Asset Group field, search for and select Shared.
    • Set the Asset Role to Start Sessions Only.
    • Click Add to assign the members of this group policy to the Asset Group.
    • Save the group policy.

  6. Deploy Assets, assigning them to the Shared Asset Group.

  7. Now administrators can deploy and start sessions with Assets in the Shared Asset Group. They can also manage their personal lists of Assets and start sessions with all other Assets.

    Likewise, users can now start sessions with Assets in the Shared Asset Group. They can also manage their personal lists of Assets.

Advanced use case

You are a large organization with a lot of Assets to manage and with users to manage in three different departments. You want your administrators to manage all of the Asset setup steps and your users to only be able to connect to those items. In addition to your local users, you have some third-party vendors who need occasional access. Some Assets must be accessible at all times, while others must be accessible only on weekdays.

  1. Create two Asset Roles, Administrator and Start Sessions Only. Ensure the following:

    • The Administrator role has all permissions enabled.
    • The Start Sessions Only role has only Start Sessions enabled.

  2. Create an Asset Policy, Weekdays.

  3. In the Asset Policy, enable the Schedule.

    • Click Add Schedule Entry.
    • Set the Start day and time to Monday 8:00 and the End day and time to Monday 17:00.
    • Click Add Schedule Entry and repeat the process for the remaining weekdays.
    • Save the Asset Policy.

  4. Create three Asset Groups: Web Servers, Directory Servers, and User Systems. Personal Assets can also be created.

  5. Put users into two group policies, Admins and Users.

  6. In the Admins group, configure settings and permissions as appropriate. Include the following permissions:

    • Define Representative Permissions and enable Allowed to provide remote support.
    • Under Jump Technology, check all Allowed Connection Types that your organization will use.
    • Under Asset Roles, set the Default and Personal roles to Administrator.
    • Set the Team and System roles to Start Sessions Only.
    • Under Memberships, define Add Asset Group Memberships.
    • In the Asset Group field, search for and select Web Servers.
      • Set the Asset Role to Administrator.
      • Click Add to assign the members of this group policy to the Asset Group.
    • In the Asset Group field, search for and select Directory Servers.
      • Set the Asset Role to Administrator.
      • Click Add to assign the members of this group policy to the Asset Group.
    • In the Asset Group field, search for and select User Systems.
      • Set the Asset Role to Administrator.
      • Click Add to assign the members of this group policy to the Asset Group.
    • Save the group policy.

  7. In the Users group, configure settings and permissions as appropriate. Include the following permissions:

    • Define Representative Permissions and check Allowed to provide remote support.
    • Under Jump Technology, check all Allowed Connection Types that your organization will use.
    • Under Asset Roles, set the Default to Start Sessions Only.
    • Set the Personal Asset Role to Administrator.
    • Set the Team and System roles to No Access.
    • Under Memberships, define Add Asset Group Memberships.
    • In the Asset Group field, search for and select Web Servers.
      • Set the Asset Role to Start Session Only.
      • Click Add to assign the members of this group policy to the Asset Group.
    • In the Asset Group field, search for and select Directory Servers.
      • Set the Asset Role to Start Session Only.
      • Click Add to assign the members of this group policy to the Asset Group.
    • In the Asset Group field, search for and select User Systems.
      • Set the Asset Role to Start Session Only.
      • Click Add to assign the members of this group policy to the Asset Group.
    • Set the Asset Role to Start Sessions Only.
    • Click Add to assign the members of this group policy to the Asset Group.
    • Save the group policy.

  8. Deploy Assets, assigning them to the three Asset Groups as appropriate. If any particular Asset requires an Asset Policy schedule to be enforced, assign that as well.

  9. Now administrators can deploy and start sessions with Assets in all three Asset Groups. They can also manage their personal lists of Assets and start sessions with all other Assets.

    Likewise, local users can now start sessions with Assets in all three Asset Groups. They can also manage their personal lists of Assets.

    Finally, third-party users can start sessions with Assets in the Web Servers Asset Group. They cannot deploy personal Assets.

    Specified Assets can be accessed only on weekdays.

Updated 3 months ago

©2003-2026 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.