Use cases | RS

To offer you the most flexibility and control over your Assets, BeyondTrust includes quite a few separate areas where permissions must be configured. To help you understand how you might want to set up your system, we have provided two use cases below.

Basic use case

You are a small organization without a lot of Assets or users to manage. You want your administrators to manage all of the Asset setup steps and your users to only be able to connect to those items.

  1. Create two Asset Roles, Administrator and Start Sessions Only.

    1. The Administrator role should have all permissions enabled.
    2. The Start Sessions Only role should have only Start Sessions enabled.
  2. Create a Shared Asset Group that will contain all shared Assets. Personal Assets can also be created.

  3. Deploy a Gateway to each remote network segment where Assets will be deployed.

  4. Put users into two group policies, Admins and Users.

  5. In the Admins group, configure settings and permissions as appropriate. The permissions should include the following:

    1. Define Representative Permissions and enable Allowed to provide remote support.
    2. Under Jump Technology, check all Allowed Connection Types that your organization will use.
    3. Under Asset Roles, set the Default and Personal roles to Administrator.
    4. Set the Teams and System roles to Start Sessions Only.
    5. Under Memberships, define Add Gateway Membership.
      1. In the Gateway field, search for and select each Gateway.
      2. Click Add to grant the members of this group policy access to the Gateway.
    6. Under Memberships, define Add Asset Group Memberships.
      1. In the Asset Group field, search for and select Shared.
      2. Set the Asset Role to Administrator.
      3. Click Add to assign the members of this group policy to the Asset Group.
    7. Save the group policy.
  6. In the Users group, configure settings and permissions as appropriate. The permissions should include the following:

    1. Define Representative Permissions and check Allowed to provide remote support.

    2. Under Jump Technology, check all Allowed Connection Types that your organization uses.

    3. Under Asset Roles, set the Default to Start Sessions Only.

    4. Set the Personal Asset Role to Administrator.

    5. Set the Teams and System roles to No Access.

    6. Under Memberships, define Add Gateway Membership.

      1. In the Gateway field, search for and select each Gateway these users will need to access.
      2. Click Add to grant the members of this group policy access to the Gateway.
    7. Under Memberships, define Add Asset Group Memberships.

      1. In the Asset Group field, search for and select Shared.
      2. Set the Asset Role to Start Sessions Only.
      3. Click Add to assign the members of this group policy to the Asset Group.
    8. Save the group policy.

  7. Deploy Assets, assigning them to the Shared Asset Group.

Now, administrators can deploy and start sessions with Assets in the Shared Asset Group. They can also manage their personal lists of Assets and start sessions with all other Assets.

Likewise, users can now start sessions with Assets in the Shared Asset Group. They can also manage their personal lists of Assets.

Advanced use case

You are a large organization with a lot of Assets to manage and with users to manage in three different departments. You want your administrators to manage all of the Asset setup steps and your users to only be able to connect to those items. Some Assets should be accessible at all times, while others should be accessible only on weekdays.

  1. Create two Asset Roles, Administrator and Start Sessions Only.

    1. The Administrator role should have all permissions enabled.
    2. The Start Sessions Only role should have only Start Sessions enabled.
  2. Create an Asset Policy, Weekdays.

  3. In the Asset Policy, enable the Schedule.

    1. Click Add Schedule Entry.
    2. Set the Start day and time to Monday 8:00 and the End day and time to Monday 17:00.
    3. Click Add Schedule Entry and repeat the process for the remaining weekdays.
    4. Save the Asset Policy.
  4. Create three Asset Groups, Web Servers, Directory Servers, and User Systems. Personal Assets can also be created.

  5. Deploy a Gateway to each remote network segment where Assets will be deployed.

  6. Put users into two group policies, Admins and Users.

  7. In the Admins group, configure settings and permissions as appropriate. The permissions should include the following:

    1. Define Representative Permissions and enable Allowed to provide remote support.

    2. Under Jump Technology, check all Allowed Connection Types that your organization uses.

    3. Under Asset Roles, set the Default and Personal roles to Administrator.

    4. Set the Teams and System roles to Start Sessions Only.

    5. Under Memberships, define Add Gateway Membership.

      1. In the Gateway field, search for and select each Gateway.
      2. Click Add to grant the members of this group policy access to the Gateway.
    6. Under Memberships, define Add Asset Group Memberships.

      1. In the Asset Group field, search for and select Web Servers.
      2. Set the Asset Role to Administrator.
      3. Click Add to assign the members of this group policy to the Asset Group.
      4. In the Asset Group field, search for and select Directory Servers.
      5. Set the Asset Role to Administrator.
      6. Click Add to assign the members of this group policy to the Asset Group.
      7. In the Asset Group field, search for and select User Systems.
      8. Set the Asset Role to Administrator.
      9. Click Add to assign the members of this group policy to the Asset Group.
    7. Save the group policy.

  8. In the Users group, configure settings and permissions as appropriate. The permissions should include the following:

    1. Define Representative Permissions and check Allowed to provide remote support.

    2. Under Jump Technology, check all Allowed Connection Types that your organization uses.

    3. Under Asset Roles, set the Default to Start Sessions Only.

    4. Set the Personal Asset Role to Administrator.

    5. Set the Teams and System roles to No Access.

    6. Under Memberships, define Add Gateway Membership.

      1. In the Gateway field, search for and select each Gateway these users will need to access.
      2. Click Add to grant the members of this group policy access to the Gateway.
    7. Under Memberships, define Add Asset Group Memberships.

      1. In the Asset Group field, search for and select Web Servers.
      2. Set the Asset Role to Start Sessions Only.
      3. Click Add to assign the members of this group policy to the Asset Group.
      4. In the Asset Group field, search for and select Directory Servers.
      5. Set the Asset Role to Start Sessions Only.
      6. Click Add to assign the members of this group policy to the Asset Group.
      7. In the Asset Group field, search for and select User Systems.
      8. Set the Asset Role to Start Sessions Only.
      9. Click Add to assign the members of this group policy to the Asset Group.
    8. Save the group policy.

  9. Deploy Assets, assigning them to the three Asset Groups as appropriate. If any particular Asset requires an Asset Policy schedule to be enforced, assign that, as well.

Now, administrators can deploy and start sessions with Assets in all three Asset Groups. They can also manage their personal lists of Assets and start sessions with all other Assets.

Likewise, local users can now start sessions with Assets in all three Asset Groups. They can also manage their personal lists of Assets.

Specified Assets can be accessed only on weekdays.
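To review the advanced use case before configuring it, the sketch below models the resulting access matrix and the Weekdays schedule. It is an added example, not BeyondTrust code or its API: the data layout, the function names, the treatment of the 17:00 end time as exclusive, and the rule that the schedule applies to every policy are assumptions.

```python
from datetime import datetime

# Constructed model of the advanced use case. Role, policy and group names
# come from the steps above; everything else is an assumption for review.
ALL = "ALL"  # stands for "all permissions enabled"
ROLES = {
    "Administrator": ALL,
    "Start Sessions Only": {"Start Sessions"},
    "No Access": set(),
}

# Weekdays Asset Policy: one schedule entry per weekday, 8:00 to 17:00,
# stored as minutes since midnight. 0 = Monday.
WEEKDAYS = {day: (8 * 60, 17 * 60) for day in range(5)}

GROUPS = ("Web Servers", "Directory Servers", "User Systems")
MEMBERSHIPS = {  # group policy -> Asset Group -> Asset Role
    "Admins": {g: "Administrator" for g in GROUPS},
    "Users": {g: "Start Sessions Only" for g in GROUPS},
}

def in_schedule(schedule, when):
    """True if `when` falls inside the schedule entry for its weekday."""
    window = schedule.get(when.weekday())
    if window is None:
        return False  # no entry for this day (weekend)
    minute = when.hour * 60 + when.minute
    return window[0] <= minute < window[1]  # end time assumed exclusive

def can_start_session(policy, group, when, schedule=None):
    """Combine Asset Group membership, Asset Role and optional Asset Policy."""
    role = MEMBERSHIPS[policy].get(group)
    if role is None:
        return False  # no membership in this Asset Group
    perms = ROLES[role]
    allowed = perms == ALL or "Start Sessions" in perms
    return allowed and (schedule is None or in_schedule(schedule, when))

def over_privileged(policy, expected_role):
    """Asset Groups where the policy grants a role other than expected_role."""
    return sorted(g for g, r in MEMBERSHIPS[policy].items() if r != expected_role)

if __name__ == "__main__":
    monday = datetime(2024, 1, 8, 9, 0)  # constructed sample time
    print(can_start_session("Users", "Web Servers", monday, WEEKDAYS))
    print(over_privileged("Users", "Start Sessions Only"))
```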

