Users and Security

Users: Add Account Permissions for a User or Admin

Users & Security > Users

User Accounts

View information about all users who have access to your Bomgar Appliance, including local users and those who have access through security provider integration.

Create New User, Edit, Delete

Create a new account, modify an existing account, or remove an existing account. You cannot delete your own account.

Synchronize

Synchronize the users and groups associated with an external security provider. Synchronization occurs automatically once a day. Clicking this button forces a manual synchronization.

Search

Search for a specific user account based on username, display name, or email address.

Reset

If a user has one or more failed login attempts, click the Reset button beside their name to reset the number back to 0.

User :: Add or Edit

User Settings

Username

Unique identifier used to log in.

Display Name

User's name as shown in team chats, in reports, etc.

Email Address

Set the email address to which email notifications are sent, such as password resets or extended availability mode alerts.

Preferred Email Language

If more than one language is enabled on this site, set the language in which to send emails.

Password

Password used with the username to log in. The password may be set to whatever you choose, as long as the string complies with the defined policy set on the /login > Management > Security page.

Email Password Reset Link to User

Send an email to the user containing a link to reset the password for their account. This feature requires a valid SMTP configuration for your appliance, set up on the /login > Management > Email Configuration page.

Must Reset Password at Next Login

If this option is selected, then the user must reset their password at next login.

Password Expires On

Causes the password to expire after a given date or never to expire.

Memberships

Note: The Memberships section does not initially display while a new user is being created. Once the new user has been saved, a new Memberships section appears, listing any group policy or teams to which the user may have been added.

Group Policy Memberships

Listing of the group policies to which the user belongs.

Team Memberships

Listing of the teams to which the user belongs.

Jumpoint Memberships

Listing of the Jumpoints which the user can access.

Jump Groups

Listing of the Jump Groups to which the user belongs.

Account Settings

Last Authentication Date

The date and time when this user last logged in.

Two Factor Authentication

Two factor authentication (2FA) uses an authenticator app to provide a time-based, one time code to login to the administrative interface, as well as the access console. If Required is selected , the user will be prompted to enroll and begin using 2FA at the next login. If Optional is selected, the user will have the option to use 2FA, but itis not required. Click Remove Current Authenticator App if you want a user to stop login in with a specific authenticator.

Note: Users who were receiving codes to log in will be automatically upgraded to 2FA, although they may continue to use email codes until they register an app. Once they begin to use 2FA, the email code option is permanently disabled.

Account Expires On

Causes the account to expire after a given date or never to expire.

Account Disabled

Disables the account so the user cannot log in. Disabling does NOT delete the account.

Comments

Add comments to help identify the purpose of this object.

Permissions

Admin

Grants the user full administrative rights.

Allowed to Set Passwords

Enables the user to set passwords and unlock accounts for non-administrative local users.

Allowed to Edit Jumpoints

Enables the user to create or edit Jumpoints. This option does not affect the user's ability to access remote computers via Jumpoint, which is configured per Jumpoint or group policy.

Allowed to Use Endpoint Analyzer

Enables the user to set up and view scans of open ports on Jump Items.

Access Session Reporting Permissions: Allowed to View Access Session Reports

Enables the user to run reports on access session activity, viewing only sessions for which they were the primary session owner, only sessions in which one of their teams was the primary team or one of their teammates was the primary session owner, or all sessions.

Allowed to view access session recordings

Enables the user to view video recordings of screen sharing sessions and command shell sessions.

Allowed to Use Reporting API

Enables the user's credentials to be used to pull XML reports via the API.

Note: As of 16.1, it is preferred to use API accounts created on Management > API Configuration.

Allowed to Use Command API

Enables the user's credentials to be used to issue commands via the API.

Note: As of 16.1, it is preferred to use API accounts created on Management > API Configuration.

Allowed to Edit Teams

Enables the user to create or edit teams.

Allowed to Edit Jump Groups

Enables the user to create or edit Jump Groups.

Allowed to Edit Canned Scripts

Enables the user to create or edit canned scripts for use in screen sharing or command shell sessions.

Allowed to Edit Custom Links

Enables the user to create or edit custom links.

Access Permissions

Access

Allowed to access endpoints

Enables the user to use the access console in order to run sessions. If endpoint access is enabled, options pertaining to endpoint access will also be available.

Session Management

Allowed to share sessions with teams which they do not belong to

Enables the user to invite a less limited set of user to share sessions, not only their team members. Combined with the extended availability permission, this permission expands session sharing capabilities.

Allowed to invite external users

Enables the user to invite a third-party user to participate in a session one time only.

Allowed to enable extended availability mode

Enables the user to receive email invitations from other users requesting to share a session even when they are not logged into the access console.

Allowed to edit the external key

Enables the user to modify the external key from the session info pane of a session within the access console.

User to User Screen Sharing

Allowed to show screen to other users

Enables the user to share their screen with another user without the receiving user having to join a session. This option is available even if the user is not in a session.

Allowed to give control when showing screen to other users

Enables the user sharing their screen to give keyboard and mouse control to the user viewing their screen.

Jump Technology

Allowed Jump Methods

Enables the user to Jump to computers using Jump Clients, Local Jump on the local network, Remote Jump via a Jumpoint, Remote VNC via a Jumpoint, Remote RDP via a Jumpoint, Web Jump via a Jumpoint, Shell Jump via a Jumpoint, and/or Protocol Tunnel Jump via a Jumpoint.

Jump Item Roles

A Jump Item Role is a predefined set of permissions regarding Jump Item management and usage. For each option, click Show to open the Jump Item Role in a new tab.

The Default role is used only when Use User's Default is set for that user in a Jump Group.

The Personal role applies only to Jump Items pinned to the user's personal list of Jump Items.

The Team role applies to Jump Items pinned to the personal list of Jump Items of a team member of a lower role. For example, a team manager can view team leads' and team members' personal Jump Items, and a team lead can view team members' personal Jump Items.

The System role applies to all other Jump Items in the system. For most users, this should be set to No Access. If set to any other option, the user is added to Jump Groups to which they would not normally be assigned, and in the access console, they can see non-team members' personal lists of Jump Items.

Session Permissions

Set the prompting and permission rules that should apply to this user's sessions. Choose an existing session policy or define custom permissions for this user. If Not Defined, the global default policy will be used. These permissions may be overridden by a higher policy.

Description

View the description of a pre-defined session permission policy.

Screen Sharing

Screen Sharing

Enable the user to view or control the remote screen. If Not Defined, this option will be set by the next lower priority policy. This setting may be overridden by a higher priority policy.

Application Sharing Restrictions

Limit access to specified applications on the remote system with either Allow only the listed executables or Deny only the listed executables. You may also choose to allow or deny desktop access.

Note: This feature applies only to Windows and Linux operating systems and does not include Remote Desktop Protocol (RDP) or VNC sessions.

Add New Executables

If application sharing restrictions are enforced, an Add New Executables button appears. Clicking this button opens a dialog that allows you to specify executables to deny or allow, as appropriate to your objectives.

After you have added executables, one or two tables display the file names or hashes you have selected for restriction. An editable comment field allows administrative notes.

Enter file names or SHA-256 hashes, one per line

When restricting executables, manually enter the executable file names or hashes you wish to allow or deny. Click on Add Executable(s) when you are finished to add the chosen files to your configuration.

You may enter up to 25 files per dialog. If you need to add more, click Add Executable(s) and then reopen the dialog.

Browse for one or more files

When restricting executables, select this option to browse your system and choose executable files to automatically derive their names or hashes. If you select files from your local platform and system in this manner, use caution to ensure that the files are indeed executable files. No browser level verification is performed.

Choose either Use file name or Use file hash to have the browser derive the executable file names or hashes automatically. Click Add Executable(s) when you are finished to add the chosen files to your configuration.

You may enter up to 25 files per dialog. If you need to add more, click Add Executable(s) and then reopen the dialog.

Note: This option is available only in modern browsers, not in legacy browsers.

Allowed Endpoint Restrictions

Set if the user can suspend the remote system's mouse and keyboard input. The user may also prevent the remote desktop from being displayed.

Allowed to log in using credentials from an Endpoint Credential Manager

Enable connection of a user to your Endpoint Credential Manager to use credentials from your existing password stores or vaults.

Use of the Endpoint Credential Manager requires a separate services agreement with Bomgar. Once a services agreement is in place, you may download the required middleware from the Bomgar self-service center.

Note: Prior to 15.2, this feature is available only in sessions started from an elevated Jump Client on Windows®. Starting with 15.2, you also may use an Endpoint Credential Manager in Remote Jump sessions, Microsoft® Remote Desktop Protocol sessions, VNC sessions, and Shell Jump sessions. You may also use this feature with the Run As special action in a screen sharing session on a Windows® system.

Annotations

Enables the user to use annotation tools to draw on the remote system's screen. If Not Defined, this option will be set by the next lower priority policy. This setting may be overridden by a higher priority policy.

File Transfer

File Transfer

Enables the user to upload files to the remote system, download files from the remote system, or both. If Not Defined, this option will be set by the next lower priority policy. This setting may be overridden by a higher priority policy.

Accessible paths on the endpoint's filesystem

Allow the user to transfer files to or from any directories on the remote system or only specified directories.

Accessible paths on user's filesystem

Allow the user to transfer files to or from any directories on their local system or only specified directories.

Command Shell

Command Shell

Enables the user to issue commands on the remote computer through a virtual command line interface. If Not Defined, this option will be set by the next lower priority policy. This setting may be overridden by a higher priority policy.

System Information

System Info

Enables the user to see system information about the remote computer. If Not Defined, this option will be set by the next lower priority policy. This setting may be overridden by a higher priority policy.

Allowed to use system information actions

Enables the user to interact with processes and programs on the remote system without requiring screen sharing. Kill processes; start, stop, pause, resume, and restart services; and uninstall programs.

Registry Access

Registry Access

Enables the user to interact with the registry on a remote Windows system without requiring screen sharing. View, add, delete and edit keys, search and import/export keys.

Other Tools

Canned Scripts

Enables the user to run canned scripts that have been created for their teams. If Not Defined, this option will be set by the next lower priority policy. This setting may be overridden by a higher priority policy.

Login Schedule

Restrict user login to the following schedule

Set a schedule to define when users can log into the access console. Set the time zone you want to use for this schedule, and then add one or more schedule entries. For each entry, set the start day and time and the end day and time.

If, for instance, the time is set to start at 8 am and end at 5 pm, a user can log in at any time during this window but may continue to work past the set end time. They will not, however, be allowed to log back in after 5 pm.

Force logout when the schedule does not permit login

If stricter access control is required, check this option. This forces the user to log out at the scheduled end time. In this case, the user receives recurring notifications beginning 15 minutes prior to being disconnected. When the user is logged out, any owned sessions will follow the session fallback rules.

User Account Report

Export detailed information about your users for auditing purposes. Gather detailed information for all users, users from a specific security provider, or just local users. Information collected includes data displayed under the “show details” button, plus group policy and team memberships and permissions.