Group Policies: Apply User Permissions to Groups of Users
The Group Policies page enables you to set up groups of users who will share common privileges.
Create New Policy, Edit, Delete
Create a new policy, modify an existing policy, or remove an existing policy.
To expedite the creation of similar policies, click Copy to create a new policy with identical settings. You can then edit this new policy to meet your specific requirements.
Click this button to drag and drop group policies to set their priority. Click Save Order for prioritization changes to take effect. For management purposes, the recommended order is to give policies for more specific user groups a higher priority (preventing override) and to work your way down from there, setting broader groups as lower priority.
Group Policy :: Add
Create a unique name to help identify this policy.
To assign members, click the Add button to open a select box. Select users from your local system, or select users or entire groups from configured security providers. To add users or groups from an external directory store such as LDAP, RADIUS, or Kerberos, you must first configure the connection on the /login > Users & Security > Security Providers page. If an attempt to add a user from a configured security provider is invalid, the synchronization log error message will appear here as well as in the log.
For each setting, select whether it should be defined in this policy or left available for configuration for individual users. If it is defined, you will be unable to modify that privilege for an individual user from their user account page.
If you have a policy that defines a permission and you do not want any policy to be able to replace that permission, then you must select that the permission cannot be overridden, and the policy must be a higher priority than other policies that additionally define that setting.
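The two conditions above (the permission is marked as not overridable, and the policy that marks it sits above every other policy defining the same setting) can be checked per user before saving a new order. The following Python sketch is an added example, not Bomgar code or a Bomgar export format; the data structure, setting names, policy names, and users are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Setting:
    value: str
    locked: bool = False          # models "cannot be overridden"

@dataclass
class Policy:
    name: str
    members: set
    settings: dict = field(default_factory=dict)   # absent key = not defined

def audit_user(policies, user, required):
    """policies is in priority order, index 0 = highest priority.
    required maps setting -> value that must hold and must not be replaceable.
    Returns {setting: (code, policy name or None)}."""
    applicable = [p for p in policies if user in p.members]
    findings = {}
    for name, want in required.items():
        definers = [p for p in applicable if name in p.settings]
        if not definers:
            # Not defined anywhere: left to the individual user account.
            findings[name] = ("undefined", None)
            continue
        top = definers[0]
        top_s = top.settings[name]
        locked_below = [p for p in definers[1:]
                        if p.settings[name].locked
                        and p.settings[name].value == want]
        if top_s.value == want and top_s.locked:
            findings[name] = ("ok", top.name)
        elif locked_below:
            # The lock exists, but a higher-priority policy also defines
            # the setting, so the ordering condition is not met.
            findings[name] = ("misordered", locked_below[0].name)
        elif top_s.value == want:
            findings[name] = ("unlocked", top.name)
        else:
            findings[name] = ("conflict", top.name)
    return findings

# Constructed sample: three policies listed from highest to lowest priority.
POLICIES = [
    Policy("Contractors", {"alice"},
           {"two_factor": Setting("required", True),
            "elevation": Setting("deny")}),
    Policy("Help Desk", {"bob"},
           {"command_shell": Setting("allow")}),
    Policy("All Reps", {"alice", "bob"},
           {"two_factor": Setting("required", True),
            "command_shell": Setting("deny", True)}),
]
REQUIRED = {"two_factor": "required", "command_shell": "deny",
            "elevation": "deny"}

if __name__ == "__main__":
    for user in ("alice", "bob"):
        for setting, (code, policy) in audit_user(POLICIES, user, REQUIRED).items():
            print(f"{user:6} {setting:14} {code:11} {policy or '-'}")
```

Any result other than `ok` marks a setting that the policy set does not pin down for that user under the rule described above.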
Two Factor Authentication
Two-factor authentication (2FA) uses an authenticator app to provide a time-based, one-time code to log into the administrative interface, as well as the access console. If Required is selected, the user will be prompted to enroll and begin using 2FA at the next login. If Optional is selected, the user has the option to use 2FA, but it is not required.
Note: Users who were authenticating using email codes will be automatically upgraded to two-factor authentication (2FA), although they may continue to use email codes until they register an app. Once they begin to use 2FA, the email code option is permanently disabled.
For more information on 2FA, please see How to Use Two Factor Authentication with Bomgar Remote Support.
Account Expires On
Causes the account to expire after a given date or never to expire.
Disables the account so the user cannot log in. Disabling does NOT delete the account.
Add comments to help identify the purpose of this policy.
Grants the user full administrative rights.
Allowed to Set Passwords
Enables the user to set passwords and unlock accounts for non-administrative local users.
Allowed to Edit Jumpoints
Enables the user to create or edit Jumpoints. This option does not affect the user's ability to access remote computers via Jumpoint, which is configured per Jumpoint or group policy.
Allowed to Change Display Names
Enables users to change their display names.
Allowed to Change His/Her Photo
Enables users to change their avatar photos, which display on the /login administrative interface and in the customer client chat window.
Support Session Reporting Permissions: Allowed to View Support Session Reports
Enables the user to run reports on support session activity, viewing only sessions in which they were the primary representative, only sessions in which one of their teams was the primary team or one of their teammates was the primary representative, or all sessions.
Allowed to view support session recordings
Enables the user to view video recordings of screen sharing sessions, Show My Screen sessions, and command shell sessions.
Allowed to View Presentation Session Reports
Enables the user to run reports on presentation activity, viewing only presentations in which they were the presenter, only sessions in which one of their teammates was the presenter, or all presentations.
Allowed to View License Usage Reports
Enables the user to run reports on Bomgar license usage.
Allowed to Use Reporting API
Enables the user's credentials to be used to pull XML reports via the API.
Note: As of 16.2, it is preferred to use API accounts created on Management > API Configuration.
Allowed to Use Command API
Enables the user's credentials to be used to issue commands via the API.
Note: As of 16.2, it is preferred to use API accounts created on Management > API Configuration.
Allowed to Use Real-time State API
Enables the user's credentials to be used to pull data using the real-time state API.
Allowed to Edit Public Site
Enables the user to create and modify public site configurations, edit HTML templates, view the translation interface, etc.
Allowed to Edit Customer Notices
Enables the user to create and edit messages used to notify customers, as they are requesting support, of broadly impacting IT outages.
Allowed to Edit File Store
Enables the user to add or remove files from the file store.
Allowed to Edit Canned Messages
Enables the user to create or edit canned chat messages.
Allowed to Edit Support Teams
Enables the user to create or edit support teams.
Allowed to Edit Jump Groups
Enables the user to create or edit Jump Groups.
Allowed to Edit Issues
Enables the user to create and edit issues.
Allowed to Edit Skills
Enables the user to create and edit skills.
Allowed to Edit Bomgar Button Profiles
Enables the user to customize Bomgar Button profiles.
Allowed to Edit Canned Scripts
Enables the user to create or edit canned scripts for use in screen sharing or command shell sessions.
Allowed to Edit Custom Rep Links
Enables the user to create or edit custom links.
Allowed to Edit Access Sponsors
Enables the user to create or edit access sponsor teams.
Allowed to Show on Public Site
Displays the user's name on all public sites that have the representative list enabled.
Allowed to Edit iOS Profiles
Enables the user to create, edit and upload Apple iOS Profile content for distribution to iOS device users.
Allowed to provide remote support
Enables the user to use the representative console in order to run support sessions. If support is enabled, options pertaining to remote support will also be available. This option is always enabled for embassies and embassy users. Disable this setting for presentation-only users.
Allowed to generate session keys for support sessions within the representative console
Enables the user to generate session keys to allow customers to start sessions with them directly.
Allowed to generate access keys for sending iOS profiles
Enables the user to generate access keys to offer iOS content to iOS device users.
Allowed to manually accept sessions from a team/embassy queue
Enables the user to select and start sessions that are in one of their team queues.
Allowed to transfer sessions to teams which they do not belong to
Enables the user to transfer sessions to teams other than their own. If disabled, user interaction is restricted solely to the user's assigned teams.
Allowed to transfer sessions to embassies
Enables the user to transfer sessions to third-party embassy team queues.
Allowed to share sessions with teams which they do not belong to
Enables the user to invite a less limited set of users to share sessions, not only their team members. Combined with the extended availability permission, this permission expands session sharing capabilities.
Allowed to share sessions with embassies
Enables the user to share support sessions with one or more members of a third-party embassy team.
Allowed to invite external support representatives
Enables the user to invite a third-party user to participate in a support session one time only.
Allowed to use the Get Next Session feature
Enables the user to start supporting the oldest queued session from all of their teams simply by clicking a button.
Allowed to enable extended availability mode
Enables the user to receive email invitations from other users requesting to share a session even when they are not logged into the representative console.
Allowed to edit the external key
Enables the user to modify the external key from the session info pane of a session within the representative console.
Allowed to opt out of session assignments
Enables the representative to mark himself or herself as unavailable for sessions to be assigned using Equilibrium.
Do not assign sessions if the representative is participating in at least
Sets the minimum number of sessions the representative must be supporting before sessions will no longer be automatically assigned using Equilibrium.
Do not assign sessions if the representative has been idle for at least
Sets the minimum amount of time the representative must have been idle before sessions will no longer be automatically assigned using Equilibrium.
Rep to Rep Screen Sharing
Allowed to show screen to other representatives
Enables the user to share their screen with another user without the receiving user having to join a session. This option is available even if the user is not in a session.
Allowed to give control when showing screen to other representatives
Enables the user sharing their screen to give keyboard and mouse control to the user viewing their screen.
Allowed to deploy and manage Bomgar Buttons in personal queue
Enables the user to deploy and manage personal Bomgar Buttons. This setting affects deploying Bomgar Buttons from both the web interface and the representative console. To deploy a Bomgar Button from within a session, the Bomgar Buttons Deployment session permission must also be allowed.
Allowed to deploy Team Bomgar Buttons
Enables the user to deploy team Bomgar Buttons for teams they are a member of. This setting affects deploying Bomgar Buttons from both the web interface and the representative console. To deploy a Bomgar Button from within a session, the Bomgar Buttons Deployment session permission must also be allowed.
Allowed to manage Team Bomgar Buttons
Enables the user to modify the Bomgar Buttons deployed to teams they are a member of. If the user is a team lead or manager, they can modify the personal Bomgar Buttons of any team members as well.
Allowed to change the Public Portal associated with Bomgar Buttons
Enables the user to set the public portal through which a Bomgar Button should connect. Because session policies may be applied to public portals, changing the portal may affect the permissions allowed in the session.
Allowed Jump Methods: Allowed to start sessions through Jump Clients which use any of the following Jump methods
Enables the user to Jump to computers using Jump Clients, Local Jump, Local VNC, Local RDP, Remote Jump, Remote VNC, Remote RDP, Shell Jump, and/or Intel vPro.
Jump Item Roles
A Jump Item Role is a predefined set of permissions regarding Jump Item management and usage. For each option, click Show to open the Jump Item Role in a new tab.
The Default role is used only when Use User's Default is set for that user in a Jump Group.
The Personal role applies only to Jump Items pinned to the user's personal list of Jump Items.
The Team role applies to Jump Items pinned to the personal list of Jump Items of a team member of a lower role. For example, a team manager can view team leads' and team members' personal Jump Items, and a team lead can view team members' personal Jump Items.
The System role applies to all other Jump Items in the system. For most users, this should be set to No Access. If set to any other option, the user is added to Jump Groups to which they would not normally be assigned, and in the representative console, they can see non-team members' personal lists of Jump Items.
Allowed to give presentations
Enables the representative to give presentations to one or more attendees.
Allowed to grant control to a presentation attendee
Enables the representative to grant control of their computer to an attendee during a presentation. This setting affects only presentations and does not impact the Show My Screen feature of a support session. Only one attendee at a time can have control. The representative always maintains overriding control.
Set how long the representative can be idle before being logged out of the representative console. This permission can use the site-wide setting or can override that setting.
Attended and Unattended Session Permissions
Set the prompting and permission rules that should apply to this user's sessions. Choose an existing session policy or define custom permissions for this user. If Not Defined, the global default policy will be used. These permissions may be overridden by a higher policy.
Use the same permissions for Unattended sessions
To use the same permissions for both attended and unattended sessions, check Use the same permissions for Unattended sessions. Uncheck this box to define attended and unattended permissions separately. You can also copy the permissions from one to the other.
View the description of a pre-defined session permission policy.
Support Tool Prompting
Choose whether to ask the customer for permission to use any of the support features below. Select No Prompting to never prompt, Always Prompt to always prompt, or Prompt for Some Tools to choose which permissions to prompt for. If Prompt for Some Tools is chosen, a Prompt Customer option will appear beside each tool with the options to Never prompt or to Always prompt. If Not Defined, this option will be set by the next lower priority policy. This setting may be overridden by a higher priority policy.
Allowed to prompt once
If Screen Sharing is set to View and Control and prompting is enabled, this option appears. Check the box to make the screen sharing prompt request access to all tools during the session, with no further prompts.
Set how long to wait for a response to a prompt before defaulting to the answer of Deny or Allow. If Not Defined, this option will be set by the next lower priority policy. This setting may be overridden by a higher priority policy.
Enable the user to view or control the remote screen. If Not Defined, this option will be set by the next lower priority policy. This setting may be overridden by a higher priority policy.
Application Sharing Prompt Behavior
Set if a request for screen sharing should always or never prompt the customer to select applications to share, or if the user can choose whether to prompt for application sharing or not. Selecting Always or Rep Decides also allows you to predefine application sharing restrictions.
Allowed Customer Restrictions
Set if the user can suspend the remote system's mouse and keyboard input. The user may also prevent the remote desktop from being displayed.
For more details, check out Restricted Customer Interaction: Privacy Screen, Disable Remote Input.
Allowed to show their screen to the customer
Enables the user to share their screen with the customer during a support session.
Enables the user to browse the same web page the customer is viewing without having control or seeing other applications. If Not Defined, this option will be set by the next lower priority policy. This setting may be overridden by a higher priority policy.
Please also see Screen Share with the Remote Customer for View and Control.
Enables the user to use annotation tools to draw on the remote system's screen. If Not Defined, this option will be set by the next lower priority policy. This setting may be overridden by a higher priority policy.
Enables the user to upload files to the remote system, download files from the remote system, or both. If Not Defined, this option will be set by the next lower priority policy. This setting may be overridden by a higher priority policy.
Accessible paths on customer's filesystem
Allow the user to transfer files to or from any directories on the remote system or only specified directories.
Accessible paths on representative's filesystem
Allow the user to transfer files to or from any directories on their local system or only specified directories.
For more information see File Transfer to and from the Remote System.
Enables the user to issue commands on the remote computer through a virtual command line interface. If Not Defined, this option will be set by the next lower priority policy. This setting may be overridden by a higher priority policy.
See also Access the Remote Command Shell for more info.
Enables the user to see system information about the remote computer. If Not Defined, this option will be set by the next lower priority policy. This setting may be overridden by a higher priority policy.
Allowed to use system information actions
Enables the user to interact with processes and programs on the remote system without requiring screen sharing. Kill processes; start, stop, pause, resume, and restart services; and uninstall programs.
More information on this topic can be viewed at https://www.bomgar.com/docs/remote-support/getting-started/rep-console/system-info.htm, in View Remote System Information.
Enables the user to interact with the registry on a remote Windows system without requiring screen sharing. View, add, delete and edit keys, search and import/export keys.
See Access the Remote Registry Editor for more information on this topic.
Enables the user to run canned scripts that have been created for their teams. Note that when the user is in view-only screen sharing, the customer receives a prompt to allow the script to run. If Not Defined, this option will be set by the next lower priority policy. This setting may be overridden by a higher priority policy.
Enables the user to attempt to elevate the customer client to run with administrative rights on the remote system. If Not Defined, this option will be set by the next lower priority policy. This setting may be overridden by a higher priority policy.
Bomgar Button Deployment
Enables the user to deploy or remove a Bomgar Button while in a session. Locations available for deployment depend on the Bomgar Button settings above. If Not Defined, this option will be set by the next lower priority policy. This setting may be overridden by a higher priority policy.
Jump Clients Pinning/Unpinning
Enables the user to pin or unpin a Jump Client while in a session. Locations available for deployment depend on the Jump Client settings above. If Not Defined, this option will be set by the next lower priority policy. This setting may be overridden by a higher priority policy.
Enables the user to chat with the remote customer. If Not Defined, this option will be set by the next lower priority policy. This setting may be overridden by a higher priority policy.
Allowed to push URLs to the customer's web browser
Enables the user to enter a URL into the chat area and then click the Push URL button to automatically open a web browser to that address on the remote computer.
Allowed to send files using the chat interface
Enables the user to send files via the chat interface.
Full Support License Pool
Choose the license pool to which this representative should belong. When this representative logs into the representative console, a license is consumed from the designated license pool. If None is selected, the representative will be able to log into the representative console only if one or more licenses are left unassigned to license pools and are available.
Restrict representative login to the following schedule
Set a schedule to define when users can log into the representative console. Set the time zone you want to use for this schedule, and then add one or more schedule entries. For each entry, set the start day and time and the end day and time.
If, for instance, the time is set to start at 8 am and end at 5 pm, a user can log in at any time during this window but may continue to work past the set end time. They will not, however, be allowed to log back in after 5 pm.
Force logout when the schedule does not permit login
If stricter access control is required, check this option. This forces the user to log out at the scheduled end time. In this case, the user receives recurring notifications beginning 15 minutes prior to being disconnected. When the user is logged out, any owned sessions will follow the session fallback rules.
Add to Support Teams
Search for teams to which members of this group policy should belong. You can set the role as Team Member, Team Lead, or Team Manager. These roles play a significant part in the Dashboard feature of the representative console. Click Add.
Added teams are shown in a table. You can edit the role of members in a team or delete the team from the list.
Remove from Support Teams
Search for teams from which members of this group policy should be removed, and then click Add. Removed teams are shown in a table. You can delete a team from the list.
Add to Jumpoints
Search for Jumpoints which members of this group policy should be allowed to access, and then click Add. Added Jumpoints are shown in a table. You can delete a Jumpoint from the list.
Remove from Jumpoints
Search for Jumpoints from which members of this group policy should be removed, and then click Add. Removed Jumpoints are shown in a table. You can delete a Jumpoint from the list.
Add to Jump Groups
Search for Jump Groups to which members of this group policy should belong. You can set each user's Jump Item Role to set their permissions specific to Jump Items in this Jump Group, or you can use the user's default Jump Item Roles set in this group policy or on the Users & Security > Users page. A Jump Item Role is a predefined set of permissions regarding Jump Item management and usage.
For more information see Jump Item Roles: Configure Permission Sets for Jump Items.
You can also apply a Jump Policy to manage user access to the Jump Items in this Jump Group.
Added Jump Groups are shown in a table. You can edit a Jump Group's settings or delete the Jump Group from the list.
Remove from Jump Groups
Search for Jump Groups from which members of this group policy should be removed, and then click Add. Removed Jump Groups are shown in a table. You can delete a Jump Group from the list.
Click Save Policy to put the policy into effect.
You can export a group policy from one site and import those permissions into a policy on another site. Edit the policy you wish to export and scroll to the bottom of the page. Click Export Policy and save the file.
Note: When exporting a group policy, only the policy name, account settings, and permissions are exported. Policy members, team memberships, and Jumpoint memberships are not included in the export.
You may import exported group policy settings to any other Bomgar site that supports group policy import. Create a new group policy or edit an existing policy whose permissions you wish to overwrite, and scroll to the bottom of the page. Browse to the policy file and then click Import Policy. Once the policy file is uploaded, the page will refresh, allowing you to make modifications; click Save Policy to put the group policy into effect.
Note: Importing a policy file to an existing group policy will overwrite any previously defined permissions, with the exception of policy members, team memberships, and Jumpoint memberships.