CornellAD Groups Associated with BeyondTrust Remote Support Access
This article applies to: BeyondTrust Remote Support
Before a local technical support team can use BeyondTrust Remote Support, a local CornellAD OU admin must create and populate four BeyondTrust-related AD groups in their OU.
If that paragraph made no sense to you, start with our About BeyondTrust Remote Support article. You may also wish to visit our About Group Management article, which discusses the concept of groups within CornellAD, or our About CornellAD article for information on Cornell's implementation of Active Directory.
Creation of these groups and maintenance of membership is handled by the OU Admin(s) for each unit, not by the central CornellAD Admins.
Three of the four CornellAD groups control the level of access their members have to BeyondTrust Remote Support's features. The fourth group allows some managerial functions.
An individual should be made a member of only one of the groups described here. See the exception noted under the Managers group below.
Group names include the prefix for the OU where they reside. For instance, the department of limnology might have the prefix LIM. This is the example we'll use in the descriptions in this article.
[prefix]-bomgar
Example: LIM-bomgar
Members of this group are able to initiate interactive sessions (where the end user is present) by inviting the end user to download and install the BeyondTrust Remote Support mini-client. Typically the mini-client is removed when the support session ends, but, with the end user's permission, they can “pin” the client (which is then called the Jump Client) to the user's computer, where it will remain, inactive, after the session ends. This allows the TSP to start another session at a future time without the end user having to walk through the steps of downloading and installing the client again. The end user must still be present for these future sessions, and must respond to TSP prompts asking for additional permissions.
[prefix]-bomgar-no-jump
Example: LIM-bomgar-no-jump
TSPs who are members of the no-jump group have only one level of access: they can initiate interactive sessions beginning with the end user downloading and installing the BeyondTrust Remote Support mini-client, and where the end user is present to respond to the TSP's requests for permissions to copy files, get system information, elevate privileges, etc. They cannot use the jump client method described above or the unattended method described below.
Make this group a member of the [prefix]-bomgar group described above.
[prefix]-bomgar-jump-unattended
Example: LIM-bomgar-jump-unattended
TSPs who are members of the jump-unattended group have the highest level of access, permitting them to initiate interactive sessions and jump sessions (as described under the first group above). They can also begin a BeyondTrust Remote Support session with no input from the end user, assuming the “jump client” has been installed on the end user's computer.
Make this group a member of the [prefix]-bomgar group described above.
[prefix]-bomgar-managers
Example: LIM-bomgar-managers
Members of this group have access to BeyondTrust Remote Support reports for their entire team (other team members can only see reports of their own session activities) and have the ability to terminate sessions that have been left inactive (for example, if all our licenses are in use and one needs to be freed up for a new support session). Since the managers group is itself a member of the basic [prefix]-bomgar group, members of the managers group have those same rights. If a manager needs the “unattended” rights described above, they should also be made a member of the [prefix]-bomgar-jump-unattended group.
Make this group a member of the [prefix]-bomgar group described above.
See our CornellAD articles for information on how local OU administrators can create the required groups and add members to those groups.
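An added example, not part of Cornell's documentation: a PowerShell check an OU admin could run to confirm the nesting and the one-group-per-person rule described above. It assumes the ActiveDirectory module (RSAT) is installed and that each group's sAMAccountName matches the group name shown in this article; LIM is the article's example prefix.

```powershell
# Added example: audit the four BeyondTrust-related groups for one OU prefix.
# Assumption: each group's sAMAccountName equals the name used in this article.
Import-Module ActiveDirectory

$Prefix = 'LIM'   # the article's example prefix; replace with your OU's prefix
$Base   = "$Prefix-bomgar"
$Nested = "$Prefix-bomgar-no-jump",
          "$Prefix-bomgar-jump-unattended",
          "$Prefix-bomgar-managers"
# The one documented exception: a manager who also needs unattended rights.
$Exception = "$Prefix-bomgar-jump-unattended", "$Prefix-bomgar-managers"

# 1. Each of the three other groups must be a direct member of [prefix]-bomgar.
$baseMembers = Get-ADGroupMember -Identity $Base
foreach ($g in $Nested) {
    $found = $baseMembers |
        Where-Object { $_.objectClass -eq 'group' -and $_.SamAccountName -eq $g }
    if (-not $found) { Write-Warning "$g is not a member of $Base" }
}

# 2. Record every group each user belongs to directly (no -Recursive).
$byUser = @{}
foreach ($g in @($Base) + $Nested) {
    Get-ADGroupMember -Identity $g |
        Where-Object objectClass -eq 'user' |
        ForEach-Object {
            if (-not $byUser.ContainsKey($_.SamAccountName)) {
                $byUser[$_.SamAccountName] = @()
            }
            $byUser[$_.SamAccountName] += $g
        }
}

# 3. Flag anyone in more than one group, unless the set is exactly
#    managers + jump-unattended.
foreach ($u in ($byUser.Keys | Sort-Object)) {
    $groups = @($byUser[$u] | Sort-Object)
    if ($groups.Count -le 1) { continue }
    $isException = ($groups.Count -eq 2) -and
                   -not (Compare-Object $groups ($Exception | Sort-Object))
    if (-not $isException) {
        Write-Warning "$u is a direct member of: $($groups -join ', ')"
    }
}
```

The script only reads group membership and prints warnings; it changes nothing in the directory.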
OU Group Name Explanation
BeyondTrust Remote Support was previously called Bomgar, so that's how our Active Directory groups were named.