Access Profile
An Access Profile is a security specification for remote access to an asset endpoint. It defines the type of connection allowed to the endpoint as well as the actions a user can perform during an active remote session. It also specifies whether certain actions or whole sessions should be recorded for future review.
An Access Profile is assigned to users or groups of users for selected assets or containers, using inherited or unique configurations.
Creating an Access Profile
Creating a new Access Profile allows user(s) or groups of users to have remote session access to an asset with defined security controls.
To create a new Access Profile:
- Log in with an Administrator account.
- Navigate to Management > Access Profile and click Add.
- Each access profile parameter can be set to one of the following:
- Deny: setting a parameter to Deny will not allow the user assigned this profile to perform this operation.
- Allow: setting a parameter to Allow will allow the user assigned this profile to perform this operation.
- Record: setting a parameter to Record will allow the user assigned this profile to perform this operation and the operation will be recorded.
- Click on the parameter name for details about each or follow the guidance provided here.
- Name: Access Profile name to use as a reference to the profile when assigning it to users or groups in the application.
- WEB Session: Set to Allow or Record to allow the user assigned to this profile to access a remote session using their web browser as their client. Allow will permit the access session without Video recording enabled, Record will permit the access session with Video recording enabled, and Deny will disable this access for the user.
- Native Session: Set to Allow or Record to allow the user assigned to this profile to access a remote session using a native desktop client (such as RDP or PuTTY) as their client. Allow will permit the access session without Video recording enabled, Record will permit the access session with Video recording enabled (RDP and SSH Proxy sessions only), and Deny will disable this access for the user.
- Keyboard: Defines whether keyboard actions will be recorded. Note that Deny is not available for this operation; this parameter only determines whether the allowed keystroke inputs are recorded.
- File Download: Defines whether the assigned user can download files from the connected asset to their local device through their remote access session.
- File Upload: Defines whether the assigned user can upload files to the connected asset from their local device through their remote access session.
- Clipboard Download: Defines whether the assigned user can access the clipboard on the asset to transfer it to their local device through their remote access session.
- Clipboard Upload: Defines whether the assigned user can transfer clipboard text from their local device to the asset through their remote access session.
- MFA: Defines whether the application should prompt the user for MFA authentication before starting the connection to confirm the user identity in addition to the MFA confirmation during login to the application. Note that if a user does not have an MFA provider assigned to them, then they cannot be challenged for MFA regardless of this parameter.
- Click Save to save the Access Profile configuration.
SSH Exec Session Command Settings
To configure SSH Exec session command behavior, set the File Upload and/or File Download parameters as follows:
- Deny: denies the command.
- Allow: allows the command.
- Record: records the command.
Behavior rules:
- If either parameter is set to Deny, the command is denied.
- If both are set to Record, or one is set to Record and the other to Allow, the command is recorded.
- If both are set to Allow, the command is allowed (but not recorded).
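The following added example (not part of the product or its documentation) applies the SSH Exec behavior rules above and reviews a profile's parameters for activity that would go unrecorded. The dictionary layout, the function names and the two sample profiles are assumptions made for illustration; the product's own export format or API is not shown on this page.

```python
# Added example. The dict layout and key names mirror the parameter names on
# this page but are an assumption, not a product export format or API.
DENY, ALLOW, RECORD = "Deny", "Allow", "Record"
TRANSFER_PARAMS = ("File Download", "File Upload",
                   "Clipboard Download", "Clipboard Upload")

def ssh_exec_decision(file_upload, file_download):
    """Combine File Upload / File Download per the SSH Exec behavior rules."""
    pair = {file_upload, file_download}
    if not pair <= {DENY, ALLOW, RECORD}:
        raise ValueError(f"unknown setting in {sorted(pair)}")
    if DENY in pair:      # either parameter is Deny: command denied
        return DENY
    if RECORD in pair:    # Record + Record, or Record + Allow: recorded
        return RECORD
    return ALLOW          # both Allow: allowed but not recorded

def review_profile(profile):
    """Return findings for settings that leave activity unrecorded."""
    findings = []
    if profile["Keyboard"] == DENY:
        findings.append("Keyboard: Deny is not available for this parameter")
    elif profile["Keyboard"] == ALLOW:
        findings.append("Keyboard: keystrokes are not recorded")
    for name in ("WEB Session", "Native Session"):
        if profile[name] == ALLOW:
            findings.append(f"{name}: session permitted without video recording")
    for name in TRANSFER_PARAMS:
        if profile[name] == ALLOW:
            findings.append(f"{name}: permitted without recording")
    if ssh_exec_decision(profile["File Upload"], profile["File Download"]) == ALLOW:
        findings.append("SSH Exec: commands allowed but not recorded")
    return findings

# Constructed sample profiles (not taken from a real deployment).
VENDOR_SUPPORT = {"WEB Session": RECORD, "Native Session": DENY,
                  "Keyboard": RECORD, "File Download": RECORD,
                  "File Upload": ALLOW, "Clipboard Download": DENY,
                  "Clipboard Upload": ALLOW}
OPS_TEAM = dict.fromkeys(("WEB Session", "Native Session", "Keyboard",
                          *TRANSFER_PARAMS), ALLOW)

if __name__ == "__main__":
    for label, prof in (("vendor-support", VENDOR_SUPPORT), ("ops-team", OPS_TEAM)):
        print(label, review_profile(prof))
```

In the vendor-support sample, File Upload is set to Allow, yet SSH Exec commands are still recorded because File Download is set to Record.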
Assigning an Access Profile
Before an Access Profile can be used to permit remote access sessions, it first needs to be assigned on an Asset (container or asset) and to a user or group.
Note
Any user with the site role Administrator applied to their account has a built-in Access Profile assigned to their account by default. This allows these Administrator users to access any remote access session, with full recording and MFA required. This can be overridden by creating a new Access Profile and assigning it to these Admin users.
To assign an Access Profile:
- Log in with an Administrator account.
- Navigate to Database > Assets and locate the container or asset to which you wish to grant a user remote session access. From this asset, use the Manage > Access Profile option. Note that Access Profiles use inheritance, so an Access Profile assigned on a parent container, such as Root Container, is inherited by all child assets. Inherited Access Profiles are shown in italicized font on child assets. Child assets can only Disable these inherited profiles or add new profiles as needed to create more customized, unique access.
- Click the Add button to assign an Access Profile.
- From this Add Access Profile page:
- Confirm that the value in the Asset parameter (read only) is the asset to which this Access Profile should be assigned.
- From the User or Group parameter, assign a user or a group to this access profile.
- Using the Name parameter, select the Access Profile that will be assigned to this asset and applied to the defined user or group.
- Click the Save button to complete this configuration.
After the configuration has been saved, it will appear as Enabled on this asset's Access Profiles page and subsequently on all child assets. To manage the Access Profile on the asset where it was assigned (not on an inheriting child asset), use the Actions menu to:
- Edit: this option will provide the option to change the assigned Access Profile by its Name value.
- Enable / Disable: this option will allow the selected Access Profile to be enabled or disabled.
- Delete: this option will delete the selected Access Profile.