Which default Jump Item Role, added in PRA 25.2, carries exactly ONE permission — “View Reports”?

Correct: a. Auditor arrived in v25.2 with the single permission View Reports — perfect for compliance staff who must read session history but never touch a target. Start Sessions Only can start sessions; Administrator has every checkbox; “Observer” is not a default PRA Jump Item Role at all.

Meera (vendor) may access ICICI's 3 DB servers only Mon–Sat 10:00–18:00 IST, and any session still running at 18:00 must be ended. Which configuration delivers exactly that?

Correct: c. Time-of-day session control is the Jump Policy's Jump Schedule; the force-end checkbox handles sessions that outlive the window (with 15-minute warnings). Session policies (a) have no clock. Schedule + approval on one policy (b) is rejected as mutually exclusive. Daily account expiry (d) is not a PRA mechanism and would break the morning login too.

Rahul submits an approval request on db-prod-2 with a reason and a 90-minute duration. What do the approvers receive, and what bounds the resulting grant?

Correct: b. Jump Approval notifies the policy's approvers by email; the requester supplies reason, start time and duration, and any approved window is capped by the policy's Maximum access duration. There is no SMS-via-Jumpoint channel, no reboot-bound grant, and silence does not auto-approve — an unanswered request simply never opens.

A vendor complains: “PRA warned me twice, then threw me out of my RDP session at 18:00 sharp.” No admin touched the session. What explains it?

Correct: d. Two warnings followed by a clean disconnect exactly at the schedule boundary is the documented force-end behaviour: 15-minute warnings, then disconnection once the schedule no longer permits access. A failover (a) or lost Jump Client (b) would not warn politely first, and recordings filling a disk (c) does not terminate sessions on a clock boundary.

Sneha attached a strict business-hours Jump Policy to every vendor Jump Item, yet a vendor still MOVED one Jump Item into another Jump Group and DELETED another. Why did the policy not stop this?

Correct: a. A Jump Policy is Gate 3 — it conditions session START (schedule/approval/ticket). Item management — create, move/copy, remove — is Gate 2, the Jump Item Role. The vendor's role was too permissive. Code Names (b) are identifiers, not bindings to group names; a down ITSM (c) blocks ticket-gated starts rather than enabling deletions; a timezone slip (d) shifts the window, it does not grant management rights.

Two vendor-access designs at Flipkart: (A) one shared “VendorAll” group policy, Administrator role on a shared Jump Group of 40 servers, recordings on, “we trust the contract”. (B) per-vendor Jump Groups, Start Sessions Only with a nothing-default, business-hours Jump Policy with ticket ID, and a session policy blocking file transfer + clipboard. Which is stronger, and why?

Correct: b. Design B layers all four gates so each failure needs a second failure to matter — and the audit answer “what could the vendor do?” has a short, defensible reply. Design A collapses Gates 1–4 into hope: recordings (a, d) only witness misuse after the fact, and fewer support tickets (c) is exactly how one stolen vendor laptop becomes a 40-server incident.

PRA Access Control: Group Policies, Jump Item Roles, Schedules & Approvals

Q: Rahul at HCL sits in two group policies. One grants Administrator on Jump Group prod-db via the group policy. But Rahul ALSO has a personal user↔Jump Group assignment of Start Sessions Only on prod-db, and his default role is Auditor. What can he do on prod-db?

Correct: b. The specificity chain is: user↔Jump Group beats group-policy↔Jump Group beats the user's default role. Rahul's personal Start Sessions Only assignment on prod-db is the most specific, so it applies — the group policy's Administrator and the Auditor default both lose. Alphabetical order plays no part.

Q: Meera's company must reach ONLY ICICI's 3 DB servers — nothing else may even be visible. Which combination delivers that?

Correct: c. Visibility and usage scope = Jump Group + Jump Item Role, granted via the group policy, with the default role granting nothing. Recordings (a) only witness the damage; a Jump Policy (b) controls WHEN sessions start, not what is visible; a session policy (d) controls in-session tools, not which servers exist for the vendor.

Q: Sneha ticks BOTH “Require approval before a session starts” AND enables a Jump Schedule on one new Jump Policy, then hits Save. What happens?

Correct: d. Jump schedules and Jump approvals are mutually exclusive on a single Jump Policy — the product refuses the combination rather than guessing an order. Options a–c all assume some silent merge happens; none does. The real-world pattern is two policies: a business-hours schedule policy for routine items, and a separate approval policy for emergency paths.

Q: Karthik at Airtel must let the vendor keep working in RDP sessions but stop files leaving the server. Which layer does that job?

Correct: a. What happens INSIDE a running session is Gate 4 — the session policy. A ticket ID (b) gates the start, not the inside. “Move and Copy Assets” (c) moves Jump Items between Jump Groups — nothing to do with files on the server. A shorter schedule (d) just shrinks when sessions run; files still move freely inside them.

Most engineers think…

Most engineers think PRA has ONE "permissions" screen that controls everything — so when a vendor sees too much, they hunt for a single magic checkbox and tick whatever looks close.

Wrong — and that hunt is why vendor access breaks in production. PRA stacks four separate layers: Group Policy (WHO you are), Jump Item Role (WHAT you may touch, per Jump Group), Jump Policy (WHEN/HOW a session may start) and session policy (WHAT you may do inside). Debugging access = naming the layer first. A permissive answer at any one layer quietly defeats the other three.

① The permission model — users, teams & Group Policies, the master control

In the last lesson Vault held the passwords and injected them. Today we climb to the control plane: who is even allowed to ask. PRA answers with four stacked objects, and the first is the Group Policy. Think of it as the HR-issued ID card at Infosys: HR does not configure each employee's gates one by one — your card GRADE decides which buildings open, and changing the grade changes them all at once.

Where do the people come from? Either local PRA users, or users mapped in from a Security Provider (AD, LDAPS, SAML) under /login > Users & Security > Security Providers. Group Policies live right beside them at /login > Users & Security > Group Policies — a policy bundles account settings (display name rules, password/2FA expectations, console permissions) plus memberships: which Jump Groups the member belongs to and with which Jump Item Role, which teams, and which default session policy. One AD security group mapped to one PRA group policy is the cleanest pattern you will see in real deployments at TCS or ICICI.

👉 So far: users arrive locally or via a Security Provider, and Group Policies hand every member the same settings + memberships. Next: what happens when one user matches SEVERAL policies.

Figure 1 — Four gates, four questions — one session

Follow Meera top to bottom: each gate answers a different question, and the session reaches the target only after all four say yes. The red dashed arrow is what a permissive layer really does — it lets the vendor walk around the rest.

Now the part interviews love: precedence. A real user matches several group policies at once — Rahul is in AllStaff AND DBA-Admins. Each setting inside a group policy is individually defined, and as of recent versions, when two policies define the same setting, the policy higher in the group-policy precedence order wins. For Jump access specifically the rule is documented and exact — a specificity chain: a role assigned on the user↔Jump Group relationship beats a role from a group-policy↔Jump Group relationship, which beats the user's default Jump Item Role. Most specific wins; the default is only the fallback where nothing specific exists.

The four knobs you will turn every week

Tap each card — these four objects are the entire lesson. Everything else is detail.

🪪

Group Policy

tap to flip

WHO you are: account settings + memberships members inherit. Users & Security > Group Policies. So: map one AD group to one policy.

🧰

Jump Item Role

tap to flip

WHAT you may touch: create/move/remove/start — assigned per Jump Group. So: scope the role, starve the default.

⏰

Jump Policy

tap to flip

WHEN/HOW a session starts: schedule, approval, ticket ID, 2FA, notify. So: attach it to the Jump Items that matter.

🎛️

Session policy

tap to flip

WHAT you may do inside: file transfer, clipboard, command use. So: the session can start yet still be on a leash.

Quick check · Q1 of 10

Rahul at HCL sits in two group policies. One grants Administrator on Jump Group prod-db via the group policy. But Rahul ALSO has a personal user↔Jump Group assignment of Start Sessions Only on prod-db, and his default role is Auditor. What can he do on prod-db?

a) Auditor only — the default role always winsb) Start Sessions Only — the personal user↔Jump Group assignment is the most specific and beats the group policyc) Administrator — group policies always beat personal assignmentsd) Whichever policy is alphabetically first

Correct: b. The specificity chain is: user↔Jump Group beats group-policy↔Jump Group beats the user's default role. Rahul's personal Start Sessions Only assignment on prod-db is the most specific, so it applies — the group policy's Administrator and the Auditor default both lose. Alphabetical order plays no part.

Pause & Predict

Predict: a brand-new PRA user is created with NO group policy memberships and a default role that grants nothing. What does their Jump interface show? Type your guess.

Answer: Effectively an empty list. Visibility in the access console comes from holding a Jump Item Role on a Jump Group — personally, via group policy, or via the default. With no memberships and a nothing-default, no layer ever says yes — PRA denies until something explicitly grants. That deny-by-default posture is exactly what you exploit when scoping vendors in section ②.

② Jump Item Roles — view, start, edit, delete… scoped per Jump Group

The docs define a Jump Item Role as “a predefined set of permissions regarding Jump Item management and usage.” Three defaults ship with the product: Administrator (everything), Start Sessions Only (the vendor classic), and — new in version 25.2 — Auditor, which holds exactly one permission: View Reports. In the Pathfinder UI the same object is called an Asset Role; interviewers still say Jump Item Role, so learn both.

Open a role and you see the real permission checkboxes: Create new Assets or upgrade Jump Clients · Move and Copy Assets · Remove existing Assets · View Session and Asset Reports · Start Sessions · Edit Tag · Edit Comments · Edit Asset Policy · Edit Session Policy · Edit Connectivity and Authentication · Edit Behavior and Experience. One trap to defuse now: Move and Copy Assets moves Jump Items between Jump Groups — it has nothing to do with copying files off a server. File movement is a Gate-4 (session policy) matter, and confusing the two is a classic interview slip.

🖥️ This is the screen you'll build the vendor role on — /login → Asset Management → Asset Roles (classic ≤24.x: the Jump menu → Jump Item Roles). Real permission labels. (Recreated for clarity — your console matches this.)

pra.icicilab.in/login · Asset Management → Asset Roles

Role Name

Vendor-StartOnly

Start Sessions

✓ enabled

Create new Assets or upgrade Jump Clients

☐ off

Move and Copy Assets

☐ off (moves Jump Items, NOT files)

Remove existing Assets

☐ off

Edit Session Policy

☐ off

Save

👉 So far: a role is a checkbox bundle, three defaults exist, and Move and Copy is about Jump Items not files. Now the build every PAM admin gets asked for in week one.

The classic build: vendor sees ONLY their 3 servers

Meera's company supports exactly three ICICI database servers — and must never see anything else. Four steps. Step 1 — make the wing: create Jump Group vendor-dbsupport at /login > Asset Management > Asset Groups (classic: under the Jump menu). A Jump Group is a society wing: your gate pass works for A-wing only. Step 2 — move the flats in: put the three Jump Items (Remote RDP shortcuts to 172.16.40.11, .12, .13) into that group — your own account needs Move and Copy Assets for this. Step 3 — make the pass: create the group policy Vendor-DBSupport, membership = Meera's vendor users (local or via a Security Provider). Step 4 — scope the role: inside that policy grant Start Sessions Only on vendor-dbsupport — and ONLY there — leaving the default role granting nothing.

Why so paranoid about the default? Because of the specificity chain from section ①: the default role applies on every Jump Group that has no explicit assignment. A permissive default is an estate-wide grant nobody remembers making — the hotel that stamps EVERY floor onto a visitor's keycard and then wonders how the guest reached the server room. Also worth knowing: PRA ships a dedicated Users & Security > Vendors page for full vendor-group onboarding flows — but the Jump-Group + scoped-role pattern here is the mechanism underneath, and it is what interviews probe.

Figure 2 — Vendor scoping — before vs after

Left: the default role quietly grants Start Sessions Only everywhere — Meera can Jump to ~48 servers. Right: default grants nothing, the role lives only on vendor-dbsupport — she sees exactly 3 Jump Items and the rest of the estate does not exist for her.

Sneha at ICICI faces this

Sneha onboarded vendor engineer Meera yesterday with role Start Sessions Only. This morning the SOC flags it: Meera's console also lists servers from the payments Jump Group — and she can Jump to them, not just to her 3 DB servers.

Likely cause

The vendor group policy left Meera's DEFAULT Jump Item Role as Start Sessions Only. The default applies wherever no specific assignment exists — so every Jump Group without an explicit role quietly inherited it.

Diagnosis

Walk the specificity chain: no personal user↔Jump Group assignment, group policy grants Start Sessions Only on vendor-dbsupport — fine — but the default ALSO says Start Sessions Only, and the default covers everything else.

BeyondTrust PRA /login > Users & Security > Group Policies > Vendor-DBSupport > memberships / Jump Item Role assignments — check the Default role

Fix

Set the default role to grant nothing, keep Start Sessions Only only on the vendor-dbsupport membership, save the policy, and have Meera log out and back in.

Verify

Meera's Jump interface now lists exactly 3 Jump Items (172.16.40.11–13). In Reports, her session history shows only vendor-dbsupport targets — and a test Jump toward payments is simply not offered.

Quick check · Q2 of 10

Meera's company must reach ONLY ICICI's 3 DB servers — nothing else may even be visible. Which combination delivers that?

a) Administrator role on all Jump Groups, and rely on session recordings to catch misuseb) One Jump Policy with a strict schedule — visibility follows the schedulec) A vendor-dbsupport Jump Group holding exactly the 3 Jump Items, plus a group policy granting Start Sessions Only on ONLY that group, with a nothing-default roled) A session policy denying file transfer on every Jump Item

Correct: c. Visibility and usage scope = Jump Group + Jump Item Role, granted via the group policy, with the default role granting nothing. Recordings (a) only witness the damage; a Jump Policy (b) controls WHEN sessions start, not what is visible; a session policy (d) controls in-session tools, not which servers exist for the vendor.

Pause & Predict

Predict: you set Meera's role on vendor-dbsupport to Start Sessions Only — but her DEFAULT role still says Administrator, copied from a template. What breaks? Type your guess.

Answer: Every Jump Group WITHOUT an explicit assignment inherits Administrator — Meera can create, move and remove Jump Items across the estate. The specific assignment only beats the default where the specific exists; everywhere else the default rules alone. This is the single most common vendor-scoping mistake in the field — always audit the default role after cloning any policy or template.

③ Jump Policies — schedules, ticket IDs & approval workflows

Meera can now see her 3 servers — but ICICI's contract says: business hours only, every session tied to a change ticket, and the NOC notified. That is Gate 3: the Jump Policy (Pathfinder: Asset Policy), created at /login > Asset Management > Asset Policies (classic: under the Jump menu) and then attached per Jump Item or per Jump Group. Each policy carries a Display Name, a Code Name (auto-generated if blank — you will meet it again in the API below), and a description.

First gate inside the policy: the Jump Schedule — a timezone plus start/end day-time entries, like a society's visiting hours board: visitors 10:00–18:00, watchman turns you away at 20:05 no matter how friendly you are. The optional checkbox “Force session to end when schedule does not permit access” is the strict version: a session running past the window is disconnected — with 15-minute warnings beforehand, so Meera's half-finished database patch is not killed without notice.

Second gate: Jump Approval — “Require approval before a session starts.” The requester submits a reason, a requested start time and duration; the policy's approvers get an email and answer; an approved request opens a time-boxed grant capped by the policy's Maximum access duration. It is the bank locker with two keys: your key (the request) opens nothing until the bank officer (approver) turns theirs — and the locker room closes again after the visit. One more option matters operationally: the policy decides whether only the requestor may use an approval, or any user permitted on that Jump Item may ride the same window. And the rule everyone trips on: a schedule and an approval cannot both be enabled on the same policy — the console rejects it. Deterministic window or human gate: pick one per policy, build two policies if you need both behaviours.

Figure 3 — Request → approver email → time-boxed grant

Trace Rahul's request left to right: reason + time + duration hit the policy gate, the approver answers by email, and an approval opens a grant capped by Maximum access duration. Note the amber box — schedule OR approval, never both on one policy.

Three more switches finish the policy. “Require a ticket ID before a session starts” makes PRA demand a ticket number and check it against your ITSM integration — the society gate-pass slip: no slip number in the register, no entry. A per-policy 2FA challenge can force re-authentication right before the Jump. And Jump Notification emails fire at session start and/or end — Karthik's NOC at Airtel gets a mail the second a vendor session opens, which converts “vendor was in the system silently for 3 hours” from an incident-report sentence into an impossibility. There is also a Disable Recordings override on the policy — leave it alone unless legal forces your hand; lesson 14 shows what audits look like without recordings.

🖥️ This is the form you'll fill — /login → Asset Management → Asset Policies → Add (classic ≤24.x: the Jump menu → Jump Policies). Real field labels. (Recreated for clarity — your console matches this.)

pra.icicilab.in/login · Asset Management → Asset Policies

Display Name

Vendor-BizHours

Code Name

vendor_bizhours (auto-generated if blank)

Jump Schedule

✓ Enabled — Mon–Sat 10:00 → 18:00 · Asia/Kolkata

Force session to end when schedule does not permit access

✓ (disconnects with 15-min warnings)

Require approval before a session starts

☐ — mutually exclusive with the schedule

Require a ticket ID before a session starts

✓ checked against the ITSM integration

Jump Notification

email noc-alerts@icicilab.in on session start + end

Save

▶ One vendor session through all four gates

Watch Meera's Tuesday-afternoon session pass Gate 1 to Gate 4 — then break it with a late-night attempt. Press Play for the healthy path, then Break it to see the failure.

① Sign inMeera logs in → group policy Vendor-DBSupport resolves → console shows ONLY vendor-dbsupport

▼

② Role checkStart Sessions Only on vendor-dbsupport → Jump ✓ · create/move/remove ✗

▼

③ Policy gateJump Policy vendor_bizhours: Tue 14:20 IST in-window ✓ · ticket CHG0042311 valid ✓

▼

④ Insidesession policy: file transfer ✗ · clipboard ✗ · commands filtered → 172.16.40.11 · recording ON

Press Play to step through the healthy path. Then press Break it.

Trust, but verify with the API. Every Jump Policy you click together is readable (and writable) through the PRA Configuration API — enable a client at /login > Management > API Configuration, fetch a token, then list the policies. This is also how you catch drift between what the runbook says and what the appliance really enforces.

PRA Configuration API — get a token (client from /login > Management > API Configuration)

curl -s -X POST https://pra.icicilab.in/oauth2/token \
  -u "$CLIENT_ID:$CLIENT_SECRET" \
  -d "grant_type=client_credentials"

Expected output

{
  "access_token": "eyJhbGciOiJSUzI1NiIs…",
  "token_type": "Bearer",
  "expires_in": 3600
}

PRA Configuration API — verify the vendor Jump Policy really enforces what the contract says

curl -s https://pra.icicilab.in/api/config/v1/jump-policy \
  -H "Authorization: Bearer $TOKEN" \
  | jq '.[] | select(.code_name=="vendor_bizhours")'

Expected output

{
  "id": 7,
  "display_name": "Vendor-BizHours",
  "code_name": "vendor_bizhours",
  "schedule_enabled": true,
  "ticket_id_required": true
}

COMMON MISTAKE — the borrowed approval

Symptom: Priya approved RAHUL's 60-minute emergency request, yet the session report shows ADITYA on the box during that window — and the approver swears she never approved Aditya. Cause: the Jump Policy's approval option was set to let any user permitted on the Jump Item use an active approval, not only the requestor. The audit trail still names Aditya correctly, but the approval intent was bypassed. Fix: set approvals to requestor-only unless a team genuinely shares emergency windows — and say so in the SOP.

Quick check · Q3 of 10

Sneha ticks BOTH “Require approval before a session starts” AND enables a Jump Schedule on one new Jump Policy, then hits Save. What happens?

a) Both gates run — approval first, then the schedule checkb) The schedule silently wins and approval is ignoredc) The approval silently wins and the schedule is ignoredd) The configuration is rejected — schedule and approval cannot both be enabled on the same policy; she needs two policies

Correct: d. Jump schedules and Jump approvals are mutually exclusive on a single Jump Policy — the product refuses the combination rather than guessing an order. Options a–c all assume some silent merge happens; none does. The real-world pattern is two policies: a business-hours schedule policy for routine items, and a separate approval policy for emergency paths.

Pause & Predict

Predict: an approval was granted to Rahul for 60 minutes on db-prod-2. His teammate Aditya — also permitted on that Jump Item — clicks Jump during the window. Does it work? Type your guess.

Answer: It depends on one policy option: whether only the requestor may use an approval, or any permitted user may. If “any permitted user” was selected, Aditya rides Rahul's grant and the session starts — the audit log still records Aditya as the session user. If requestor-only, Aditya is refused. Check this toggle on every approval policy you inherit; it is the difference between dual control and a shared side door.

④ Session policies — what happens INSIDE, and the four-layer map

The session has started — legitimately. Gate 4 decides what the user's hands may do now. A session policy lives at /login > Users & Security > Session Policies and governs the in-session toolset: screen sharing behaviour, file transfer (and which direction), clipboard use, command shell access and similar controls. It attaches in two places: to people (via the group policy from Gate 1) and to targets — per Jump Item. That second path is exactly why the Jump Item Role has an Edit Session Policy checkbox: items carry their own session policy, and changing it is itself a guarded permission. Think valet key: the valet can start and park your car, but the same key refuses to open the boot.

For Shell Jump targets — Karthik's routers at Airtel, reached over SSH through a Jumpoint — there is a sharper tool: command filtering. As of recent versions you define allowed/blocked command patterns for Shell Jump sessions, so a vendor's rm -rf or a curious show running-config | include password is stopped at the proxy before it ever reaches the device, and the attempt lands in the session log. Combine it with the recording and you have both prevention AND evidence — the CCTV does not stop the thief; the locked counter does.

Why so much ceremony around the inside of a session? Because attackers think in layers too. In May 2025 BeyondTrust published advisory BT25-03 (CVE-2025-0217, CVSS 4.0 = 7.3): a local authentication bypass in PRA that let a local authenticated attacker view Shell Jump session connection details and access connected sessions without authorization — fixed in PRA 25.1. A patched appliance closed the hole; layered session controls and recordings are what told affected teams whether anything had actually been touched. The full CVE story — including the December 2024 Treasury incident — is the next lesson.

COMMON MISTAKE — file transfer off, clipboard forgotten

Symptom: the vendor's session policy blocks file transfer, yet a 400-line script appears on the target server anyway. Cause: clipboard use is a SEPARATE in-session permission — the vendor simply pasted the script into Notepad inside the RDP session. Fix: in the session policy, restrict file transfer AND clipboard together for vendor-facing items; if the business needs one-way paste, allow only the direction the workflow demands, and rely on the recording for review.

Layer all four on one target — then prove it

Meera's finished stack on 172.16.40.11 reads like a sentence: the group policy says she exists and sees one Jump Group; the Jump Item Role (Start Sessions Only) says she may start sessions and nothing else; the Jump Policy (vendor_bizhours) says only Mon–Sat 10:00–18:00 IST with a valid ticket, force-ended outside the window, NOC notified; the session policy says no files, no clipboard, filtered commands, recording on. Four objects, four screens, one defensible answer to the auditor's favourite question: “what exactly could the vendor do?”

👉 So far: session policies leash the inside of a session, command filtering guards Shell Jump, and the four layers stack into one auditable sentence. Last step: verify like an engineer, not like an optimist.

Figure 4 — PRA access control — your one-glance policy-layer map

Keep this card open during your first vendor build and before any PAM interview: the four layers with their console paths, then the constraint strip — the mutual exclusion, the 15-minute warnings, the specificity chain and the Pathfinder renames.

PROVE THE STACK — the 4-question vendor test

Log in AS the vendor account (or shoulder-test with them) and answer four questions with evidence: (1) WHO — does the Jump interface list ONLY the vendor Jump Group? (2) WHAT — is Jump the only available action (no create/move/remove)? (3) WHEN — does a session attempt outside the schedule refuse to start, and does an in-window start demand a ticket ID? (4) INSIDE — do file transfer and clipboard fail, does a blocked command die at the filter, and does the session appear in Reports with its recording? Four yes-with-evidence answers = a stack you can defend in any audit.

Quick check · Q4 of 10

Karthik at Airtel must let the vendor keep working in RDP sessions but stop files leaving the server. Which layer does that job?

a) A session policy with file transfer (and clipboard) restricted, attached to the vendor's Jump Items or group policyb) A Jump Policy with “Require a ticket ID before a session starts”c) Remove “Move and Copy Assets” from the vendor's Jump Item Roled) Shrink the Jump Schedule to fewer hours

Correct: a. What happens INSIDE a running session is Gate 4 — the session policy. A ticket ID (b) gates the start, not the inside. “Move and Copy Assets” (c) moves Jump Items between Jump Groups — nothing to do with files on the server. A shorter schedule (d) just shrinks when sessions run; files still move freely inside them.

Pause & Predict

Predict: all three earlier gates passed and Meera's Shell Jump session is live on a router. She types a destructive command. What is the LAST thing standing between that keystroke and the device? Type your guess.

Answer: The in-session layer: Shell Jump command filtering at the proxy. The group policy, role and Jump Policy all said yes minutes ago — only the session-layer filter inspects what is typed NOW and can block the pattern before it reaches the device, logging the attempt. The recording is evidence, not prevention. This is why a stack that stops at Gate 3 is half a stack.

🎮 Hands-on: BeyondTrust PAM Essentials room Recap: PRA Vault & Credential Injection

🤖 Ask the AI Tutor

Tap any question — instant, scoped to this lesson. No login, no waiting.

Pre-curated from BeyondTrust docs + community Q&A, scoped to this lesson. For a live prod issue, paste your export into chat.techclick.in.

🧠 In your own words

Type one line: In one line: a vendor can SEE a server, is refused a session at 2 AM, and inside a daytime session cannot copy files out — name the layer doing each of the three jobs. Then compare to the expert version.

Expert version: Seeing the server = Group Policy membership + Jump Item Role on that Jump Group (Gates 1–2); the 2 AM refusal = the Jump Policy's Jump Schedule (Gate 3); the blocked file copy = the session policy's file-transfer restriction (Gate 4). Three behaviours, three different screens — which is exactly why one magic checkbox can never fix a PRA access ticket.

🗣 Teach a friend

Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.

📩 Quiz me on this in 7 days. Opt in and we'll email 3 micro-questions on Policies & Access Control at Day 1, Day 7 and Day 30 — spaced repetition is how this sticks. Un-tick any time.

📖 Glossary

Group Policy: Container of account settings + permissions a set of PRA users inherits; lives at Users & Security > Group Policies.
Security Provider: LDAP/AD, RADIUS or SAML connector that brings external users and groups into PRA.
Jump Group (Asset Group): A collection of Jump Items — the unit you scope vendor visibility and roles to.
Jump Item Role (Asset Role): A predefined permission set for Jump Item management and usage: create, move/copy, remove, start sessions.
Auditor role: Default role added in v25.2 with exactly one permission — View Reports.
Jump Policy (Asset Policy): Controls WHEN/HOW a Jump Item may be accessed: schedule, approval, ticket ID, 2FA, notifications, recordings.
Jump Schedule: Timezone + day/time entries inside a Jump Policy; optional force-end disconnects with 15-minute warnings.
Jump Approval: Request (reason + time + duration) → approver email → time-boxed grant capped by Maximum access duration.
Ticket ID requirement: Jump Policy switch demanding a valid ticket number, checked against the ITSM integration, before a session starts.
Session policy: The in-session permission set — file transfer, clipboard, command tools — at Users & Security > Session Policies; attachable per user or per Jump Item.
Command filtering (Shell Jump): Pattern-based allow/block of typed commands in Shell Jump sessions, enforced at the proxy and logged.
Pathfinder rename: 25.x label change only: Jumpoint→Gateway, Jump Item→Asset, Jump Group→Asset Group, Jump Policy→Asset Policy; behaviour unchanged.

📚 Sources

BeyondTrust PRA Admin Guide — Jump Policies: Jump Schedule, force-end with 15-minute warnings, Jump Approval, ticket ID, notifications; schedule and approval mutually exclusive. docs.beyondtrust.com/pra/v24.3/docs/on-prem-jump-policies
BeyondTrust PRA docs — Jump Item Roles / Asset Roles: default roles incl. Auditor (v25.2, View Reports only) and the exact permission checkbox labels. docs.beyondtrust.com/pra/docs/pf-jump-item-roles
BeyondTrust PRA docs — Jump Technology overview: Jump Group, Jump Item Role and Jump Policy definitions; role-resolution specificity. docs.beyondtrust.com/pra/v24.3/docs/jump-overview · docs.beyondtrust.com/pra/docs/jumpoint
BeyondTrust PRA on-prem Admin Guide — /login menu tree: Users & Security > Group Policies / Session Policies / Vendors; Asset Management > Asset Groups, Asset Policies, Asset Roles; Management > API Configuration. docs.beyondtrust.com/pra/docs/on-prem-admin-guide
BeyondTrust security advisory BT25-03 / NVD CVE-2025-0217 — PRA local authentication bypass (Shell Jump session details), CVSS 4.0 = 7.3, fixed in PRA 25.1 (advisory 2025-05-05). beyondtrust.com/trust-center/security-advisories/bt25-03 · nvd.nist.gov/vuln/detail/CVE-2025-0217
BeyondTrust Beekeepers community — real-world PRA operations pain: Jump Client/policy behaviour across upgrades, EDR interference, duplicate cleanup. beekeepers.beyondtrust.com
BeyondTrust University — Privileged Remote Access Administration course & certification (40-question exam, 75% pass, two attempts). beyondtrust.com/services/beyondtrust-university/privileged-remote-access-administration

What's next?

Your policies now decide who gets in, when, and what their hands may do. Next: proving it — session recordings, syslog to your SIEM, and the hardening lessons from the CVE-2024-12356 era and the US Treasury incident.

Next · PRA auditing, SIEM & hardening (the CVE story) → Practice on exam.techclick.in →

PRA Access Control: — Group Policies, Jump Item Roles, Schedules & Approvals

🎯 By the end you will be able to

Pick where you want to start

Group Policies

Jump Item Roles

Jump Policies

Session policies

① The permission model — users, teams & Group Policies, the master control

The four knobs you will turn every week

② Jump Item Roles — view, start, edit, delete… scoped per Jump Group

The classic build: vendor sees ONLY their 3 servers

③ Jump Policies — schedules, ticket IDs & approval workflows

▶ One vendor session through all four gates

④ Session policies — what happens INSIDE, and the four-layer map

Layer all four on one target — then prove it

🤖 Ask the AI Tutor

📝 Wrap-up assessment — six more

🧠 In your own words

🗣 Teach a friend

📖 Glossary

📚 Sources

What's next?