Tchater maintenant avec le support
Tchattez avec un ingénieur du support

Safeguard Privilege Manager for Windows 4.5.3 - Administration Guide

TitlePageProxy Copyright Table of Contents About this guide What is Safeguard Privilege Manager for Windows? Installing Safeguard Privilege Manager for Windows Configuring Client data collection Configuring Instant Elevation Configuring Self-Service Elevation Configuring Temporary Session Elevation Configuring privileged application discovery Deploying rules Removing local admin rights Reporting Client-side UI customization Using Microsoft tools Maintaining a least privileged use environment Database Planning Product Improvement Program About us

Configuring Self-Service Elevation

Detailed information about this topic

Available only in Safeguard Privilege Manager for Windows Professional Edition and Professional Evaluation Edition.

To enable users to request permissions to use privileged applications, use the Self-Service Elevation Request Settings Wizard. Whenever a user attempts to run an application which requires administrative permissions for which they do not have rights, they are asked if they would like to send a request to their administrator for permission to run it.

You can select how users access the request form and set up Self-Service notifications to email you, the help desk, and your manager of each request. Then, you can process the request within the Self-Service Elevation Requests section of the Console and email your decision to the user, using the Console Email Configuration screen.

NOTE: In some cases, Self-Service Elevation and Blacklist rules could be configured for the same target application. In this case, Blacklisting takes precedence over Instant Elevation and prevents the application from starting. For more information about creating Blacklisting rules, see Using the Create Rule Wizard.

Using the Self-Service Elevation Request Settings Wizard

NOTE: Before you configure Self-Service Elevation request settings, ensure the following components are set up:

  1. The Client is running on the computers you want to apply the settings to;

  2. The Server is configured and running with the port that you have selected allowed for incoming data (the default port is 8003); and

  3. Client data collection settings are enabled for the selected GPO.

To use the Self-Service Elevation Request Settings Wizard to set up, modify, or discard privileges

  1. Open the wizard by completing one of the following steps:

    • Open the Self-Service Elevation Request Settings Wizard from the Setup Tasks section. This section always shows the default settings.

    • On the Advanced Policy Settings tab of the target GPO, double-click Self-Service Elevation Request Settings. The changes made within the wizard are saved here.

  2. Enable the Self-Service Elevation Request Settings on the State tab.

    • Choose Enabled, to ensure the settings apply to the selected GPO.

    • Choose Not Configured, to enable child GPOs to inherit settings from their parent.

  3. Use the Settings tab for Selecting how users access the request form.

  4. Click Next to use Validation Logic to target the settings to specific client computers or user accounts within the GPO, or click Finish to save your settings and quit.

    If an error message indicates that the target GPO is not selected:

    1. Click OK to close the message window.

    2. Open the GPO tab and select the desired GPO.

  5. Click Next to use the Filters tab to filter out Self-Service Request data according to different application specific criteria.

    Enter filter criteria in one or more of the available boxes:

    • Executable path contains

    • Product name contains

    • Publisher name contains

    • File description contains

    NOTE: The Publisher name contains field looks at the Publisher or Company Name attribute.

    An application only needs to meet a single filter criteria in order for its Self-Service Request data to be filtered out. A comma delimiter can be used to enter multiple criteria in each filter box.

    NOTE: The Privilege Manager Client does not transmit any Self-Service Request data for any application that meets at least one of the existing filter criteria.

  6. Click Save on the GPO toolbar to save the new settings.

Selecting how users access the request form

Use the Settings tab of the Self-Service Elevation Request Settings Wizard to select how end users access the request form and set up email confirmation and notification settings. You can combine the following options:

OPTION

ACTION

Automatically ask users if they would like to request that a privilege elevation rule be created whenever they attempt to launch applications which require privilege elevation to run

This option is enabled by default.

Once a user closes the User Account Control (UAC) window, a Self-Service Elevation Request Prompt will display.

NOTE: Not all applications that display UAC windows will automatically pop up a Self-Service Elevation Request Form. You can allow the user to manually submit Self-Service requests by enabling the Add a Windows explorer shell extension allowing the user to right- click on a program or shortcut in order to request that a privilege elevation rule be created for that program option. Windows Installer files (.msi) do not automatically trigger Self-Service Prompts, so the Self- Service Elevation Request Form must be manually triggered by users.

Allow users to hide or disable these prompts

This option is enabled by default.

  • Users can select whether the request form displays in the future by checking the In the future, don't show me this when I try to run applications that need approval check box.

  • A user on a client computer can re-enable/disable the prompt using the Display Self-Service Prompts icon on the context menu of the system tray.

NOTE: This setting does not affect the Self-Service Elevation Request Form launched with the Elevate! button. It only affects the request forms displayed automatically.

Add a Windows explorer shell extension allowing the user to right- click on a program or shortcut in order to request that a privilege elevation rule be created for that program

This option is enabled by default.

  • Users can click Elevate! to launch privileged applications without interruptions. The button is available on the context menu of Windows Explorer objects that require elevated privileges to start up, including: .bat, .cmd,.exe, .js, .lnk, .msc, .msi, .msp, .pl, .ps1 or .vbs (.lnk is for shortcuts).

  • Users can click Elevate! to launch the Self-Service Elevation Request Form or Instant Elevation, if it is enabled.

Allows the user to specify the email address where the confirmation email will be sent once the administrator processed the request for the privilege elevation rule. If this option is not checked, the email will be sent to the Exchange account of the user specified in Active Directory.

This option is disabled by default.

The user can enter an email address into the corresponding text field.

By default, the field is pre-populated with the email address of the user who is logged in (provided that it is specified in Active Directory).

Send an email notification to the administrator whenever a user submits a Self-Service Elevation Request

This option is disabled by default.

Enter the Email Address for the administrator and/or the help desk or other recipients. Click + to add entries and x to remove them.

By default, the Email Subject is pre-populated with Privilege Manager Self-Service Elevation Request as the subject line. You can enter your own subject and click Reset to reset it to the default.

Customizing Self-Service request email messages

The approval and denial email messages that are sent as a response to the user's Self-Service Elevation request can be customized.

Approval messages

Denial messages

Customizing Approval and Denial messages

Approval messages
Example: Default Approval message

The default Approval message says the following:

MESSAGE_NAME:ApprovedRequest
MESSAGE:
Your request to run the following application with elevated privileges has been "approved".Request Date: <ExecutionDate>
Requested Application:
<ProductName>
<Path>
<Arguments>
Reason for request: <Reason>
This new privilege should be available on your computer once Windows has refreshed its domain security policies.
Denial messages
Example: default Denial message

The default Denial message says the following:

MESSAGE_NAME:NotApprovedRequest
MESSAGE:
Your request to run the following application with elevated privileges has "not" been approved.
<ProductName>
<Path>
Please contact your administrator for more details.
Customizing Approval and Denial messages

These messages can be customized by opening the MessageTemplates.cfg file in the Privilege\Console folder. Each message in the CFG file starts with ======StartOfMessage========= and ends with ======EndOfMessage============. The text between these delimiters can be customized to your liking. Text delimited with angle brackets ( < > ) are variables that are replaced with data at runtime.

The following variables may be used in the Approval message:

  • ExecutionDate

  • ProductName

  • Path

  • Arguments

  • Reason

The following variables may be used in the Denial message:

  • ProductName

  • Path

Documents connexes

The document was helpful.

Sélectionner une évaluation

I easily found the information I needed.

Sélectionner une évaluation