Safeguard Privilege Manager for Windows 4.4 - User Guide

Configuring Temporary Session Elevation

Available only in Privilege Manager Professional and Professional Evaluation editions.

Temporary Session Elevation (TSE) allows an administrator to generate Elevation passcodes that can provide end users the ability to temporarily elevate the privileges of any process or application on their machine. The passcodes work for both on-network and off-network machines, even if there are active internet connections.

Temporary Session Elevation passcodes are intended to be used during a specific user session. A user session comprises the period between the user logon and logoff times, regardless of the reason that caused the logoff.

Temporary Session Elevation passcode usage can be limited by time or number of uses. More granular limitations can be selected by using Validation Logic in the passcode, for example limiting use by computer name, user name, or time and date range. When the passcode is used on a client computer, Validation Logic allows or denies usage based on the selected options.

Note: In some cases, Temporary Session Elevation and Blacklisting rules are configured for the same target application. In this case, Blacklisting takes precedence over Temporary Session Elevation and prevents the application from starting. For more information about creating Blacklisting rules, see Using the Create Rule Wizard.

For more information, see the following KB articles:

Using the Temporary Session Elevation Passcode Manager

Before you configure Temporary Session Elevation settings, ensure the following components are set up:

  1. The Client is running on the computers you want to apply the settings to.
  2. The Server is configured and running with the port that you have selected allowed for incoming data (the default port is 8003).
  3. Client data collection settings are enabled for the selected GPO.
  4. The Client is enabled to use offline passcodes to create Temporary Elevated Sessions (enabled in the Client Deployment Settings wizard).

To use the Temporary Session Elevation Wizard to set up privileges:

  1. Open the wizard:
    1. Open Passcode Manager from the Temporary Session Elevation section on the navigation pane of the Console.
  2. Create a new passcode:
    1. Click New to start the Instant Elevation TSE passcode generator.
  3. Enable the Instant On Demand Privilege Elevation settings on the State tab.
    • Choose Enabled, to ensure the settings apply to the selected GPO.
    • Choose Not Configured, to enable child GPOs to inherit settings from their parent.
  4. Use the Groups tab to alter the settings. By default, users of the target GPO will automatically inherit the administrator's settings (BUILTIN\Administrators).
  5. Complete the advanced options in the Privileges, Integrity and Validation Logic tabs.
  6. The Passcode is created on the next tab, Passcode.
    1. Enter a Title to describe the passcode.
    2. Enter a Maximum allowed usage. This is the number of times the passcode can be used before expiring.
    3. Enter a Duration. The duration is the amount of time the passcode remains active, after being activated.
    4. Optionally, select the check box to End all elevated processes (and child processes) when Passcode duration expires. If selected, all windows that are opened with a Temporary Session Elevation passcode are closed.
    5. Click Export to file to save the passcode for end-user use.
  7. Click Finish to complete the wizard.
    1. The passcode is delivered to the user for usage.
  8. Run a Temporary Session Elevation Usage Report to view the processes that have been launched. For more information, see Temporary Session Elevation Usage Report.