立即与支持人员聊天
与支持团队交流

Safeguard Privilege Manager for Windows 4.5.3 - Administration Guide

TitlePageProxy Copyright Table of Contents About this guide What is Safeguard Privilege Manager for Windows? Installing Safeguard Privilege Manager for Windows Configuring Client data collection Configuring Instant Elevation Configuring Self-Service Elevation Configuring Temporary Session Elevation Configuring privileged application discovery Deploying rules Removing local admin rights Reporting Client-side UI customization Using Microsoft tools Maintaining a least privileged use environment Database Planning Product Improvement Program About us

Using Self-Service Notifications

If you would like to receive an email when a user on a client computer submits a Self-Service Elevation Request Form, you can set up a Self-Service Notification. You can configure it to go to multiple recipients, including you, your manager, and/or the help desk. In addition, you can set the subject line to meet the requirements of your help desk.

To set up Self-Service Notifications

  1. Configure the Server.

    1. Use the Privilege Manager Server Setup Wizard to configure the Server Email Notification Configuration settings on the first screen of the wizard.

    2. If you previously completed the wizard, the remaining screens are automatically populated.

    3. Refer to the Safeguard Privilege Manager for Windows Quick Start Guide for step-by-step instructions.

  2. Configure the recipient.

    1. Use the Settings tab on the Self-Service Elevation Request Settings Wizard to configure the Email Notification Settings.

  3. For more information on the wizard, see Using the Self-Service Elevation Request Settings Wizard.

  4. For more information on setting up Email Notification Settings, see .

  5. Check your email for the Self-Service Notification, containing information on the user, the request, and the client’s computer.

  6. Accept or reject the user's request Using the Self-Service Elevation Request Processing Wizard.

  7. Inform the end user of your decision Using the Console Email Configuration screen.

Using the Self-Service Elevation Request Processing Wizard

Shortly after a user on a client computer has submitted a Self-Service Elevation Request Form, you can view and/or process it within the Self-Service Elevation Requests section of the Console (provided that your environment is properly configured according to the Maximum Sleep Time setting).

You can only view data stored in the database of the server that is selected in the Server configuration (under Setup Tasks > Configure a Server).

When processing a Self-Service Elevation request, you can either create a rule to elevate privileges for the process or deny the request. You can then email your decision to the user using the Console Email Configuration screen.

To view or process Self-Service Elevation requests

  1. Open the Self-Service Elevation Requests section from the navigation pane of the Console. The requests appear in the window on the right.

  2. Click Display requests to list the Self-Service Elevation requests submitted by users, based on the default filter settings shown in the Applied Filters section at the top of the screen.

  3. Select a request in the Self-Service Elevation Requests grid below. Use the grid's column headers to sort the requests.

    By default, the following information appears:

    1. Requests to elevate any type of applications;

    2. Requests sent during the last 30 days; and

    3. Requests that have never been processed with using Process request from the current section.

  4. Use the Applied Filters Wizard to modify the list. You can create multiple shared filter sets and save settings that other administrators can use. For more information, see Using the Applied Filters Wizard.

  5. Select a record and then click Process request to open the Self-Service Elevation Request Processing Wizard.

  6. On the first tab of the wizard, view the details for a process that failed to start, and the reason for requesting Elevation privileges. Click Next.

  7. Indicate whether you want to create a rule to elevate the privileges for this process, or deny the request.

    1. If you approve the request, the Create Rule wizard appears, allowing you to create a rule for the requested process. By default, the rule is created for a specific user at a specific computer, and the Administrators group (stored within the BUILTIN\Administrators Active Directory OU) is added to the rule. Use the Validation Logic tab to modify this setting.

    2. When a request is processed and a rule is created for it (or it has been denied), the Processed Action column displays a rule created or ignored value.

    3. To view ignored requests or requests for which the rules were created, change the Process Date of Item filter on the Applied Filters Wizard from None: Item has not been processed to the corresponding Date Range.

  8. Select whether or not to email your decision to the user. This feature requires that you set up the Console Email Configuration settings.

  9. Click Finish to save.

    The rule created from the request is added to the selected GPO with a default name.

  10. Select Export to export the list of requests presented on the grid. The list will be saved as an .xls file.

    After the rule has been created:

    • The rule is added to the target GPO of the Group Policy Settings section.

    • The rule applies after the GPO settings are updated on the client computer.

Using the Console Email Configuration screen

If you want Safeguard Privilege Manager for Windows to send an email message to the user after approving or denying their Self-Service Elevation request, configure the settings using the Setup Tasks > Console Email Configuration screen.

To configure the Server to send your Self-Service Elevation request approval or refusal:

  1. Select Console Email Configuration from the Setup Tasks section.

  2. Configure the following fields:

    1. Host Name: Enter the SMTP Server name of the email account from which you are going to send your emails.

    2. SMTP Port: Enter the port number.

    3. SMTP User Name and Password: If necessary, enter the authentication information and check the SSL check box.

    4. From Email: Enter the corresponding email.

  3. Click Send Test Email to send an email to the account specified in the From Email field.

    1. If Safeguard Privilege Manager for Windows succeeds in sending the email, the corresponding message appears.

    2. Log into an email program with the corresponding account and locate the sent email folder, with Privilege Manager Test Email in the subject.

  4. Click OK to save the settings and quit.

Configuring Temporary Session Elevation

Detailed information about this topic

Available only in Safeguard Privilege Manager for Windows Professional Edition and Professional Evaluation Edition.

Temporary Session Elevation (TSE) allows an administrator to generate Elevation passcodes that can provide end users the ability to temporarily elevate the privileges of any process or application on their machine. The passcodes work for both on-network and off-network machines, even if there are active internet connections.

Temporary Session Elevation passcodes are intended to be used during a specific user session. A user session comprises the period between the user logon and logoff times, regardless of the reason that caused the logoff.

Temporary Session Elevation passcode usage can be limited by time or number of uses. More granular limitations can selected by using Validation Logic in the passcode. Examples of this are limiting use by computer name, user name or time and date range. When the passcode is used on a client computer, Validation Logic allows or denies usage based on selected options.

NOTE: In some cases, Temporary Session Elevation and Blacklisting rules are configured for the same target application. In this case, Blacklisting takes precedence over Temporary Session Elevation and prevents the application from starting. For more information about creating Blacklisting rules, see Using the Create Rule Wizard.

For more information, see the following Knowledge Base Articles:

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级