
Endpoint Privilege Management

Elevation rules

Create rules to define what privileged actions are allowed on workstations.

Overview

Rule scope

  1. Local rules - rules that are applicable to a certain customer tenant, meaning local rules only apply to one customer.
  2. Global rules - rules that can be created at the MSP level and will apply to all customers.

Rule evaluation logic

Here is how rules are evaluated when elevation is requested:

  1. Check if there are any local rules that deny the request → if yes, deny the request.
  2. Check if there are any local rules that allow the request → if yes, allow the request.
  3. Check if there are any global rules that deny the request → if yes, deny the request.
  4. Check if there are any global rules that allow the request → if yes, allow the request.
  5. If no rule matches, trigger the request / approval flow.

Rule types

There are various types of rules that you can create:

  • File rule
    • Rule that identifies a specific executable using file hash, file name, and / or file path
    • Use this rule when you need to allow / deny a certain application
    • For example, using SHA256 file hash you can allow execution of a certain version of Google Chrome
  • Publisher rule
    • Rule that identifies a specific publisher by certificate thumbprint
    • Use this rule when you need to allow / deny anything signed by a certain publisher certificate
    • For example, you have a set of applications that your internal team develops and signs with a publisher certificate. When you create a rule using the certificate thumbprint, you can allow all applications signed by the certificate of your developer team.
  • Certificate rule
    • Rule that identifies a verified publisher by certificate attributes
    • Use this rule when you want to allow / deny any application signed by any verified publisher certificate of a certain company
    • For example, Oracle uses various certificates to sign its binaries. You can create a rule to match Oracle.* as an organization name in the verified publisher certificate. This way you can allow all Oracle executables, even if they are signed by different publisher certificates.
Tip: You can use regular expressions to match certain certificate attributes. For example, if you want to match all verified Microsoft certificates you can use Microsoft.* in the CN section.
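The following is an added example, not idemeum's own code: a small model of the three rule types (file by hash / name / path, publisher by certificate thumbprint, certificate by regex on attributes) together with the evaluation order documented above (local deny, local allow, global deny, global allow, otherwise request / approval flow). All hashes, thumbprints, rule names and certificate attribute values are constructed placeholders, and anchoring the regex to the whole attribute value (re.fullmatch) is an assumption made here so that Oracle.* does not also match a value that merely contains the word elsewhere. The constructed rule set deliberately includes a global deny on Oracle-signed binaries next to a local allow for one specific Oracle file hash, to show that under this precedence a customer-local allow takes effect before a global deny is ever consulted.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed placeholder values (not real hashes or thumbprints).
CHROME_SHA256 = "0123456789abcdef" * 4          # 64 hex chars, SHA256 of a Chrome build
JAVA_SHA256 = "fedcba9876543210" * 4            # 64 hex chars, SHA256 of one Java updater
DEV_THUMBPRINT = "ab" * 20                      # 40 hex chars, internal dev signing cert


@dataclass(frozen=True)
class ElevationRequest:
    """Facts about the executable a user wants to run elevated."""
    file_name: str
    file_path: str
    sha256: str
    publisher_thumbprint: Optional[str] = None           # None when unsigned
    cert_attributes: dict = field(default_factory=dict)  # e.g. {"O": ..., "CN": ...}


@dataclass(frozen=True)
class Rule:
    name: str
    kind: str       # "file", "publisher" or "certificate"
    action: str     # "allow" or "deny"
    scope: str      # "local" (one customer tenant) or "global" (MSP level)
    criteria: dict  # interpretation depends on kind


def rule_matches(rule: Rule, req: ElevationRequest) -> bool:
    c = rule.criteria
    if rule.kind == "file":
        # Every criterion present (hash, name, path) must match; comparisons
        # are case-insensitive because Windows paths and hex hashes are.
        checks = []
        if "sha256" in c:
            checks.append(c["sha256"].lower() == req.sha256.lower())
        if "file_name" in c:
            checks.append(c["file_name"].lower() == req.file_name.lower())
        if "file_path" in c:
            checks.append(c["file_path"].lower() == req.file_path.lower())
        return bool(checks) and all(checks)
    if rule.kind == "publisher":
        # Exact thumbprint of the signing certificate; unsigned files never match.
        return (req.publisher_thumbprint is not None
                and c["thumbprint"].lower() == req.publisher_thumbprint.lower())
    if rule.kind == "certificate":
        # Each attribute pattern is a regex that must match the whole value.
        for attr, pattern in c.items():
            value = req.cert_attributes.get(attr)
            if value is None or re.fullmatch(pattern, value) is None:
                return False
        return bool(c)
    raise ValueError(f"unknown rule kind {rule.kind!r}")


def evaluate(rules: list, req: ElevationRequest) -> str:
    """Documented precedence: local deny, local allow, global deny, global allow;
    if nothing matches, the request goes to the request / approval flow."""
    for scope, action in (("local", "deny"), ("local", "allow"),
                          ("global", "deny"), ("global", "allow")):
        for rule in rules:
            if rule.scope == scope and rule.action == action and rule_matches(rule, req):
                return f"{action} ({scope} rule: {rule.name})"
    return "request/approval flow"


# Constructed rule set mixing local and global rules of each type.
RULES = [
    Rule("Deny Oracle binaries", "certificate", "deny", "global", {"O": r"Oracle.*"}),
    Rule("Allow Microsoft signed", "certificate", "allow", "global", {"CN": r"Microsoft.*"}),
    Rule("Allow internal dev cert", "publisher", "allow", "global", {"thumbprint": DEV_THUMBPRINT}),
    Rule("ALLOW Google Chrome", "file", "allow", "local", {"sha256": CHROME_SHA256}),
    Rule("Allow approved Java updater", "file", "allow", "local", {"sha256": JAVA_SHA256}),
]


def demo() -> dict:
    """Evaluate constructed requests against RULES and return the decisions."""
    return {
        "chrome": evaluate(RULES, ElevationRequest(
            "chrome.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
            CHROME_SHA256, "cd" * 20, {"O": "Google LLC", "CN": "Google LLC"})),
        # Oracle-signed, but its hash has a local allow: local allow is checked
        # before the global deny, so it is allowed in this tenant.
        "java_updater": evaluate(RULES, ElevationRequest(
            "jusched.exe", r"C:\Program Files\Java\jusched.exe", JAVA_SHA256,
            "ef" * 20, {"O": "Oracle America, Inc.", "CN": "Oracle America, Inc."})),
        # Any other Oracle-signed binary hits the global certificate deny.
        "other_oracle": evaluate(RULES, ElevationRequest(
            "setup.exe", r"C:\Temp\setup.exe", "11" * 32,
            "ef" * 20, {"O": "Oracle America, Inc.", "CN": "Oracle America, Inc."})),
        "ms_tool": evaluate(RULES, ElevationRequest(
            "msiexec.exe", r"C:\Windows\System32\msiexec.exe", "22" * 32,
            "12" * 20, {"O": "Microsoft Corporation", "CN": "Microsoft Windows"})),
        # Value only contains "Microsoft"; fullmatch keeps Microsoft.* from matching it.
        "lookalike": evaluate(RULES, ElevationRequest(
            "tool.exe", r"C:\Temp\tool.exe", "33" * 32,
            "34" * 20, {"O": "Example Ltd", "CN": "Not Microsoft Corporation"})),
        "internal": evaluate(RULES, ElevationRequest(
            "inventory.exe", r"C:\Tools\inventory.exe", "44" * 32,
            DEV_THUMBPRINT, {"O": "Example Ltd", "CN": "Example Ltd"})),
        "unsigned": evaluate(RULES, ElevationRequest(
            "unknown.exe", r"C:\Users\alice\Downloads\unknown.exe", "55" * 32)),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:13s} -> {decision}")
```

The ordering loop is the whole point: because a local allow is consulted before a global deny, an MSP-wide deny does not override a file rule a customer tenant created by approving a request, so global denies should be reviewed alongside the local allow rules that were auto-generated from approvals.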

How to create local rules

Create from local event

You can create local rules right from elevation events in your customer tenants.

  • Access your customer admin dashboard
  • Navigate to Elevation > Events
  • Click on ... and choose Create local rule
  • The rule dialog will open with all details pre-populated

Create from local request

You can also generate a rule automatically when approving a request in your customer tenant. Once the request is approved, a file rule will be created that uses the file hash of the executable.

  • Access your customer admin dashboard
  • Navigate to Elevation > Requests
  • Click on ... and then choose Approve or Deny
  • Then choose Approve with local rule or Deny with local rule

Create on mobile

  • When approving or denying user requests with the idemeum application you can automatically create rules.
  • Choose Approve for tenant when you want to create a local rule.
  • Idemeum will automatically create a file rule using the executable SHA256 hash value. In the UI you will see the rule with the name ALLOW <app_name>, for example ALLOW Google Chrome.

How to create global rules

Create in MSP tenant manually

You can manually create global rules in your MSP tenant.

  • Navigate to your MSP tenant admin dashboard
  • Click Elevation > Global rules
  • Click Add rule
  • You can now create any type of rule (file, publisher, or certificate) by filling out the rule values.

Create from local event

You can also create global rules from the elevation events in your customer tenants.

  • Access your customer admin dashboard
  • Navigate to Elevation > Events
  • Click on ... and choose Create global rule
  • The rule information will be automatically populated

Create from local request

You can also create global rules from elevation requests in your customer tenants. Once the request is approved, a file rule will be created that uses the file hash of the executable.

  • Access your customer admin dashboard
  • Navigate to Elevation > Requests
  • Click on ... and then choose Approve or Deny
  • Then choose Approve with global rule or Deny with global rule

Create on mobile

  • When approving or denying user requests with the idemeum application you can automatically create rules.
  • Choose Approve for all customers when you want to create a global rule.
  • Idemeum will automatically create a file rule using the executable SHA256 hash value. In the UI you will see the rule with the name ALLOW <app_name>, for example ALLOW Google Chrome.