Manage Endpoint Privilege Management Policies

Using BeyondInsight, you can deploy Endpoint Privilege Management policies to assets and policy users. From the Endpoint Privilege Management Policies page, you can view a list of available Endpoint Privilege Management policies, and in single-tenant environments only, you can manage the global priority for the policies. You can also delete policies if you have sufficient permissions.

Endpoint Privilege Management features are only available when an Endpoint Privilege Management license is detected.

If the Endpoint Privilege Management Web Policy Editor (WPE) is installed in your BeyondInsight instance, and your account has sufficient permissions, you can view the details for each policy, unlock policies, edit policies (which also locks the policy), and delete policies.

The WPE is not installed out of the box with BeyondInsight. Please contact your BeyondTrust representative for assistance with installing the WPE and its associated WPE service in your BeyondInsight environment.

View Endpoint Privilege Management Policies

  1. From the left menu in BeyondInsight, select Policies under Endpoint Privilege Management.
  2. To filter the list of displayed policies, select the desired criteria from the Filter by list above the grid. Available filter options are:
    • Policy Name
    • Locked
    • Locked By
    • Policy Version
    • Policy Workgroup
    • Powered by

If you select Filter by > Locked, you can then select Locked or Unlocked as the filter criteria. If a policy is locked, this indicates that a user currently has it locked by a policy editor. The ability to lock, unlock, and edit policies within BeyondInsight is planned for a future release. If the WPE is installed in your BeyondInsight instance, and you have sufficient permissions, you can unlock a policy that is locked by another user, and then lock the policy so you can edit it.

EPM Policy Items on User Audits Page in BeyondInsight

You can see who added, modified, or deleted an Endpoint Privilege Management policy from the Configuration > General > User Audits page in BeyondInsight. Click the i button for a specific activity to view its details.

For more information on using the Endpoint Privilege Management Web Policy Editor, please see:

Deploy Endpoint Privilege Management Policies to Assets and Policy Users Using a Smart Rule

  1. From the Smart Rules page in BeyondInsight, select Asset or Policy User from the Smart Rule type Filter dropdown, and then click Create Smart Rule.
  2. Under Actions, select Deploy Endpoint Privilege Management Policy from the dropdown.
  3. Click Select Policies for Deployment.
  4. Select the policies using the plus sign next to the policy and set their priorities using the arrows. Click Accept Changes.

The ability to set policy priorities within a Smart Rule is available only when Use Global Priority is not enabled, as indicated in the banner at the top of the page. Click Dismiss in the banner to continue setting priorities within the Smart Rule or click Configure Global Priority to enable that feature and set global policy priorities.

When Use Global Priority is enabled, you do not have the ability to set the priority on a policy within the Smart Rule, as indicated in the banner at the top of the page. Click Configure Global Priority in the banner to disable that feature if you wish to set policy priorities within the Smart Rule.

We recommend setting policy priority using the global policy priority feature over setting policy priority within a Smart Rule. For more information on managing global priority for policies, please see Manage Global Priority for Endpoint Privilege Management Policies.

For more information on working with Smart Rules to organize assets, please see Use Smart Rules to Organize Assets.

Manage Global Priority for Endpoint Privilege Management Policies

If multiple Smart Rules contain the same asset and have different policy priorities set within each of those Smart Rules, the Endpoint Privilege Management agent does not know which policy has the top priority on that asset. In this case, a different policy can take precedence each time the agent processes the Smart Rules. To prevent this, we recommend setting a global priority for your policies. With global policy priority enabled, BeyondInsight processes all policy-configured Smart Rules and serves all policies across all applicable Smart Rules to the Endpoint Privilege Management agent as per the defined global priority order.

The global policy priority feature is enabled by default on new installations of BeyondInsight 21.1 or later. It is not enabled by default when upgrading BeyondInsight versions prior to 21.1 to the 21.1 release or later releases.

The global policy priority feature is supported only in single-tenant BeyondInsight installations. This feature is disabled in multi-organization environments.
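
An offline check for the priority conflict described above, added here as an illustration and not BeyondTrust code: it flags assets whose Smart Rules disagree on the top-priority policy and shows the single order a global priority would produce. The data layout, the function names, and the convention that a lower number means a higher priority are assumptions.

```python
from collections import defaultdict

# Constructed sample data. The structure is hypothetical, not a BeyondInsight
# export format. Each Smart Rule lists its policies highest priority first.
SMART_RULES = [
    {"name": "Workstations", "assets": ["WS-01", "WS-02"],
     "policies": ["Baseline", "Developers"]},
    {"name": "Dev Team", "assets": ["WS-02", "WS-03"],
     "policies": ["Developers", "Baseline"]},
    {"name": "Servers", "assets": ["SRV-01"],
     "policies": ["Server Admins", "Baseline"]},
]

# Assumption: a lower number means a higher priority.
GLOBAL_PRIORITY = {"Server Admins": 1, "Developers": 2, "Baseline": 3}


def ambiguous_assets(rules):
    """Return {asset: {top_policy: [rule names]}} for assets whose Smart Rules
    disagree on which policy has the top priority."""
    tops = defaultdict(dict)
    for rule in rules:
        if not rule["policies"]:
            continue
        top = rule["policies"][0]
        for asset in rule["assets"]:
            tops[asset].setdefault(top, []).append(rule["name"])
    return {asset: t for asset, t in tops.items() if len(t) > 1}


def effective_order(asset, rules, global_priority):
    """Order in which policies reach one asset under a single global priority."""
    applicable = {p for r in rules if asset in r["assets"] for p in r["policies"]}
    missing = sorted(applicable - set(global_priority))
    if missing:
        # Mirrors the page's rule that every policy needs an explicit priority.
        raise ValueError(f"policies without a global priority: {missing}")
    return sorted(applicable, key=global_priority.__getitem__)


if __name__ == "__main__":
    for asset, tops in ambiguous_assets(SMART_RULES).items():
        print(f"{asset}: no single top-priority policy -> {tops}")
        print(f"  with global priority: {effective_order(asset, SMART_RULES, GLOBAL_PRIORITY)}")
```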

Enable global policy priority as follows.

  1. From the left menu in BeyondInsight, select Policies under Endpoint Privilege Management.
  2. Click Configure Global Priority Policy, or if this is your first time using the global policy priority feature, click Configure Now in the banner that displays at the top of the page.
  3. Select the policies using the plus sign next to the policy and set their priorities using the arrows. Alternatively, you can manually specify the priority number in the box for the policy, and then click the plus sign.

All policies must be prioritized in order to enable the Use Global Priority option. Also, any policies added to BeyondInsight after global policy priority is enabled are not available for assignment within Smart Rules until a priority has been explicitly set for them here.

  4. Click Save Priority.
  5. The banner at the top of the page now indicates a global policy priority has been configured. Click the toggle to enable the Use Global Priority option.
  6. A confirmation message displays. Click Enable Global Policy Priority in the message box.
  7. The banner at the top of the page now indicates global policy is enabled and Smart Rule prioritization is disabled, and the policies display in the grid with their assigned priority.