Manage Endpoint Privilege Management Policies

Using BeyondInsight, you can deploy Endpoint Privilege Management policies to assets and policy users. From the Endpoint Privilege Management Policies page, you can view the Endpoint Privilege Management policies and manage the global priority for the policies.

This feature is only available when an Endpoint Privilege Management license is detected.

View Endpoint Privilege Management Policies

  1. In the BeyondInsight console, click the MENU.
  2. Under Endpoint Privilege Management, click Policies.
  3. To filter the list of displayed policies, select the desired criteria from the Filter by list above the grid. Available filter options are:
    • Policy Name
    • Locked
    • Locked By
    • Policy Version
    • Policy Workgroup
    • Powered by

If you select Filter by > Locked, you can then select Locked or Unlocked as the filter criteria. If a policy is locked, this indicates that a user currently has it locked by an external policy editor. The ability to lock, unlock, and edit policies within BeyondInsight is planned for a future release.

EPM Policy Items on User Audits Page in BeyondInsight

You can see who added, modified, or deleted an Endpoint Privilege Management policy from the Configuration > General > User Audits page in BeyondInsight.

 

You can configure display preferences and filters to refine the information displayed. For more information, please see Change and Set the Console Display and Preferences.

Deploy Endpoint Privilege Management Policies to Assets and Policy Users Using a Smart Rule

Deploy Endpoint Privilege Management Policy Smart Rule Action in BeyondInsight.

  1. From the Smart Rules page in BeyondInsight, create an asset or Policy User Based Smart Rule that has an action of Deploy Endpoint Privilege Management Policy.

Select Endpoint Privilege Management policies and assign their priority within a Smart Rule.

  2. Select the policies using the plus sign next to the policy and set their priorities using the arrows. Click Accept Changes.

The ability to set policy priorities within a Smart Rule is available only when Use Global Priority is not enabled, as indicated in the banner at the top of the page. Click Dismiss in the banner to continue setting priorities within the Smart Rule or click Configure Global Priority to enable that feature and set global policy priorities.

 

Selecting Endpoint Privilege Management Policies within a Smart Rule with no option to set policy priority.

When Use Global Priority is enabled, you do not have the ability to set the priority on a policy within the Smart Rule, as indicated in the banner at the top of the page. Click Configure Global Priority in the banner to disable that feature if you wish to set policy priorities within the Smart Rule.

 

We recommend setting policy priority using the global policy priority feature rather than within a Smart Rule. For more information on managing global priority for policies, please see Manage Global Priority for Endpoint Privilege Management Policies.

For more information on working with Smart Rules to organize assets, please see Use Smart Rules to Organize Assets.

Manage Global Priority for Endpoint Privilege Management Policies

If multiple Smart Rules contain the same asset and have different policy priorities set within each of those Smart Rules, the Endpoint Privilege Management agent does not know which policy has the top priority on that asset. In this case, a different policy can take precedence each time the agent processes the Smart Rules. To prevent this, we recommend setting a global priority for your policies. With global policy priority enabled, BeyondInsight processes all policy-configured Smart Rules and serves all policies across all applicable Smart Rules to the Endpoint Privilege Management agent as per the defined global priority order.
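The following Python example is an added illustration of the conflict described above and of how a global priority removes it; it is not BeyondTrust code and does not use a BeyondInsight API. The rule, asset, and policy names are constructed, and modelling each Smart Rule as a set of assets plus an ordered policy list is a simplifying assumption.

```python
from itertools import combinations

# Constructed sample data (hypothetical rule, asset and policy names).
# Each Smart Rule lists its assets and its policies in rule-local priority order.
SMART_RULES = {
    "Finance Workstations": {"assets": {"WS-101", "WS-102"},
                             "policies": ["Baseline", "Finance Apps"]},
    "All Windows Desktops": {"assets": {"WS-102", "WS-200"},
                             "policies": ["Finance Apps", "Baseline"]},
    "Developers":           {"assets": {"WS-200"},
                             "policies": ["Dev Tools"]},
}
# Global priority: one number per policy, lower number wins.
GLOBAL_PRIORITY = {"Baseline": 1, "Finance Apps": 2, "Dev Tools": 3}


def ambiguous_assets(rules):
    """Return {asset: policy pairs that two of its rules rank in opposite order}."""
    seen = {}  # asset -> set of (higher, lower) pairs across all its rules
    for rule in rules.values():
        pairs = set(combinations(rule["policies"], 2))
        for asset in rule["assets"]:
            seen.setdefault(asset, set()).update(pairs)
    conflicts = {}
    for asset, pairs in seen.items():
        clash = {frozenset(p) for p in pairs if (p[1], p[0]) in pairs}
        if clash:
            conflicts[asset] = clash
    return conflicts


def unprioritized(rules, global_priority):
    """Policies referenced by a Smart Rule that have no global priority yet."""
    used = {p for rule in rules.values() for p in rule["policies"]}
    return used - set(global_priority)


def effective_order(asset, rules, global_priority):
    """Single deterministic policy order for an asset under a global priority."""
    missing = unprioritized(rules, global_priority)
    if missing:  # every policy must be prioritized before the order is defined
        raise ValueError(f"no global priority set for: {sorted(missing)}")
    policies = {p for rule in rules.values() if asset in rule["assets"]
                for p in rule["policies"]}
    return sorted(policies, key=lambda p: global_priority[p])
```

In this sample, only WS-102 is flagged, because its two Smart Rules rank Baseline and Finance Apps in opposite order; with the global priority applied, every asset gets one fixed order regardless of which rules it belongs to.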

The global policy priority feature is enabled by default on new installations of BeyondInsight 21.1 or later. It is not enabled by default when upgrading BeyondInsight versions prior to 21.1 to the 21.1 release or later.

The global policy priority feature is supported only in single-tenant BeyondInsight installations. This feature is disabled in multi-organization environments.

Enable global policy priority as follows.

  1. From the left menu in BeyondInsight, select Policies under Endpoint Privilege Management.

Setting Global Policy Priority in BeyondInsight.

  2. Click Configure Global Priority Policy, or if this is your first time using the global policy priority feature, click Configure Now in the banner that displays at the top of the page.
  3. Select the policies using the plus sign next to the policy and set their priorities using the arrows. Alternatively, you can manually specify the priority number in the box for the policy, and then click the plus sign.

All policies must be prioritized in order to enable the Use Global Priority option. Also, any policies added to BeyondInsight after global policy priority is enabled are not available for assignment within Smart Rules until a priority has been explicitly set for them here.

  4. Click Save Priority.

A banner indicating Global Policy has been configured.

  5. The banner at the top of the page now indicates a global policy priority has been configured. Click the toggle to enable the Use Global Priority option.

Confirmation message asking you to confirm that you want to enable global policy priority.

  6. A confirmation message displays. Click Enable Global Policy Priority in the message box.

Screenshot of banner indicating global policy is enabled and grid listing policies with their assigned priority.

  7. The banner at the top of the page now indicates global policy is enabled and Smart Rule prioritization is disabled, and the policies display in the grid with their assigned priority.