Get Started With the Policy Editor

This section provides information on getting started with the Policy Editor. Details include accessing the Policy Editor, creating a policy using a QuickStart template, and editing a policy.

Access the Policy Editor

  1. Log on to the PMC console, and click the Policies tile.
  2. Select a policy in the list, and then select Edit & Lock from the Actions menu.

The default page of the Web Policy Editor

Overview of Policy Editor Components

Workstyles

Workstyles are used to assign Application Rules to a specific user or group of users.

Application Groups

Application Groups are used by Workstyles to group applications together to apply certain Privilege Management behavior.

Content Groups

Content Groups are used by Workstyles to group content together to apply certain Privilege Management behavior.

Messages

Messages are used by Workstyles to provide information to the end user when Privilege Management has applied behavior that you have defined and want the end user to be notified about.

Utilities

The Policy Editor provides some useful tools to help with managing policies, including an import policy tool and a license management tool.

Create a Policy

  1. Log on to the PMC console, and click the Policies tile.
  2. Click Create Policy.
  3. Select one of the following:
    • QuickStart for Windows: A preconfigured template with Workstyles, Application Groups, messages, and Custom Tokens already configured.
    • QuickStart for Mac: A preconfigured template with Workstyles, Application Groups, messages, and Custom Tokens already configured.
    • Server Roles: The Server Roles policy contains Workstyles, Application Groups, and Content Groups to manage different server roles such as DHCP, DNS, IIS, and Print Servers.
    • Blank: Select to configure a policy from scratch. There are no preconfigured settings in this template.
  4. Enter a name and description.
  5. Click Create Policy.

The Policy Editor opens to the Workstyles page. At this point you must configure the Workstyle, Application Groups, Application Rules and other policy configuration as required for your organization.

Use the QuickStart for Windows or Mac Template

To get started quickly using the Policy Editor, create a new policy using either the QuickStart for Windows template or the QuickStart for Mac template.

Both QuickStart templates, for Windows and Mac policies, contain Workstyles, Application Groups, Messages, and Custom Tokens configured with Privilege Management and Application Control. The QuickStart policy is designed from BeyondTrust's experience of implementing the solution across thousands of customers, and is intended to balance security with user freedom. As every environment is different, we recommend you thoroughly test this configuration to ensure it complies with the requirements of your organization.

Customize the QuickStart Policy

Before deploying the QuickStart policy to your users, you need to make some company-specific customizations to the standard template.

At a minimum you need to:

  • Configure the users or groups that can authorize requests that trigger messages.
  • Assign users and groups to the high, medium, and low flexibility Workstyles.
  • Populate the Block - Blocklisted Apps Application Group with any applications that you want to block for all users.
  • Set your shared key so you can generate a Privilege Management Response code.

QuickStart Template Summary

This section provides information about the properties for the Windows and Mac QuickStart templates, including the Workstyles and Application Groups that comprise the template.

Workstyles

All Users

This Workstyle contains a set of default rules that apply to all standard users regardless of the level of flexibility they need.

The All Users Workstyle contains rules to:

  • Block any applications in the Block - Blocklisted Apps group
  • Allow Privilege Management Support tools
  • Allow standard Windows functions, business applications, and applications installed through trusted deployment tools to run with admin rights (Windows QuickStart template)
  • Allow standard Mac functions, business applications, and applications installed through trusted deployment tools to run with admin rights (Mac QuickStart template)
  • Allow approved standard user applications to run passively

High Flexibility

This Workstyle is designed for users that require a lot of flexibility, such as developers.

The High Flexibility Workstyle contains rules to:

  • Allow known business applications and operating system functions to run.
  • Allow users to run signed applications with admin rights.
  • Allow users to run unknown applications with admin rights once they confirm that the application should be elevated.
  • Allow applications that are in the Add Admin – High Flexibility group to run with admin rights.
  • Allow unknown business application and operating system functions to run on-demand.

Medium Flexibility

This Workstyle is designed for users that require some flexibility, such as sales engineers.

The Medium Flexibility Workstyle contains rules to:

  • Allow known business applications and operating system functions to run.
  • Allow users to run signed applications with admin rights once they confirm that the application should be elevated.
  • Prompt users to provide a reason before they can run unknown applications with admin rights.
  • Allow applications that are in the Add Admin – Medium Flexibility group to run with admin rights.
  • Allow unknown business application and operating system functions to run on-demand.
  • Prevent restricted OS functions that require admin rights from running; these require support interaction.

Low Flexibility

This Workstyle is designed for users that don't require much flexibility, such as helpdesk operators.

The Low Flexibility Workstyle contains rules to:

  • Prompt users to contact support if a trusted or untrusted application requests admin rights.
  • Prompt users to contact support if an unknown application tries to run.
  • Allow known approved business applications and operating system functions to run.

Application Groups

The Application Groups that are prefixed with (Default) or (Recommended) are hidden by default and do not need to be altered.

  • Add Admin – General (Business Apps): Contains applications that are approved for elevation for all users, regardless of their flexibility level.
  • Add Admin – General (Windows Functions): Contains operating system functions that are approved for elevation for all users.
  • Add Admin – High Flexibility: Contains the applications that require admin rights that should only be provided to the high flexibility users.
  • Add Admin – Low Flexibility: Contains the applications that require admin rights that should only be provided to the low flexibility users.
  • Add Admin – Medium Flexibility: Contains the applications that require admin rights that should only be provided to the medium flexibility users.
  • Passive - High Business Apps
  • Passive - Medium Business Apps
  • Passive - Low Business Apps
  • Block - Blocklisted Apps: This group contains applications that are blocked for all users.
  • Passive - All Users Functions & Apps: Contains trusted applications, tasks and scripts that should execute as a standard user.
  • (Default) Any Application: Contains all application types and is used as a catch-all for unknown applications.
  • (Default) Any Trusted & Signed UAC Prompt: Contains signed (trusted ownership) application types that request admin rights.
  • (Default) Any UAC Prompt: This group contains application types that request admin rights.
  • (Default) Privilege Management Tools: This group is used to provide access to a BeyondTrust executable that collects Privilege Management for Windows troubleshooting information.
  • (Default) Child Processes of TraceConfig.exe
  • (Default) Signed UAC Prompt: Contains signed (trusted ownership) application types that request admin rights.
  • (Default) Software Deployment Tool Installs: Contains applications that can be installed by deployment tools such as System Center Configuration Manager (SCCM).
  • (Recommended) Restricted Functions: This group contains OS applications and consoles that are used for system administration and trigger UAC when they are executed.
  • (Recommended) Restricted Functions (On Demand): This group contains OS applications and consoles that are used for system administration.
  • (Default) Trusted Parent Processes

Messages

The following messages are created as part of the QuickStart policy and are used by some of the Application Rules:

  • Allow Message (Authentication): Asks the user to provide a reason and enter their password before the application runs with admin rights.
  • Allow Message (Select Reason): Asks the user to select a reason from a dropdown menu before the application runs with admin rights.
  • Allow Message (Support Desk): Presents the user with a challenge code and asks them to obtain authorization from the support desk. Support can either provide a response code or a designated, authorized user can enter their login details to approve the request.
  • Allow Message (Yes / No): Asks the user to confirm that they want to proceed to run an application with admin rights.
  • Block Message: Warns the user that an application has been blocked.
  • Block Notification: Notifies the user that an application has been blocked and submitted for analysis.
  • Notification (Trusted): Notifies the user that an application has been trusted.

Use the Server Role Template

The Server Roles policy contains Workstyles, Application Groups, and Content Groups to manage different server roles such as DHCP, DNS, IIS, and Print Servers.

Server Roles Template Summary

This template policy contains the following elements.

Workstyles

  • Server Role - Active Directory - Template
  • Server Role - DHCP - Template
  • Server Role - DNS - Template
  • Server Role - File Services - Template
  • Server Role - Hyper V - Template
  • Server Role - IIS - Template
  • Server Role - Print Services - Template
  • Server Role - Windows General - Template

Application Groups

  • Server Role - Active Directory - Server 2008R2
  • Server Role - DHCP - Server 2008R2
  • Server Role - DNS - Server 2008R2
  • Server Role - File Services - Server 2008R2
  • Server Role - General Tasks - Server 2008R2
  • Server Role - Hyper V - Server 2008R2
  • Server Role - IIS - Server 2008R2
  • Server Role - Print Services - Server 2008R2

Content Groups

  • AD Management
  • Hosts Management
  • IIS Management
  • Printer Management
  • Public Desktop

Edit Policy

When you edit a policy, the policy is locked. Other policy administrators cannot access the policy to change the properties when the status is Locked.

  1. Select the policy, and then select Edit & Lock from the Actions menu.
  2. On the Policy Editor page, go to the policy property you want to change.
  3. Click Save to save a draft of the policy. Clicking Save allows you to keep the Policy Editor open to continue changing the policy.
  4. After you finish all updates to the policy, click Save & Unlock to save a new revision of the policy.
  5. Add a note to indicate any important changes to the policy. Adding an annotation is optional.
  6. Click Save Policy.

Policy Revisions and Drafts

You can review the history of revisions and drafts on the Policy Details page.

  1. Click the link for the policy.

Web Policy Editor showing revision history

  2. Click the Revision History tab or Drafts tab to view more information about the changes to the policy.

Unlock a Policy

A policy locked by a user can be unlocked. The policy is reverted to the previous version.

After unlocking the policy, the user account that locked the policy can no longer save or check in changes to that policy.

To unlock and discard the changes to a policy:

  1. Navigate to and click the Policies tile.
  2. Right-click the locked policy, and then click Revert & Discard Changes.
  3. Click Continue Anyway to discard the draft and revert the policy version; otherwise, click Cancel.