Privilege Management Console Policy Management in the MMC

The Privilege Management MMC snap-in allows you to create, edit, check in, and check out policies to the PMC portal.

For information on editing workstyle policy for Windows, please see the Windows Administration Guide.

Privilege Management Console Policy Workflow in MMC

Policies are managed on a per-revision basis in PMC. When you create or import a PMC policy in the Privilege Management MMC snap-in, you can save one or more local drafts before you check it into PMC. Revisions are not created when you are working with local drafts and PMC does not have visibility of them.

Each time you check in a policy to PMC from the MMC, a new revision is created. This allows you to revert to an older revision, if required. If you check a policy out and make changes but then change your mind, you can discard your changes and the associated checkout to cancel your original checkout and any changes.

You can check policies in and out from the Privilege Management MMC snap-in as well as create new ones.

There are six user roles for policies:

  • Abort
  • Create
  • Delete
  • Modify
  • Query
  • View

Only users in the Administrators or Policy Administrators group have all of the user roles.

For more information, please see Assign Roles to a User Account in Privilege Management Console.

Agent and Group Locks

Endpoints or groups are locked when a policy is applied. Rows are locked in the Computers or Groups grids, respectively.

After all commands are applied, the endpoint or group will unlock. Once the endpoint or group is unlocked, you can interact with the computer or group. Subsequent commands are queued by PMC as required.

Create a Policy in the Privilege Management Console MMC Snap-in

You can create a policy using the functionality in the Privilege Management MMC snap-in.

To create a policy:

  1. Click Create in the Privilege Management MMC snap-in.
  2. Enter a name for the policy and click OK. This creates the policy so you can now start editing it. At this stage the policy is in draft, so PMC does not have visibility of it. PMC can only see policies that you have checked in.

For information on editing policy on Windows endpoints, please see the Windows Administration Guide.

View Policies in the Privilege Management Console MMC Snap-in

You can view a list of policies that are local to the Privilege Management MMC snap-in, and whether PMC can see the state of them.

To view policies:

  1. In the Privilege Management MMC snap-in, if you have a policy checked out and you want to view all policies, click Browse Policies in the Start section on the left. If you do not have a policy checked out, you can click Browse all PMC policies in the PMC Policy section.
  2. You can perform additional actions such as Save Draft, Check in Changes, Discard Draft, and View from this list, depending on your user role and the state of the policy.

Check in a Policy Using the Privilege Management Console MMC Snap-in

Once you have created or imported a policy you can check it into PMC. This will create the first revision of the policy if it's new to PMC; otherwise, it will increment the revision of the policy.

To check in a policy:

  1. In the Privilege Management MMC snap-in, click Check in your changes in the Policy section.
  2. Add a description of your changes and click OK. Your policy is now checked into PMC and is visible in the PMC portal.

Each time the same policy is checked in or uploaded to the Privilege Management MMC snap-in, the revision of the policy is incremented. New revisions of the same policy need to be manually assigned to the group; this is not done automatically.

For more information, please see Assign a Policy to a Group in Privilege Management Console.

Check out a Policy Using the Privilege Management Console MMC Snap-in

Policies that have been checked into PMC must be checked out to be edited.

To check out a policy:

  1. In the Privilege Management MMC snap-in, click Browse all PMC policies in the PMC Policy section.
  2. Select your policy from the list and click Check Out. You can now edit the policy in the Privilege Management MMC snap-in.