Manage Scripts

The Manage Scripts option is available from the Run a Rule Script dropdown or Run an Audit Script dropdown on the Edit Application Rule dialog box.

There are two types of scripts that you can use:

  • Rule Scripts: PowerShell scripts, with optional associated settings files, that let you modify the outcome of a Privilege Management for Windows rule once the script has run. These scripts can only be run in the user context.
  • Audit Scripts: VB, JavaScript, or PowerShell scripts that run after the Privilege Management for Windows rule. These are for auditing purposes. These scripts can be run in the user or system context.

Both types of script can be imported into Privilege Management for Windows using this dialog box.

Rule Scripts

Rule scripts are PowerShell scripts that can dynamically change the Privilege Management for Windows default rule.

You can perform the following functions on rule scripts:

  • Manage Rule Scripts
  • Import a Rule Script
  • Add a Settings File
  • Export a Rule Script
  • Delete a Rule Script

Manage Rule Scripts

The Rule Script node contains all the rule scripts in your policy. If a rule script is assigned to the Application Rule you are currently editing, the icon displays a green tick on it.

You cannot delete a rule script if it is assigned to an Application Group or an On-Demand Application Group.

If you previously imported rule scripts, they are listed on the Rule Script node on the left side of the Script Manager.

Rule scripts must be created outside the Privilege Management Policy Editor and imported. You cannot create a new rule script using the Script Manager. Click Import Script at the bottom of the Script Manager to import a new rule script.

Import a Rule Script

There are two components to rule scripts:

  • Rule script
  • (Optional) Settings file

BeyondTrust-supported integrations are available from BeyondTrust.

You should not edit BeyondTrust-supported integrations, as this may affect the level of support we are able to provide.

While you can edit a rule script in the Script Manager, we recommend you import the completed script into the Script Manager.

To import a rule script:

  1. Copy the PowerShell rule script (*.ps1) and associated settings (*.json) file somewhere locally so you can locate them from the Policy Editor.
  2. Click the Run a Rule Script dropdown and select Manage Scripts.
  3. Select the Rule Scripts node and click Import Script at the bottom of the dialog box.
  4. Navigate to your PowerShell (*.ps1) file and click Open.
  5. The script is loaded into the Script Manager and displayed.

You can edit the rule script here if required. When you click Close, your changes are automatically saved.

Each rule script can have an optional associated Settings file which must be in a valid *.json format. Settings files are encrypted at the endpoint. They are useful for managing credentials required for integrations and other sensitive information.
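
A pre-import check for the two files copied in step 1, as an added example (not BeyondTrust code). The function name Test-RuleScriptPackage and the sample file names are hypothetical. It confirms that the rule script parses and that the settings file is valid JSON. Going beyond the page, it also records the script's SHA-256 hash and Authenticode signature status so the imported copy can be traced back to a reviewed file.

```powershell
# Added example: pre-import check for a rule script and its optional settings file.
# Test-RuleScriptPackage is a hypothetical helper name, not a product cmdlet.
function Test-RuleScriptPackage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ScriptPath,
        [string] $SettingsPath
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. The rule script must be a .ps1 file that parses without syntax errors.
    if ([System.IO.Path]::GetExtension($ScriptPath) -ne '.ps1') {
        $findings.Add("Rule script is not a .ps1 file: $ScriptPath")
    }
    $fullPath = (Resolve-Path -LiteralPath $ScriptPath -ErrorAction Stop).ProviderPath
    $tokens = $null
    $parseErrors = $null
    [void][System.Management.Automation.Language.Parser]::ParseFile(
        $fullPath, [ref]$tokens, [ref]$parseErrors)
    foreach ($e in $parseErrors) {
        $findings.Add("Syntax error at line $($e.Extent.StartLineNumber): $($e.Message)")
    }

    # 2. Record hash and signature status of the exact file that will be imported.
    $hash = (Get-FileHash -LiteralPath $fullPath -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -LiteralPath $fullPath

    # 3. The settings file is optional, but if supplied it must be valid JSON.
    if ($SettingsPath) {
        try {
            $null = Get-Content -LiteralPath $SettingsPath -Raw -ErrorAction Stop |
                ConvertFrom-Json -ErrorAction Stop
        } catch {
            $findings.Add("Settings file is not valid JSON: $($_.Exception.Message)")
        }
    }

    [pscustomobject]@{
        Script          = $fullPath
        Sha256          = $hash
        SignatureStatus = $sig.Status
        ReadyToImport   = ($findings.Count -eq 0)
        Findings        = $findings
    }
}

# Hypothetical file names; use the files copied locally in step 1.
Test-RuleScriptPackage -ScriptPath .\Integration.ps1 -SettingsPath .\Integration.json
```

ReadyToImport is false when the script has syntax errors or the settings file does not parse. SignatureStatus is reported for review and does not affect the result.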

After you import a rule script, you can change the Timeout settings. This is the time that Privilege Management for Windows waits from the start of script execution for the script to complete before running the default rule.

Add a Settings File

After you add a rule script (*.ps1), you can optionally add an associated Settings file (*.json) if one is required for the integration. The Settings file contains any information that is specific to your integration environment, such as URLs, usernames, and passwords. The Settings file is encrypted on the endpoint using SHA1.

  1. Go to Settings > Import Settings.
  2. Navigate to and select your Settings file.
  3. Click Open. The Settings file is displayed. Before you proceed, we recommend you review and make any necessary edits to the Settings file in this window. Click Save to associate this Settings file with your rule script.
  4. The name of the Settings file that is associated with your rule script is shown next to the Settings button. Click Settings to view the contents of your settings file at any time.

You can click Delete Settings at any time if you want to clear the Settings window. Importing a new script overwrites the existing one.

After you associate a settings (*.json) file with a rule script (*.ps1), it is always associated with that rule script wherever you use it. For example, if you associate a settings file with a rule script for an Application Rule and select the same rule script in an On-Demand Application Rule, the same settings file is used. Changes to the settings or rule script file in either location are applied wherever it's used.

Export a Rule Script

If you need to share the rule script you can export it. You cannot export the settings file because it is linked to the rule script.

To export an existing rule script:

  1. From the Script Manager, click Export Script.
  2. Navigate to the location where you want to save the script and click Save. The rule script is now exported.

Delete a Rule Script

You can delete an existing rule script, provided that it is not assigned to an Application Rule or On-Demand Application Rule.

To delete a rule script:

  1. From the Script Manager, select the rule script you want to delete and click Delete Script.
  2. Provided that the script is not in use by an Application Rule or an On-Demand Application Rule, you are prompted to confirm the deletion. The script is deleted.

If the rule script is assigned to an Application Rule or On-Demand Application Rule, you receive a message stating that it cannot be deleted.

A rule script is only assigned to an Application Group after you click Close on the Script Manager dialog box and click OK on the Edit Application Rule dialog box. Clicking Close on only the Script Manager does not associate a rule script with that Application Group.

Audit Scripts

Audit scripts allow you to audit behavior you may want to capture.

You can perform the following functions on audit scripts:

  • Manage Audit Scripts
  • Create an Audit Script
  • Import an Audit Script
  • Export an Audit Script
  • Delete an Audit Script

Manage Audit Scripts

The Audit Script node contains all the audit scripts in your policy. If an audit script is assigned to the Application Rule you are currently editing, the icon displays a green tick on it.

You cannot delete a rule script if it is assigned to an Application Group or an On-Demand Application Group.

If you previously imported rule scripts, they are listed on the rule script node on the left side of the Script Manager.

Click Import Script at the bottom of the Script Manager to import a new rule script. Alternatively, you can create a new audit script in the Privilege Management Policy Editor.

For more information, please see Create an Audit Script.

Create an Audit Script

You can create audit scripts using the Privilege Management Policy Editor.

To create an audit script:

  1. Click New in the Audit Scripts node in the Script Manager to create a new audit script. You can now choose the following options and enter your script directly into the policy editor.
    • Script Language: Choose from VB Script, Javascript, or PowerShell Script. Switching between languages clears all code in the script editor window.
    • Script Context: An audit script can run in the User or System context.
    • Timeout: The time that Privilege Management for Windows waits from the start of script execution for the script to complete before activating the default rule options.

You can edit the audit script here. Your changes are automatically saved when you click Close.

Import an Audit Script

Audit scripts can be imported in the Policy Editor.

To import an audit script:

  1. Copy the audit script (*.vbs, *.js, or *.ps1) file somewhere locally so you can locate it from the Policy Editor.
  2. Click either the Run a Rule Script or Run an Audit Script dropdown and click Manage Scripts.
  3. Select the Audit Scripts node and click Import Script at the bottom of the dialog box.
  4. Navigate to the audit script file and click Open.
  5. The script is loaded into the Script Manager and displayed.

You can edit the audit script here if required. Your changes are automatically saved when you click Close.

Export an Audit Script

You can export an existing audit script if you need to share it.

To export an existing audit script:

  1. From the Script Manager, click Export Script.
  2. Navigate to the location where you want to save the script and click Save. The audit script is exported.

Delete an Audit Script

You can delete an existing audit script, even if it is assigned to an existing Application Rule.

To delete an audit script:

  1. From the Script Manager, select the audit script you want to delete and click Delete Script.
  2. Provided the script is not in use by an Application Rule or an On-Demand Application Rule, you are prompted to confirm the deletion. The script is deleted.