Manage Scripts

The Manage Scripts option is available from the Run a Rule Script dropdown or Run an Audit Script dropdown on the Edit Application Rule dialog box.

There are two types of scripts that you can use:

  • Rule Scripts: PowerShell scripts and optional associated settings files allow you to modify the outcome of an Endpoint Privilege Management for Windows rule, once a script has been run. These scripts can only be run in the user context.
  • Audit Scripts: VB, Javascript, or PowerShell scripts run after the Endpoint Privilege Management for Windows rule. These are for auditing purposes. These scripts can be run in the user or system context.

Both types of scripts can be imported into Endpoint Privilege Management for Windows using this dialog box.

Manage Rule Scripts

The Rule Script node contains all the rule scripts in your policy. If a rule script is assigned to the Application Rule you are currently editing, the icon displays a green tick on it.

If you previously imported rule scripts, they are listed on the Rule Script node on the left side of the Script Manager.

Rule scripts must be created outside the Policy Editor and imported. You cannot create a new rule script using the Script Manager. Click Import Script at the bottom of the Script Manager to import a new rule script.

Import a Rule Script

There are two components to rule scripts:

  • Rule script
  • (Optional) Settings file: Each rule script can have an optional Settings file, which must be valid JSON (*.json). Settings files are useful for managing credentials required for integrations and other sensitive information.

BeyondTrust-supported integrations are available from BeyondTrust.

You should not edit BeyondTrust-supported integrations, as this may affect the level of support we are able to provide.

While you can edit a rule script in the Script Manager, we recommend you import the completed script into the Script Manager.

To import a rule script:

  1. Copy the PowerShell rule script (*.ps1) and associated settings (*.json) file somewhere locally so you can locate them from the Policy Editor.
  2. Click the Run a Rule Script dropdown and select Manage Scripts.
  3. Select the Rule Scripts node and click Import Script at the bottom of the dialog box.
  4. Navigate to your PowerShell (*.ps1) file and click Open.
  5. The script is loaded into the Script Manager.
  6. Edit the rule script at this point, if required.
  7. Optionally, change the Timeout settings. This is the time that Endpoint Privilege Management for Windows waits from the start of script execution for the script to complete before running the default rule.
  8. Click Close to save your changes.

Add a Settings File

After you add a rule script (*.ps1), you can optionally add a Settings file (*.json) if one is required for the integration. The Settings file contains any information that is specific to your integration environment, such as URLs, usernames, and passwords. The Settings file is encrypted on the endpoint.

  1. Go to Settings > Import Settings.
  2. Navigate to and select your Settings file.
  3. Click Open. Before you proceed, review and edit the Settings file in this window. Click Save to associate this Settings file with your rule script.
  4. The name of the Settings file that is associated with your rule script is shown next to the Settings button. Click Settings to view the contents of your settings file at any time.

You can click Delete Settings at any time to clear the Settings window. Importing a new script overwrites the existing one.

After you associate a settings (*.json) file with a rule script (*.ps1), it is always associated with that rule script wherever you use it. For example, if you associate a settings file with a rule script for an Application Rule and select the same rule script in an On-Demand Application Rule, the same settings file is used. Changes to the settings or rule script file in either location are applied wherever it's used.
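
A pre-import check for the two files described above, as an added example that is not part of the BeyondTrust documentation or product: it confirms that the rule script parses as PowerShell and that the settings file is valid JSON before you import them. The function name `Test-RuleScriptPackage`, its parameters, and the sample files are hypothetical.

```powershell
# Added example; function name, parameters and sample files are hypothetical.
function Test-RuleScriptPackage {
    param(
        [Parameter(Mandatory)] [string] $ScriptPath,
        [string] $SettingsPath
    )
    $findings = [System.Collections.Generic.List[string]]::new()
    $files = @($ScriptPath, $SettingsPath) | Where-Object { $_ }
    foreach ($f in $files) {
        if (-not (Test-Path -LiteralPath $f -PathType Leaf)) { $findings.Add("File not found: $f") }
    }
    if ($findings.Count -eq 0) {
        # The rule script must be a .ps1 file that parses without syntax errors.
        if ([System.IO.Path]::GetExtension($ScriptPath) -ne '.ps1') {
            $findings.Add("Rule script is not a .ps1 file: $ScriptPath")
        }
        $tokens = $null; $parseErrors = $null
        $full = (Resolve-Path -LiteralPath $ScriptPath).ProviderPath
        [void][System.Management.Automation.Language.Parser]::ParseFile($full, [ref]$tokens, [ref]$parseErrors)
        foreach ($e in $parseErrors) {
            $findings.Add("Script syntax error, line $($e.Extent.StartLineNumber): $($e.Message)")
        }
        # The optional settings file must be valid JSON.
        if ($SettingsPath) {
            try {
                $null = Get-Content -LiteralPath $SettingsPath -Raw | ConvertFrom-Json -ErrorAction Stop
            } catch {
                $findings.Add("Settings file is not valid JSON: $($_.Exception.Message)")
            }
        }
    }
    [pscustomobject]@{ Ok = ($findings.Count -eq 0); Findings = $findings.ToArray() }
}

# Constructed sample input: a valid script and a settings file missing its closing brace.
$dir = Join-Path ([System.IO.Path]::GetTempPath()) 'rule-script-check'
$null = New-Item -ItemType Directory -Path $dir -Force
$ps1 = Join-Path $dir 'Sample-Rule.ps1'
$json = Join-Path $dir 'Sample-Rule.json'
Set-Content -LiteralPath $ps1 -Value 'Write-Output "sample rule script"'
Set-Content -LiteralPath $json -Value '{ "Url": "https://pm.example.invalid", "Username": "svc-epm"'

# Returns an object with Ok (bool) and Findings (string[]); inspect both before importing.
Test-RuleScriptPackage -ScriptPath $ps1 -SettingsPath $json | Format-List
```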

Export a Rule Script

If you need to share the rule script, you can export it. You cannot export the settings file because it is linked to the rule script.

To export an existing rule script:

  1. From the Script Manager, click Export Script.
  2. Navigate to where you want to save the script to and click Save.

Delete a Rule Script

A rule script assigned to an Application Rule or an On-Demand Application Rule cannot be deleted.

To delete a rule script:

  1. From the Script Manager, select the rule script and click Delete Script.
  2. If the script is not used by an Application Rule or an On-Demand Application Rule, you are prompted to confirm the deletion.

A rule script is only assigned to an Application Group after you click Close on the Script Manager dialog box and click OK on the Edit Application Rule dialog box. Clicking Close on only the Script Manager does not associate a rule script with that Application Group.

Manage Audit Scripts

The Audit Script node contains all the audit scripts in your policy. If an audit script is assigned to the Application Rule you are currently editing, the icon displays a green tick on it.

If you previously imported audit scripts, they are listed on the Audit Script node on the left side of the Script Manager.

Click Import Script at the bottom of the Script Manager to import a script. Alternatively, you can create an audit script in the Policy Editor.

Create an Audit Script

You can create audit scripts using the Policy Editor.

To create an audit script:

  1. Click New in the Audit Scripts node in the Script Manager.
  2. You can choose the following options and enter your script directly into the Policy Editor.
    • Script Language: Choose from VB Script, Javascript, or PowerShell Script. Switching between languages clears all code in the script editor window.
    • Script Context: An audit script can run in the User or System context.
    • Timeout: The time that Endpoint Privilege Management for Windows waits from the start of script execution for the script to complete before activating the default rule options.
  3. Click Close to save the changes.

Import an Audit Script

Audit scripts can be imported in the Policy Editor.

To import an audit script:

  1. Copy the audit script (*.vbs, *.js, or *.ps1) file somewhere locally so you can locate it from the Policy Editor.
  2. Click either the Run a Rule Script or Run an Audit Script dropdown and click Manage Scripts.
  3. Select the Audit Scripts node and click Import Script at the bottom of the dialog box.
  4. Navigate to the audit script file and click Open.
  5. The script is loaded into the Script Manager.
  6. Edit the audit script here, if required.
  7. Click Close to save your changes.

Export an Audit Script

You can export an existing audit script if you need to share it.

To export an existing audit script:

  1. From the Script Manager, click Export Script.
  2. Navigate to where you want to save the script and click Save. The audit script is exported.

Delete an Audit Script

You can delete an audit script, even if it is assigned to an existing Application Rule.

To delete an audit script:

  1. From the Script Manager, select the audit script and click Delete Script.