Manage Privilege Management Rule Scripts

Rule scripts are PowerShell scripts that can dynamically change the Privilege Management for Windows default rule.

Rule scripts must be created outside of the Privilege Management Policy Editor and imported. You cannot create a new rule script using the Script Manager.

Rule scripts can be assigned to an Application Rule.

You can perform the following functions on this page:

  • Import a New Rule Script
  • Edit a Rule Script
  • Delete a Rule Script
  • Import a Settings File
  • Edit your Settings File
  • Delete the Settings File

For more information, please see Create On-Demand Application Rules.

Import a New Rule Script

To add a new rule script:

  1. Navigate to the Policy Catalog and select a policy.
  2. Existing rule scripts are listed in the middle pane. You can use the filter to search for rule scripts. Click Import New Script to import a new rule script.
  3. A rule script must be a PowerShell script. Click Choose File to navigate to the PowerShell script you want to use.
  4. Select the PowerShell script and click Open and OK to import the PowerShell file.
  5. Click OK to acknowledge the imported rule script. The rule script you've just imported is shown in the list on the left. If you select the rule script, the contents of the PowerShell file are shown on the right.

You should not edit BeyondTrust-supported integrations, as this may affect the level of support we are able to provide.

Each rule script can have an optional associated Settings file, which must be in a valid *.json format. Settings files are encrypted at the endpoint. They are useful for managing credentials required for integrations and other sensitive information.

Edit a Rule Script

You can edit a rule script or change its timeout settings, provided that it is not signed. Signed rule scripts cannot be edited in the Policy Editor, but you can still change their timeout settings.

To edit a rule script or change the timeout settings:

  1. Select the rule script you want to edit from the left side.
  2. Click Edit Script on the bottom.
  3. Make the required changes and click OK.

Delete a Rule Script

Rule scripts can be deleted even if they are assigned to a Workstyle. In this instance, you are prompted to confirm that you want to remove the association with the Workstyle. To determine if a rule script is assigned to an Application Rule in a Workstyle, select it from the list. If the rule script is assigned to an Application Rule in a Workstyle, this is indicated under the Timeout dropdown.

To delete a rule script:

  1. Select the rule script from the list on the left.
  2. Whether or not the rule script is assigned to an Application Group in a Workstyle is indicated under the Timeout setting dropdown. Click Delete Script. You are prompted to confirm the deletion. If the rule script is assigned to a Workstyle, you are told this and again prompted whether you wish to continue.
  3. Click OK to delete the rule script or Cancel to leave it in place.

Import a Settings File

Once you have added a rule script (*.ps1), you can optionally add an associated settings file (*.json) if one is required for the integration. The settings file contains any information that is specific to your integration environment, such as URLs, usernames, and passwords. The settings file is encrypted on the endpoint using SHA1.

To import a settings file (*.json) and associate it with a rule script:

  1. Click Import Settings and then Choose file to navigate to the settings file.
  2. Select the settings file, click Open, and then OK to import it.

Once you have associated a settings (*.json) file with a rule script (*.ps1), it is always associated with that rule script wherever you use it. For example, if you associate a settings file with a rule script for an Application Rule and select the same rule script in an On-Demand Application Rule, the same settings file is used. Changes made to the settings or rule script file in either location are applied wherever it's used.
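
A pre-import check for the rule script and settings file described in the import sections above, as an added example that is not BeyondTrust code: it confirms the script is a parseable *.ps1, reports its Authenticode signature state (signed scripts cannot be edited in the Policy Editor), and confirms the settings file is valid JSON. The function name Test-RuleScriptPackage and the sample file names are hypothetical.

```powershell
# Added example. Test-RuleScriptPackage is a hypothetical helper, not a BeyondTrust cmdlet.
function Test-RuleScriptPackage {
    param([Parameter(Mandatory)][string]$ScriptPath, [string]$SettingsPath)
    $findings = [System.Collections.Generic.List[string]]::new()
    $fullPath = (Resolve-Path -LiteralPath $ScriptPath).Path

    # The rule script must be a PowerShell file, and it should parse cleanly.
    if ([IO.Path]::GetExtension($fullPath) -ne '.ps1') {
        $findings.Add("Not a .ps1 file: $fullPath")
    }
    $tokens = $null; $parseErrors = $null
    [void][System.Management.Automation.Language.Parser]::ParseFile(
        $fullPath, [ref]$tokens, [ref]$parseErrors)
    foreach ($e in $parseErrors) {
        $findings.Add("Parse error, line $($e.Extent.StartLineNumber): $($e.Message)")
    }

    # Signed scripts cannot be edited in the Policy Editor, so record the
    # signature state and flag a signature that is present but not valid.
    $status = [string](Get-AuthenticodeSignature -FilePath $fullPath).Status
    if ($status -notin 'Valid', 'NotSigned') {
        $findings.Add("Signature status is $status")
    }

    # The optional settings file must be valid JSON.
    if ($SettingsPath) {
        try {
            Get-Content -LiteralPath $SettingsPath -Raw |
                ConvertFrom-Json -ErrorAction Stop | Out-Null
        } catch {
            $findings.Add("Settings file is not valid JSON: $($_.Exception.Message)")
        }
    }

    [pscustomobject]@{
        Sha256          = (Get-FileHash -LiteralPath $fullPath -Algorithm SHA256).Hash
        SignatureStatus = $status
        Findings        = $findings
        ReadyToImport   = ($findings.Count -eq 0)
    }
}

# Constructed sample input: a one-line rule script and a settings file missing its closing brace.
$ps1  = Join-Path $env:TEMP 'sample-rule.ps1'
$json = Join-Path $env:TEMP 'sample-rule.json'
Set-Content -LiteralPath $ps1  -Value 'Write-Output "constructed sample"'
Set-Content -LiteralPath $json -Value '{ "url": "https://example.invalid"'
Test-RuleScriptPackage -ScriptPath $ps1 -SettingsPath $json | Format-List
```

Recording the SHA-256 value at review time lets you confirm later that the file imported into the Policy Editor is the one that was checked.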

Edit a Settings File

You can edit the settings file before you import it into the Policy Editor or you can edit it once you have imported it.

To edit it in the Policy Editor:

  1. Select a rule script that has an associated settings file.
  2. Click Edit Settings. Make any required changes and click OK. The OK button is not enabled until you have changed the settings file.

Delete a Settings File

To delete an existing settings file:

  1. Select a rule script that has an associated settings file.
  2. Click Delete Settings. You are prompted to delete the settings file. Click OK to proceed or Cancel to leave the settings file in place.