Install the Privilege Management ePO Extension

The Privilege Management ePO Extension:

  • Allows you to use Trellix ePolicy Orchestrator to manage your endpoints.
  • Is delivered as a ZIP file installer that includes the build number in its name.

Requirements

For more information, please see Privilege Management ePO Extension 22.7 Release Notes.

Install the Extension

To install the Privilege Management ePO Extension:

  1. Log in to Trellix ePolicy Orchestrator and navigate to Menu > Software > Extensions.

 

  2. Click Install Extension in the top-left corner. The Install Extension dialog box appears.
  3. Enter or browse to the location of the Privilege Management server extension package Defendpoint_x_x_x_xx.zip and click OK.
  4. On the Install Extension summary screen, click OK in the bottom-right corner to proceed with the installation.

The BeyondTrust Privilege Management ePO Extension is now installed on your ePO server.

Configure ePO User Permission Sets

There are four permission sets in ePO by default. You can view these at Menu > User Management > Permission Sets, on the left menu. Installing the Privilege Management ePO Extension grants some Privilege Management permissions to the following default ePO permission sets:

  • Executive Reviewer: Privilege Management Policy Permission: View and Change Settings

    This enables the user to access the policy catalog, but not to view or change the policy. The user requires Run permission for BeyondTrust Privilege Management under BeyondTrust Privilege Management to view policy.

  • Global Reviewer: Privilege Management Policy Permission: View Settings

    This enables the user to access the policy catalog, but not to view or change the policy. The user requires Run permission for BeyondTrust Privilege Management under BeyondTrust Privilege Management to view policy.

  • Group Admin: No Privilege Management permissions.
  • Group Reviewer: No Privilege Management permissions.

Users need to be members of the permission sets required for Privilege Management. Please refer to Trellix documentation for how to add users to permission sets.

Alternatively, you can create your own permission sets in ePO by selecting New Permission Set. After this is selected, you can name the permission set and assign users. Once you click Save, you can apply permissions.

If a user needs to view or change BeyondTrust policies, they require the Run permission for BeyondTrust Privilege Management permission under BeyondTrust Privilege Management and the View settings or View and change settings permission under BeyondTrust Privilege Management Policy.

Assign Privilege Management Permissions

Permissions that can be configured for each Privilege Management permission set are:

  • Privilege Management
  • Privilege Management Policy
  • Policy Assignment Rule
  • Policy Management

Configure Permissions

To configure user permissions for Privilege Management in the ePO Server:

  1. In Trellix ePolicy Orchestrator, navigate to Menu > User Management > Permission Sets.

  2. Select the permission set that you want to configure.

 

Privilege Management

  1. Locate BeyondTrust Privilege Management and click Edit.
  2. Select a permission:
    • Run permission for BeyondTrust Privilege Management: Users can manage Privilege Management only.
    • Run permission for BeyondTrust Response Generator: Users can manage the Privilege Management ePO Response Generator only.
    • Run permissions for BeyondTrust Privilege Management and for Response Generator: Users can manage both.
    • No permissions: Users cannot manage either component.
  3. Click Save.

Privilege Management Policy

  1. Locate BeyondTrust Privilege Management Policy and click Edit.
  2. Select a permission:
    • View and change task settings: Users can edit policy and Workstyles.
    • View settings: Users can read but not edit policy and Workstyles.
    • No permissions: Users cannot read or edit policy and Workstyles.
  3. Click Save.

Policy Assignment Rule

  1. Locate Policy Assignment Rule in the list and click Edit.
  2. Select a permission:
    • View and Edit Rules: Users can manage policy rules.
    • View Rules: Users can view but not manage policy rules.
    • No permissions: Users cannot view or manage policy rules.
  3. Click Save.

Policy Management

Add users who can make policy changes independently, including approving or rejecting policy change requests.

  1. Locate Policy Management in the list and click Edit.
  2. Select one of the following:
    • No Permission - Users with this permission must submit policy changes for approval.
    • Approver Permission - Users with this permission can make policy changes independently. This includes the ability to approve or reject policy change requests.
  3. Click Save.
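
The following access review is an added example, not BeyondTrust or Trellix code. It applies the rules stated above (viewing or changing policy needs both the Run permission and a Privilege Management Policy permission; Approver can change policy independently) to a constructed set of permission sets and users. The data layout, the set and user names, and the assumption that a user's permission sets combine as a union are illustrative and not an ePO export format.

```python
# Constructed sample data; field names are hypothetical, not an ePO schema.
# "run" lists Run permissions, "policy" the Privilege Management Policy level,
# "approver" the Policy Management Approver permission.
PERMISSION_SETS = {
    "Executive Reviewer": {"run": set(), "policy": "view_and_change", "approver": False},
    "Global Reviewer": {"run": set(), "policy": "view", "approver": False},
    "PM Policy Editors": {"run": {"privilege_management"},
                          "policy": "view_and_change", "approver": False},
    "PM Approvers": {"run": {"privilege_management", "response_generator"},
                     "policy": "view", "approver": True},
}
USERS = {
    "alice": ["Executive Reviewer"],
    "bob": ["PM Policy Editors"],
    "carol": ["PM Policy Editors", "PM Approvers"],
    "dave": ["Global Reviewer", "PM Approvers"],
}
POLICY_RANK = {"none": 0, "view": 1, "view_and_change": 2}

def effective_access(user):
    """Combine every permission set the user belongs to (assumed to be a union)."""
    run, level, approver = set(), 0, False
    for name in USERS[user]:
        ps = PERMISSION_SETS[name]
        run |= ps["run"]
        level = max(level, POLICY_RANK[ps["policy"]])
        approver = approver or ps["approver"]
    has_run = "privilege_management" in run
    return {"has_run": has_run, "policy_level": level,
            "can_view_policy": has_run and level >= 1,
            "can_edit_policy": has_run and level >= 2,
            "approver": approver}

def review(user):
    """Return least-privilege findings for one user."""
    acc = effective_access(user)
    findings = []
    if acc["policy_level"] > 0 and not acc["has_run"]:
        findings.append("policy permission without Run permission: cannot view policy")
    if acc["can_edit_policy"] and acc["approver"]:
        findings.append("can edit policy and holds Approver: changes need no second reviewer")
    return findings

if __name__ == "__main__":
    for user in USERS:
        print(user, review(user))
```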

Configure Additional Permissions

As an admin, you may also want to consider granting other user permissions so that users can:

  • Modify deployment of the Privilege Management endpoint client
  • Access the System Tree tab
  • Edit the groups and systems within the System Tree
  • Wake and deploy agents
  • Assign policies or client tasks to a group
  • Create client tasks with the software or with the Software Catalog

To edit the permissions, navigate to Menu > User Management > Permission Sets and select the appropriate permission set. Alternatively, create a permission set by clicking the New Permission Set button. A list of settings you can edit appears in the right panel. Click Edit on the appropriate setting to edit it. Once finished, click Save.

Trellix Agent: Policy and Trellix Agent: Tasks

A user may need Trellix Agent permissions if they need to view or change client deployment tasks of Privilege Management for Windows or Privilege Management for Mac.

 

Systems

A user may need the Systems permission so they can access the System Tree tab, wake up agents, edit the groups and systems in the System Tree, and deploy agents.

 

System Tree

A user may need the System Tree access permission if they need access to certain groups (assigning policies or client tasks to a group, for example).

 

Software and Software Catalog

A user may need the Software and Software Catalog permissions if they need to create client tasks with software.

 
