User Privilege Rules
In the User Privileges node for any rule, you can select the User Privilege Policies to be applied to files, folders, signatures, groups, and Windows Components when the rule is matched. You can configure self-elevation to allow a user to run an item with elevated user privileges. You can also use system controls to control the uninstallation or modification of selected applications, the management of specified services, and the clearing of event logs.
Select the User Privileges node for a rule and the work area includes four tabs - Applications, Components, Self-Elevation and System Controls.
In this section:
Click Add Item in the Privilege Management ribbon to add a file, folder, signature, or group to the Applications tab. The item is listed in the tab under the columns Item, Policy, and Description. To change the policy applied to the file, folder, or signature, double-click the item to access the edit dialog box. Select the policy to apply from the Policy drop-down list.
For more information on adding items, see Rule Items.
Because Management Console snap-ins and Control Panel Applets are not executables, they cannot be elevated using a single executable but instead must be elevated using command line matching. The User Privileges Management (UPM) components section provides easy shortcuts to configuring these items that are equivalent to an Add File UPM policy with specified arguments.
Command line arguments and spawning mechanisms will vary depending on the Operating system your individual users are using.
Control Panel components and Network Adapter features and functions are typically controlled by explorer.exe. Elevating explorer.exe to run in the context of a Local Administrator is not ideal as this can open up a range of security issues. To resolve this and enable the user to access the functionality under the context of an administrator without opening the entire explorer shell, User Privileges Management places the AppSense Control Panel components in the Windows Control Panel alongside existing components. These can now be controlled at an access level specific to the function, without changing any rights associated with explorer.exe.
Use the filter in the Select Components dialog to filter the supported components by operating system.
- Expand the applicable Group rule in the navigation pane and select the User Privileges node.
- Select the Components tab in the work area.
In the Privileges Management ribbon, select Add Item > Add Component.
The Select Components dialog displays.
- Select the components you want the user to run as an administrator, for example, Add and Remove Programs\Programs and Features.
The component is now listed in the Components tab.
- Do one of the following:
- To elevate the privileges for the selected component, select Builtin Elevate from the drop-down in the User Rights Policy column.
- To restrict the privileges for the selected component, select Builtin Restrict from the drop-down in the User Rights Policy column.
- Save the configuration.
Self-Elevation can be applied to signatures, files and folders items that would usually require administrative privileges to run and function. Self-Elevation provides an option from the Windows Explorer context menu to run an item with elevated rights. When a user attempts to elevate a specified item, a prompt can be configured to request that the user enters a reason for the elevation before it is applied.
For more information, see Self-Elevation.
System Controls are used to allow or prevent named services being stopped, event logs being cleared and specific applications being uninstalled or modified.
For more information, see System Controls.