Elevate Rule

An elevate rule grants administrative permissions to allow an item to be run with elevated user privileges. Privilege management allows non-administrative standard users access to applications and components that they need to perform their role.

Rule creation workflow:

  1. What rule do you want to create?
  2. What items do you want to elevate ?
  3. When is the rule to be applied?
  4. Summary and Save

Create an Elevate Rule

  1. On the What do you want to do? page, select I want to elevate.
  2. Click Next.
    The What do you want to elevate? page appears.
  3. Select the type of item you want to elevate, select from:
    • Application: Select to add application files to the elevate rule.
    • Component: Select to add components, such as Management Console Snapin's and Control Panel applets, to the elevate rule.
  4. Click Next.
    The What do you want to elevate? page appears.
  5. In Select a source, use the drop-down to select the source of the items. Select from:
    • Windows Elevated/Ran as admin (only applicable when creating a rule for an Application): This populates the Source Items section with a list of all items that App Control has logged as being elevated, or run as an administrator.
    • App Templates (only applicable when creating a rule or an Application): This populates the Source Items sections with a list of all App Templates that have been created in App Control.
    • Alternatively, select Add file manually to display the Rule Item Settings panel, here you can specify which file you want to create the allow rule for.
    • Components (only applicable when creating a rule for a Component): This populates the Source Items section with a list of all components.
  6. Select the required items. On selection each item is added to the Selected Items section.
    You can edit the item settings: Properties and Metadata by clicking the ellipsis icon to open the Rule Item Settings panel.
  7. Click Next.
    The Elevate Rule - When is this assigned? page appears.
  8. In Select a source, use the drop-down to select the source of the items, any selected or added sources will display in the Selected Items section. Select from:
    • AD Groups: The AD Display and Group names are listed, you can use the search and filter to refine the list. Alternatively, you can manually add a group, by clicking Add manually.
    • AD Users: Enter domain\username and click Add.
    • App Control Users: The username of users that App Control has recorded an event for.
    • Computer Groups: Enter the computer group, for example: CN=ComputerGroup. If you want to include nested groups select Search nested groups. Click Add.
    • Device Organizational Units: Enter the organizational unit, for example: OU=Corporation. If you want to include sub-OUs select Include sub-OUs. Click Add.
    • Devices: The Device and Host names of all Neurons discovered window devices are listed, you can use the search and filter to refine the list. Alternatively, you can manually add a device, by clicking Add manually.
    • IP Addresses: Enter the IP addresses and select whether you want to match regular expressions against IP addresses. Click Add.
      Example:
      • 192.168.0.1: select the client device with an IP of 192.168.0.1
      • 192.168.0.*: select the client devices with an IP of 192.168.0.<any>
      • 192.168.0.15-25: select all client devices within the IP range of 192.168.0.15 to 192.168.0.25
    • Alternatively, select Everyone to create the rule for the Everyone group, this includes any user that logs on to a device that has the configuration successfully deployed, with the exception of Administrators.
  9. Once you are finished with the Selected Items. Click Next.
    The Save Rule and Rule Summary page appears.
  10. Enter a Name for the rule, and provide an optional description.
  11. The default status for the rule is to be Active, if you do not want to make the rule active yet, toggle the Rule Status to off. The toggle is only visible if the rule is being created for Applications.
  12. Click Save to save the rule and return to the configuration, where you'll see the new rule listed in the Rules section.
    Alternatively click Save & Add another, to save the rule and return to the What do you want to do? page to create another rule for the configuration.
  13. When you have added all the rules to the configuration, click Save to save the configuration as draft. Or, click Save & Publish to save the version of the configuration.
    Once published, the configuration is available for assignment to a policy.