Self-Elevate Rule

A self-elevate rule allows a user to elevate an item that usually requires administrative privileges to run. Self-elevation provides an option on the Windows Explorer context menu to run an item with elevated rights. The name of the menu item is customizable in the Configuration Settings, and you can decide whether a reason for elevation is a mandatory requirement, if selected, when a user attempts to elevate the specified item, a prompt displays to request the user enter a reason for the elevation.

App Control currently allows you to specify the folders that can be self-elevated.

Rule creation workflow steps:

  1. What Rule do you want to create?
  2. What do you want to self-elevate?
  3. When is the rule assigned?
  4. Summary and Save

Create an Elevate Rule

  1. On the What do you want to do? page, select I want to self-elevate.
  2. Click Next.
    The What do you want self-elevate? page appears.
  3. In Select a source, select the source of items: currently the only option is Folders.
  4. In the Folders section, you can either:
    • Enable for all folders: Select to enable the rule for all folders. Once selected the Path field is automatically populated with *.* and the use of regular expressions, and the inclusion of subfolders is selected.
    • Path: Enter a specific folder path to which the rule will apply.. You can select whether to use regular expressions and include subfolders for the path provided.
  5. Click Add.
    The specified folders are added to the Selected Items section.
  6. You can make the folder selection more granular by clicking the ellipsis icon icon next to the folder path, then select Edit.
    The Rule Item Settings panel appears. Complete the folder properties and metadata as required, and click Save.
  7. Click Next.
    The Self-elevate rule - When is this assigned? page appears.
  8. In Select a source, use the drop-down to select the source of the items, any selected or added sources will display in the Selected Items section. Select from:
    • AD Groups: The AD Display and Group names are listed, you can use the search and filter to refine the list. Alternatively, you can manually add a group, by clicking Add manually.
    • AD Users: Enter domain\username and click Add.
    • App Control Users: The username of users that App Control has recorded an event for. Select the required users.
    • Computer Groups: Enter the computer group, for example: CN=ComputerGroup. If you want to include nested groups select Search nested groups. Click Add.
    • Device Organizational Units: Enter the organizational unit, for example: OU=Corporation. If you want to include sub-OUs select Include sub-OUs. Click Add.
    • Devices: The Device and Host names of all Neurons discovered window devices are listed, you can use the search and filter to refine the list. Alternatively, you can manually add a device, by clicking Add manually.
    • IP Addresses: Enter the IP addresses and select whether you want to match regular expressions against IP addresses. Click Add.
      Example:
      • 192.168.0.1: select the client device with an IP of 192.168.0.1
      • 192.168.0.*: select the client devices with an IP of 192.168.0.<any>
      • 192.168.0.15-25: select all client devices within the IP range of 192.168.0.15 to 192.168.0.25
    • Alternatively, select Everyone to create the rule for the Everyone group, this includes any user that logs on to a device that has the configuration successfully deployed, with the exception of Administrators.
  9. Once you are finished with the Selected Items. Click Next.
    The Save Rule and Rule Summary page appears.
  10. Enter a Name for the rule, and provide an optional Description.
  11. In Categories, enter an optional category tag for the rule.
    You can add an existing category, or create a new one. The Categories assigned to a rule are visible in the Configuration Rules table.
    • To add: Click in Categories to display a drop-down list of existing categories, select the required categories.
    • To create: Click in Categories and type the new category tag, click out of the field to create and save the category.
  12. The default status for the rule is to be Active, if you do not want to make the rule active yet, toggle the Rule Status to off. The toggle is only visible if the rule is being created for Applications.
  13. Click Save to save the rule and return to the configuration, where you'll see the new rule listed in the Rules section.
    Alternatively click Save & Add another, to save the rule and return to the What do you want to do? page to create another rule for the configuration.
  14. When you have added all the rules to the configuration, click Save to save the configuration as draft. Or, click Save & Publish to save the version of the configuration.
    Once published, the configuration is available for assignment to a policy.