Privilege elevation workflow

Privilege elevation workflow provides a way for a user to request access to commands that require elevated privileges when the user doesn't already have that access. After the user submits a request, one or more approvers can grant or deny access. If the request is granted, the user can then run privileged commands on the specified system for the specified time frame.

Here's the overall process for using the privilege elevation workflow:

  1. Enable privilege elevation workflow, either for a system or for all systems (global).

  2. A user requests access.

  3. The request goes through the access request process.

  4. If granted, the user has privileged command permissions on the affected system.

For information about privilege elevation in general, such as requirements, see Privilege elevation.

Enabling privilege elevation workflow

You can enable privilege elevation workflow for a system, for all systems, or both. If you enable it both for a system and for all systems, the service uses the approver list specified on the individual system.

Requesting privilege elevation access

You must have at least View and Agent Auth (login) access to a system in order to request privilege elevation access.

To request privilege elevation access from a Windows system

  1. Log in to the Windows system and try to run a privileged operation (for example, open a PowerShell window as Administrator).

    Windows User Account Control displays a message saying that you're not authorized to run with privilege and asks whether you want to submit a workflow request.

  2. Select the type of workflow request:

    • Temporary: You specify how long after the request is approved your access begins (in minutes) and how long you want your access to last (in minutes). You can also enter a relevant ticket number (if applicable).

    • Windowed: You specify a start and end date and time during which you want to have access. You can also enter a relevant ticket number (if applicable).

    • Permanent: You can also enter a relevant ticket number (if applicable).

    Click Yes to continue.

    The service forwards your request.

To request privilege elevation access from a Linux system

  1. Log in to the Linux system and try to run a privileged operation (for example, try to run sudo).

    The Linux system displays a message saying that you're not authorized to run with privilege and asks you if you want to submit a workflow request.

  2. Enter Y and press Enter to submit a workflow request.

  3. Enter a reason for the request and press Enter.

    You don't have to enter a reason, but it can be helpful to enter additional information (for example, a link to a ticketing system).

  4. If your organization requires a support ticket, enter it and press Enter.

    If not, just press Enter.

  5. Enter the number for the type of workflow request and then press Enter:

    • 1- Permanent: You can also enter a relevant ticket number (if applicable).

    • 2- Windowed: You specify a start and end date and time during which you want to have access. You can also enter a relevant ticket number (if applicable).

    • 3- Temporary: You specify how long after the request is approved your access begins (in minutes) and how long you want your access to last (in minutes). You can also enter a relevant ticket number (if applicable).

    The service forwards your request.

To request privilege elevation access on a Windows or Linux system from the Admin Portal

  1. In the Systems view of the Admin Portal, right-click the desired system and select Request Privilege Elevation.

    If you're in the system details page, go to the Action menu and select Request Privilege Elevation.

    The Request Privilege Elevation Permission dialog box displays.

  2. Enter a reason message. The text box has the following prompt message automatically started for you: "I need to run the requested commands with privilege because..."

  3. Select the type of workflow request:

    • Temporary: You specify how long after the request is approved your access begins (in minutes) and how long you want your access to last (in minutes). You can also enter a relevant ticket number (if applicable).

    • Windowed: You specify a start and end date and time during which you want to have access. You can also enter a relevant ticket number (if applicable).

    • Permanent: You can also enter a relevant ticket number (if applicable).

    Click Submit to continue.

    The service forwards your request.

The access request process

Here's what happens after you submit a request:

Privilege elevation permissions

If your request is approved, the Privilege Elevation tab lists your account. If you have temporary access, the page displays the start and end timestamps.

As with any other permission, an administrator may remove the permission assignment at any time.