Defining an application right manually

This section describes how to create an application right by manually typing or pasting information into several application right definition forms.

Note:   Alternatively, you can import information into application right definition forms from an executable file or from a running process that was launched by the executable file. See Using an installed application or running process to create application rights for more information.

To define an application right manually:

  1. Open the Access Manager console.
  2. Expand Zones and the parent zone or child zones until you see the zone where you want to define an application right.
  3. Expand Authorization > Windows Right Definitions.
  4. Select Applications, right-click, then click New Windows Application.
  5. On the General tab, type a name and a description for the application right, and specify a priority for the application right.
    For this / Do this

    Name

    Type the name you want to use for this application right.

    For example, if the right allows a user to run SQL Server Configuration Manager using the privileges associated with a security group, you might include the service account in the name. For example, you might use a name like SQL Config Manager.

    Description

    Type a description for this application right.

    The description is optional. You can use it to provide a more detailed explanation of the privileges associated with running the application.

    Priority

    Set the priority for this application right.

    If more than one application right is added to the same role definition, the priority value determines the application right to use when users assigned to that role open that application. The lower the value, the higher the priority. For example, a right with the priority of 1 takes precedence over a priority value of 2.

    If the application rights have the same priority value, the application right listed first under the role definition is used.

  6. Click the Match Criteria tab and use it to create or edit application definitions. Each application definition specifies one application or a group of applications. The set of application definitions displayed in the Match Criteria tab defines the set of applications that can be run by this application right.

    In the Match Criteria tab, click Add to create a new application definition.

    The Definition Settings dialog appears.

  7. In the upper portion of the Definition Settings dialog, provide this information about the application definition.
    For this / Do this

    Description

    Type a description for this application definition.

    For example, if the definition specifies one executable file (such as SQL Server Management Studio for Windows 2005), you might type Windows 2005 SQL Server Management Studio here. Or, if the definition specifies more general criteria so that multiple executable files (such as SQL Server Management Studio for all versions of Windows) can run, you might type a more general description such as SQL Server Management Studio.

    File Type

    Select the type of executable file for this definition. If you are constructing the definition so that it specifies multiple executable files, all of those files must be of the type that you specify here. Supported file types are:

    • .bat
    • .cmd
    • .com
    • .cpl
    • .exe
    • .msc
    • .msi
    • .msp
    • .ps1
    • .vbs
    • .wsf
  8. To specify executable files in this definition by typing or pasting the file name and location, select the Path option. Go to Step 9 and continue from there.

    Specifying files in this way is recommended only if you need to include a small number of files in the definition—typically just one or two.

    To specify a larger number of executable files in this definition, it is recommended that you select file parameters that are common to the set of files. Files that match the parameters are then included in the definition. To do this, go to Step 10 and continue from there.

  9. Perform this step to specify a small number of executable files in this definition. In this step, you type or paste information about the executable file name, location(s), and arguments. When you are done with this step, go to Step 11 and continue from there.
    For this / Do this

    Name

    Type the name of the application executable file. If this field is defined, you must also select a path option (standard system path or a specified path).

    For example, to specify the SQL Server Management Studio executable, type Ssms.exe.

    Standard system path

    Select Standard system path to use the directories where the user would normally find the application specified.

    For example, to use the application executable in its default directory, select Standard system path.

    Specify path

    Select Specify path if you want to define the location of the application specified. If you select this option, you can specify one or more paths, separated by a semicolon (;).

    Supported path variables are %systemroot%, %system32%, %syswow64%, %program files%, %winagentinstall%, and %program files(x86)% (note that a space between “program” and “files” is required).

    For example, to specify the location of the SQL Server Management Studio executable file in Windows 2008, type C:\Program Files (x86)\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE.

    Arguments

    If you selected a file type of .msc in Step 7, the Arguments option is required. The Arguments option is optional for all other file types.

    Select the Arguments option and leave the argument field blank to specify that the application cannot accept any arguments.

    To specify that the application can run using any argument, leave the Arguments option deselected. For example, if you specified the SQL Server Management Studio executable and left the Arguments option deselected, users can run SQL Server Management Studio with any option on a local computer with elevated privileges.

    If you want to restrict the arguments allowed, in the argument field type the list of arguments to allow. Each argument must be enclosed in quotation marks, and arguments are separated by a space. For example, to allow users to run the specified application using argument1, argument2, or argument3, you would specify the list of arguments like this:

    “argument1” “argument2” “argument3”

    By default, arguments that you specify do not need to be a case‑sensitive match, but do need to be an exact match (that is, no match is returned if the actual argument is only a partial match of the argument string that you specify). If arguments must be a case‑sensitive match for a particular application, select the Keep arguments case sensitive option. If arguments can be a partial match for a particular application, deselect the Match whole string only option.

  10. Perform this step to specify a larger number of executable files in this definition. In this step, you use the File details area to specify characteristics that are used to search for applications to include in this definition. All of the characteristics that you specify must be met in order for an application to be a match. For example, if you specify a product name of Microsoft SQL Server and a company name of Microsoft Corporation, all executable files that meet both of those criteria are included in this definition.

    Note:   This step describes how to manually fill in each field in the File details area. You can select any combination of these fields to specify the file characteristics for which to search. Alternatively, you can populate fields in the Definition Settings dialog by importing values from an installed executable file or from a running process. Filling in fields by importing is faster and more accurate than filling in fields manually one at a time. For details about filling in fields by importing, see Using an installed application or running process to create application rights.

    For this / Do this

    Product Name

    Select an operator (is or contains) from the drop-down list and in the provided field type the product name for which to search. If you select is, matches are returned for product names that exactly match the string that you type here. If you select contains, matches are returned for product names that contain the string that you type here anywhere in the product name.

    Company

    Select an operator (is or contains) from the drop-down list and in the provided field type a company name for which to search.

    File Description

    Select an operator (is or contains) from the drop-down list and in the provided field type a file description for which to search.

    Volume Serial #

    Select an operator (is, contains, starts with, or ends with) from the drop-down list and in the provided field type a serial number for which to search.

    The supported format is an 8-character hexadecimal string (for example, FFFFFFFF).

    This criterion is matched only if the executable file was from CD/DVD media.

    Publisher

    Select an operator (is, contains, starts with, or ends with) from the drop-down list and in the provided field type publisher information for which to search.

    For example, publisher information could look similar to:

    CN=Centrify Corporation, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Centrify Corporation, L=Sunnyvale

    Product Version

    Select an operator (equal, earlier or equal, or later or equal) from the drop-down list and in the provided field type product version information for which to search.

    For example, the product version could look similar to:

    3.1

    File Version

    Select an operator (equal, earlier or equal, or later or equal) from the drop-down list and in the provided field type file version information for which to search.

    For example, the file version could look similar to:

    3.1.2

    File Hash

    Select this option to match applications using the file hash of the application's executable file. The file hash is generated using the SHA-1 hash algorithm, which is FIPS‑compliant.

    You can click Import Process or Import File and select an application to populate the File Hash field with the hash to search for. Only applications whose hash string is exactly the same as the generated hash string are matched.

    To limit the CPU and memory used to calculate the file hash, file hash matching can only identify files that are smaller than 500MB. If the file is larger than 500MB, an empty value is returned for the file hash field, so it cannot be matched by hash.

    Owner

    In the provided field, type owner information for which to search. Matches are returned for owner information that exactly matches the string that you type here.

    Owner information can be:

    • AD user/group/builtin (SID)
    • local user (user name)
    • local group (group name)

    For example, the owner could look similar to:

    • NT AUTHORITY\SYSTEM
    • DEMO\Ed.Admin (this is an AD user account)
    • Amy Adams (this is a local user account)
  11. Optionally select the Application requires administrative user option to specify that applications in this definition run only if RequestedExecutionLevel is set to requireAdministrator in the application manifest. If you select this option, the applications in this definition run only for administrators and require that the applications be launched with the full access token of an administrator. This option applies only to .exe files.
  12. Click OK to save the definition. You are returned to the Match Criteria tab, and the new or modified definition appears in the Match Criteria list of definitions.
  13. Click the Run As tab and select the account that has the privileges you want to enable for this application right.

    You can browse for and select a specific user account, or have the application run using the logged-in user’s account credentials but with the elevated privileges of a specified group. Click Add AD Groups or Add Built-in Groups to search for and select a previously‑defined or Built-in group with the privileges you want to add to the logged-in user’s account.

    In most cases, you select a specific user account only if the application should run as a service account. However, some applications require a specific privileged user account to be used. For example, Microsoft System Center Operations Manager (SCOM) and Exchange require a user account. If you are defining an application right for an application that requires a privileged user account rather than membership in a privileged group, you should create a service account and use that account for the run-as account.

    Select Re-authenticate current user if you want to prevent the application right and its privileges from being used by anyone not authorized to do so. Selecting this option also allows you to enable multi-factor authentication for the right. For more information see Enabling multi-factor authentication for Windows rights.

    If you select this option, users are prompted to re-enter their password to verify their identity before they are allowed to select a role for running a local application. Forcing users to re‑authenticate ensures the privileges associated with the application right are only granted to users who have been assigned those privileges.

    If you select this option for users who are authenticated using a smart card, users must enter a personal identification number (PIN) or a password to resume working with the application.

  14. Click OK to save the application right.
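The matching rules that Steps 9 and 10 describe, as an added example that is not part of the Centrify product or this documentation: a small Python model of how a definition's Arguments and File details criteria are evaluated against a candidate executable, useful for checking what a definition would and would not allow before you save it. The field keys, operator strings and the sample SSMS metadata are assumptions of this model, and the reading of "partial match" for arguments is stated in the code.

```python
import hashlib
HASH_LIMIT = 500 * 1024 * 1024  # files over this size get an empty hash value (File Hash)
TEXT_FIELDS = {"product_name", "company", "file_description", "publisher", "volume_serial"}

def text_matches(op, expected, actual):
    """Operators offered for the text fields in the File details area."""
    return {"is": actual == expected, "contains": expected in actual,
            "starts with": actual.startswith(expected),
            "ends with": actual.endswith(expected)}[op]

def version_matches(op, expected, actual):
    """Product Version / File Version operators, compared component-wise."""
    e = tuple(int(p) for p in expected.split("."))
    a = tuple(int(p) for p in actual.split("."))
    return {"equal": a == e, "earlier or equal": a <= e, "later or equal": a >= e}[op]

def file_hash(data):
    """SHA-1 hex digest of the file contents; empty for files over the 500MB limit."""
    return "" if len(data) > HASH_LIMIT else hashlib.sha1(data).hexdigest()

def args_allowed(allowed, actual_args, case_sensitive=False, whole_string=True):
    """Step 9 Arguments rules: None = option deselected (any argument runs); [] =
    option selected but blank (no argument may be passed). Partial match (Match
    whole string only deselected) is assumed to mean allowed text inside the arg."""
    if allowed is None:
        return True
    norm = (lambda s: s) if case_sensitive else str.lower
    same = (lambda a, x: a == x) if whole_string else (lambda a, x: x in a)
    return all(any(same(norm(a), norm(x)) for x in allowed) for a in actual_args)

def details_match(criteria, app):
    """Step 10 File details: every criterion that is specified must hold."""
    for key, (op, expected) in criteria.items():
        if key == "file_hash":
            if file_hash(app["data"]) != expected:
                return False
        elif key in TEXT_FIELDS:
            if not text_matches(op, expected, app[key]):
                return False
        elif not version_matches(op, expected, app[key]):
            return False
    return True

# Constructed sample metadata for a candidate executable (not from a real binary).
SSMS = {"product_name": "Microsoft SQL Server", "company": "Microsoft Corporation",
        "product_version": "10.50.1600", "data": b"constructed executable bytes"}
CRITERIA = {"product_name": ("is", "Microsoft SQL Server"),
            "company": ("contains", "Microsoft"), "product_version": ("later or equal", "10.0")}
if __name__ == "__main__":
    print(details_match(CRITERIA, SSMS), args_allowed(["-E", "-S"], ["-e"]), args_allowed([], ["-S"]))
```

Because every File details criterion is combined with AND, adding a criterion can only narrow the set of executables the right applies to; a hash criterion on a file over 500MB never matches because the computed value is empty.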