How PEM Works

For Admins

With PEM, you will manage users’ privileged access to executables and processes via policies within the PEM server interface.

Image

Policies enable you to fine-tune exactly which processes users may elevate on an endpoint (i.e. run a process as administrator). You can set a policy as either Allow or Deny, and define each policy by one or more attribute (filepath, signer, hash)

Image

You can create policies one at a time manually, or use Learning Mode to automatically create 'Allow' polices based on user activity.

Image

You may want to explicitly deny a process, such as blocking a single version of an allowed elevation. You may do this by creating a 'Deny' policy specifying the executable's hash. A 'Deny' policy will take precedence.

Image

Policies are applied to groups of users at the AD security user group level.

Image

Individual end users will have an effective policy set based on their AD security group membership.

Image

After policy creation and hardening, members of groups will only be able to elevate processes defined by an 'Allow' policy for their group. Anything not defined by a policy will be denied by default.

Image

Once satisfied with the policy set for a particular group of users, manage requests for additional policies through your internal processes.

Image

You can add, review, edit, and delete policies anytime.

Image

You can review elevations attempted via PEM in the “Elevations” page.

Image




For End-Users

After installing PEM, users will access executables and processes they wish to run as administrator by right-clicking an application icon and choosing the option Run as Administrator using PEM

Image

If a user is permitted to perform the process, their own credentials will temporarily serve as “Administrator Credentials”. Users enter their own credentials when prompted.

Image

If a user is not permitted to perform a process, they will need to request access for a change in policy. If granted, they may attempt the process again.

Image