Safeguard Privilege Manager for Windows 4.4 - Administrator Guide

Customizing self-service request email messages

The approval and denial email messages that are sent as a response to the user's Self-Service Elevation request can be customized.

The default Approval message says the following:

MESSAGE_NAME:ApprovedRequest

MESSAGE:

Your request to run the following application with elevated privileges has been "approved".

Request Date: <ExecutionDate>

Requested Application:

<ProductName>

<Path>

<Arguments>

Reason for request: <Reason>

This new privilege should be available on your computer once Windows has refreshed its domain security policies.

The default Denial message says the following:

MESSAGE_NAME:NotApprovedRequest

MESSAGE:

Your request to run the following application with elevated privileges has "not" been approved.

<ProductName>

<Path>

Please contact your administrator for more details.

These messages can be customized by opening the MessageTemplates.cfg file in the Privilege \Console folder.

Each message in the CFG file starts with ======StartOfMessage========= and ends with ======EndOfMessage============.

The text between these delimiters can be customized to your liking.

Text delimited with angle brackets "< >" are variables that are replaced with data at runtime.

The following variables may be used in the Approval message:

• ExecutionDate
• ProductName
• Path
• Arguments
• Reason

The following variables may be used in the Denial message:

• ProductName
• Path

Using self-service notifications

If you would like to receive an email when a user on a client computer submits a Self-Service Elevation Request Form, you can set up a Self-Service Notification. You can configure it to go to multiple recipients, including you, your manager, and/or the help desk. In addition, you can set the subject line to meet the requirements of your help desk.

To set up Self-Service Notifications:

1. Configure the Server.

   1. Use the Privilege Manager Server Setup Wizard to configure the Server Email Notification Configuration settings on the first screen of the wizard.
   2. If you previously completed the wizard, the remaining screens are automatically populated.
   3. Refer to the Privilege Manager for Windows Quick Start Guide for step-by-step instructions.

2. Configure the recipient.

   1. Use the Settings tab on the Self-Service Elevation Request Settings Wizard to configure the Email Notification Settings.
   2. For more information on the wizard, see Using the Self-Service Elevation Request Settings Wizard.
   3. For more information on setting up Email Notification Settings, see Send an email notification to the administrator whenever a user submits a Self-Service Elevation Request

3. Check your email for the Self-Service Notification, containing information on the user, the request, and the client’s computer.
4. Accept or reject the user's request Using the Self-Service Elevation Request Processing Wizard.
5. Inform the end user of your decision Using the Console Email Configuration screen.

Using the Self-Service Elevation Request Processing Wizard

Shortly after a user on a client computer has submitted a Self-Service Elevation Request Form, you can view and/or process it within the Self-Service Elevation Requests section of the Console (provided that your environment is properly configured according to the Maximum Sleep Time setting).

You can only view data stored in the database of the server that is selected in the Server configuration (under Setup Tasks > Configure a Server).

When processing a Self-Service Elevation request, you can either create a rule to elevate privileges for the process or deny the request. You can then email your decision to the user using the Console Email Configuration screen.

To view or process Self-Service Elevation requests:

1. Open the Self-Service Elevation Requests section from the navigation pane of the Console. The requests apper in the window on the right.

2. Click the Display requests button to list the Self-Service Elevation requests submitted by users, based on the default filter settings shown in the Applied Filters section at the top of the screen.

3. Select a request in the Self-Service Elevation Requests grid below. Use the grid's column headers to sort the requests.

4. Use the Applied Filters wizard to modify the list. You can create multiple shared filter sets and save settings that other administrators can use. For more information, see Using the Applied Filters Wizard.
5. Select a record and then click Process request to open the Self-Service Elevation Request Processing Wizard.

6. On the first tab of the wizard, view the details for a process that failed to start, and the reason for requesting Elevation privileges. Click Next.

7. Indicate whether you want to create a rule to elevate the privileges for this process, or deny the request.

   1. If you approve the request, the Create Rule wizard appears, allowing you to create a rule for the requested process. By default, the rule is created for a specific user at a specific computer, and the Administrators group (stored within the BUILTIN\Administrators Active Directory OU) is added to the rule. Use the Validation Logic tab to modify this setting.
   2. When a request is processed and a rule is created for it (or it has been denied), the Processed Action column displays a rule created or ignored value.
   3. To view ignored requests or requests for which the rules were created, change the Process Date of Item filter on the Applied Filters Wizard from None: Item has not been processed to the corresponding Date Range.

8. Select whether or not to email your decision to the user. This feature requires that you set up the Console Email Configuration settings.

9. Click Finish to save.

   The rule created from the request is added to the selected GPO with a default name.

10. Select Export to export the list of requests presented on the grid. The list will be saved as an .xls file.

After the rule has been created:

• The rule is added to the target GPO of the Group Policy Settings section.
• The rule applies after the GPO settings are updated on the client computer.

Using the Console Email Configuration screen

If you want Privilege Manager to send an email message to the user after approving or denying their Self-Service Elevation request, you can configure the settings using the Console Email Configuration screen found under Setup Tasks.

To configure the Server to send your Self-Service Elevation request approval or refusal:

1. Select Console Email Configuration from the Setup Tasks section.

2. Configure the following fields:

   1. Host Name: Enter the SMTP Server name of the email account from which you are going to send your emails.
   2. SMTP Port: Enter the port number.
   3. SMTP User Name and Password: If necessary, enter the authentication information and check the SSL check box.
   4. From Email: Enter the corresponding email.

3. Click Send Test Email to send an email to the account specified in the From Email field.

   1. If Privilege Manager succeeds in sending the email, the corresponding message appears.
   2. Log into an email program with the corresponding account and locate the sent email folder, with Privilege Manager Test Email in the subject.
4. Click OK to save the settings and quit.