List of Default Actions
This topic describes the out-of-the-box actions that are available in Privilege Manager and can be used to make your policy configuration process easy.
Actions Catalog
Here is the complete list of Actions that come with Privilege Manager out-of-the-box, according to OS and category type:
macOS
| Type | Action | Description |
|---|---|---|
| Adjust Effective Process Rights Action | Run as Root | Adjust the process rights of the application to run as the root user (macOS) |
| ~~Allow Copy Action~~ | Allow Copy to Applications Directory | Note: This action is deprecated and can only be used with macOS agents versions prior to 11.2. This action is used by policies that allow users to copy applications to the root Applications directory as standard users using Privilege Manager.app. |
| Allow Package Installation | This action is used by policies that allow users to run the package installer elevated. | |
| AuthorizationDB Right Action | Activity Monitor Kill Authorization Right (com.apple.activitymonitor.kill) | This action grants the com.apple.activitymonitor.kill right in the authorizationdb for the duration of an applicable process. |
| Bless Helper Authorization Right (com.apple.ServiceManagement.blesshelper) | This action grants the com.apple.ServiceManagement.blesshelper right in the authorizationdb for the duration of an applicable process. | |
| Install Apple Software Authorization Right (system.install.apple-software) | This action grants the system.install.apple-software right in the authorizationdb for the duration of an applicable process. | |
| Modify System Keychain Authorization Right (system.keychain.modify) | This action grants the system.keychain.modify right in the authorizationdb for the duration of an applicable process. | |
| Xcode FLE Authorization Right (com.apple.dt.Xcode.LicenseAgreementXPCServiceRights) | This action grants the com.apple.dt.Xcode.LicenseAgreementXPCServiceRights right in the authorizationdb for the duration of an applicable process. | |
| CLI Justification Message (Application Action) | Command Line Justification Message | Justification message to execute before allowing the process to continue. |
| Display Advanced Message Action | Application Approval Request (with Offline Fallback) Message Action | Application Approval Request Message Action for macOS. |
| Application Approval Request (with ServiceNow Request Item Number) Message Action | This action will display an approval request form for ServiceNow integrations for approval before allowing application to run on macOS endpoints. | |
| Application Approval Request Message Action | Application Approval Request Message Action for macOS. | |
| Application Denied Message Action | This action will display a modal denial notification message to the user and prevent application execution on macOS. | |
| Application Justification Message Action | Application Justification Message Action for macOS. | |
| Application Warning Message Action | Application Warning Message Action for macOS. | |
| Just in Time Group Membership Action | Just in Time Group Membership Action | This action will add a user to a specified group for a specified time. |
| Display User Message Action | Deny Execute Message | This action displays a message to the user informing them that an application has been denied execution |
| Deny Execute Action | Deny Execute | This action stops specified applications from executing |
| Quarantine File Action | File Quarantine | This action can be used to quarantine a file by moving it to the default agent quarantine path |
Windows
| Type | Action | Description |
|---|---|---|
| Adjust Process Rights Action | Add Administrative Rights | This action adds basic administrative rights needed to install and run specified applications |
| Add Administrator Rights – Unrestricted | This action adds administrative rights at a higher integrity level for specified applications. Usually you will only need to use this type of action if an application or installer needs to create a global object, such as a service, or if system changes require unrestricted administrator rights | |
| Remove Administrator Rights | This action removes administrative rights for specified applications | |
| Remove Advanced Privileges Action | This action removes advanced privileges for specified applications from the process token | |
| Application Verifier Action | Application Compatibility Testing | This action triggers application compatibility testing while the process runs and sends the results to the server |
| Apply SVS Layer Action | Workspace Virtualization Global Layer | This action places specified applications in a common Workspace Virtualization global layer |
| Workspace Virtualization Isolation Layer | This action places specified applications in a common Workspace Virtualization isolation layer | |
| Create Children Processes as User | De-elevate Child Processes | Ensures that all child processes are created without administrator rights. Forces all new processes created by the targeted application to be launched by a de-elevated token. |
| Deny Execute Action | Deny Execute | This action stops specified applications from executing |
| Deny File Access Action | Deny Read/Write Access to Microsoft Office Document Files | This action can be used to deny read and write access to Microsoft Office documents |
| Deny Write Access to Executable Files | This action can be used to deny write access to common executable files | |
| Deny Windows Hooking Action | Deny Windows Hooking | This action limits specified applications from interacting in malicious ways with other applications |
| Display Advanced (Xaml) Windows Message | Application Denied Message Action | This action will display a modal denial notification message to the user and prevent application execution on Windows |
| Application Denied Notification Action | This action will display a notification to the user that the process has been denied by a policy. The notification window will fade in and out and automatically close after a period of time | |
| Application Warning Message Action | Application Warning Message Action for Windows. | |
| Approval Request (with Offline Fallback) Form Action | This action will display an approval request form for approval before allowing application to run. | |
| Approval Request (with ServiceNow Request Item Number) Form Action | This action will display an approval request form for ServiceNow integrations for approval before allowing application to run. | |
| Approval Request Form Action | This action will display an approval request form for approval before allowing application to run | |
| Authenticated Justification Message Action | This action will display a customized message to the user, allowing for feedback and requiring authentication before running an application | |
| Group Member Authenticated Message Action | This action will display a customized message to the user and requires authentication by a member of the specified group if the end-user is not a member | |
| Justify Application Elevation Action | This action will display a justification prompt to the user before continuing to the process controlled by a policy | |
| Justify Application Message Action | This action will display a justification prompt to the user before continuing to the process controlled by a policy | |
| Mobile Approval Request Form Action | This action will display a approval request form for approval before allowing application to run. | |
| Display User Message Action | Deny Execute Message | This action displays a message to the user informing them that an application has been denied execution |
| Deny Files Read and Write Access Message | This action displays a message to the user informing them that an application will be restricted from certain file access | |
| Limit Process Rights for New Applications Message | This action displays a message to the user informing them that an application has had its rights reduced | |
| Quarantine Message | This action displays a message to the user informing them that an application has been quarantined | |
| Remove Rights Message | This action displays a message to the user informing them of an associated action | |
| SWV Global Layer User Message | This action displays a message to the user informing them that an application has been placed in SWV global layer | |
| SWV Isolation Layer User Message | This action displays a message to the user informing them that an application has been placed in SWV isolation layer | |
| Windows Hooking Message | This action displays a message to the user informing them that an application will be stopped from interacting with other applications | |
| Encrypt Application Files | Encrypt Common Application Documents | This action can be used to automatically encrypt common application documents using Windows EFS. |
| Encrypt Microsoft Office Documents | This action can be used to automatically encrypt Microsoft Office documents using Windows EFS. | |
| Execute Application Action | Immediate File Inventory | This action will inventory the file being executed |
| GenericDetourAction | Enable UAC Virtualization | This action will turn on UAC virtualization for the target process. |
| Meter Application Action | Meter Application Usage | This action meters the usage of the specified applications |
| Quarantine File Action | File Quarantine | This action can be used to quarantine a file by moving it to the default agent quarantine path |
| Restrict File Dialogs | Restrict File Dialogs | This action prevents users from abusing the elevated rights of the application via the file open and save dialogs. This is a recommended action that customers should add to their elevation policies. |
| Set Environment Variable Action | Suppress User Account Control Consent Dialog | This action will prevent the UAC consent dialog from being displayed. |
| Set Process Security Descriptor Action | Locked down Service Process Security Descriptor | This action applies a restrictive security descriptor disallowing Administrators the right to terminate the process. |
| Win32 API Control Action Examples |
Block Local User Management | This is a new action that, when applied, blocks the target process from adding, removing, or modifying local users. The powershell "'localuser'" cmdlets are what this action will block. It will block these actions from any application including Windows utilities, command-line utilities, etc. |
| Block Local Group Management | This is a new action that when applied block the target process from adding, removing, modifying, or changing the membership of local groups. The powershell "'localgroup'" cmdlets are what this action will block. It will block these actions from any application including Windows utilities, command-line utilities, etc. | |
| Block LSA Privilege Management | This is a new action that when applied blocks the target process from changing local privileges. It will block these actions from any application including Windows utilities, command-line utilities, etc. |
Unix/Linux
| Type | Action | Description |
|---|---|---|
| Display User Message Action | Deny Execute Message | This action displays a message to the user informing them that an application has been denied execution |
| Deny Execute Action | Deny Execute | This action stops specified applications from executing |
