Using the User Context Filter
The User Context Filter is one of the Application Filter templates listed for Windows, macOS, and Unix/Linux. It can be used on any of these operating systems, but the parameters it accepts and the way Privilege Manager evaluates it differ between Windows, macOS, and Unix/Linux, as described below.
Requirements
Active Directory (AD)
To use this filter, your user groups must be synced with Privilege Manager so that the group, and the memberships it contains, referenced by the User Context Filter can be identified.

If a User Context Filter references a group whose membership you modify, the affected users must perform a full logon (not just an unlock or a cached logon) while connected to the domain. Otherwise their logon token still carries the old group membership and the filter will not match.

- With Active Directory (AD), Privilege Manager reads the group SIDs carried in the user's logon token to determine group membership, so membership is refreshed only when a new token is issued at logon.
- With Entra ID, Privilege Manager must query the group membership of logged-in users in order to refresh it.
- On Unix/Linux systems, you specify local account names, UIDs, and group names.

You can import groups from Entra ID and use them with AD if the Entra ID group has an on-premises SID.
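Because the AD evaluation path reads group SIDs from the logon token, a group change that has not yet reached the token is the most common reason a User Context Filter "does not work". The following PowerShell script is an added example, not part of the Privilege Manager documentation or product: it compares the group SIDs in the current user's logon token with the user's current membership in the directory (the constructed `tokenGroups` attribute, which lists nested membership as the domain would place it in a fresh token) and reports groups that are present in AD but missing from the token. It assumes a domain-joined Windows host with the domain reachable, and that it is run in the session of the user being checked; the function and variable names are the example's own.

```powershell
# Added example (not from the Privilege Manager documentation).
# Detects whether the current logon token is stale relative to the user's AD group
# membership. A group listed under MissingFromToken will not be seen by a User Context
# Filter until the user performs a full domain logon.
# Assumptions: domain-joined Windows host, domain reachable, run as the user in question.

function Get-TokenGroupSids {
    # Group SIDs as they exist in the current logon token (what the AD path evaluates).
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $identity.Groups | ForEach-Object { $_.Value }
}

function Get-DirectoryGroupSids {
    param([string]$SamAccountName = $env:USERNAME)

    $searcher = [ADSISearcher]"(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    $result = $searcher.FindOne()
    if (-not $result) { throw "User '$SamAccountName' not found in the directory" }

    $entry = $result.GetDirectoryEntry()
    # tokenGroups is a constructed attribute and must be requested explicitly.
    # It contains the SIDs of every group the user belongs to, including nested membership.
    $entry.RefreshCache([string[]]@('tokenGroups'))
    foreach ($bytes in $entry.Properties['tokenGroups']) {
        ([System.Security.Principal.SecurityIdentifier]::new([byte[]]$bytes, 0)).Value
    }
}

function Resolve-SidName {
    param([string]$Sid)
    try {
        ([System.Security.Principal.SecurityIdentifier]$Sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch {
        $Sid   # unresolvable (deleted group, untrusted domain): report the raw SID
    }
}

function Test-TokenGroupMembership {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $domainSid = $identity.User.AccountDomainSid.Value   # S-1-5-21-... of the user's domain

    $token     = @(Get-TokenGroupSids)
    $directory = @(Get-DirectoryGroupSids)

    # In the directory but not in the token: added since the last full logon.
    $missing = $directory | Where-Object { $token -notcontains $_ }

    # In the token but no longer in the directory: removed since the last full logon.
    # Only domain SIDs are compared; well-known and local-machine SIDs never appear
    # in tokenGroups and are expected to be in the token only.
    $stale = $token | Where-Object {
        $_.StartsWith("$domainSid-") -and ($directory -notcontains $_)
    }

    [PSCustomObject]@{
        User                = $identity.Name
        MissingFromToken    = @($missing | ForEach-Object { Resolve-SidName $_ })
        NoLongerInDirectory = @($stale   | ForEach-Object { Resolve-SidName $_ })
        TokenIsCurrent      = (-not $missing) -and (-not $stale)
    }
}

$report = Test-TokenGroupMembership
$report | Format-List
if (-not $report.TokenIsCurrent) {
    Write-Warning "Logon token is stale; a full domain logon is required before User Context Filters keyed on these groups will match."
}
```

Run it as the affected user after changing a group. If `MissingFromToken` is non-empty, the token was issued before the change and the filter cannot see the new membership, regardless of what the directory now says; `NoLongerInDirectory` shows the opposite case, where the token still grants a membership that has been removed. The SIDs reported are the same values you would enter under Group SIDs in the filter configuration.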
Inclusion and Exclusion Filters
Ensure that any Inclusion or Exclusion filters are defined in the associated policy, as needed. Refer to Using Include and Exclude Filters.
Configuration
The configuration parameters requested by each operating system are as follows (x = the parameter is available on that operating system).

| Configuration Parameter | Windows | macOS | Linux/Unix |
|---|---|---|---|
| Built-in Accounts | x | x | x |
| Well-known Accounts | x | | |
| Domain User Groups | x | x | x |
| Specific Users | x | | |
| Local Account Names | x | x | x |
| Local Group Names | x | x | x |
| User SIDs/Local UIDs | x | x | |
| Group SIDs | x | x | |
Additional settings provided are:

- Set the All specified conditions must be met switch to Yes if ALL conditions must be met. Leave the switch set to No to match ANY condition.
- (Windows only) You can also specify that accounts must be enabled to be targeted. The Require accounts to be enabled checkbox is important to set if specific users have been added, so that a disabled account does not continue to match the filter.