Policy: Privilege Elevation Justification Policy for Keeper Utilities

This example shows a Privilege Elevation policy that targets a specific “Keeper Utilities” application (via a single App ID) and requires the user to provide a justification before the process can run with elevated privileges. It’s useful for demonstrating how to add accountability and audit context around privileged use of approved administrative tools without requiring an approval workflow.
What This Policy Does
Applies a Privilege Elevation rule in enforce mode.
Targets:
Any user (*)
A specific application (one App ID, representing the Keeper Utilities process)
One specific endpoint (one Machine ID)
On a match, it requires JUSTIFY (the user must enter a justification) before the elevation proceeds.
Does not require the user to acknowledge the notification (NotificationRequiresAcknowledge: false).
Assigns a Risk Level of 50.
Why It Behaves This Way
Application-Scoped Control: Because the application targeting is a single App ID (not *), only the intended Keeper Utilities process is affected.
Broad User Coverage: With a wildcard user scope, any user on the targeted endpoint is subject to the same justification requirement.
Justification As The Control: Using JUSTIFY adds user-provided context and creates an audit trail while still allowing work to continue when there’s a legitimate need.
Standard Checks With No Extra Constraints: Date/Time/Day/Certificate restriction lists are empty, so the match is primarily driven by user + machine + application targeting.
Revise To Apply To Multiple Endpoints
Right now, machine targeting includes a single endpoint identifier. To apply this same justification requirement across multiple endpoints, update machine targeting so it includes more than one endpoint identifier (or use your endpoint grouping approach). For example:
Before: Machine targeting lists one endpoint.
After: Machine targeting contains multiple endpoint identifiers.
No other changes are required to broaden endpoint coverage.
What The User Experiences
When a user attempts to run the targeted Keeper Utilities process as an administrator on an in-scope endpoint, they’ll be prompted to enter a justification.
After entering the justification, the elevation proceeds (this policy is “prompt and record,” not “block”).
Because acknowledgement is disabled, there’s no extra “click to dismiss” step beyond the justification prompt.
Important Notes And Common Adjustments
Fix The Notification Message: The current message references “monitor mode” and mentions MFA/request, but the configured control is JUSTIFY only. Update the message so it accurately reflects that justification is required for elevation of this tool (or remove the message entirely).
Decide If You Need Approval Or MFA:
Use JUSTIFY when you want accountability without slowing work.
Use APPROVAL when elevation should require explicit authorization.
Add MFA when you want a stronger step-up control for privileged actions.
Tune Risk Level: If you’re using risk scoring for reporting or prioritization, set the Risk Level to align with how sensitive the tool is in your environment.
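The message/control mismatch described under "Fix The Notification Message" can be caught before a policy is deployed. The check below is an added example, not Keeper's code or schema: only NotificationRequiresAcknowledge is a name taken from this page, and every other key, the placeholder IDs and the sample message are constructed for illustration.

```python
import re

# Constructed policy record. Only NotificationRequiresAcknowledge comes from the
# page; all other keys are hypothetical stand-ins, not Keeper's JSON schema.
SAMPLE_POLICY = {
    "policy_type": "PrivilegeElevation",
    "mode": "enforce",
    "controls": ["JUSTIFY"],
    "users": ["*"],
    "applications": ["APP-ID-PLACEHOLDER"],
    "machines": ["MACHINE-ID-PLACEHOLDER"],
    "notification_message": "This endpoint is in monitor mode. "
                            "Complete MFA or submit a request.",
    "NotificationRequiresAcknowledge": False,
    "risk_level": 50,
}

# Wording in a user-facing message that implies a given control is in force.
MESSAGE_HINTS = {
    "MFA": r"\bmfa\b|multi-factor",
    "APPROVAL": r"\bapprov\w*|\brequest\b",
    "JUSTIFY": r"\bjustif\w*",
}

def lint_policy(policy):
    """Return findings where the message and the configured controls disagree."""
    findings = []
    msg = policy.get("notification_message", "")
    controls = set(policy.get("controls", []))
    for control, pattern in MESSAGE_HINTS.items():
        mentioned = re.search(pattern, msg, re.IGNORECASE) is not None
        if mentioned and control not in controls:
            findings.append(f"message mentions {control} but it is not configured")
        # An empty message is allowed: the page permits removing it entirely.
        if msg and control in controls and not mentioned:
            findings.append(f"{control} is configured but the message does not mention it")
    if re.search(r"monitor mode", msg, re.IGNORECASE) and policy.get("mode") != "monitor":
        findings.append(f"message says monitor mode but mode is {policy.get('mode')}")
    if "*" in policy.get("applications", []):
        findings.append("application scope is a wildcard")
    return findings

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print("FINDING:", finding)
```

Run against the constructed record, the check reports the stale MFA, request and monitor-mode wording and the missing mention of justification. It reports nothing once the message is rewritten around justification or removed.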
Example JSON

