Privilege Elevation Policy Type
Understanding the Keeper Privilege Elevation policy setup and usage

Overview
The Privilege Elevation policy provides control over the ability of a user to elevate to an administrative role. It is recommended to first apply a Least Privilege policy to ensure that standard users do not have built-in administrative privilege.
On Windows, the Privilege Elevation policy will trigger the Keeper Client user interface to open when the user triggers an elevation event. On macOS and Linux (Ubuntu/GNOME), the Keeper Client user interface is available for the user to initiate the request.
How it Works
On the endpoint, the Keeper agent service runs with system privilege. All elevations are executed with an ephemeral account called keeperusersession.
Managing Privilege Elevation
From the Admin Console > Endpoint Privilege Manager > Policies, create a new policy. Select "Privilege Elevation" as the policy type and then "Enforce".

Select the control (Require approval, Require MFA or Require justification).

Select the desired approvers, and apply the policy to a specific User Group, Machine Collection, Application Collection and Date and Time range.

After applying the policy, the affected users on the endpoint will need to adhere to the policy in order to elevate their role on the device.
As an example, if the user attempts to run PowerShell as administrator, Keeper will intercept the request and prompt for approval.

If MFA or justification is required, the user is prompted.

The Admin receives a request to approve the elevation.

After approval, the user is able to run the approved command directly from the Keeper user interface.
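
An added example, not Keeper's code: a check a defender could run over exported Windows Security process-creation events (event 4688) to separate elevations that ran under the keeperusersession account described under How it Works from elevated processes started by other accounts. The JSON export layout and the sample events are constructed, and it is an assumption that Keeper-brokered elevations appear in event 4688 with keeperusersession as the process account.

```python
import json

KEEPER_ACCOUNT = "keeperusersession"  # ephemeral elevation account named on this page
ELEVATED = "%%1937"  # event 4688 TokenElevationType: full (elevated) token

# Constructed sample, not real telemetry. Assumed export format: one JSON object
# per line carrying the standard Security event 4688 field names.
SAMPLE = r"""
{"EventID":4688,"SubjectUserName":"alice","TargetUserName":"-","NewProcessName":"C:\\Windows\\System32\\notepad.exe","TokenElevationType":"%%1938"}
{"EventID":4688,"SubjectUserName":"WS01$","TargetUserName":"keeperusersession","NewProcessName":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","TokenElevationType":"%%1937"}
{"EventID":4688,"SubjectUserName":"bob","TargetUserName":"-","NewProcessName":"C:\\Windows\\System32\\cmd.exe","TokenElevationType":"%%1937"}
{"EventID":4688,"SubjectUserName":"WS01$","TargetUserName":"-","NewProcessName":"C:\\Windows\\System32\\svchost.exe","TokenElevationType":"%%1936"}
"""

def run_as(ev):
    """Account the new process runs under: TargetUserName if set, else the creator."""
    target = ev.get("TargetUserName") or "-"
    return (ev.get("SubjectUserName", "") if target == "-" else target).lower()

def review_elevations(text):
    """Split process-creation events into Keeper-brokered and unbrokered elevations."""
    brokered, unbrokered = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 4688:
            continue
        user, proc = run_as(ev), ev.get("NewProcessName", "")
        if user == KEEPER_ACCOUNT:
            # Assumption: brokered elevations show this account as the process owner
            brokered.append(proc)
        elif ev.get("TokenElevationType") == ELEVATED and not user.endswith("$"):
            # Elevated token held by a regular account: elevation outside the policy path
            unbrokered.append((user, proc))
    return brokered, unbrokered

if __name__ == "__main__":
    ok, review = review_elevations(SAMPLE)
    print("brokered:", ok)
    print("needs review:", review)
```

With a Least Privilege policy in place, entries in the second list point to accounts that still hold administrative rights on the endpoint.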


