IT admins can use the elevation control feature in Workspace Environment Management (WEM) to restrict users to standard user accounts, while giving them the ability to run apps that require admin privileges so they can achieve their business goals. With the elevation control feature, IT admins must provision rules that identify the target applications, but defining all the target apps with rules can be a laborious and time-consuming process.

In this blog post, we’ll look at a new WEM feature, self-elevation, that gives IT admins a simple way to save time and effort and give users the privileges they need.

New self-elevation feature tab

Think about dealing with an elevation situation for an experienced IT user. They know which applications require admin privileges and which can be trusted. However, the admins haven’t provisioned rules that provide those privileges to users. Besides, it may not be necessary for the administrator to define all of those target applications, because only that one user needs them.

Self-elevation gives users themselves the ability to elevate apps that are on a predefined allow list or that aren’t on a predefined deny list. This makes it easy for IT admins to provide these privileges.

Self-elevation feature configuration panel

Provisioning for self-elevation is similar to the elevation control feature, though there’s only one self-elevation rule per configuration set. After enabling this feature, choose either an allow list (the Allow option) or a deny list (the Deny option). You can then add multiple conditions to the allow list or deny list, such as defining an elevation rule target by path, publisher, or hash. There are also options that define whether the elevation applies to child processes and the time during which it applies. Finally, assign the self-elevation rule to the needed user or group and apply it to complete the configuration.
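When filling in path, publisher, or hash conditions, it helps to collect all three values for each candidate file and to know whether standard users can modify it. The script below is an added example, not Citrix code: the output field names are its own, and SHA-256 is an assumption, so check which hash type the WEM console expects.

```powershell
# Added example: gather path, publisher, and hash for candidate files, and flag
# files that non-admin users could overwrite (a weak basis for a path-only condition).
param(
    [Parameter(Mandatory)][string[]]$Path   # candidate files to inspect
)

# Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users
$broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'

function Test-BroadWrite {
    param([string]$Target)
    $acl   = Get-Acl -LiteralPath $Target
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only entries apply to children, not to this object itself
        if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        # 0x2 = WriteData/AddFile, 0x40000000 = GENERIC_WRITE, 0x10000000 = GENERIC_ALL
        $rights = [int]$ace.FileSystemRights
        if (($broadSids -contains $ace.IdentityReference.Value) -and ($rights -band 0x50000002)) {
            return $true
        }
    }
    return $false
}

foreach ($p in $Path) {
    $file = Get-Item -LiteralPath $p
    $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName
    [pscustomobject]@{
        Path            = $file.FullName
        SignatureStatus = $sig.Status
        Publisher       = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Sha256          = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        # True if broad groups can write to the file or add files in its folder
        UserWritable    = (Test-BroadWrite $file.FullName) -or (Test-BroadWrite $file.DirectoryName)
    }
}
```

Where `UserWritable` is true, a path condition alone identifies a location rather than a specific program, so a publisher or hash condition is the more reliable choice for that file.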

After applying the configuration, an end user will be able to self-elevate programs from the right-click context menu in WEM.

Agent side user right click context menu option to run Self-elevation

The new Run with Administrator Privileges menu option will use the WEM service to elevate the chosen program if it matches the configured criteria. In addition to executable binaries, the new option can be used for other targets such as msi packages and scripts (like .ps1 and .cmd files). The WEM service will use the default executables to run these packages or scripts. If the elevation is granted, it will be recorded for audit.

With the help of self-elevation, IT admins can grant users the right to elevate programs with flexibility, making the work of creating elevation rules easy and neat. The end user can now run certain applications with elevated privileges, rather than wait for IT admins to collect the information needed and create the specific elevation rules, improving the end user experience.

Learn more about the self-elevation feature in Workspace Environment Management (WEM).