This feature allows the implementation of secure, time-bound administrative access for end-users, ensuring that only authorized personnel can elevate their privileges when necessary, while also maintaining strict control over the duration and scope of such privileges.
What Is End-User Elevation?
End-User Elevation (EUE) allows end-users to temporarily elevate their privileges to perform administrative tasks.
Our implementation uses a structured approval process where technicians can review and approve or deny elevation requests.
Why Use End-User Elevation?
Implementing End-User Elevation is essential for maintaining a secure and controlled IT environment. Here’s why:
- Enhanced Security - It reduces the risk of unauthorized access by ensuring that elevated privileges are granted only when necessary and are automatically revoked after a set period. You no longer need to leave every user with privileged "administrators" access 24/7.
- Operational Efficiency - End users can perform necessary administrative tasks without permanent admin access, reducing the burden on IT support teams. When an end-user elevation request is "approved," the end user is placed into the administrative group in a time-bound manner.
- Compliance - Provides a documented and auditable trail of approved and denied Elevation Requests, supporting compliance with security policies and regulations.
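One way to check the time-bound behaviour described above independently, from the endpoint's own Security log. This is an added example, not CyberQP code: it assumes elevation uses the local Administrators group, and `$MaxMinutes`, the function names and the sample SIDs are hypothetical.

```powershell
# Added example, not CyberQP code. Assumes elevation adds the user to the local
# Administrators group (S-1-5-32-544); $MaxMinutes is a hypothetical window.
function Get-AdminGroupEvent {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    # 4732 = member added to a local group, 4733 = member removed from one.
    $filter = @{ LogName = 'Security'; Id = 4732, 4733; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{ Id = $_.Id; TimeCreated = $_.TimeCreated
                           MemberSid = $data.MemberSid; GroupSid = $data.TargetSid }
    }
}

function Find-OverdueAdminMembership {
    param([object[]]$Events, [int]$MaxMinutes = 60, [datetime]$Now = (Get-Date))
    $open = @{}   # MemberSid -> time of an add that has no matching removal yet
    $admin = $Events | Where-Object GroupSid -eq 'S-1-5-32-544' | Sort-Object TimeCreated
    foreach ($e in $admin) {
        if ($e.Id -eq 4732) {
            if (-not $open.ContainsKey($e.MemberSid)) { $open[$e.MemberSid] = $e.TimeCreated }
        } elseif ($e.Id -eq 4733 -and $open.ContainsKey($e.MemberSid)) {
            $held = ($e.TimeCreated - $open[$e.MemberSid]).TotalMinutes
            $open.Remove($e.MemberSid)
            if ($held -gt $MaxMinutes) {
                [pscustomobject]@{ MemberSid = $e.MemberSid; Status = 'RevokedLate'; Minutes = [int]$held }
            }
        }
    }
    foreach ($sid in @($open.Keys)) {
        $held = ($Now - $open[$sid]).TotalMinutes
        if ($held -gt $MaxMinutes) {
            [pscustomobject]@{ MemberSid = $sid; Status = 'StillMember'; Minutes = [int]$held }
        }
    }
}

# Constructed sample events (not real log data) so the logic can be run offline.
$t0 = [datetime]'2024-01-10T09:00:00'; $adm = 'S-1-5-32-544'; $u = 'S-1-5-21-1-2-3'
$sample = @(
    [pscustomobject]@{ Id = 4732; TimeCreated = $t0;                 MemberSid = "$u-1001"; GroupSid = $adm }
    [pscustomobject]@{ Id = 4733; TimeCreated = $t0.AddMinutes(30);  MemberSid = "$u-1001"; GroupSid = $adm }
    [pscustomobject]@{ Id = 4732; TimeCreated = $t0.AddMinutes(60);  MemberSid = "$u-1002"; GroupSid = $adm }
    [pscustomobject]@{ Id = 4733; TimeCreated = $t0.AddMinutes(240); MemberSid = "$u-1002"; GroupSid = $adm }
    [pscustomobject]@{ Id = 4732; TimeCreated = $t0.AddMinutes(120); MemberSid = "$u-1003"; GroupSid = $adm }
    [pscustomobject]@{ Id = 4732; TimeCreated = $t0.AddMinutes(90);  MemberSid = "$u-1004"; GroupSid = 'S-1-5-32-555' }
)
Find-OverdueAdminMembership -Events $sample -MaxMinutes 60 -Now $t0.AddHours(8)
# On an endpoint: Find-OverdueAdminMembership -Events (Get-AdminGroupEvent)
```

Reading the Security log requires an elevated session, and events 4732/4733 are only recorded when "Audit Security Group Management" is enabled on the endpoint.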
Prerequisites
Technician Access
- You need Super or Primary role permissions to enable or disable the End-User Elevation feature at the tenant level for all or specific customers.
- End User Elevation Product is enabled by your Account Rep
  - Contact Rep
- End User Accounts imported to the Quickpass Dashboard End User Accounts screen for your Customer
  - Automatic Import linked to O365/Azure
  - Automatic Import not linked to O365/Azure
  - Automatic Import O365/Azure Only
  - Manual Import
- Technicians who do not have the Primary or Super role will be able to approve or deny requests based on their customer and end-user account access. (See Configuring CyberQP Customer Groups, Global Password Folders, CyberQP Account Security Options)
End-User Accounts
- Ensure all relevant end-users are imported into the system.
External Tools
- The Quickpass Agent must be installed on the system that the End User will elevate from.
- When End-User Elevation is enabled for your customers, the CyberQP Agent will create new processes with the following details. You may have to adjust your monitoring/endpoint detection tools to prevent notifications or to allow the processes to run.
Task Manager Process Name:
Priviledge Access Management Service (32 bit)
Executable Name:
Quickpass.ElevateApp.exe
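Before adding an exception in a monitoring or endpoint detection tool, it helps to record where the running binary lives and who signed it, so the exception can be scoped to the signed binary rather than the file name alone. This is an added example, not CyberQP code: the executable name comes from this article, while the function name and the `$ExpectedSigner` placeholder are assumptions to fill in from a known-good install.

```powershell
# Added example, not CyberQP code. The executable name is taken from the article;
# $ExpectedSigner is a placeholder to fill in from a known-good install.
function Get-ElevateAppEvidence {
    param(
        [string]$ExeName = 'Quickpass.ElevateApp.exe',
        [string]$ExpectedSigner = '<publisher subject from a known-good install>'
    )
    foreach ($p in Get-CimInstance Win32_Process -Filter "Name='$ExeName'") {
        $path = $p.ExecutablePath
        if (-not $path) {
            # ExecutablePath is empty when the session lacks rights to query the process.
            [pscustomobject]@{ ProcessId = $p.ProcessId; Path = $null; Verdict = 'PathUnavailable' }
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $path
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        if ($sig.Status -ne 'Valid') {
            $verdict = 'BadOrMissingSignature'
        } elseif ($subject -notlike "*$ExpectedSigner*") {
            $verdict = 'UnexpectedSigner'
        } else {
            $verdict = 'OK'
        }
        [pscustomobject]@{
            ProcessId = $p.ProcessId
            Path      = $path
            Signer    = $subject
            Sha256    = (Get-FileHash -Algorithm SHA256 -Path $path).Hash
            Verdict   = $verdict
        }
    }
}

Get-ElevateAppEvidence | Format-List
```

Run it from an elevated session on a system where End-User Elevation is enabled; no output means no process with that name is currently running.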
Steps
Administrator Actions - Enabling End-User Elevation
Access your Tenant Settings
- Sign in to CyberQP > Click "Settings" > Scroll down to "Enable end-user elevation"
Enabling End-User Elevation
- Toggle the switch to enable End-User Elevation for your tenant.
- Specify a specific customer to enable End-User Elevation, or click the flag for "All current and future customers" to allow all existing and any newly added customers access to the elevation feature.
- Click the save button when you're satisfied.
Warning: If this is the first time you're enabling this feature, we highly recommend trying it out with a test customer so you can experiment and see how the end-user elevation feature works. You can always come back to this setting later and activate it for a group of real customers.
Configuring your Email Alerts
- In your tenant sidebar > scroll down to "Alerts"
- In the "End-User Elevation" section > Select any combination of the toggles to control which email alerts are sent from our platform.
- Click the "+Add Email" button to specify the email address the alerts should go to.
- Click the save button when you're satisfied.
We recommend you enter the email address of your PSA system. This will enable our alert emails to automatically generate tickets on your PSA system (e.g. ConnectWise, Autotask, HaloPSA). Our alert emails will already include customer names, end-user names, and other relevant information, allowing you to create PSA rules to automatically assign the newly created ticket to the correct customer and, potentially, the correct end user. Refer to your PSA provider's knowledge base for further information.
Upload a Custom System Tray Icon (optional)
You can upload a custom ICO file for your helpdesk that will appear in the system tray for enabled systems that belong to End-User Elevation enabled customers.
- In your tenant sidebar > Click "Settings"
- In the "Company Information" section > "Icon" > Click the pencil icon.
Note: The icon file should be in ICO format with a maximum size of 256x256 pixels. The icon should have a square aspect ratio (1:1), such as 16x16 or 32x32 pixels.
The icon will appear in the tray of any system with the Quickpass Agent installed.
Testing and Usage of Elevation
https://support.getquickpass.com/hc/en-us/articles/26509703276951-End-User-Elevation-How-to-use
FAQs
What happens if the end-user does not activate the elevation within 24 hours?
- The request will automatically expire, and the end-user will need to submit a new request.
By following these steps, you can ensure that your organization effectively manages temporary administrative privileges, maintaining security while empowering end-users to perform necessary tasks.