Local users and groups
This DriveLock functionality allows you to restrict important access rights for specific users and groups, making it easier to implement your zero-trust strategy.
For example, you can add specific users to the local administrators group so that you can have different local administrators for a specific group of computers. This involves specifying who gets local admin rights on particular systems. Users with these local admin rights will be able to make changes to their computers. To get these permissions (temporarily), a user is issued a password that is valid only on that specific computer for a certain period of time. Passwords remain stored in the system; they are protected by certificates and have an expiration date.
How it works:
Role-based permissions: The functionality is based on a role that allows specific users to temporarily work with elevated permissions.
Password with expiration date: The provided passwords have an expiration date, so users can work with elevated permissions only for a limited time.
Local password limitation: The temporary password is valid only on the user's own endpoint and cannot be used on other endpoints.
Passwords in DriveLock: Passwords are stored in DriveLock. Administrators with the appropriate role have access to the passwords and can view them in plain text in order to give them to users.
Workflow:
Administrator actions:
- The Administrator role is assigned to a user to grant temporary local administrator privileges.
- A user who requires elevated privileges on a temporary basis contacts the administrator and requests a temporary password.
End user actions:
- The end user enters the temporary password received to work with elevated privileges for the specified period of time.
- Once the time expires, the elevated privileges are automatically revoked.
Offline functionality:
If the end user is offline, the policy is still applied locally and the elevated privileges remain active until the set time expires.
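The properties described above (a password bound to one endpoint, valid only until its expiration date, protected at rest, and enforced locally even when the endpoint is offline) can be modelled in a few lines. The following is an added illustration written for this page, not DriveLock's own code or API: the endpoint names, user names, clock values and the HMAC-based integrity tag (which stands in for the certificate-based protection DriveLock uses) are all constructed assumptions.

```python
"""Model of an endpoint-bound, expiring temporary local-admin password.

Constructed example: illustrates the checks such a scheme must perform.
It is not DriveLock's implementation and uses an HMAC tag as a stand-in
for the certificate-based protection described in the text.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

# Constructed management-side secret used to seal each grant (assumption).
SERVER_KEY = secrets.token_bytes(32)

# Fixed clock value so the scenario below is reproducible.
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class TemporaryAdminGrant:
    endpoint_id: str        # the only computer this password is valid on
    username: str           # local account that receives admin rights
    password: str           # viewable in plain text by an authorised admin
    expires_at: datetime    # hard end of the elevation window
    tag: str                # integrity tag over all binding fields


def _tag(endpoint_id: str, username: str, password: str, expires_at: datetime) -> str:
    """Seal the binding fields so a stored grant cannot be retargeted or extended."""
    msg = "|".join([endpoint_id, username, password, expires_at.isoformat()]).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_grant(endpoint_id: str, username: str, lifetime: timedelta,
                now: datetime) -> TemporaryAdminGrant:
    """Administrator action: create a password valid only on endpoint_id until now+lifetime."""
    password = secrets.token_urlsafe(12)
    expires_at = now + lifetime
    return TemporaryAdminGrant(endpoint_id, username, password, expires_at,
                               _tag(endpoint_id, username, password, expires_at))


def check_elevation(grant: TemporaryAdminGrant, endpoint_id: str,
                    password: str, now: datetime) -> tuple:
    """Endpoint-side check. It needs only the stored grant and the local clock,
    so it behaves identically whether the endpoint is online or offline."""
    expected = _tag(grant.endpoint_id, grant.username, grant.password, grant.expires_at)
    if not hmac.compare_digest(grant.tag, expected):
        return False, "stored grant was modified; integrity check failed"
    if grant.endpoint_id != endpoint_id:
        return False, "password is bound to a different endpoint"
    if not hmac.compare_digest(grant.password, password):
        return False, "wrong password"
    if now >= grant.expires_at:
        return False, "password expired; elevated privileges revoked"
    return True, "elevated until " + grant.expires_at.isoformat()


def run_scenario() -> dict:
    """Walk through the workflow from the text and return each outcome."""
    grant = issue_grant("PC-0042", "alice", timedelta(hours=2), T0)
    # A local edit of the stored record that tries to push the expiry out a month.
    tampered = replace(grant, expires_at=T0 + timedelta(days=30))
    return {
        "own_endpoint_in_window": check_elevation(grant, "PC-0042", grant.password, T0)[0],
        "other_endpoint": check_elevation(grant, "PC-0099", grant.password, T0)[0],
        "wrong_password": check_elevation(grant, "PC-0042", "not-the-password", T0)[0],
        "after_expiry": check_elevation(grant, "PC-0042", grant.password,
                                        T0 + timedelta(hours=2))[0],
        "tampered_expiry": check_elevation(tampered, "PC-0042", tampered.password, T0)[0],
    }


if __name__ == "__main__":
    for name, allowed in run_scenario().items():
        print(f"{name:24s} -> {'allowed' if allowed else 'denied'}")
```

The scenario exercises each rule from the text: the password works on its own endpoint inside the window, is refused on any other endpoint, stops working the moment the expiration date is reached (automatic revocation, with no server round-trip needed), and a locally edited expiry is rejected because the sealed record no longer verifies.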