How to configure application access lists

  • 2 minute(s) read
Prev Next

This document explains how to configure application access lists on Segura® EPM Windows clients. You will learn how to set up general segregation policies to allow or deny access to applications across all workstations, using a variety of criteria to increase security and control.

Requirements

  • You must be at least an EPM Administrator.
  • Have information about the applications according to the selected criteria (e.g., certificate, file hash, directory, etc.).

Configure application access lists

  1. In Segura®, access the Access Lists page:
    1. Navigate to Grid Menu > EPM > Policies > Windows > Access lists.
  2. Click on the Show actions button (represented by three vertical dots).
  3. Select segregation General, Device or Organizational Unit.
  4. In the General tab, fill in the following fields:
    • Choose category screen, select Applications.
    • Name*: Set a name for this policy.
    • Status*: Set as active or inactive.
    • Action*: Choose between allowlist (to allow) or denylist (to block).
    • Segura® Intelligence Suggestions: Enable this option to allow administrators to gain insights from Segura® AI regarding the accuracy and effectiveness of this policy.
  1. In the Applications tab, complete the following:
    • Control Parent Process*:
      • If Enabled, all child processes created by the parent will follow the access list permissions.
      • If Disabled, all processes are evaluated individually by the access list.
    • Control Child Process*:
      • If Enabled, the access list is applied to all processes originating from the child process.
      • If Disabled, all processes are evaluated individually.
    • In Criteria, add one or more (you can check all criterias in the Applications Criteria List EPM Windows).
  2. If using Workstation or Organizational Unit segregation, additional tabs will appear to complete the following steps:
    • For Workstation segregation, select one or more registered Workstations.
    • For Organizational Unit segregation, add a New OU and enter the OU name in the ou field. Note: enter only the OU name (e.g., "MyOUName"), not the full distinguished name (e.g., "ou=myOUName, DC=mydomain, DC=local").
  3. In the Workflow tab, complete the following:
    1. In the Elevation Setting options, select as needed:
      - User can upgrade applications
      - Requires justification to elevate applications
      - Requires approval to upgrade applications
      - Allow emergency access
      - Approval in levels: Requires approvers defined in Approval workflow.
    2. If Require approval to elevate applications is checked, set the number of times for each specific action:
      • Required approvals: Number of approvals necessary for privilege elevation.
      • Deprecations required: Number of actions to cancel elevation.
    3. Answer Yes or No to the following Access Request Settings:
      • Is it mandatory to specify governance code when justifying?
      • Always add the user manager to approvers?
  4. Go to Review tab, check if all is correct.
  5. Click Save to apply the access list configuration.