How to create a user-based access policy

This document guides you through creating a user-based access policy in EPM macOS, allowing you to apply rules for executing applications and commands to specific accounts.

Access path

  1. In Segura, on the navigation bar, hover over the Product Menu and select EPM.
  2. In the side menu, select Policies > macOS > Access Policies.
  3. Click Add to start a new policy.

Segregation screen

  1. On the Segregation screen, select the Users option.
  2. Click Continue.

General tab

  1. Fill in the following fields:
    • Category: select Applications
    • Name: enter a representative name for the policy
    • Status: check Enabled to apply it immediately
    • Action: select the main action of the policy:
      • Allowlist: allows only the defined applications
      • Denylist: blocks the defined applications
  2. Click Continue to proceed.

Applications tab

On this tab, define the policy rules and enable session recording if necessary.

  1. To record user activities during application usage, enable the Record session for these applications option.
  2. Enable the Segura Intelligence Suggestions to allow administrators to gain insights from Segura AI regarding the accuracy and effectiveness of this policy.
  3. In Strategy, select how the criteria will be evaluated:
    • Match any: the policy is applied if any criterion is met
    • Match all: the policy is applied only if all criteria are met
  4. Use the Add button to include rules based on:
    • Application Name
    • Bundle Identifier
    • Code Signature
    • Installation Path
    • Developer Identity
    • Version
    • SHA256 / SHA512
    • Executable Name
    • Application Category
    • User
    • Arguments
  5. Click Continue.
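To make the Action and Strategy semantics concrete, the following added example (not Segura code; the criterion keys, bundle identifier and Team ID are constructed placeholders) evaluates an Allowlist policy against a genuine and a tampered copy of the same application. It shows why combining a Bundle Identifier rule with a SHA256 rule under Match all pins the exact binary, whereas Match any would still allow a modified binary that keeps the same bundle identifier.

```python
import hashlib

# Constructed sample binaries; the records below use the criteria named on
# the Applications tab as keys (key names are assumptions, not Segura's).
GENUINE_BYTES = b"constructed genuine binary"
TAMPERED_BYTES = b"constructed tampered binary"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


GENUINE_APP = {
    "bundle_identifier": "com.example.terminal",  # placeholder bundle id
    "developer_identity": "EXAMPLETEAMID",        # placeholder Team ID
    "sha256": sha256_hex(GENUINE_BYTES),
}
# Same bundle identifier and signer identity, but different file contents.
TAMPERED_APP = dict(GENUINE_APP, sha256=sha256_hex(TAMPERED_BYTES))


def rule_matches(rule: tuple, app: dict) -> bool:
    """A rule is (criterion, expected value); compared case-insensitively."""
    criterion, expected = rule
    return app.get(criterion, "").lower() == expected.lower()


def policy_matches(strategy: str, rules: list, app: dict) -> bool:
    """Strategy from the Applications tab: 'match_any' or 'match_all'."""
    hits = [rule_matches(r, app) for r in rules]
    if not hits:
        return False  # a policy with no rules matches nothing
    return any(hits) if strategy == "match_any" else all(hits)


def decide(action: str, strategy: str, rules: list, app: dict) -> str:
    """Action from the General tab: Allowlist permits only matches,
    Denylist blocks matches."""
    matched = policy_matches(strategy, rules, app)
    if action == "allowlist":
        return "allow" if matched else "block"
    return "block" if matched else "allow"


RULES = [("bundle_identifier", "com.example.terminal"),
         ("sha256", GENUINE_APP["sha256"])]


def compare_strategies() -> dict:
    """Decision per strategy for the genuine and tampered copies."""
    return {f"{s}_{name}": decide("allowlist", s, RULES, app)
            for s in ("match_any", "match_all")
            for name, app in (("genuine", GENUINE_APP), ("tampered", TAMPERED_APP))}
```

Only `match_all_tampered` comes back as `block`; the other three combinations return `allow`.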

Workflow tab

The Workflow tab is only displayed if you selected Allowlist as the main action of the policy. In this step, define Just-in-Time (JIT) privilege elevation rules based on configurable approval flows.

Elevation settings

  1. Check User can elevate applications to allow the user to initiate the elevation process.
  2. Check Require justification to elevate applications to require the user to provide a reason for the request.
  3. Check Require approval to elevate applications if you want the elevation to depend on approval.

If approval is enabled, also configure:

  1. Approvals required: minimum number of approvals to release execution.
  2. Rejections required to cancel: number of rejections that will end the request.
  3. Approval in levels: enables chained approval logic with multiple levels.

Access request settings

  1. Check Require governance code when justifying? if you want to require this field.
  2. Check Always add the user’s manager to the approvers? to automatically include the requester’s manager in the flow.
  3. Click Continue to proceed to the next step.

Users tab

  1. The Users tab displays a table with registered accounts.
  2. Click Add.
  3. In the displayed window, check the desired users.
  4. Use the search field to locate by name, domain, or ID.
  5. Click Add in the lower corner of the window.
  6. The selected users will be listed in the table.
  7. Click Continue to proceed.

Review tab

  1. Review all policy information.
  2. If everything is correct, click Save to complete the registration.