Privilege profiles provide an alternative to traditional policy segregation in EPM. Administrators can group multiple policies into reusable profiles and assign them to users or devices, simplifying permission management across large environments.
Features
- Referential grouping: privilege profiles group policies by reference (using their ID and name) instead of duplicating them. Modifying an individual policy automatically updates all profiles that contain it.
- Mass assignment: allows you to manage access for entire departments by linking multiple users or devices to the privilege profile simultaneously.
- Unlimited capacity: there is no limit to the number of policies or targets that can be added to a single privilege profile.
Applicability
When multiple privilege profiles are applied to the same target (user or device), the EPM agent evaluates the policies based on resolution and precedence rules. For all supported operating systems, the default behavior is as follows:
- Fallback behavior: if a target requests policies but no active privilege profile is assigned to that user or device, the system applies the standard EPM policies according to the existing individual segregations (provided the Enable Privilege Profile? parameter is set to No).
Windows devices
On Windows devices, policy evaluation follows these guidelines:
- Conflict resolution: the system always applies the most permissive rule for each functionality. In practice this means a Denylist entry in one profile does not block an application that another profile assigned to the same target allowlists.
- Access policies: Allowlist > Denylist.
- Directory and file control and System registry control: Allow > Deny.
- Global precedence: the overall evaluation order remains Allowlist with elevation > Allowlist without elevation > Denylist.
More information about privilege profiles on EPM Windows in How to create privilege profiles on EPM Windows.
System impact
Changing the Enable Privilege Profile? parameter alters how EPM applies policies:
- If set to Yes, individual policy segregations are ignored and access is governed exclusively by the privilege profiles. An alert is displayed in the individual policy reports.
- If set to No, configured privilege profiles have no effect, and an alert is displayed on the Privilege profile report.
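The following is an added example, not EPM's own code, that models the Windows resolution rules above (most permissive rule wins, Allowlist with elevation > Allowlist without elevation > Denylist), the referential grouping of policies by ID, and the effect of the Enable Privilege Profile? parameter. The data model (`AccessPolicy`, `PrivilegeProfile`, the `RANK` table, the policy store keyed by ID) and the sample users, devices and application names are all constructed for illustration. One behavior the page does not state is also assumed: with the parameter set to Yes and no active profile assigned to a target, the model returns no decision (`None`) rather than falling back to individual segregations.

```python
"""Toy model of EPM privilege-profile resolution (added example, not EPM code)."""
from dataclasses import dataclass

# Evaluation order taken from the page. A higher rank is more permissive and
# wins whenever several matching rules conflict.
RANK = {"allowlist_elevated": 3, "allowlist": 2, "denylist": 1}


@dataclass
class AccessPolicy:
    policy_id: str
    name: str
    kind: str          # one of the RANK keys
    apps: frozenset    # application names this rule matches (constructed)


@dataclass
class PrivilegeProfile:
    profile_id: str
    policy_ids: list   # references to policies by ID, never copies of them
    targets: frozenset # users and devices the profile is assigned to
    active: bool = True


def matching_policies(policy_ids, store, app):
    """Dereference policy IDs against the store; keep those that match `app`."""
    found = []
    for pid in policy_ids:
        pol = store.get(pid)          # edits to the store are seen immediately
        if pol is not None and app in pol.apps:
            found.append(pol)
    return found


def resolve(target, app, profiles, store, individual_ids, profiles_enabled):
    """Return the winning policy kind for (target, app), or None if nothing matches.

    profiles_enabled models the 'Enable Privilege Profile?' parameter:
      No  -> profiles have no effect; only the target's individual segregation applies.
      Yes -> individual segregation is ignored; only active profiles assigned
             to the target are evaluated (assumption: no profile -> no decision).
    Among all matching rules the most permissive (highest RANK) wins.
    """
    if not profiles_enabled:
        candidates = matching_policies(individual_ids.get(target, []), store, app)
    else:
        candidates = []
        for prof in profiles:
            if prof.active and target in prof.targets:
                candidates.extend(matching_policies(prof.policy_ids, store, app))
    if not candidates:
        return None
    return max(candidates, key=lambda p: RANK[p.kind]).kind


def build_demo():
    """Constructed sample data: a policy store, two profiles, individual segregations."""
    store = {
        "P1": AccessPolicy("P1", "Elevate installer", "allowlist_elevated", frozenset({"setup.exe"})),
        "P2": AccessPolicy("P2", "Block tooling", "denylist", frozenset({"setup.exe", "cmd.exe"})),
        "P3": AccessPolicy("P3", "Allow shell", "allowlist", frozenset({"cmd.exe"})),
    }
    profiles = [
        PrivilegeProfile("finance", ["P2"], frozenset({"alice", "WS-01"})),
        PrivilegeProfile("helpdesk", ["P1", "P3"], frozenset({"alice"})),
    ]
    individual = {"alice": ["P2"], "bob": ["P3"]}
    return store, profiles, individual


if __name__ == "__main__":
    store, profiles, individual = build_demo()
    # alice is in both profiles: the finance Denylist loses to the helpdesk Allowlist.
    print(resolve("alice", "setup.exe", profiles, store, individual, True))
    # Changing P1 in the store changes every profile that references it.
    store["P1"] = AccessPolicy("P1", "Block installer", "denylist", frozenset({"setup.exe"}))
    print(resolve("alice", "setup.exe", profiles, store, individual, True))
```

The `alice` case is the caveat worth noticing when several profiles target one user: the most-permissive rule means the Denylist in the finance profile is overridden by the Allowlist in the helpdesk profile, so an administrator who wants a block to hold must remove the conflicting Allowlist from every profile assigned to that target, not just add a Denylist.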