Elevate Policy Group
In this step, the user configures child processes. When an application is launched, it may need to run child processes in order to function. Since not every application requires this and child processes can be used as an attack vector, system admins can decide whether the application is permitted to call and execute child processes. If this is not configured with care, it can prevent applications from running normally.
In the last step, the user is expected to configure just-in-time access. When an agent blocks an application, users can ask for an elevation to access the blocked application. The security steps required to grant that access can be configured, separately for admins and standard users. Depending on the configuration, users can be asked for MFA and managerial approval via email before access is granted.
After the application group has been created successfully, the user assigns applications to that group. Clicking the settings icon on the application policy group opens a menu. From this menu, the user can edit the existing attributes of the application group, add a new application to the group, or delete the application group. Clicking edit opens the same flow as creating a group, with the existing attributes.
After the user clicks the add a new application button, Kron PAM asks for the application attributes. As said earlier, the user can either input these attributes manually or select discovered applications, as shown in the figure below. The application name is mandatory when adding a new application, but users can choose whether or not to add its hash.
The match type of the application can be Exactly or Start with.
The match type of the hash can only be Exactly.
The match type of the version can be Exactly, Greater Than, or Less Than.
When adding a policy, if the application or process has parameters, they can be written in the application name section.
After selecting the application name or other values, the user can optionally select the child process configuration of this application. Since this is also selected while creating an application policy group, the user's choice here will overwrite that configuration if a different choice is made. After the user clicks the save button, the application is added to the group.
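The match types listed above for application, hash and version can be modelled as follows. This is an added example, not Kron PAM's code: the Rule class, cmp_versions, matching the application by file name, AND-combining the attributes set on a rule, case-insensitive names, SHA-256 hashes and dotted-integer versions are all assumptions. It shows that a name-only rule accepts any file with a matching name, while a rule that also carries the hash accepts only the exact file.

```python
# Added illustration of the match types listed above; not Kron PAM code.
# Assumptions: attributes set on a rule are ANDed, names compare
# case-insensitively, hashes are SHA-256 hex, versions are dotted integers.
import hashlib
from dataclasses import dataclass
from typing import Optional

NAME_TYPES = {"Exactly", "Start with"}
VERSION_TYPES = {"Exactly", "Greater Than", "Less Than"}

def cmp_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1; missing components count as 0 (2.0 == 2.0.0)."""
    x, y = ([int(p) for p in v.split(".")] for v in (a, b))
    n = max(len(x), len(y))
    x, y = x + [0] * (n - len(x)), y + [0] * (n - len(y))
    return (x > y) - (x < y)

@dataclass
class Rule:
    name: str                        # mandatory
    name_match: str = "Exactly"
    sha256: Optional[str] = None     # optional; matched Exactly only
    version: Optional[str] = None
    version_match: str = "Exactly"

    def __post_init__(self):
        if not self.name:
            raise ValueError("application name is mandatory")
        if self.name_match not in NAME_TYPES or self.version_match not in VERSION_TYPES:
            raise ValueError("match type not offered for this attribute")

    def matches(self, name: str, content: bytes, version: str) -> bool:
        n, r = name.lower(), self.name.lower()
        if not (n == r if self.name_match == "Exactly" else n.startswith(r)):
            return False
        if self.sha256 and hashlib.sha256(content).hexdigest() != self.sha256.lower():
            return False
        if self.version is None:
            return True
        c = cmp_versions(version, self.version)
        return {"Exactly": c == 0, "Greater Than": c > 0, "Less Than": c < 0}[self.version_match]

# Constructed sample data: two different files that share one file name.
APPROVED = b"constructed sample: approved build"
OTHER = b"constructed sample: different content"
by_name = Rule(name="backup", name_match="Start with")
pinned = Rule(name="backuptool.exe", sha256=hashlib.sha256(APPROVED).hexdigest(),
              version="2.0", version_match="Greater Than")
```

For example, by_name.matches("backuptool.exe", OTHER, "1.0") returns True, while pinned.matches("backuptool.exe", OTHER, "2.1") returns False because the content hash differs.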