Self Service+ Privilege Elevation Preference Setup

jhathcock
New Contributor III

We're setting up the config profiles for Self Service+ and I'm trying to get Privilege Elevation Preferences set up for User Promotion Role to limit the use to just members of the faculty and staff groups in Entra. I have the Group Names in the list but it's not working. Is there a specific type of group requirement, or does the Entra app for Connect need a specific permission to read group memberships? I'm hitting a wall here and the online help article is not helpful.

plist: 

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <!-- plist header and root element added so the posted fragment parses as a standalone .plist -->
    <plist version="1.0">
    <dict>
      <key>TemporaryUserPromotion</key>
      <true/>
      <key>UserPromotionTimer</key>
      <true/>
      <key>UserPromotionReason</key>
      <true/>
      <key>UserPromotionLimit</key>
      <integer>20</integer>
      <!-- one entry per Entra group name; Duration is the elevation time for that group -->
      <key>UserPromotionRole</key>
      <array>
        <dict>
          <key>Name</key>
          <string>Faculty - All</string>
          <key>Duration</key>
          <integer>15</integer>
        </dict>
        <dict>
          <key>Name</key>
          <string>Staff - All</string>
          <key>Duration</key>
          <integer>30</integer>
        </dict>
        <dict>
          <key>Name</key>
          <string>Staff - RBC</string>
          <key>Duration</key>
          <integer>60</integer>
        </dict>
      </array>
      <key>UserPromotionChoices</key>
      <array>
        <string>Printer Installation</string>
        <string>Software Installation</string>
        <string>OS or Software Update</string>
      </array>
      <key>UserPromotionDuration</key>
      <integer>0</integer>
    </dict>
    </plist>


easyedc
Valued Contributor II

For the life of me I think I remember one of the learn articles or videos mentioning that spaces in group names were discouraged to avoid issues. If you created a group in Entra without a space,

    <string>Staff-All</string>

does it work?
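A quick way to test the suggestion above without editing the profile by hand is to parse it, list what the UserPromotionRole array actually contains, and generate a renamed copy. The script below is an added example for this thread, not Jamf's code; the sample plist inside it mirrors the profile the original poster shared, and the list of keys it checks is just the keys that profile uses, not a full schema.

```python
"""Inspect the UserPromotionRole entries of a Self Service+ privilege
elevation profile: parse the plist, list role names and durations, flag
names with spaces or stray whitespace (the hypothesis in the reply above),
and write a renamed copy so the no-space variant can be tried side by side.
Added example for this thread; not Jamf's code."""

from __future__ import annotations

import copy
import plistlib

# Constructed sample that mirrors the profile fragment posted in the thread,
# wrapped in the XML header a complete .plist file needs.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>TemporaryUserPromotion</key>
  <true/>
  <key>UserPromotionTimer</key>
  <true/>
  <key>UserPromotionReason</key>
  <true/>
  <key>UserPromotionLimit</key>
  <integer>20</integer>
  <key>UserPromotionRole</key>
  <array>
    <dict><key>Name</key><string>Faculty - All</string><key>Duration</key><integer>15</integer></dict>
    <dict><key>Name</key><string>Staff - All</string><key>Duration</key><integer>30</integer></dict>
    <dict><key>Name</key><string>Staff - RBC</string><key>Duration</key><integer>60</integer></dict>
  </array>
  <key>UserPromotionChoices</key>
  <array>
    <string>Printer Installation</string>
    <string>Software Installation</string>
    <string>OS or Software Update</string>
  </array>
  <key>UserPromotionDuration</key>
  <integer>0</integer>
</dict>
</plist>
"""

# Keys the posted profile uses (taken from the thread; assumed, not a schema).
POSTED_KEYS = (
    "TemporaryUserPromotion", "UserPromotionTimer", "UserPromotionReason",
    "UserPromotionLimit", "UserPromotionRole", "UserPromotionChoices",
    "UserPromotionDuration",
)


def load_profile(data: bytes) -> dict:
    """Parse an XML plist; raises if the document is not well-formed."""
    return plistlib.loads(data)


def role_entries(profile: dict) -> list[tuple]:
    """Return (Name, Duration) pairs from the UserPromotionRole array."""
    return [(e.get("Name"), e.get("Duration"))
            for e in profile.get("UserPromotionRole", [])]


def lint_profile(profile: dict) -> list[str]:
    """Report absent keys, whitespace oddities and bad durations."""
    findings = []
    for key in POSTED_KEYS:
        if key not in profile:
            findings.append(f"key absent: {key}")
    seen = set()
    for name, duration in role_entries(profile):
        if not isinstance(name, str) or not name.strip():
            findings.append("role entry without a Name")
            continue
        if name != name.strip():
            findings.append(f"leading/trailing whitespace in {name!r}")
        if " " in name.strip():
            findings.append(f"space inside {name!r}")
        if name in seen:
            findings.append(f"duplicate role {name!r}")
        seen.add(name)
        if not isinstance(duration, int) or isinstance(duration, bool) or duration <= 0:
            findings.append(f"role {name!r} has a non-positive Duration")
    return findings


def with_renamed_roles(profile: dict, mapping: dict) -> bytes:
    """Return a new XML plist with role Names replaced according to mapping."""
    new = copy.deepcopy(profile)
    for entry in new.get("UserPromotionRole", []):
        if entry.get("Name") in mapping:
            entry["Name"] = mapping[entry["Name"]]
    return plistlib.dumps(new)


if __name__ == "__main__":
    prof = load_profile(SAMPLE_PLIST)
    for name, dur in role_entries(prof):
        print(f"{name!r}: {dur} min")
    for finding in lint_profile(prof):
        print("-", finding)
    print(with_renamed_roles(prof, {"Staff - All": "Staff-All"}).decode())
```

Run it against the exported profile instead of the embedded sample by reading the file into `load_profile`; the renamed output can be dropped back into the profile payload to test one group at a time.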

McAwesome
Valued Contributor

I'd recommend against this route for a simple reason: it doesn't limit to specific devices, so any time you give someone admin on one machine you're giving it to them on all machines. That's not ideal, doubly so when something like SAP Privileges can limit admin elevation to only the assigned user for the machine.

jhathcock
New Contributor III

That's actually the reason we would prefer this option. It allows us to keep the students from accessing it but allows teachers and staff to log onto devices to perform updates or install a software package that can't be pushed.