Provide temporary access to offline users

This topic describes how EPM enables authorized Set administrators to provide elevation for offline users.

Overview

The Offline Policy Authorization Generator tool is a stand-alone executable that enables EPM admins to provide authorization codes to end users who request use of an application that is currently unavailable to them. This is useful for end users who temporarily do not have EPM server connectivity, and are unable to get policy updates pushed to them until they are connected again.

In addition, the Offline Policy Authorization Generator tool allows administrators to proactively generate authorization codes for end users, without waiting for requests from them. These codes are generated by running the tool in CLI mode.

The IT manager can provide other administrative users with the appropriate file to use on their local machines, thereby helping them manage end user requests for temporary authorization. For further information, refer to Enable authorization codes.

The validation period indicates how long the authorization code is valid. For details about how long the Request for Authorization window stays open on an end user's screen, see Configure requests.

Download the OPAG tool

Download the relevant tool and save it locally.

From v23.6.0, you can only download the updated OPAG utility.

EPM agents earlier than 23.6.0 only work with the previous version of the OPAG utility, which can no longer be downloaded. If you have not yet upgraded your EPM agent to 23.6.0, contact customer support.

For agent versions lower than 23.6.0, download the OPAG utility from the CyberArk Marketplace.

  1. In the EPM Management Console, go to My Computers > Download Center and display the Tools tab.

  2. Under Offline authorization, download the Offline Policy Authorization Generator tool (EPM_OPAG_tool.exe) and save it locally.

Logs

When you run the tool, a log file is generated in the same folder where EPM_OPAG_tool.exe is found. This log file includes information about current operations in the tool and is called EPM-OPAG-tool.log.

End user interface

You can customize the interface for the Offline Policy Authorization Generator feature for the following actions. Each action is listed below together with the interface element it customizes:

Context menu

The text in the Windows Explorer context menu when launching an application with OPAG.

On Windows agents, the following items are displayed in the context menu; their text can be customized.

  • Run with authorization code - Open a dialog and paste the authorization code you received from the EPM set administrator, as described below in Run using Authorization Code.

  • Request authorization - Send a request to the EPM set administrator for a code to run the application, as described below in Request authorization.

On macOS agents, the following item is displayed in the context menu. This cannot be customized.

Request authorization

The dialog that appears when a user requests authorization.

In the EPM Management Console, go to End-user UI > Dialogs, then customize the Request for Authorization dialog in either the Windows or macOS section.

For more details, see Configure requests for authorization codes.

Run using Authorization Code

The dialog that appears when a user receives an authorization code directly from the administrator without sending a request first.

In the EPM Management Console go to End-user UI and then to Dialogs, then customize the Run using Authorization Code dialog in the Windows section.

For more details, see Create an authorization code without a request.

Blocked access

The dialog that appears when an application is blocked or requires administrative privileges.

For Windows agents, customize either the Application Block notification or Policy Automation (UAC) dialog.

For macOS agents, customize the Application Block notification dialog.

Customize the Windows Explorer Context Menu item

  1. From the EPM Management Console go to Advanced and then to Agent Configuration.

  2. In the Offline Policy Authorization Generator section, change the value of the Shell Run Authorization Menu Text parameter.

  3. Click Save at the top of the screen to save your changes.

Disable OPAG for sudo commands on macOS endpoints

The CYBERARK_EPM_DISABLE_OPAG_SUDO environment variable determines whether or not EPM administrators can request an authorization code to run sudo commands on macOS endpoints.

Enable administrators to request an authorization code

In the environment variables, set CYBERARK_EPM_DISABLE_OPAG_SUDO to NO. This is the default setting.

When a user attempts to run an unauthorized sudo command, a message displays the Request ID for this action, which must be included in the request for an authorization code.

Prevent users from running sudo commands

In the environment variables, set CYBERARK_EPM_DISABLE_OPAG_SUDO to YES.

Users will not be able to run unauthorized sudo commands, and the Offline Policy Authorization Generator tool will not be activated.
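The following script is an added example, not part of the CyberArk documentation or the EPM agent, that an administrator could use to audit the CYBERARK_EPM_DISABLE_OPAG_SUDO setting on an endpoint against the two documented values. It reports only what the page states: unset or NO (the default) lets users request an authorization code for an unauthorized sudo command, and YES blocks such commands without activating OPAG. Any other value (including lowercase variants) is flagged for review rather than interpreted, because the agent's handling of undocumented values is not described here. Reading the value via launchctl getenv is an assumption about where the agent picks up its environment; verify it against your deployment.

```shell
#!/bin/sh
# Added example (not CyberArk's code): audit the documented states of
# CYBERARK_EPM_DISABLE_OPAG_SUDO on an EPM-managed macOS endpoint.
#
#   unset or NO -> users may request an authorization code for sudo (default)
#   YES         -> unauthorized sudo commands are blocked, OPAG is not activated
#   anything else -> flagged as unrecognized (assumption: not documented here)

# opag_sudo_state VALUE -> prints: requests-enabled | sudo-blocked | unrecognized
# Matching is exact on purpose: only the two documented spellings are accepted,
# so a misconfigured endpoint is reported instead of being silently interpreted.
opag_sudo_state() {
    case "${1:-}" in
        ""|NO) printf 'requests-enabled\n' ;;   # default behaviour per the documentation
        YES)   printf 'sudo-blocked\n' ;;
        *)     printf 'unrecognized\n' ;;
    esac
}

# describe_state STATE -> one-line explanation suitable for an audit report
describe_state() {
    case "$1" in
        requests-enabled) printf 'Users may request an authorization code for unauthorized sudo commands (default).\n' ;;
        sudo-blocked)     printf 'Unauthorized sudo commands are blocked and OPAG is not activated for them.\n' ;;
        *)                printf 'Value is not YES or NO; review this setting.\n' ;;
    esac
}

# current_opag_setting -> reads the variable from the launchd environment on macOS
# (launchctl getenv), falling back to the current shell environment elsewhere.
# Assumption: the agent inherits the launchd global environment.
current_opag_setting() {
    if command -v launchctl >/dev/null 2>&1; then
        launchctl getenv CYBERARK_EPM_DISABLE_OPAG_SUDO 2>/dev/null || true
    else
        printf '%s' "${CYBERARK_EPM_DISABLE_OPAG_SUDO:-}"
    fi
}

# report VALUE -> prints the audit line for one value
report() {
    state=$(opag_sudo_state "$1")
    printf "CYBERARK_EPM_DISABLE_OPAG_SUDO='%s' -> %s: %s\n" "$1" "$state" "$(describe_state "$state")"
}

if [ "${1:-}" = "--demo" ]; then
    # Constructed sample values exercising every branch of the classifier.
    for sample in "" NO YES yes maybe; do
        report "$sample"
    done
else
    # Real audit of this endpoint.
    report "$(current_opag_setting)"
fi
```

Run it with --demo to see each documented state and the unrecognized branch; run it without arguments on an endpoint to print the audit line for the current value. Because only exact YES and NO are accepted, a fleet-wide sweep that collects the output can separate endpoints that are deliberately locked down from those whose setting needs attention.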