Admin By Request
Audience: Unit administrators and Platform Engineering
Purpose: Guide for managing temporary administrative privileges and configuring role-based access control
Quick Links
| Resource | Description |
|---|---|
| Admin By Request Portal | Admin portal login |
| Run as Admin Docs | Official Run as Admin documentation |
| ABR Documentation | Official Admin By Request documentation |
| ABR Editions | Product edition comparison |
Overview
Admin By Request is a security and privilege management solution that allows users to run applications with elevated privileges without receiving full administrative rights. This promotes the principle of least privilege while maintaining productivity.
Key Features
Run as Admin
Allows end-users to run specific applications with administrative privileges when necessary:
- Temporary Elevation — Privileges granted for specific tasks without full admin rights
- Audit Logging — All elevated actions logged for compliance
- Risk Reduction — Limits malware and unauthorized changes by scoping privileges
See the official Run as Admin Overview for detailed documentation.
Privilege Management
Administrators control and manage privilege elevation:
- Assign custom roles to unit administrators
- Approve or deny user requests based on policy
- Review activities for compliance and security
- Configure approval workflows per unit
Security & Audit Logging
Comprehensive auditing ensures visibility and compliance:
- Track all privileged actions across the organization
- Monitor usage patterns and anomalies
- Export logs for compliance reporting
- Configure alerts for suspicious activity
Using the Portal
The Admin By Request portal provides access to inventory management, approval workflows, and audit capabilities.
Inventory
In the Inventory section, administrators can:
| Feature | Description |
|---|---|
| Device Details | View hardware specs, login time, and status |
| Filtering | Filter devices by status, OS, or other criteria |
| Break Glass | Bypass approval for emergency access |
| PIN Codes | Generate temporary PINs for specific tasks |
Break Glass Feature
Break Glass bypasses approval workflows for emergency situations. Improper use introduces security vulnerabilities.
Best Practices:
- Restrict access to senior administrators only
- Log all Break Glass usage
- Document reasons and actions taken
- Review usage in regular audits
PIN Code Feature
PIN Codes provide temporary administrative privileges for end-users.
Best Practices:
- Limit PIN validity period
- Do not share PINs via insecure channels
- Regularly review PIN issuance patterns
- Revoke unused PINs promptly
Approvals
In the Approvals section:
- Review incoming privilege elevation requests
- Evaluate requests against organizational policies
- Approve or deny with documented reason
- Monitor request patterns for anomalies
Audit Log
The Audit Log enables compliance tracking:
- Navigate to the Audit Log section
- Use filters to locate specific actions by user, device, or date
- Export logs for external review or compliance requirements
- Set up alerts for specific action types
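The Break Glass and PIN Code best practices above can be checked mechanically against an exported audit log. The following is an added example, not Admin By Request code or the product's export schema. The CSV columns, the senior-admin allow-list, and the 8-hour PIN limit are assumptions, and the sample rows are constructed.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export; column names are assumptions, not the real schema.
SAMPLE_EXPORT = """timestamp,actor,device,action,reason,pin_expires,pin_used
2024-03-04T09:12:00,alice.senior,WS-1041,break_glass,Domain trust broken on kiosk,,
2024-03-05T22:47:00,bob.helpdesk,WS-2210,break_glass,,,
2024-03-06T10:00:00,carol.unit,WS-3307,pin_issued,Printer driver install,2024-03-06T14:00:00,yes
2024-03-06T11:30:00,carol.unit,WS-3308,pin_issued,Software update,2024-03-20T11:30:00,no
2024-03-07T08:15:00,dave.unit,WS-3310,pin_issued,VPN client repair,2024-03-07T12:15:00,no
"""

SENIOR_ADMINS = {"alice.senior"}         # assumed allow-list for Break Glass
MAX_PIN_VALIDITY = timedelta(hours=8)    # assumed local policy limit
REVIEW_TIME = datetime(2024, 3, 8)       # constructed "now" for the sample data


def review_export(text, now):
    """Return (device, finding) pairs for rows that break the best practices."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        issued = datetime.fromisoformat(row["timestamp"])
        if row["action"] == "break_glass":
            # Break Glass is restricted to senior administrators.
            if row["actor"] not in SENIOR_ADMINS:
                findings.append((row["device"], "break glass by non-senior admin"))
            # Every Break Glass use needs a documented reason.
            if not row["reason"].strip():
                findings.append((row["device"], "break glass without documented reason"))
        elif row["action"] == "pin_issued":
            expires = datetime.fromisoformat(row["pin_expires"])
            # PIN validity period must stay within the policy limit.
            if expires - issued > MAX_PIN_VALIDITY:
                findings.append((row["device"], "PIN validity exceeds policy"))
            # An unused PIN that has not yet expired should be revoked.
            if row["pin_used"] != "yes" and expires > now:
                findings.append((row["device"], "unused PIN still valid, revoke"))
    return findings


if __name__ == "__main__":
    for device, finding in review_export(SAMPLE_EXPORT, REVIEW_TIME):
        print(f"{device}: {finding}")
```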
Role-Based Access Control
Purpose
This Standard Operating Procedure (SOP) defines the process for managing unit-scoped RBAC within Admin By Request. Each unit receives a custom role that limits access to only their devices and users.
Custom Roles and Scoped Permissions
Administrators' permissions are scoped to their unit:
| Permission | Description |
|---|---|
| View Inventory | Access device inventory within the unit |
| Approve Requests | Approve privilege elevation for unit devices |
| View Reports | Generate reports for unit devices and users |
| Issue PIN Codes | Generate PINs for unit administrative operations |
| Manage Workstations | Perform management tasks for unit workstations |
Unit administrators cannot:
- Modify Global Settings for Windows workstations
- Create or manage Sub Settings for Windows workstations
- Access devices or users outside their assigned unit
Role Assignment Process
Step 1: Identify Unit Membership
Each unit has at least one Security Group that dynamically feeds the Security Group used for SCIM provisioning.
Step 2: Assign the Custom Role
- Director or Manager assigns users to the unit's top-level Security Group
- SCIM Provisioning automatically syncs permissions to Admin By Request
- Additional Systems (Entra ID, Intune) receive permissions automatically
Step 3: Review and Audit
- Regular Reviews — Directors/managers review Security Group memberships quarterly
- Platform Engineering Audits — Periodic verification of permission alignment
- Unauthorized Changes — Report and correct promptly
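One way to run the permission-alignment check from Step 3, as an added example that is not part of the original SOP or the product. All group names, role names, users, devices, and data structures are constructed assumptions standing in for an Entra ID group export and portal role and approval listings.

```python
# Constructed sample data; structure and all names are assumptions.
UNIT_GROUPS = {            # Security Group membership per unit
    "Finance": {"ana", "ben"},
    "Library": {"cho"},
}
DEVICE_UNIT = {"FIN-01": "Finance", "FIN-02": "Finance", "LIB-01": "Library"}
ABR_ROLES = [              # custom role assignments as listed in the portal
    {"user": "ana", "role": "Finance-UnitAdmin", "unit": "Finance"},
    {"user": "ben", "role": "Finance-UnitAdmin", "unit": "Finance"},
    {"user": "dee", "role": "Library-UnitAdmin", "unit": "Library"},
]
APPROVALS = [              # who approved an elevation request on which device
    {"approver": "ana", "device": "FIN-01"},
    {"approver": "ben", "device": "LIB-01"},
]


def audit_alignment(groups, roles, device_unit, approvals):
    """Compare group membership, role assignments, and approvals per unit."""
    findings = []
    holders = {}           # unit -> users holding that unit's custom role
    for r in roles:
        holders.setdefault(r["unit"], set()).add(r["user"])
        # Role present but the user is not in the unit's Security Group:
        # either a manual assignment or a removal that never synced.
        if r["user"] not in groups.get(r["unit"], set()):
            findings.append(("role_without_group", r["user"], r["unit"]))
    for unit, members in sorted(groups.items()):
        # Group member with no role: provisioning has not caught up.
        for user in sorted(members - holders.get(unit, set())):
            findings.append(("group_without_role", user, unit))
    for a in approvals:
        # Approvals must come from a role holder of the device's own unit.
        unit = device_unit.get(a["device"])
        if a["approver"] not in holders.get(unit, set()):
            findings.append(("out_of_unit_approval", a["approver"], a["device"]))
    return findings


if __name__ == "__main__":
    for finding in audit_alignment(UNIT_GROUPS, ABR_ROLES, DEVICE_UNIT, APPROVALS):
        print(finding)
```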
Requesting Custom Sub Settings
To request custom sub-settings for your unit:
- Identify Needs — Determine the required custom configurations
- Submit Request — Contact Platform Engineering with detailed descriptions
- Review Process — Platform Engineering evaluates the request
- Implementation — Approved settings are configured
Submit custom configuration requests through ServiceNow or contact Platform Engineering directly via Teams.
Prerequisites
Administrators using Admin By Request should have:
- Basic understanding of the Admin By Request platform
- Familiarity with Role-Based Access Control concepts
- Experience with Entra ID group management
- Basic IT administrative skills
Learning Resources
| Topic | Resource |
|---|---|
| Windows Endpoints | Overview |
| Installation Guide | Windows Install |
| User Interface | UI Overview |
| Portal Features | Portal Guide |
| Tenant Settings | Settings Guide |
| Key Terms | Definitions |
Related Resources
- Entra ID Best Practices — PIM and conditional access
- Intune Documentation — Endpoint management
- Teams Overview — Platform Engineering contact info