# Usage guide: Manage local admin permissions

{% hint style="warning" %}
This page outlines various ways to use the pack, including use case examples.

Administrators can refer to the [Configuration guide: Manage local admin permissions](https://docs.nexthink.com/platform/library-packs/l1-support/workflow-grant-temporary-local-admin-permission/configuration-guide-zscaler-vpn-assisted-troubleshooting) to set up and customize the installed content.
{% endhint %}

The **Manage local admin permission** library pack enables IT teams to:

* Automate the approval and revocation of local admin rights.
* Reduce the risk of security breaches by ensuring admin access is strictly temporary.
* Improve IT operational efficiency by minimizing manual intervention.
* Strengthen compliance with IT policies through automated logging and auditing.
* Provide employees with a seamless and timely process for requesting admin privileges.

## Library pack uses

{% hint style="info" %}
Jump to [Use cases](#use-cases) on this page to see relevant scenario applications.
{% endhint %}

Use the library pack content for the following purposes.

### **Visibility** <a href="#visibility" id="visibility"></a>

This library pack focuses on the **Manage local admin permission** [workflow](https://docs.nexthink.com/platform/user-guide/workflows). It streamlines the process of granting and revoking temporary local administrator privileges. All actions are logged in the IT service management (ITSM) ticketing system, ensuring a complete audit trail for compliance and security purposes.

### **Workflow triggering** <a href="#workflow-triggering" id="workflow-triggering"></a>

This workflow is designed to be initiated on a specific device during a support call with an employee or in response to a request for temporary local admin privileges. It can be triggered from [device view](https://docs.nexthink.com/platform/user-guide/device-view) (as shown below) or [Amplify](https://docs.nexthink.com/platform/configuring_nexthink/bringing-data-into-your-nexthink-instance/deploying-nexthink-in-non-vdi-environment/configure-amplify). The workflow utilizes the **Incident number** parameter to track progress.

<figure><img src="https://268444917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxJSUDk9NTtCHYPG5EWs3%2Fuploads%2Fgit-blob-20c9411a6bf2d352aef4cbfa0333122c450bdc24%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

## Use cases

In addition to the relevant use cases covered below, you may uncover other troubleshooting scenarios specific to your environment.

### **Initial compliance check**

Granting local administrator rights to a user, even for a temporary period, can lead to abuse and carries a significant risk. Any change of this nature should be reported in ITSM and a pre-existing ticket should be created before this workflow is launched.\
The workflow includes a parameter that allows the ticket ID to be entered upon workflow execution.

To ensure that the user making the request is the same person using the device, an additional step is required. The workflow contains a parameter for username, which has to be filled out at the point of execution. The workflow will check this username against the currently logged-in user and will only proceed if they match.

The final check is authorization by the user's manager. This is obtained by sending an MS Teams message.

<figure><img src="https://268444917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxJSUDk9NTtCHYPG5EWs3%2Fuploads%2Fgit-blob-1c36dc0fdefb6c7ba6e1ac4dade765dc66ddc456%2FCompliance.png?alt=media" alt=""><figcaption></figcaption></figure>

### Grant local admin permission, and set a delay

If all compliance checks are complete and manager approval has been granted, the user will now be granted local administrator privileges on the device. This can be achieved for both Windows and macOS devices using different remote actions. In both cases, the successful execution of the remote action is checked and the ITSM ticket is updated in case of failure.

Following successful executions of the remote action(s), the ITSM ticket is updated and the user is then informed, allowing them to perform the local action that triggered the ticket generation. A custom-defined time delay (defaulting to 30 minutes) is then initiated.

<figure><img src="https://268444917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxJSUDk9NTtCHYPG5EWs3%2Fuploads%2Fgit-blob-87c650cbc96bb734c7053c0f34389452315207c7%2Fexecution.png?alt=media" alt=""><figcaption></figcaption></figure>

### Removal of local admin permissions

To minimize the risk associated with elevated permissions, after the predefined delay, the workflow will continue and revoke the local admin permission on the device using the same operating-system-specific remote actions used earlier.

The execution of each remote action is checked, and any failures are logged in ITSM for further investigation and manual revocation of admin rights.

If the process is successful, the ITSM ticket is updated and then closed.

<figure><img src="https://268444917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxJSUDk9NTtCHYPG5EWs3%2Fuploads%2Fgit-blob-0c7b07b59cec75d58c82245f372f57b57411073a%2FRemoval.png?alt=media" alt=""><figcaption></figcaption></figure>
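
The following is an added example, not part of the Nexthink pack: a reconciliation check over the audit trail that flags grants made without manager approval, failed or late revocations, and devices still elevated past the delay. The event tuple layout, action names, and the 5-minute grace period are assumptions, and the records are constructed sample data.

```python
from datetime import datetime, timedelta

DEFAULT_DELAY = timedelta(minutes=30)  # the workflow's default delay, per this page
GRACE = timedelta(minutes=5)           # assumed slack for remote-action latency

# Constructed records: (ticket, device, user, action, ISO timestamp). Hypothetical layout.
SAMPLE_EVENTS = [
    ("INC001", "LT-01", "alice", "approved",      "2024-05-02T09:00:00"),
    ("INC001", "LT-01", "alice", "grant",         "2024-05-02T09:01:00"),
    ("INC001", "LT-01", "alice", "revoke",        "2024-05-02T09:31:00"),
    ("INC002", "LT-02", "bob",   "approved",      "2024-05-02T10:00:00"),
    ("INC002", "LT-02", "bob",   "grant",         "2024-05-02T10:02:00"),
    ("INC002", "LT-02", "bob",   "revoke_failed", "2024-05-02T10:32:00"),
    ("INC003", "MB-07", "carol", "grant",         "2024-05-02T11:00:00"),
    ("INC003", "MB-07", "carol", "revoke",        "2024-05-02T11:30:00"),
    ("INC004", "MB-09", "dave",  "approved",      "2024-05-02T12:00:00"),
    ("INC004", "MB-09", "dave",  "grant",         "2024-05-02T12:01:00"),
]

def find_violations(events, now, delay=DEFAULT_DELAY, grace=GRACE):
    """Return sorted (ticket, device, user, finding) tuples that need follow-up."""
    state, findings = {}, set()
    for ticket, device, user, action, at in sorted(events, key=lambda e: e[4]):
        key = (ticket, device, user)
        s = state.setdefault(key, {"approved": False, "granted": None, "revoked": None})
        ts = datetime.fromisoformat(at)
        if action == "approved":
            s["approved"] = True
        elif action == "grant":
            if not s["approved"]:  # the manager approval step must precede the grant
                findings.add(key + ("granted_without_approval",))
            s["granted"], s["revoked"] = ts, None
        elif action == "revoke" and s["granted"]:
            if ts - s["granted"] > delay + grace:
                findings.add(key + ("revoked_late",))
            s["revoked"] = ts
        elif action == "revoke_failed":  # needs manual revocation of admin rights
            findings.add(key + ("revoke_failed",))
    for key, s in state.items():
        # A grant with no successful revoke past the deadline is still elevated.
        if s["granted"] and not s["revoked"] and now - s["granted"] > delay + grace:
            findings.add(key + ("still_elevated",))
    return sorted(findings)

if __name__ == "__main__":
    for finding in find_violations(SAMPLE_EVENTS, datetime(2024, 5, 2, 13, 0)):
        print(finding)
```
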

***

RELATED TOPICS

* [Manage Workflows](https://docs.nexthink.com/platform/user-guide/workflows/managing-workflows)
* [Manage Campaigns](https://docs.nexthink.com/platform/user-guide/campaigns/managing-campaigns)
* [Manage Remote Actions](https://docs.nexthink.com/platform/user-guide/remote-actions/managing-remote-actions)
* [Configuration guide: Manage local admin permissions](https://docs.nexthink.com/platform/library-packs/l1-support/workflow-grant-temporary-local-admin-permission/configuration-guide-zscaler-vpn-assisted-troubleshooting)

