We have a role-based setup in our company that allows the Helpdesk role to grant temporary unlocks in urgent situations. However, certain options and modules should not be accessible to this role.

In particular, for Application Control, it is critical that the Helpdesk can perform only a standard Application Control unlock. The options under “Executable files to add to the local hash database”, specifically:

Files written to the computer during the unlock period
Executables (and DLLs) launched during the unlock period

must not be available to the Helpdesk role. These capabilities should be restricted exclusively to the Administrator role.

A possibility to choose which options are available for specific Roles or atleast in general would be great.

Thanks :)