Centrify Zone Role Workflow integration in ServiceNow
Zones enable you to grant specific rights to users in specific roles on specific computers. By assigning roles, you can control the scope of resources any particular group of users can access and what those users can do. For example, all of the computers in the finance department could be grouped into a single zone called “finance” and the members of that zone could be restricted to finance employees and senior managers, each with specific rights, such as permission to log on locally, access a database, update certain files, or generate reports.
Rights represent specific operations users are allowed to perform. A role is a collection of rights that can be defined in a parent or child zone and inherited. For example, a role defined in a parent zone can be used in a child zone, in a computer role, or at the computer level.
While it is possible to give users access by statically assigning them to a role with specific administrative rights, a more secure method for controlling access is to establish a request and approval workflow. A request and approval workflow gives specific users or members of specific roles the ability to approve or reject access requests. It improves security by controlling which users can request access, which users can grant access, and how long access is allowed if it is granted.
The Centrify Zone Role Workflow integration allows you to use ServiceNow to request and approve access to zone roles. The Zone Role Workflow integration is a feature of the Centrify Privileged Access Request application available through the ServiceNow store. See Managing zone role assignment requests for more information about zone role workflow.
The Zone Role Workflow integration requires the following:
- The ServiceNow app configured.
- Zones and roles configured on the registered and verified ServiceNow domain.
- Zone Role Workflow enabled in the Admin Portal tenant.
- A registered and verified ServiceNow domain.
- A ServiceNow account with administrator privileges.
To configure the Zone Role Workflow integration
Create role mappings for users and approvers.
- Map the user(s)' role to the Destination Role user.
- Map the approver(s)' role to two Destination Roles (itil and x_cenr3_priv_access.approver).

Note: The Destination Role itil gives approvers the ability to process or fulfill requests through the ServiceNow Catalog. The Destination Role x_cenr3_app_access.approver limits approvers' scope to the functionality provided under Centrify Privileged Access Request.

For example:
| Name | Destination Role |
| --- | --- |
| ServiceNow Approvers Role | itil, x_cenr3_priv_access.approver |
| ServiceNow End Users Role | user |
After you configure Centrify Privileged Access Request to integrate Privileged Access Service with ServiceNow, Centrify requesters and approvers have the fo
| User | Experience |
| --- | --- |
| Requester | |
| Approver | |
Requesting assignment to a role
- Navigate to the Zone Role Workflow and provide information for the following fields:
  - Resource
  - Role
  - Assignment Type
  - Duration Type
  - Duration
  - Priority
  - Parent Task
  - Request Justification
- Once you have the request information correctly entered, navigate to the top right corner. Select quantity and add to cart or order the request.

Once submitted, you will see an order summary with information like description, delivery date, and stage of procurement.
To find Centrify Privileged Access Request logs
Centrify Privileged Access Request provides detailed logs for errors you might encounter providing access to zone roles.
Go to ServiceNow > Centrify Privileged Access Request > Admin > Logs to find the logs.