Centrify Zone Role Workflow integration in ServiceNow

Zones enable you to grant specific rights to users in specific roles on specific computers. By assigning roles, you can control the scope of resources any particular group of users can access and what those users can do. For example, all of the computers in the finance department could be grouped into a single zone called “finance” and the members of that zone could be restricted to finance employees and senior managers, each with specific rights, such as permission to log on locally, access a database, update certain files, or generate reports.

Rights represent specific operations users are allowed to perform. A role is a collection of rights that can be defined in a parent or child zone and inherited. For example, a role defined in a parent zone can be used in a child zone, in a computer role, or at the computer level.

While it is possible to give users access by statically assigning them to a role with specific administrative rights, a more secure method for controlling access is to establish a request and approval workflow. A request and approval workflow gives specific users or members of specific roles the ability to approve or reject access requests. It improves security by controlling which users can request access, which users can grant access, and how long access is allowed if it is granted.

The Centrify Zone Role Workflow integration allows you to use ServiceNow to request and approve access to zone roles. The Zone Role Workflow integration is a feature of the Centrify Privileged Access Request application available through the ServiceNow store. See Managing zone role assignment requests for more information about zone role workflow.

The Zone Role Workflow integration requires the following:

  • The ServiceNow app configured.
  • Zones and roles configured on the registered and verified ServiceNow domain.
  • Zone Role Workflow enabled in the Admin Portal tenant.
  • A registered and verified ServiceNow domain.
  • A ServiceNow account with administrator privileges.

To configure the Zone Role Workflow integration

Create role mappings for users and approvers.

  • Map the role of the end users to the Destination Role user.
  • Map the role of the approvers to two Destination Roles (itil and x_cenr3_priv_access.approver).

    Note: The Destination Role itil gives approvers the ability to process or fulfill requests through the ServiceNow Catalog. The Destination Role x_cenr3_priv_access.approver limits the approvers' scope to the functionality provided under Centrify Privileged Access Request.

    For example:

    Name                        Destination Role
    ServiceNow Approvers Role   itil, x_cenr3_priv_access.approver
    ServiceNow End Users Role   user

After you configure Centrify Privileged Access Request to integrate Centrify Privileged Access with ServiceNow, Centrify requesters and approvers have the following user experience.

Requester experience

  1. Access ServiceNow through the Admin Portal.

    This should be an AD user in the domain that is registered and verified with ServiceNow.

  2. Select the Service Catalog, then search for Centrify Zone Role Workflow.

  3. Create the request for the resource(s) and role you need, then click Order Now.

    The fields for the request mirror those in the Admin Portal.

    ServiceNow generates a request number that you can use to track the request.

  4. Once the request is approved, ServiceNow contacts the Centrify PAS through an API and the requester is given access to the requested role.

    Users can then access computers in the zone and perform tasks available to the role they were granted access to.

Approver experience

  1. Access ServiceNow through the Admin Portal.
  2. Select ServiceNow > Centrify Privileged Access Request, then click My Approvals.
  3. Close the task by granting windowed, temporary, or permanent access, then clicking Close Task.

    See Responding to zone-based role assignment requests for more information.
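The role mappings above and the approver's choice of windowed, temporary, or permanent access together decide who may request, who may grant, and for how long. The following Python model is an added example, not code from Centrify or ServiceNow: it checks the requester and approver role sets named on this page, stamps an expiry from the assignment type, and reports whether a grant is still active. The request fields, the no-self-approval check, and the assumption that a windowed or temporary grant starts at approval time are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Destination Roles the page maps for end users and for approvers.
REQUESTER_ROLES = {"user"}
APPROVER_ROLES = {"itil", "x_cenr3_priv_access.approver"}

@dataclass
class ZoneRoleRequest:
    requester: str
    resource: str                  # computer in the zone
    role: str                      # zone role being requested
    assignment_type: str           # "windowed", "temporary" or "permanent"
    duration: Optional[timedelta] = None
    status: str = "pending"
    expires_at: Optional[datetime] = None

def can_request(roles: set) -> bool:  # requesters need Destination Role 'user'
    return REQUESTER_ROLES <= roles

def can_approve(roles: set) -> bool:  # approvers need BOTH itil and the approver role
    return APPROVER_ROLES <= roles

def approve(req: ZoneRoleRequest, approver: str, roles: set, now: datetime) -> ZoneRoleRequest:
    """Approve a pending request and stamp the expiry implied by its assignment type."""
    if not can_approve(roles):
        raise PermissionError(f"{approver} is missing {sorted(APPROVER_ROLES - roles)}")
    if approver == req.requester:  # assumed control: no self-approval
        raise PermissionError("requester may not approve their own request")
    if req.assignment_type == "permanent":
        req.expires_at = None
    elif req.assignment_type in ("windowed", "temporary"):
        if req.duration is None:
            raise ValueError("duration is required for non-permanent access")
        req.expires_at = now + req.duration  # assumed: the window opens at approval
    else:
        raise ValueError(f"unknown assignment type {req.assignment_type!r}")
    req.status = "approved"
    return req

def is_active(req: ZoneRoleRequest, now: datetime) -> bool:
    """True while the granted zone role should still be usable."""
    return req.status == "approved" and (req.expires_at is None or now < req.expires_at)

def demo() -> dict:  # constructed scenario: 4-hour temporary grant approved at 09:00
    t0 = datetime(2024, 1, 1, 9, 0)
    req = ZoneRoleRequest("alice", "fin-db01", "dba", "temporary", timedelta(hours=4))
    approve(req, "bob", {"itil", "x_cenr3_priv_access.approver"}, t0)
    return {"status": req.status, "active_3h": is_active(req, t0 + timedelta(hours=3)),
            "active_5h": is_active(req, t0 + timedelta(hours=5))}
```

Running demo() shows the grant active three hours after approval and expired after five; an approver holding only itil is rejected before any expiry is computed.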

Requesting assignment to a role

  1. Navigate to the Zone Role Workflow and provide information for the following fields:

    • Resource
    • Role
    • Assignment Type
    • Duration Type
    • Duration
    • Priority
    • Parent Task
    • Request Justification

  2. Once you have entered the request information correctly, navigate to the top right corner. Select a quantity, then either add the request to the cart or order it.

Once the request is submitted, you will see an order summary with information such as the description, delivery date, and stage of procurement.

To find Centrify Privileged Access Request logs

Centrify Privileged Access Request provides detailed logs for errors you might encounter while providing access to zone roles.

Go to ServiceNow > Centrify Privileged Access Request > Admin > Logs to find the logs.