Selecting an identity repository

Privileged Access Service requires an identity repository for storing user data and authenticating these users. You can use either or both of the following:

  • Centrify Directory: Privileged Access Service includes this built-in identity repository. With this option, users authenticate against accounts stored in the Centrify Directory and, if you use Privileged Access Service for mobile device management, the registered device records are stored there as well.
  • Active Directory/LDAP: Privileged Access Service securely connects with your existing Active Directory/LDAP infrastructure through the Centrify Connector to authenticate users when they log in to the web portals and register devices. Privileged Access Service does not replicate Active Directory/LDAP accounts or attributes in the Privileged Access Service.

If your organization is heavily invested in Active Directory/LDAP, you can continue to use it as your primary identity store and use the same tools (for example, Active Directory Users and Computers) to manage users and mobile devices.

You can use both identity stores simultaneously, too. For example, if you decide to use Active Directory/LDAP as your primary identity store, the Privileged Access Service can provide a convenient supplemental repository for the following types of users:

  • Emergency administrators: If the network path to the Active Directory domain controller ever goes down, no one who has only an Active Directory/LDAP account can log in. If you also create administrator accounts in Privileged Access Service, those users can still log in to the Admin Portal and launch web applications.
  • Temporary users: Some organizations' security policies make adding a short-term user to Active Directory/LDAP a complex and time-consuming task. If a temporary worker needs access only to the applications you deploy through Privileged Access Service, it may be simpler to add the account to Privileged Access Service.
  • Contractors or less-trusted users: Sometimes you do not want a user to have the full set of privileges and access rights that an Active Directory/LDAP account provides. In this case, create the account in Privileged Access Service only.

To prevent users from logging in to the wrong repository's account, and to avoid other account-related confusion, we recommend that you do not create duplicate accounts (the same user name, whether or not the password is also the same) in both the Centrify Directory and Active Directory/LDAP.
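The following script is an added example for checking the recommendation above; it is not part of the original documentation or of the product, and it uses no Centrify API. It assumes you have already exported the login names from each repository (for example, with Get-ADUser on the Active Directory side and a user export from the Admin Portal on the Centrify Directory side) and shows the normalization needed before comparing them: Active Directory logins may appear as sAMAccountName, DOMAIN\user or user@domain, while Centrify Directory users are user@suffix, and user names are case-insensitive. The sample exports are constructed.

```python
"""Report user names that exist in both an Active Directory/LDAP export and a
Centrify Directory export.

Added example, not code from the original page or from Centrify. It assumes
two login-name lists you have already exported from each repository (the
export mechanism is outside this script) and invents nothing about the
product's APIs.
"""
import re
from typing import Dict, Iterable, Tuple

# Constructed sample data: an AD export mixing sAMAccountName, DOMAIN\user and
# UPN forms, and a Centrify Directory export of user@suffix names.
AD_USERS = [
    "CORP\\jsmith",
    "asingh@corp.example.com",
    "contractor7",
    "Emergency.Admin@corp.example.com",
]
CENTRIFY_USERS = [
    "jsmith@corp.example.com",
    "emergency.admin@corp.example.com",
    "tempworker@corp.example.com",
    "contractor7@corp.example.com",
]

_DOMAIN_PREFIX = re.compile(r"^[^\\]+\\")


def normalize(login: str) -> str:
    """Reduce a login to a lower-case bare user name.

    Strips a DOMAIN\\ prefix and an @suffix so that CORP\\jsmith,
    jsmith@corp.example.com and jsmith all compare equal. Case is folded
    because Active Directory user names are case-insensitive.
    """
    name = _DOMAIN_PREFIX.sub("", login.strip())
    name = name.split("@", 1)[0]
    return name.casefold()


def find_duplicates(
    ad_users: Iterable[str], centrify_users: Iterable[str]
) -> Dict[str, Tuple[str, str]]:
    """Map each colliding bare user name to its (AD login, Centrify login) pair."""
    ad_index = {normalize(u): u for u in ad_users}
    collisions: Dict[str, Tuple[str, str]] = {}
    for login in centrify_users:
        key = normalize(login)
        if key in ad_index:
            collisions[key] = (ad_index[key], login)
    return collisions


if __name__ == "__main__":
    for key, (ad_login, cd_login) in sorted(
        find_duplicates(AD_USERS, CENTRIFY_USERS).items()
    ):
        print(f"{key}: AD={ad_login}  Centrify Directory={cd_login}")
```

Every name the script reports is one where a user could end up authenticating against the wrong repository. Note that the sample emergency administrator is flagged: an emergency account in the Centrify Directory should carry a name that does not also exist in Active Directory, so that it is unambiguous which repository is answering the login.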