You can use the policy system in Admin Portal> Access > Policies to create policy rules for users and resources added to Privileged Access Service. The Policy System allows you to configure options in the following areas:
You can configure authentication policy controls for web logins to Centrify PAS and build rules to define authentication challenge requirements, You can also configure authentication policy controls for Windows and Linux clients, Privilege Elevation Service for UNIX (dzdo), and Privilege Elevation.
You can configure policy controls for Self Service Controls, user password management, OATH OTP integration, User Account Settings, and RADIUS client security policies.
You can configure policy controls and apply to sets of resources added to Centrify PAS.
You can configure policy rules to define authentication challenge requirements for third party integrations.
You can configure policy controls for device registration and usage.
Policy can be applied to users and resources by the following assignment options:
- Everything policy assignment that applies to everything.
- Specified Roles policy assignment that applies to roles you specify.
- Sets policy assignment that applies to specific sets.
For more information on policy assignments, see Creating policy sets and policy assignments.
Depending on the policy assignment you choose, certain policy settings may not be available. For example, if you choose the Sets policy assignment and choose Systems as the set type, you will only see policy settings that apply to system resources.
Note: Policy assignment settings cannot be changed once the policy set is saved.
Policy hierarchy and overrides
Policy sets are applied to users and resources from top to bottom when viewing the Policy Sets on the Policy page. If the same policy has different settings in different policy sets, the setting in the first policy set—the top-most—is applied.
You can apply multiple policy sets to the same role or the same resource set. For example, you might create a policy to define basic policies for Everything (all users and resources) and then create more policy sets for a subset of those users or resources. If you want one policy setting to be enforced over another one, drag that policy set up in the list.
If more than one system administrator is updating the same policy or re-prioritizing the policy sets, the changes made first (by clicking the Save button or dragging the policy set) will be saved. The administrator who’s changes were not saved must refresh the policy and make the changes again.
Configuring policy settings for resources are available in various locations in the Admin Portal: Settings > Resources > Security Settings, Access > Policies > Resources, and Resources > Policies.
In most cases, you can override global settings (configured in the Access or Settings page) for individual resource in the specific Policy page for the resource (Resources >Policies). The global settings only apply where you have not explicitly configured a setting for an individual resource. Centrify PAS prioritizes the policy settings using the following order:
- Account overrides configured in Resources > Accounts > Policies
- Account policy settings configured in Access > Policies > Resources > Accounts
- Resource overrides configured in the Resources > Systems > Policies
- Resource policy setting configured in Access > Policies > Resources > Systems
- Resource Global policies configured in Settings> Resources > Security Settings
- System default value.
Note: If the account is a domain or database account, all references to “system” are “domain.”
Policy summary pages are available to view policy allocation for users and resources. You can access policy summary pages in the following locations in the Admin Portal:
Policy Set: Access > Policies > [select policy set] > Summary
Displays the current policy configuration settings for the set but does not show the default value for policies you have not modified.
Resource overrides: Resources > [select resource] > Policy Summary
Displays the policy settings and overrides for an individual resource. These policies are set at the resource. By default, the summary is for the logged-in user viewing the summary as shown in the selected user field at the top of the screen.
Specific user: Access > Users > [select user] > Policy Summary
Displays the policy settings for an individual user.