Feb 23, 2019

Admin Portal administrative rights

The following list describes the administrative rights (also referred to as permissions) you can assign to a role. Users cannot log in to Admin Portal unless they have at least one of the following administrative rights.

If an administrator attempts to perform a task in Admin Portal for which they do not have the associated administrative right, Admin Portal displays an error message. In addition, Admin Portal does not display data if it’s not pertinent to the administrator’s privileges. For example, if the administrator has the Application Management privilege only, Admin Portal does not display any devices on the Devices page.

Some administrative rights also grant reporting permissions, but only for data that the user has been granted rights to read.

Administrative right: Associated permissions

Application Management

Access to any activities that originate on the Apps page, such as the ability to add, modify, or remove applications. From the Application Settings dialog box, this right also grants the ability to change which roles are assigned to a specific application.

Computer Login and Privilege Elevation

Logging on to Windows, Linux, or UNIX computers where a Centrify agent is installed. This administrative right applies only to computers that are members of a Privileged Access Service role with this right.

Federation Management

Permission to create, manage, and delete federation partnerships. See How to set up business partner federation for information on setting up partner federations.

Linux System Enrollment

Permission for non-admin users to register Linux machines.

Privileged Access Service Administrator

If you add this administrative right to a role, members of the role can add new objects (systems, domains, databases, services, or accounts) to the Privileged Access Service. Members of a role with this right become the default owner of the objects they add; if the role has more than one member, each administrator by default owns only the objects they added themselves. Members of a role with this right can perform all administrative tasks on the objects they own. However, because this right includes the Grant permission, which allows them to assign any permission, it also lets administrators take ownership of any object stored in the Privileged Access Service.

Privileged Access Service Power User

If you add this administrative right to a role, members of the role can see all objects you add to the Privileged Access Service in the Admin Portal. By default, however, members of a role with this right are not granted the Login, Checkout, or Rotate permissions. The system, domain, database, service, or account owner (or a member of the System Administrator role) must explicitly grant the appropriate permissions. Members of this role cannot add new objects to the Privileged Access Service.

Privileged Access Service User

If you add this administrative right to a role, members of the role can see the objects on which they have been granted View permissions in the Admin Portal. This administrative right is primarily for users who need some administrative access to a selected set of objects. Members of a role with this right are granted the Login, Checkout, and Rotate password permissions. Members of a role with this right can only perform these tasks for the accounts or systems where they have the View permission. Members of this role cannot add new objects to the Privileged Access Service.

RADIUS Management

Permission to create, manage, and delete the RADIUS server. See How to configure Centrify Privileged Access Service for RADIUS for information on using the Centrify Connector as a RADIUS server.

Read Only System Administrator

Access to all of the Admin Portal tabs; however, the user cannot make any changes. An error message is displayed when the user attempts to save a change.

Note: If you enable read-only access for a support technician, the Privileged Access Service creates a temporary account that it adds as a member to this role.

Register and Administer connectors

Register a Centrify Connector in your Privileged Access Service account.

During the connector installation, the wizard prompts you to enter the account of a user who has the Register connectors right. This must be a Centrify Directory account; make sure the account you specify is a member of a role that grants this right.

Report Management

Create, delete, and run reports.

Role Management

Access to any activities that originate on the Roles page, such as the ability to add, modify, or delete roles; this includes the ability to assign rights.

User Management

Permission to use the Add User and Bulk User Import buttons to add users and modify Centrify Directory user properties. Additionally, this permission allows users to import and delete OATH tokens.
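The three Privileged Access Service rights above (Administrator, Power User, User) differ in which objects a member can see and which object permissions they get without an explicit grant. The following Python model, an added example that is not Centrify code, computes the effective object permissions for a user from the rules stated on this page and flags roles whose members can take ownership of any object. Role names, user names, object names and the `Directory`, `PasObject`, `effective_perms` and `roles_with_vault_takeover` helpers are all constructed for illustration; treating the Administrator's Grant permission as full control over every object is a deliberate simplification of the page's statement that Grant lets the holder assign any permission.

```python
"""Toy model of Admin Portal rights and Privileged Access Service object permissions.

Constructed example, not Centrify code. All names are made up.
"""
from dataclasses import dataclass, field

# Administrative rights as named on the page.
PAS_ADMIN = "Privileged Access Service Administrator"
PAS_POWER_USER = "Privileged Access Service Power User"
PAS_USER = "Privileged Access Service User"
APP_MGMT = "Application Management"

# Object-level permissions named on the page.
OBJECT_PERMS = frozenset({"View", "Login", "Checkout", "Rotate", "Grant"})


@dataclass
class PasObject:
    """A system, domain, database, service or account stored in the service."""
    name: str
    owner: str
    grants: dict = field(default_factory=dict)  # user -> set of object permissions


class Directory:
    """Roles map to administrative rights; users map to the roles they belong to."""

    def __init__(self, roles, members):
        self.roles = roles        # role name -> set of administrative rights
        self.members = members    # user -> set of role names

    def rights(self, user):
        rights = set()
        for role in self.members.get(user, set()):
            rights |= self.roles.get(role, set())
        return rights

    def can_log_in(self, user):
        # A user needs at least one administrative right to log in to Admin Portal.
        return bool(self.rights(user))


def can_see(directory, user, obj):
    """Administrator and Power User see every object; User only objects with View."""
    rights = directory.rights(user)
    if PAS_ADMIN in rights or PAS_POWER_USER in rights:
        return True
    if PAS_USER in rights:
        return obj.owner == user or "View" in obj.grants.get(user, set())
    return False  # rights such as Application Management show no vault objects


def effective_perms(directory, user, obj):
    """Object permissions the user actually holds on obj under the page's rules."""
    if not can_see(directory, user, obj):
        return frozenset()
    rights = directory.rights(user)
    perms = set(obj.grants.get(user, set()))
    if obj.owner == user or PAS_ADMIN in rights:
        # Owners control their objects; Administrators hold Grant everywhere and can
        # assign themselves any permission, modelled here as full control (assumption).
        perms |= OBJECT_PERMS
    elif PAS_USER in rights and "View" in perms:
        # User right: View implies Login, Checkout and Rotate on that object.
        perms |= {"Login", "Checkout", "Rotate"}
    # Power User: sees everything, but only explicitly granted permissions apply.
    return frozenset(perms)


def roles_with_vault_takeover(directory):
    """Roles whose members can take ownership of any object (they hold Grant)."""
    return sorted(r for r, rights in directory.roles.items() if PAS_ADMIN in rights)


# Constructed sample directory and objects.
SAMPLE_ROLES = {
    "App Admins": {APP_MGMT},
    "Vault Admins": {PAS_ADMIN},
    "Vault Viewers": {PAS_POWER_USER},
    "DBA Operators": {PAS_USER},
}
SAMPLE_MEMBERS = {
    "alice": {"Vault Admins"},
    "bob": {"Vault Viewers"},
    "carol": {"DBA Operators"},
    "dave": {"App Admins"},
    "erin": set(),  # no rights: cannot log in at all
}
SAMPLE_DIR = Directory(SAMPLE_ROLES, SAMPLE_MEMBERS)
DB1 = PasObject("prod-db-01", owner="alice", grants={"carol": {"View"}, "bob": {"Login"}})
WEB1 = PasObject("web-01", owner="alice")

if __name__ == "__main__":
    for user in SAMPLE_MEMBERS:
        print(user, "login:", SAMPLE_DIR.can_log_in(user),
              "prod-db-01:", sorted(effective_perms(SAMPLE_DIR, user, DB1)),
              "web-01:", sorted(effective_perms(SAMPLE_DIR, user, WEB1)))
    print("roles whose members can take over any object:", roles_with_vault_takeover(SAMPLE_DIR))
```

Running the script shows the distinction the page draws: bob (Power User) sees both objects but holds only the Login he was explicitly granted on prod-db-01; carol (User) sees only prod-db-01, where her View grant implies Login, Checkout and Rotate; dave (Application Management only) sees no vault objects; and the audit function lists "Vault Admins" as the role to review, since any member can take ownership of every object.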

See Adding roles for instructions on how to add administrative rights to a role.