Admin Portal administrative rights

The following table describes the administrative rights you can assign to a role. Users cannot log in to the Admin Portal unless they have at least one of the following administrative rights.

If an administrator attempts to perform a task in the Admin Portal without the associated administrative right, the Admin Portal displays an error message. The Admin Portal also hides data that is not pertinent to the administrator's rights. For example, an administrator who has only the Application Management right cannot change policy settings.

Note: Some administrative rights also grant reporting rights, but only over data the user already has the right to read. The individual descriptions below say where this applies.

Administrative right, followed by its description

Admin Portal Login

Access to the Admin Portal.

Application Management

Access to any activities that originate on the Apps page, such as the ability to add, modify, or remove applications. From the Application Settings dialog box, this right also grants the ability to change which roles are assigned to a specific application.

Computer Login and Privilege Elevation

Permits logging on to Windows, Linux, or UNIX computers where a Centrify agent is installed. This administrative right applies only to computers that are themselves members of a Centrify PAS role that has this right; holding the right in a role without those computers grants no login.

Federation Management

Permission to create, manage, and delete federation partnerships. See How to set up business partner federation for information on setting up partner federations.

MFA Unlock

Suspend multifactor authentication for 10 minutes. Because this temporarily removes the MFA step, assign it only to roles whose members genuinely need it.

System Enrollment

Permission for non-admin users to register Linux and Windows machines.

Privileged Access Service Administrator

Members of a role with this right can add new objects (systems, domains, databases, services, or accounts) to Centrify PAS. Each member becomes the default owner of the objects that member adds, so when a role has several members, each one owns only the objects they added themselves. Members can perform all administrative tasks on the objects they own.

Privileged Access Service Power User

Members of a role with this right can see every object added to Centrify PAS in the Admin Portal. By default, however, they are not granted the Login, Checkout, or Rotate permissions on any of them: the owner of the system, domain, database, service, or account (or a member of the System Administrator role) must explicitly grant the appropriate permission. Members of a role with this right cannot add new objects to Centrify PAS.

Privileged Access Service User

Members of a role with this right can see, in the Admin Portal, the objects on which they have been granted the View permission. This right is primarily for users who need some administrative access to a selected set of objects. On each object where they have View, members of a role with this right are granted the Login, Checkout, and Rotate permissions; they can perform those tasks only on those accounts or systems. Members of a role with this right cannot add new objects to Centrify PAS.
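The three descriptions above interact in a way that is easy to get wrong when reviewing role assignments: an Administrator acts only on what they own, a Power User sees everything but can act only where explicitly granted, and a User sees only what they were granted View on but then acts on it. The following toy evaluator encodes those rules so a practitioner can check a proposed assignment against them. It is an added example, not Centrify code: the class names, the `grant`/`visible`/`can` functions and the one-owner-per-object data model are hypothetical simplifications, and where the text is silent (an Administrator looking at an object someone else added) the code assumes no access.

```python
"""Toy evaluator for the Privileged Access Service object-access rules
(Administrator / Power User / User).  Added example, not Centrify code:
all names here are hypothetical and the data model is simplified."""
from dataclasses import dataclass, field

PAS_ADMIN = "Privileged Access Service Administrator"
PAS_POWER_USER = "Privileged Access Service Power User"
PAS_USER = "Privileged Access Service User"
OBJECT_ACTIONS = {"Login", "Checkout", "Rotate"}


@dataclass
class PasObject:
    name: str
    owner: str                                   # the member who added it
    grants: dict = field(default_factory=dict)   # user -> {"View", "Checkout", ...}

    def has(self, user, permission):
        return permission in self.grants.get(user, set())


@dataclass
class Vault:
    rights: dict = field(default_factory=dict)        # user -> set of admin rights
    system_admins: set = field(default_factory=set)   # members of System Administrator
    objects: dict = field(default_factory=dict)

    def _rights(self, user):
        return self.rights.get(user, set())

    def add_object(self, user, name):
        """Only the Administrator right may add objects; the adder becomes owner."""
        if PAS_ADMIN not in self._rights(user):
            raise PermissionError(f"{user} lacks the '{PAS_ADMIN}' right")
        self.objects[name] = PasObject(name=name, owner=user)
        return self.objects[name]

    def grant(self, granter, user, name, permission):
        """The object owner (or a System Administrator) grants explicit permissions."""
        obj = self.objects[name]
        if granter != obj.owner and granter not in self.system_admins:
            raise PermissionError(f"{granter} does not own {name}")
        obj.grants.setdefault(user, set()).add(permission)

    def visible(self, user):
        """Object names the user would see in the Admin Portal."""
        r = self._rights(user)
        seen = set()
        for obj in self.objects.values():
            if PAS_POWER_USER in r:                        # Power User sees every object
                seen.add(obj.name)
            elif PAS_ADMIN in r and obj.owner == user:     # Administrator sees what they own
                seen.add(obj.name)
            elif PAS_USER in r and obj.has(user, "View"):  # User needs an explicit View
                seen.add(obj.name)
        return seen

    def can(self, user, action, name):
        """Login / Checkout / Rotate decision for one user on one object."""
        if action not in OBJECT_ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        obj = self.objects[name]
        r = self._rights(user)
        if PAS_ADMIN in r and obj.owner == user:
            return True                          # owner: all tasks on own objects
        if PAS_USER in r and obj.has(user, "View"):
            return True                          # View implies Login/Checkout/Rotate
        if PAS_POWER_USER in r and obj.has(user, action):
            return True                          # only when explicitly granted
        return False                             # assumption: nothing else grants access


def demo():
    """Constructed scenario: two Administrators, one Power User, one User."""
    v = Vault(rights={"alice": {PAS_ADMIN}, "dave": {PAS_ADMIN},
                      "bob": {PAS_POWER_USER}, "carol": {PAS_USER}})
    v.add_object("alice", "db-prod")
    v.add_object("dave", "web-01")
    v.grant("alice", "carol", "db-prod", "View")       # carol may now act on db-prod
    v.grant("alice", "bob", "db-prod", "Checkout")     # bob gets exactly one action
    return {
        "bob_sees": v.visible("bob"),                   # {"db-prod", "web-01"}
        "carol_sees": v.visible("carol"),               # {"db-prod"}
        "carol_rotate_db": v.can("carol", "Rotate", "db-prod"),    # True
        "carol_login_web": v.can("carol", "Login", "web-01"),      # False
        "bob_checkout_db": v.can("bob", "Checkout", "db-prod"),    # True
        "bob_rotate_db": v.can("bob", "Rotate", "db-prod"),        # False
        "dave_checkout_db": v.can("dave", "Checkout", "db-prod"),  # False: not owner
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The scenario in `demo()` is constructed for illustration. The point it makes is the asymmetry between the two non-owner rights: the Power User bob sees `web-01` but cannot touch it and gets only the single action he was granted on `db-prod`, while the User carol, once given View on `db-prod`, can Login, Checkout and Rotate there without any further grant. When auditing, treat a View grant to a User-right holder as an action grant.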

RADIUS Management

Permission to create, manage, and delete the RADIUS server. See How to configure Centrify Privileged Access Service for RADIUS for information on using the Centrify Connector as a RADIUS server.

Read Only System Administrator

Provides read-only access to some of the Admin Portal tabs. Certain tabs are not available at all with this right: Resources, Desktop Apps, Global Account Permissions, and Global System Permissions. If the user attempts to change and save anything on the tabs they can see, an error message is displayed at save time. If you need read-only access to Resources (objects), use the Privileged Access Service Power User right described above instead.

Note: When you enable read-only access for a support technician, Centrify PAS creates a temporary account and adds it as a member of this role.

Register and Administer connectors

Register a Centrify Connector in your Centrify PAS account.

During the connector installation, the wizard prompts you for the credentials of a user who has the Register and Administer connectors right. This must be a Centrify Directory account; make sure the account you specify is a member of a role that has this right.

Report Management

Create, delete, and run reports.

Role Management

Access to any activities that originate on the Roles page, such as the ability to add, modify, or delete roles, including the ability to assign rights to a role. Because a member can assign any administrative right to any role, including their own, treat this right as equivalent to full administrative control and grant it as sparingly as the Privileged Access Service Administrator right.

User Management

Permission to use the Add User and Bulk User Import buttons to add users and to modify Centrify Directory user properties. This right also allows the user to import and delete OATH tokens.

See Adding roles for instructions on how to add administrative rights to a role.