User account sources

Privileged Access Service supports user accounts from multiple identity stores (account sources): Active Directory or another LDAP-based service, G-Suite (Google), and the built-in Centrify Directory that is part of Privileged Access Service. On the Users page, the Source column indicates the identity repository for each user account.

  • Active Directory/LDAP

    These users are authenticated using their Active Directory/LDAP accounts. The Active Directory/LDAP account domain is shown in parentheses.

    Privileged Access Service does not replicate Active Directory/LDAP accounts or their attributes into Privileged Access Service. Instead, new user accounts are brought into Privileged Access Service when the user registers a device or opens a password-protected application.

    If you have multiple connectors managing multiple, independent domain trees or forests, the Source column also shows the source domain.

    To use Active Directory/LDAP as a source, you must install the connector. See How to install a Centrify Connector for the details.

    You must add Active Directory/LDAP accounts to a role to deploy applications to those users. You can add either individual Active Directory/LDAP user accounts or Active Directory/LDAP groups to the role. See Assigning users to roles for the details.

  • G-Suite

    These users are authenticated using their G-Suite (Google) accounts.

    Privileged Access Service does not replicate G-Suite accounts or their attributes into Privileged Access Service. Instead, the accounts are referenced when the user registers a device or opens a password-protected application.

    To use G-Suite as an account source, you must add it to Privileged Access Service. See How to add a directory service.

  • Centrify Directory

    Privileged Access Service includes this built-in identity repository. With this option, the Privileged Access Service account is used to authenticate users. These users have a Centrify Directory account, and the account information resides in Privileged Access Service only.

    You must create Centrify Directory accounts explicitly before these users can register a device. You can add Centrify Directory accounts individually or in bulk from a CSV file or Excel spreadsheet.

You can use all identity stores simultaneously. For example, if you decide to use Active Directory/LDAP as your primary identity store, Privileged Access Service (through Centrify Directory) can provide a convenient supplemental repository for the following types of users:

  • Emergency administrators: If there is ever a network outage between Privileged Access Service and the Active Directory domain controller, no one with only an Active Directory/LDAP account can log in. However, if you create administrator accounts in Privileged Access Service, these users can still log in to the Admin Portal and launch web applications.
  • Temporary users: Some organizations' security policies make adding a short-term user to Active Directory/LDAP a complex and time-consuming task. If you have a temporary worker who needs access only to the applications you deploy through Privileged Access Service, it may be simpler to add the account to Privileged Access Service.
  • Contractors or less-trusted users: Sometimes you do not want users to have the full set of privileges and access rights that an Active Directory/LDAP account provides. In this case, you create the account in Privileged Access Service only.

To avoid users logging in to unintended repository accounts and other account-related confusion, we recommend that you do not create duplicate accounts (same user name/password) in both Centrify Directory and Active Directory/LDAP.
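The following is an added example of a check for the duplicate-account situation described above; it is not code from Privileged Access Service or its documentation. It assumes you have exported the logon names from Centrify Directory and from Active Directory/LDAP into two plain lists (the export mechanism and the sample names are hypothetical). Because Active Directory logon names are case-insensitive and may appear as `user`, `user@domain` or `DOMAIN\user`, the check normalizes each name to a bare, case-folded user name before comparing the two sources.

```python
"""Duplicate-account check across account sources (added example).

Hypothetical helper, not part of Privileged Access Service. It assumes two
exported lists of logon names: one from Centrify Directory and one from
Active Directory/LDAP, written in common forms such as "alice",
"alice@corp.example" or "CORP\\alice". It reports user names that exist in
both sources, so that duplicates can be removed before a user ends up
logging in to an unintended repository account.
"""
from __future__ import annotations


def normalize_logon_name(name: str) -> str:
    """Reduce a logon name to a comparable bare user name.

    Handles down-level style ("DOMAIN\\user"), UPN style ("user@domain")
    and plain names. The result is case-folded because Active Directory
    logon names are compared case-insensitively.
    """
    name = name.strip()
    if "\\" in name:          # DOMAIN\user -> user
        name = name.rsplit("\\", 1)[1]
    if "@" in name:           # user@domain -> user
        name = name.split("@", 1)[0]
    return name.casefold()


def find_duplicate_accounts(centrify_users, ad_users):
    """Return a dict of bare user names present in both account sources.

    Each entry maps the normalized name to the original spellings found in
    each source, so an administrator can see exactly which entries collide.
    """
    cd_index: dict[str, list[str]] = {}
    for raw in centrify_users:
        cd_index.setdefault(normalize_logon_name(raw), []).append(raw)

    ad_index: dict[str, list[str]] = {}
    for raw in ad_users:
        ad_index.setdefault(normalize_logon_name(raw), []).append(raw)

    return {
        key: {"centrify_directory": cd_index[key], "active_directory": ad_index[key]}
        for key in sorted(cd_index.keys() & ad_index.keys())
    }


# Constructed sample exports (hypothetical names, not real accounts).
CENTRIFY_DIRECTORY_USERS = ["emergency-admin", "Alice", "temp.worker@pas.example"]
ACTIVE_DIRECTORY_USERS = ["CORP\\alice", "bob@corp.example", "carol"]

if __name__ == "__main__":
    duplicates = find_duplicate_accounts(CENTRIFY_DIRECTORY_USERS, ACTIVE_DIRECTORY_USERS)
    for name, sources in duplicates.items():
        print(f"duplicate user name '{name}': {sources}")
```

With the constructed sample data the check reports only `alice`, which appears as `Alice` in Centrify Directory and as `CORP\alice` in Active Directory; the emergency administrator and the temporary worker exist in Centrify Directory alone, which is the intended arrangement.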