Configuring local group mapping

With local group mapping, you can map a cloud role to a local group on a Windows system. For example, you create a role in Privileged Access Service, call it "local admins", and map it to the local group Administrators. Members of the cloud role "local admins" are then added to the local Windows group Administrators when they log into the system.

You must have the Centrify Client for Windows installed to use Local Group Mapping.

You can map local groups on Windows systems to users and roles in Centrify Directory or any federated directory service, such as LDAP, Okta, and so forth.

You can map Active Directory users to Windows local groups, as long as the system where you are mapping users to local groups is in a different Active Directory or not joined to Active Directory.

For an overview of local group mapping, see About Windows local group mapping.

To map local Windows groups to Centrify PAS roles:

  1. Navigate to Resources > Systems. Choose a system and click Local Group Mapping in the left-hand navigation.

  2. Click Select and choose the roles you would like to map.

  3. Add the local groups and click OK. The new group mapping is then listed.

Note: There is no verification of local group names. If a group name is misspelled, the system looks for that group on the local system, finds no match, and the user is not added to any group. Additionally, if the group name contains a space, the whole name must be enclosed in double quote marks (" ").

To verify the group membership, open the Computer Management utility and navigate to Local Users and Groups, and either:

  • Select Groups, double-click on the group you're adding the user to (Administrators in our example), or

  • Select Users, double-click on the user and then switch to the Member Of tab.
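The same verification can be scripted. The following PowerShell is an added example, not part of the Centrify documentation: it checks that every local group name in a planned mapping actually exists on the system (catching the misspelling case from the note above, which PAS does not validate), shows how names containing a space must be quoted, and then performs the Computer Management membership check for a given user. It assumes the Microsoft.PowerShell.LocalAccounts cmdlets (Windows PowerShell 5.1 on Windows 10 / Server 2016 or later); the mapping table and user name are constructed sample values.

```powershell
# Constructed sample mapping, role -> local groups, as you would enter it in PAS.
# The second role contains a deliberate typo to show what the check reports.
$Mapping = @{
    'local admins'  = @('Administrators', 'Remote Desktop Users')
    'local readers' = @('Event Log Readers', 'Performanse Monitor Users')
}

function Test-LocalGroupMapping {
    # Reports, for each group in the mapping, whether it exists locally and the
    # exact value to type into the PAS mapping field (quoted when it has a space).
    param([hashtable]$Mapping)
    foreach ($role in $Mapping.Keys) {
        foreach ($group in $Mapping[$role]) {
            # PAS does not validate the name; a typo silently yields no membership.
            $exists = [bool](Get-LocalGroup -Name $group -ErrorAction SilentlyContinue)
            $pasValue = if ($group -match '\s') { '"' + $group + '"' } else { $group }
            [pscustomobject]@{
                Role     = $role
                Group    = $group
                Exists   = $exists
                PASValue = $pasValue
            }
        }
    }
}

function Test-LocalGroupMember {
    # Same check as Computer Management > Local Users and Groups > Groups:
    # is $User listed as a member of $Group after logging in?
    param([string]$Group, [string]$User)
    $members = Get-LocalGroupMember -Group $Group -ErrorAction Stop
    # Member names are reported as DOMAIN\user or COMPUTER\user.
    return [bool]($members | Where-Object { $_.Name -eq $User -or $_.Name -like "*\$User" })
}

# Run the pre-flight check on the mapping; rows with Exists = False need fixing in PAS.
Test-LocalGroupMapping -Mapping $Mapping | Format-Table -AutoSize

# After the user has logged in, confirm the mapping took effect (constructed user name).
Test-LocalGroupMember -Group 'Administrators' -User 'jdoe'
```

Run the membership check in an elevated session, since Get-LocalGroupMember requires administrative rights on the target system.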