Privilege elevation

Privilege elevation provides a way for users to log in as themselves with limited privilege and then request to elevate their access in order to perform privileged operations. Users can then provide additional MFA credentials to continue and run the privileged commands or applications.

By using privilege elevation, you grant access based on Zero Trust principles and then grant privileged access only when needed for a specific operation.

How privilege elevation works

Here's an example of how privilege elevation works on Windows systems:

  1. The admin configures the Windows system so that the bob@acme.com account has privilege elevation access and sets a policy that anyone logging in Monday through Friday needs to provide a password when running privileged applications or commands.

  2. User bob@acme.com logs on to a Windows system on a Tuesday with just enough privilege to do normal tasks.

  3. Bob needs to run some PowerShell scripts as Administrator. He opens a PowerShell Administrator window.

    An elevation consent dialog box appears.

  4. Bob selects Run with Privilege.

  5. Because of the privilege elevation policy, the service prompts him for his password.

    After Bob enters the correct additional authentication credentials, he can run the privileged application.

 

Here's an example of how privilege elevation works on Linux systems:

  1. The admin configures the Linux system so that the bob@acme.com account has privilege elevation access and sets a policy that anyone logging in Monday through Friday needs to provide a password when running privileged applications or commands.

  2. User bob@acme.com logs on to a Linux system on a Tuesday with just enough privilege to do normal tasks.

  3. Bob needs to run cdiag as root, so at the terminal, he enters the following command:

    sudo cdiag

  4. Because of the privilege elevation policy, the service prompts Bob to enter his password.

    After Bob enters the correct additional authentication credentials, he can run the privileged command.

 

Note:   For the 21.1 release, privilege elevation is in preview mode and grants access to all privileged applications. In a future release there will be the capability to grant elevated privileges more specifically.

Privilege elevation requirements

For your users to be able to use privilege elevation on a system, the following requirements must be met:

  • You, the administrator, need these permissions:

    • Privilege Elevation Management administrative rights (assigned to your role) in order to grant privilege elevation access to others. For details, see Admin Portal administrative rights.

    • Manage Assignment permission, which can be set on a specific system, on a set of systems, or globally.

  • Install and enroll the Centrify Client on the desired systems. For details, see Installing and using the Centrify Client for Windows and Enrolling and managing computers using the Centrify Client for Linux.

  • Enable the Agent Auth (client-based login) feature for the affected systems. For details, see Setting system-specific permissions.

    • The Server Suite Agent cannot be installed on the same computer; if the Server Suite Agent is also installed, you can't enable Agent Auth.

  • Configure privilege elevation access for users, roles, or groups on a specific system, a set of systems, or all systems (see the procedures below).

  • If desired, configure privilege elevation authentication policy settings to enforce MFA at elevation, that is, when users go to run a privileged application or command on a designated system. You can set the policy for a single system, a set of systems, or all systems. For details, see Setting system-specific policies.

Configuring privilege elevation access

To configure privilege elevation access

  1. Navigate to the Privilege Elevation tab for the systems that you want to grant people access to:

    • All systems (global): go to Settings > Resources > Security > Global Privilege Elevation.

    • A set of systems: In the Systems view, select the desired set and click the menu item (...) and choose Modify, and then click Member Privilege Elevation.

    • One system: In the Systems view, open the desired system, and then click Privilege Elevation.

  2. To add roles, groups, or users, click Add.

    The Select User, Group, or Role dialog opens.

  3. Search for or select the users, groups, or roles that you want to grant access to, select them in the results list, and click Add.

    The users, groups, or roles that you added now display in the list on the Privilege Elevation tab. Users, groups, or roles added here must have the Agent Auth permission on the affected system.

    If you specify permissions at the set or global level, you can see the inherited permissions when you view a single system affected by those settings.

    Note:   The ability to configure a valid date or time span when the privilege elevation applies is coming in a later release. For now, ignore the Starts and Expires columns.

  4. If desired, select Bypass MFA for any of the users, groups, or roles that you've granted privilege elevation access to. Selecting this option grants them elevated access without requiring any additional authentication credentials.

  5. Click Save to save your changes.

    Your designated users can now run applications with elevated privilege on the designated systems.

 

To configure privilege elevation challenge rules and default authentication profiles

  1. Open the policy tab for the desired systems:

    • One system: In the Systems area, open the desired system, then click the Policy tab.

    • Some or all systems: In the Policies area, open or edit a policy set.

  2. In the policy, navigate to Resources > Systems, and then to the Privilege Elevation Challenge Rules section of the page.

  3. In the Privilege Elevation Challenge Rules area, add rules that specify, for a particular condition, which authentication profile applies.

  4. For the Default Privilege Elevation Profile, specify which authentication profile applies if none of the conditions in the challenge rules are met.

  5. Click Save to save your changes.

    The challenge rules and default authentication profile changes for privilege elevation take effect the next time an affected user tries to run an application with privilege on an affected system.
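As an added example (not Centrify's code and not the product's actual policy engine), the Python below models how the pieces described on this page fit together at elevation time: the grant list from the access procedure, the Bypass MFA option from step 4 of that procedure, and the challenge rules plus default profile from the procedure above. It also reproduces the weekday scenario from the "How privilege elevation works" section, where bob@acme.com is prompted for a password on a Tuesday. The class names, the profile names ("Password", "Password+OTP"), the weekday condition, and the system name are assumptions constructed for the example; in the 21.1 release the command itself does not narrow the grant, so the model records it only for logging.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class ElevationRequest:
    """One attempt to run something with privilege (constructed model)."""
    user: str
    system: str
    command: str  # recorded only; 21.1 grants access to all privileged apps
    when: datetime


@dataclass
class ChallengeRule:
    """A condition paired with the authentication profile to apply when it matches."""
    name: str
    condition: Callable[[ElevationRequest], bool]
    profile: str


@dataclass
class ElevationPolicy:
    """Hypothetical per-system policy: grantees (user -> bypass_mfa flag),
    ordered challenge rules, and the default profile used when no rule matches."""
    grantees: Dict[str, bool]
    rules: List[ChallengeRule]
    default_profile: str


@dataclass(frozen=True)
class Decision:
    allowed: bool
    profile: Optional[str]  # None means no additional credentials are requested
    reason: str


def evaluate(policy: ElevationPolicy, request: ElevationRequest) -> Decision:
    """Decide whether the request may elevate and which challenge applies.

    Order of evaluation, following the page: no grant -> denied; Bypass MFA ->
    allowed with no challenge; first matching challenge rule -> its profile;
    otherwise -> the default privilege elevation profile."""
    if request.user not in policy.grantees:
        return Decision(False, None, "user has no privilege elevation access")
    if policy.grantees[request.user]:
        return Decision(True, None, "Bypass MFA set; no additional credentials required")
    for rule in policy.rules:
        if rule.condition(request):
            return Decision(True, rule.profile, f"challenge rule '{rule.name}' matched")
    return Decision(True, policy.default_profile, "no challenge rule matched; default profile applies")


def weekday_only(request: ElevationRequest) -> bool:
    """Condition from the worked scenario: Monday (0) through Friday (4)."""
    return request.when.weekday() <= 4


# Constructed sample policy mirroring the scenario in the text: Bob must give a
# password on weekdays; a hypothetical service account bypasses MFA entirely.
SAMPLE_POLICY = ElevationPolicy(
    grantees={"bob@acme.com": False, "svc-backup@acme.com": True},
    rules=[ChallengeRule("weekday-password", weekday_only, "Password")],
    default_profile="Password+OTP",
)


def decide(user: str, command: str, when: datetime,
           policy: ElevationPolicy = SAMPLE_POLICY) -> Decision:
    """Convenience wrapper that evaluates a request against the sample policy."""
    return evaluate(policy, ElevationRequest(user, "linux-01", command, when))


if __name__ == "__main__":
    tuesday = datetime(2021, 3, 2, 10, 30)   # 2 March 2021 was a Tuesday
    saturday = datetime(2021, 3, 6, 10, 30)
    for who, when in [("bob@acme.com", tuesday), ("bob@acme.com", saturday),
                      ("svc-backup@acme.com", tuesday), ("alice@acme.com", tuesday)]:
        print(who, when.strftime("%a"), decide(who, "sudo cdiag", when))
```

The evaluation order is the point worth checking when auditing a configuration: a Bypass MFA grant short-circuits every challenge rule, so it should be reserved for accounts where that is the intended outcome, and a request that matches no rule still elevates under the default profile rather than being denied.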