Setting permissions for the service user

After migrating to the Centrify Client for Linux, the Active Directory computer account that the Centrify CLI Toolkit used no longer represents the Linux computer in the Privileged Access Service. Instead, registration creates a new service user account, such as rhel$@centrifydemo.vms, to represent the Linux computer in the Privileged Access Service.

The permissions that you previously granted to the Active Directory computer account, such as the permission to check out passwords, no longer apply after migrating to the Centrify Client for Linux. Instead, you must grant the equivalent permissions to the service user. This is especially important in service-to-service password management scenarios, where remote computers must still have permission to check out service passwords after the migration.

Service-to-service password checkout

To allow service accounts on the sles12 computer to check out an account password from the Privileged Access Service and use it to access accounts on the centos-6 computer, the service user for the sles12 computer must have the Checkout permission on the centos-6 account stored in the Privileged Access Service. For example, the sles12$@cpubs.net service user must be able to check out the password for the root user on the centos-6.cpubs.net computer. In addition, the sles12 computer must have an account in the Privileged Access Service that can run root-level commands locally on the sles12 computer, because retrieving the password for the remote account is done with root-level rights on the requesting computer.

Grant permissions

A user must have the Grant permission on a Privileged Access Service account before granting the Checkout permission on that account to other users, groups, or roles. By default, members of the System Administrator role and the user or role that registered a computer are assigned the Grant permission.

Accounts might also be assigned the Grant permission in the following situations:

  • If you add the account to the Privileged Access Service by running the Centrify Client for Linux csetaccount command, the service user account is assigned the Grant permission.
  • If you add the account to the Privileged Access Service from within the Admin Portal, your logged-in user account is assigned the Grant permission.
  • If you added the account to the Privileged Access Service by running the Centrify CLI Toolkit csetaccount command, the Active Directory computer account is assigned the Grant permission, and that permission does not carry over to the service user after migration.