Privileged Access Service deployment checklist

You will need to perform the following initial tasks to:

• Gain access to the Privileged Access Service Admin Portal

• Configure users and roles

• Add and configure resources to be managed by the Privileged Access Service

The initial steps below are included for customer-managed deployments. For additional customer-managed deployment requirements, see Customer-managed Privileged Access Service additional requirements. If your deployment is a cloud-based deployment, you can start at the Access the Admin Portal step.

Privileged Access Service steps:	Configuration location:	Detailed Instructions:
(Customer-managed deployments only) Prepare the virtual machines
Join primary server node and secondary server nodes to the domain: Download primary server and secondary server and import into VMWare. On both systems, join your domain using the system properties or with an administrative PowerShell window. Install the Windows Failover Clustering feature on both nodes (with Server Manager or using PowerShell).		Installation and Configuration Guide for On-Site Deployment
(Customer-managed deployments only) Configure a shared virtual disc host
Note: The following steps are not needed if you are using a customer-managed PostgreSQL database. Make sure the database is configured to be reachable by DNS and have the database user configured.
Install and configure the required services. Configure iSCSI disks and target.	Server Manager > Local Server > File and Storage Services > iSCSI.	Installation and Configuration Guide for On-Site Deployment
Configure iSCSI Initiators on primary server and secondary server.	Start > Search > Type iSCSI and open iSCSI Initiator.	Installation and Configuration Guide for On-Site Deployment
Initialize the Virtual Disks using the Primary Node (primary server).	Administrative Tools > Disk Management.	Installation and Configuration Guide for On-Site Deployment
(Customer-managed deployments only) Install Privileged Access Service
Establish temporary name resolution for primary node. Install Privileged Access Serviceon the primary node. Primary Node verification and hosts file cleanup. Install Privileged Access Serviceon the secondary server.	On primary server logged in as a privileged domain user. On primary server logged in as Domain Admin. Admin Portal > Settings > Network. On secondary server logged in as a privileged domain user.	Installation and Configuration Guide for On-Site Deployment
(Customer-managed deployments only) Configure Windows failover cluster
Create and validate the cluster.	Administrative Tools > Failover Cluster Manager > Actions, select Create Cluster, this opens the Failover Cluster Wizard.	Installation and Configuration Guide for On-Site Deployment
Configure Privilege Service as a clustered application.	Administrative Tools > Failover Cluster Manager > Actions > Configure Role.	Installation and Configuration Guide for On-Site Deployment
(Customer-managed deployments only) Add Centrify connectors
Configure Wizard.	Connector configuration Wizard.	Installation and Configuration Guide for On-Site Deployment
(Customer-managed deployments only) Test failover
Review failover policies.	Vault properties window.	Installation and Configuration Guide for On-Site Deployment
Conduct failover tests: Maintenance Mode (drain) Transfer the role to a different cluster node Simulate Disk Failure Simulate Network Failure Stop cisdb-pgsql Stop IIS Web Service (W3SVC) Operations: Node recoverability Operations: Backup Operations: Upgrade Operations: Restore Operations Recover from replicated file		Installation and Configuration Guide for On-Site Deployment
Test the Privileged Access Serviceinstance. Backup and recovery of Privileged Access Service.		Installation and Configuration Guide for On-Site Deployment
→ Access the Admin Portal
Request a free trial or subscription. Note: This step is not required if you are performing a customer-managed deployment.	https://www.centrify.com/free-trial/	Registering for service
Register for a Centrify account with a valid email address. You will receive an “Activate Your Centrify Account” email followed by a “Your Centrify Account Is Ready - Next Steps” email with your account details. Your account details include the user name for an administrative account, a temporary password, and a unique customer identifier. Note: This step is not required if you are performing a customer-managed deployment.	Email account	Registering for service
Log in to the Centrify Admin Portal using the account name, temporary password, and URL from the email notification. The account used to log on for the first time is a Centrify Directory account and is automatically made a member of the System Administrator role with all administrative rights.	Admin Portal Login Screen	Registering for service
Set and confirm the new password to activate your account.	Admin Portal Login Screen
Install the Centrify Connector, Integrate Active Directory or LDAP or Federated Users, and Configure Subnet Mapping
Review Connector requirements. Check firewall rules for the connections between the Centrify Connectors to the Privileged Access Service. If you are using Discovery, check firewall rules to determine if Connectors can connect to potential resources via SMB and RPC over TCP.	Online help	Review the firewall rules Determining whether you need a connector Integrating with Microsoft Azure Active Directory Integrating with Idaptive tenants Integrating with Okta
Select a host computer to install the Centrify Connector.	Network	Configuring the Centrify Connector
On the host computer, log in to the Admin Portal and select to add a connector and complete installation. Installing the Centrify Connector integrates your Active Directory/LDAP service with Privileged Access Service. The connector allows you to specify groups whose members can enroll and manage devices. It also monitors Active Directory/LDAP for group policy changes, which it sends to Privileged Access Service to update enrolled devices.	Admin Portal> Settings > Network > Centrify Connector	Installing a Centrify Connector
Map a subnet pattern to a selected set of connectors.	Admin Portal> Settings > Resources > System Subnet Mapping	Mapping system subnets to connectors
(Optional) Customize the Admin Portal
Customize settings such as login suffix and tenant URLs.	Admin Portal > Settings > General	Settings UI fields
Configure additional customization such as logos and colors for the Admin Portal.	Admin Portal > Settings > General > Account Customization	How to customize the admin and login window
Add Corporate IP Range
Add IP ranges to identify internal and external networks which can be used to specify authentication requirements.	Admin Portal > Settings > Network > Corporate IP Range > Add	How to set Corporate IP ranges
Add Users and Roles to the Centrify Directory
Manually create additional System Administrator accounts in the Centrify Cloud Directory. You can add Active Directory users in later steps (after you configure the Centrify Connector). Manually create Centrify Directory user accounts in the Centrify Cloud Directory. You can also bulk import Centrify Directory users accounts, see How to Bulk import user accounts.	Admin Portal > Access > Users	Creating individual directory service users
Add System Administrator accounts to System Administrator roles. Add Centrify Directory user accounts to roles. By default, users are added to the Everybody role. You can add additional roles with different Administrative rights to control access over who can do what or which policies should be applied to different groups of users.	Admin Portal > Access > Roles	Adding roles
Configure Policies
Configure user security forPrivileged Access Service, such as password-based authentication. In particular, be sure to configure: Authentication Policies > Centrify Services User Security Policies Devices	Admin Portal > Access > Policies	How to create a policy set and assign it to users Reference content — Roles
Configure multi-factor authentication if applicable: For MFA with mobile device phone numbers: check that these attributes exist and are provisioned in their directory source (Active Directory, Federation etc.) For MFA with email: check that email attributes exist and have been provisioned in their directory source (Active Directory, Federation etc.) For RADIUS for MFA: configure RADIUSFor OATH for MFA: configure OATH	(MFA mobile) Identity store—such as Active Directory or another LDAP-based service. (MFA email) Identity store—such as Active Directory or another LDAP-based service (RADIUS) Access > Policies > User Security Policies > RADIUS Also refer to your RADIUS client documentation for additional configuration procedures and guidelines. (OATH) Access > Policies > User Security Policies > OATH OTP Exact configuration steps are dependent on your OATH method.	How to configure MFA for Third Party Integration Configuring the Centrify Connector for use as a RADIUS server How to configure OATH OTP
Configure global security settings such as frequency of password rotation, minimum password age, how long passwords can be checked out, etc.	Admin Portal > Settings > Resources > Security Settings	How to set authentication security options
Configure Password Profiles
Customize password profiles for systems, domains, and databases.	Admin Portal > Settings > Resources > Password Profiles	Configuring password profiles
Add and Configure Resources
Add resources, such as Systems, Databases, Domains, Accounts, Secrets, SSH keys, Services, that you want managed by the Privileged Access Service using one of the following methods: Import function (Admin Portal Import function or through PowerShell) Discovery (for Systems and Accounts only) If you are using Discovery, identify an Active Directory account with local administrator permissions to access resources that will be discovered. Manually	(Import) Admin Portal > Resources > Systems > Import or Github to download the PowerShell script. (Discovery) Admin Portal > Discovery > Systems and Accounts or Alternate Accounts > Profiles (Manually) Admin Portal > Resources >Systems, Databases, Domains, Accounts, Secrets, SSH keys, or Services	Importing systems, accounts, domains, databases Discovering systems Using the wizard to add systems
Configure service settings for the following: Accounts used to run Windows services or scheduled tasks IIS application pools Multiplexed accounts used to rotate the password for service accounts	Admin Portal > Resources > Services	Managing services
Configure permission access for resources. Individual (all) Global (Systems and Accounts) Sets (all)	(Individual) Admin Portal >Resources > select resource type> Permissions (Global) Admin Portal > Access > Global Account Permissions or Global System Permissions (Sets) Admin Portal > Resources > select resource type> Sets	Individual Setting system-specific permissions Setting domain-specific permissions Setting database-specific permissions Setting secret, folder, and set permissions Setting service-specific permissions Global Setting global account permissions Setting global system permissions Sets: See Individual references above.
Configure Web Apps
Add web applications to the Admin Portal app catalog. Configure application settings. Assign roles to the application.	Admin Portal > Apps > Add Web Apps	Adding web applications by using the Admin Portal
Configure Desktop Apps
Add desktop applications to the Admin Portall app catalog. Configure application settings. Assign roles to the application.	Admin Portal > Apps > Add Desktop Apps	Adding Desktop Apps using the Admin Portal
(Optional) Configure Workflow
Configure workflow (request and approval access) for Web applications, desktop applications and accounts. Configure roles for requestors and approvers Enable workflow for an application or an account Add approver To simplify the process of configuring a “request and approval” workflow, you can enable workflow for all accounts stored in thePrivileged Access Service.	Applications: Admin Portal > Web Apps or Desktop Apps > select application > Workflow Accounts: Admin Portal > Resources > Accounts > select account > Workflow Global Account Configuration: Admin Portal > Settings > Resources > Global Account Workflow	Managing application access requests Enabling request and approval workflow Configuring global account workflow
(Optional) Configure Zone Role Workflow (requires Authentication Service and Privilege Elevation Service)
Configure Zone Role Workflow (request and approval access) for Systems and Domains. Configure roles for requestors and approvers. Enable Zone Role Workflow for all computers in a domain. Add approver Systems must be joined to a zone.	Systems: Admin Portal > Resources > Systems > select system > Zone Role Workflow Domains: Admin Portal > Resources > Systems > select system > Zone Role Workflow	Using zone role workflow
Configure Remote Access Kit
If you require remote access to systems using PuTTY or local RDP, install a local client kit and enable access for individual users.	Admin Portal > Settings > Resources > User Preferences	Selecting user preferences
Enable Auditing for remote sessions
Create an audit installation and verify that the environment is working. Enable auditing and specify the installation name for the systems you manage in the Admin Portal. See the Audit and Monitoring Checklist for additional details.	Admin Portal > Settings > Resources > DirectAudit	Enabling auditing for remote sessions
Install Centrify Clients
Install the Centrify Client for Linux or the Centrify Client for Windows to allow computer accounts to run services and to check out account passwords that are stored in the Privileged Access Service.	Admin Portal > Downloads	Installing and using the Centrify Client for Windows Enrolling and managing computers using the Centrify Client for Linux
Educate end users
Educate end users on how to: Configure a user profile Register devices Launch web and desktop apps	(User profile) Click Profile under your user name in the Admin Portal. (Register devices) Click Profile > Devices > Add Device under your user name in the Admin Portal. (Launch Apps) Admin Portal > Apps > Web Apps or Desktop Apps	Using the tabs Launching applications Selecting actions for desktop apps