Privileged Access Service deployment checklist
You will need to perform the following initial tasks in order to:
• Gain access to the Privileged Access Service Admin Portal
• Configure users and roles
• Add and configure resources to be managed by the Privileged Access Service
The initial steps below are included for customer-managed deployments. For additional customer-managed deployment requirements, see Customer-managed Privileged Access Service additional requirements. If your deployment is a cloud-based deployment, you can start at the Access the Admin Portal step.
Privileged Access Service steps | Configuration location | Detailed instructions |
---|---|---|
(Customer-managed deployments only) Prepare the virtual machines | | |
On both systems, join your domain using the system properties or with an administrative PowerShell window. | | Installation and Configuration Guide for On-Site Deployment |
(Customer-managed deployments only) Configure a shared virtual disk host | | |
Note: The following steps are not needed if you are using a customer-managed PostgreSQL database. Make sure the database is configured to be reachable by DNS and that the database user is configured. | | |
 | Server Manager > Local Server > File and Storage Services > iSCSI | Installation and Configuration Guide for On-Site Deployment |
 | Start > Search > type iSCSI and open iSCSI Initiator | Installation and Configuration Guide for On-Site Deployment |
 | Administrative Tools > Disk Management | Installation and Configuration Guide for On-Site Deployment |
(Customer-managed deployments only) Install Privileged Access Service | | |
 | On the primary server, logged in as a privileged domain user. On the primary server, logged in as Domain Admin. Admin Portal > Settings > Network. On the secondary server, logged in as a privileged domain user. | Installation and Configuration Guide for On-Site Deployment |
(Customer-managed deployments only) Configure Windows failover cluster | | |
 | Administrative Tools > Failover Cluster Manager > Actions, select Create Cluster; this opens the Failover Cluster Wizard. | Installation and Configuration Guide for On-Site Deployment |
 | Administrative Tools > Failover Cluster Manager > Actions > Configure Role | Installation and Configuration Guide for On-Site Deployment |
(Customer-managed deployments only) Add Centrify connectors | | |
 | Connector Configuration Wizard | Installation and Configuration Guide for On-Site Deployment |
(Customer-managed deployments only) Test failover | | |
 | Vault properties window | Installation and Configuration Guide for On-Site Deployment |
 | | Installation and Configuration Guide for On-Site Deployment |
 | | Installation and Configuration Guide for On-Site Deployment |
Access the Admin Portal | | |
 | https://www.centrify.com/free-trial/ | |
 | Email account | |
The account used to log on for the first time is a Centrify Directory account and is automatically made a member of the System Administrator role with all administrative rights. | Admin Portal Login Screen | |
Set and confirm the new password to activate your account. | Admin Portal Login Screen | |
Install the Centrify Connector, Integrate Active Directory, LDAP or Federated Users, and Configure Subnet Mapping | | |
If you are using Discovery, check firewall rules to determine whether Connectors can connect to potential resources via SMB and RPC over TCP. | Online help | Determining whether you need a connector; Integrating Centrify Privileged Access Service with Microsoft Azure Active Directory; Integrating Centrify Privileged Access Service and Idaptive tenants |
 | Network | |
 | Admin Portal > Settings > Network > Centrify Connector | |
 | Admin Portal > Settings > Resources > System Subnet Mapping | |
(Optional) Customize the Admin Portal | | |
 | Admin Portal > Settings > General | |
 | Admin Portal > Settings > General > Account Customization | |
Add Corporate IP Range | | |
 | Admin Portal > Settings > Network > Corporate IP Range > Add | |
Add Users and Roles to the Centrify Directory | | |
 | Admin Portal > Access > Users | |
By default, users are added to the Everybody role. You can add additional roles with different administrative rights to control who can do what, or which policies are applied to different groups of users. | Admin Portal > Access > Roles | |
Configure Policies | | |
 | Admin Portal > Access > Policies | |
 | (MFA mobile) Identity store, such as Active Directory or another LDAP-based service. (MFA email) Identity store, such as Active Directory or another LDAP-based service. (RADIUS) Access > Policies > User Security Policies > RADIUS; also refer to your RADIUS client documentation for additional configuration procedures and guidelines. (OATH) Access > Policies > User Security Policies > OATH OTP; exact configuration steps depend on your OATH method. | How to configure MFA for Third Party Integration; Configuring the Centrify Connector for use as a RADIUS server |
 | Admin Portal > Settings > Resources > Security Settings | |
Configure Password Profiles | | |
 | Admin Portal > Settings > Resources > Password Profiles | |
Add and Configure Resources | | |
Add resources, such as Systems, Databases, Domains, Accounts, Secrets, SSH keys and Services, that you want managed by the Privileged Access Service using one of the following methods. If you are using Discovery, identify an Active Directory account with local administrator permissions to access the resources that will be discovered. | (Import) Admin Portal > Resources > Systems > Import, or GitHub to download the PowerShell script. (Discovery) Admin Portal > Discovery > Systems and Accounts or Alternate Accounts > Profiles. (Manually) Admin Portal > Resources > Systems, Databases, Domains, Accounts, Secrets, SSH keys, or Services. | |
Configure service settings for the following: | Admin Portal > Resources > Services | |
Configure permission access for resources. | (Individual) Admin Portal > Resources > select resource type > Permissions. (Global) Admin Portal > Access > Global Account Permissions or Global System Permissions. (Sets) Admin Portal > Resources > select resource type > Sets. | Individual: Setting system-specific permissions; Setting domain-specific permissions; Setting database-specific permissions; Setting secret, folder, and set permissions; Setting service-specific permissions. Global: Setting global account permissions; Setting global system permissions. Sets: see the Individual references above. |
Configure Web Apps | | |
 | Admin Portal > Apps > Add Web Apps | |
Configure Desktop Apps | | |
 | Admin Portal > Apps > Add Desktop Apps | |
(Optional) Configure Workflow | | |
Configure workflow (request and approval access) for web applications, desktop applications and accounts. To simplify the process of configuring a "request and approval" workflow, you can enable workflow for all accounts stored in the Privileged Access Service. | Applications: Admin Portal > Web Apps or Desktop Apps > select application > Workflow. Accounts: Admin Portal > Resources > Accounts > select account > Workflow. Global Account Configuration: Admin Portal > Settings > Resources > Global Account Workflow. | Managing application access requests |
(Optional) Configure Zone Role Workflow (requires Authentication Service and Privilege Elevation Service) | | |
Systems must be joined to a zone. | Systems: Admin Portal > Resources > Systems > select system > Zone Role Workflow. Domains: Admin Portal > Resources > Systems > select system > Zone Role Workflow. | |
Configure Remote Access Kit | | |
 | Admin Portal > Settings > Resources > User Preferences | |
Enable Auditing for remote sessions | | |
See the Audit and Monitoring Checklist for additional details. | Admin Portal > Settings > Resources > DirectAudit | |
Install Centrify Clients | | |
Install the Centrify Client for Linux or the Centrify Client for Windows to allow computer accounts to run services and to check out account passwords that are stored in the Privileged Access Service. | Admin Portal > Downloads | Installing and using the Centrify Client for Windows; Enrolling and managing computers using the Centrify Client for Linux |
Educate end users | | |
Educate end users on how to: | (User profile) Click Profile under your user name in the Admin Portal. (Register devices) Click Profile > Devices > Add Device under your user name in the Admin Portal. (Launch Apps) Admin Portal > Apps > Web Apps or Desktop Apps. | |