Additional system permissions

There are a few permissions that are unique to systems. These permissions can be set for individual systems, sets of systems, or globally for all systems.

If you are working with systems, you can set the following additional permissions:

  • Select Manage Session to allow users to watch or terminate active sessions on systems.
  • Select Agent Auth to allow users to authenticate and log on to systems where the Centrify agent is installed. The Agent Auth permission enables users who have an account on the Privileged Access Service to log on to a registered Linux or Windows computer. For example, if your organization uses Privileged Access Service, you might have a Centrify user account defined for each employee or for employees in specific roles. You can enable all employees, or only employees in the selected roles, to log on to the Centrify portal using their Privileged Access Service user account and to use that same account to log on to registered Linux or Windows computers, provided they are granted the Agent Auth permission on that registered Linux or Windows computer.
  • Select Request Zone Role to allow users to request access to a collection of rights for computers in a zone. The Request Zone Role permission allows a user to request assignment of a particular Privileged Access Service zone role in order to use the elevated privileges associated with that role on the computers in a domain or zone. This permission requires several preliminary steps to be completed. For example, you must enable the zone role workflow for the domain and configure the list of zone roles that a user can request, the system must be joined to a zone, and the requesting user must be an Active Directory user. For more details about the preliminary steps for using this feature and permission, see Managing zone role assignment requests and related topics. For an introduction to rights and roles, role assignments that do not use a request and approval workflow, and managing privilege elevation for computers in zones, see Authentication and Privilege Elevation services for managed computers.
  • Select Add Account to allow a user to add Privileged Access Service accounts to a system. If this system permission is not selected, attempting to add a new account to a system will fail.
  • Select Unlock Account to allow the accounts used to access a system to manually unlock managed local accounts. This permission only applies to systems that have the correct policies in place for local account password reconciliation (see Configuring Windows local account password reconciliation).