While it is possible to give users access by statically assigning them to a role with specific administrative rights, a more secure method for controlling access is to establish a request and approval work flow. A request and approval work flow gives specific users or members of specific roles the ability to approve or reject access requests. A request and approval work flow improves security by controlling which users can request access, which users can grant access, and how long access is allowed if it is granted.
If you are a member of the System Administrator role or have the appropriate permissions, you can configure a request and approval work flow for different types of access requests. For example, you can configure a request and approval work flow for the following:
- Access to specific applications if you have Centrify Application Services deployed.
- Checkout access for stored account passwords if you have Centrify Privileged Access Service deployed.
- Login access for systems, domains, and databases if you have Centrify Privileged Access Service deployed.
- Elevated privileges associated with the roles defined in zones if you have Centrify Privileged Access Service deployed.
The underpinnings for configuring a request and approval work flow are part of the Privileged Access Service core services. However, the procedure for configuring the work flow depends on the type of access request and the service offerings you use. For details about configuring a request and approval work flow for a specific type of access request, see the following topics:
- Managing application access requests for details about managing application access requests.
- Managing privileged account access requests for details about managing account checkout and login access requests.
- Managing zone role assignment requests for details about allowing Active Directory users who are registered as Privileged Access Service users to request a role assignment on a computer that is joined to a Centrify zone.
If you are managing Privileged Access Service on your internal network or a private cloud, you can configure a request and approval work flow. However, request and approval messages require a mail server for outgoing email. You can configure the settings for a custom Simple Mail Transfer Protocol (SMTP) mail server in the administrative portal. For details about post-installation configuration steps when you deploy Privileged Access Service as a self-managed service, see the Installation and Configuration Guide for On-Site Deployment.