In order to configure your deployment for zone role workflow, ensure that your deployment meets the following requirements:
Privileged Access Service for identity and privilege elevation must be installed and running on at least one computer in the domain, and the Privileged Access Service must be configured with at least one zone.
The computers you add to the Privileged Access Service for zone role workflow must be added using the fully-qualified DNS name, not the IP address, and must be serviced by a Centrify connector, have a domain specified, and be enabled for domain operations. Computers that are discovered automatically are associated with a connector, have their domain set, and are enabled for domain operations without further action.
If you add a computer manually, you must also manually specify a domain and enable domain operations for that computer. For details about specifying domains for systems and enabling domain operations, see Setting domain operations for a system.
Computers participating in a zone role workflow must be joined to a zone.
- Linux and UNIX computers must have the Centrify agent installed, and be joined to an Active Directory domain and a zone with the adjoin command.
- Windows computers must be joined to an Active Directory domain, have the Centrify agent installed, and the agent must be joined to a Centrify zone.
To see whether a computer is joined to a zone:
- Open the Admin Portal, click Resources, then click Systems.
- Select a system to view its details, then click Advanced.
- Check the Zone Joined Status field to verify it displays “Joined.”
If necessary, you can manually update the joined status for a computer. For more information about using the Advanced tab, see Setting system-specific advanced options.
The Privileged Access Service periodically updates the zone joined status of systems in the domain. Use the Domains > Advanced tab as described in Setting domain-specific advanced options to view and change the update interval.
You must have a domain administrative account with read and write permission in Active Directory for each domain that participates in a zone role workflow. For details about creating domain administrative accounts, see Setting domain administrative accounts. If you select an Active Directory account as the domain administrative account, the account must be given permission in Server Suite to create assignments for the computers in participating zones.
In addition, only domains that are discovered automatically by a Centrify connector can be used in a zone role workflow by default because users requesting zone role assignments must be Active Directory users. If you add domains manually, you can manually assign the connectors to use for the domain.
To see whether a domain was discovered by a connector:
- Open the Admin Portal, click Resources, then click Domains to view the list of domains.
- Check the Discovered column to verify the domain has a value of “Auto” indicating that the domain was discovered automatically.