Using Agent Auth workflow

Workflow for AgentAuth provides a user who has only view permission on a system to request Agent Auth access. Once the request is made, one or more approvers indicate whether the request is granted. If granted, the permissions on the system are updated to give the user access. The following sections detail how to use the global Agent Auth workflow:

  1. Enabling Agent Auth workflow.
  2. Requesting Agent Auth access.
  3. Agent Auth access request process.
  4. AgentAuth access permissions.

Enabling Agent Auth workflow

You can enable Agent Auth workflow one of two ways: globally for all systems or locally on the system level.

The approvers may be:

  • the user's manager.
  • a specific user.
  • a role.

Once enabled, anyone who has view access to a system may request Agent Auth access through workflow. More than one approver may be specified. As such, each approver, in turn, must approve the request. By default, the global workflow settings apply to all systems. An an individual system, however, may specify that Centrify PAS:

  • Use the global setting - this is the default settings.
  • Override the global setting to disable workflow for this system.
  • Override the global setting to enable workflow, specifying a set of approvers that apply only to this system.

For more information on enabling global Agent Auth workflow, see Configuring global Agent Auth workflow.

Requesting Agent Auth access

Once Agent Auth is enabled, users with View access on an enrolled system with no permanent Agent Auth access may right-click on a system select Request Agent Auth Access on a system as seen below.

and you will see the Agent Auth request screen:

whereby you can make the following settings and click Submit.

  • Reason Message.
  • Assignment Type.
  • Start Time after approval.
  • Duration.
  • Ticket.

Agent Auth access request process

Once the request is submitted, the following occurs:

Agent Auth access permissions

If approved, you will have the following permissions with Agent Auth workflow:

  • The AgentAuth access right is added to the System / <system> / Permissions tab. The permissions list has Starts and Expires columns to indicate a windowed assignment of permission.
  • The requester is permitted to use the AgentAuth to login to the system directly using his or her account or may Use My Account(as seen below). As with any other permission, the administrator may remove the permission assignment at any time.