Enabling zone role workflow

The Privileged Access Service will query Active Directory to find the roles available for assignment. When you select the roles you want to make available to requestors, you can see whether the roles are available for UNIX computers, Windows computers, or both. You can also modify whether the roles are available to UNIX, Windows, or both.

Enabling zone role workflow for a domain and configuring the available roles

When you enable a domain for zone role workflow, you also specify which zone-based roles can be requested.

To enable a default zone role workflow for all computers in a domain:

  1. Open the Admin Portal, click Resources, then click Domains to view the list of domains.
  2. Select a domain to view its details.
  3. Click Zone Role Workflow.
  4. Select Enable zone role requests for systems in this domain.
  5. Under Assignable Zone Roles, click Add.

  6. Select a role you want to make available to requestors from the list of roles available for the domain, then click Add.

    To search for a role, start typing the name of the role. When you find the role you want to add, select it and click Add. You can add as many roles as you need by repeating Step 5 and Step 6.

  7. Modify the role availability, if needed, then continue to .

Enabling zone role workflow for a specific computer

To enable, configure, or override the workflow for a specific computer:

  1. Open the Admin Portal, click Resources, then click Systems to view the list of systems.
  2. Select a system to view its details.
  3. Click Zone Role Workflow.
  4. Check Use Domain Administrator Account for Zone Role Workflow operations to enable zone role workflow for the system.

    When setting up zone role workflows, you can only request zone roles for a system whose zone status is joined. The status of a system is periodically refreshed but you can also select Check Now for an on-demand refresh of the zone joined status (also see Setting domain-specific advanced options). The zone joined status can be one of the following:

    • Joined—System is joined to a hierarchical zone.
    • Not Joined—System is not joined to any hierarchical zone.
    • Undetermined—The system was added using an IP address instead of a DNS name (DNS is not specified), so the zone status cannot be determined.
  5. In the Enable zone role requests for this system field, select one of the following choices:
    • Select -- to use the default zone role workflow settings defined for the domain.
    • Select Yes to define zone role workflow settings specific to this computer. The settings that you define here override the domain settings. Note that only users with the Edit permission for both the system and the system's domain can enable zone role workflow for the system (see Setting domain-specific permissions and Setting system-specific permissions).
    • Select No to disable zone role workflow for this computer even if it is enabled at the domain level.

    If you select -- or No, click Save to save your changes.

  6. If you selected Yes, under Assignable Zone Roles, select one of the following choices:

    • Select Use domain assignments to use the roles defined for the domain.
    • Select Choose to override the roles defined for the domain.
  7. If you are overriding the roles defined for the domain, click Add to search for and select a role you want to make available to requestors from the list of roles available for the domain.
  8. Select one or more roles, then click Add.

    You can add more roles by repeating Step 6 and Step 7.

  9. Modify the role availability, if needed, then continue to Configuring users to be requestors.
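The two procedures above combine several rules: the domain default, the per-system override (--, Yes, No), "Use domain assignments" versus "Choose", the requirement that the zone status be Joined, and each role's UNIX/Windows availability. The following is an added Python model of how those rules resolve for a given system; it is illustrative only, not product code or its API, and the dataclasses, function names and sample role names are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed model of the Zone Role Workflow settings; not a product API.
@dataclass
class Role:
    name: str
    unix: bool = True       # role available for UNIX computers
    windows: bool = True    # role available for Windows computers

@dataclass
class DomainPolicy:
    enabled: bool           # "Enable zone role requests for systems in this domain"
    roles: dict[str, Role] = field(default_factory=dict)   # Assignable Zone Roles

@dataclass
class SystemPolicy:
    zone_status: str        # "Joined", "Not Joined" or "Undetermined"
    os: str                 # "UNIX" or "Windows"
    enable_requests: str = "--"        # "--" (use domain), "Yes" (override), "No" (disable)
    use_domain_assignments: bool = True  # with Yes: "Use domain assignments" vs "Choose"
    roles: dict[str, Role] = field(default_factory=dict)   # roles chosen via "Choose"

def effective_roles(domain: DomainPolicy, system: SystemPolicy) -> dict[str, Role]:
    """Roles a requestor may ask for on this system after the domain default,
    the per-system override, the zone status and OS availability are applied."""
    # "No" disables workflow for the system even if the domain enables it.
    if system.enable_requests == "No":
        return {}
    # "--" falls back to the domain default; a disabled domain means no requests.
    if system.enable_requests == "--" and not domain.enabled:
        return {}
    # Zone roles can only be requested for a system whose zone status is Joined.
    if system.zone_status != "Joined":
        return {}
    # "--" or "Use domain assignments" take the domain's role list; "Choose" overrides it.
    if system.enable_requests == "--" or system.use_domain_assignments:
        roles = domain.roles
    else:
        roles = system.roles
    # Keep only roles marked available for this system's platform.
    return {n: r for n, r in roles.items()
            if (r.unix if system.os == "UNIX" else r.windows)}

def can_request(domain: DomainPolicy, system: SystemPolicy, role_name: str) -> bool:
    """True if role_name is requestable on this system under the resolved settings."""
    return role_name in effective_roles(domain, system)
```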