Using zone role workflow

Zone role workflow lets you set up a process through which access to computers in Centrify zones can be requested, approved or rejected, and tracked.

With zone role workflow:

  1. A user requests assignment to a role that is defined for a specific computer in a Centrify zone.
  2. An approver reviews the request and either grants access, temporarily or permanently, or rejects it to deny access.
  3. Once the approver grants access, the service assigns the user to the zone role on that computer and updates Active Directory automatically. The user then has all the privileges defined in that zone role; a temporary grant expires at the end of the approved period.

When you enable your deployment to use zone role workflow, you also specify the following:

  • Which users can submit requests
  • Which users can approve requests
  • Which systems can have access requested and approved
  • Which zone roles a user can request that are available on the specified systems

You enable and configure zone role workflow at the domain level. Once a workflow is configured at the domain level, all systems in the domain use it by default. You can then override or disable the default workflow for an individual system; any setting you specify at the system level takes precedence over the corresponding domain setting.

For example, you might enable and configure zone role workflow at the domain level to establish default settings for role availability, approvers, and requestors. Then, you can use system-specific settings to have individual systems opt out of the zone role workflow or to override role availability and approver settings for specific systems.

Users requesting zone role assignment must be domain users, and must hold at least one administrative right that grants them access to the Privileged Access Service with permission to View objects in the Admin Portal.

Approvers do not need to be domain users. They can be specified individually or by group membership.
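The precedence rules above (domain defaults, per-system overrides, per-system opt-out) and the requestor and approver conditions are easy to get wrong when you audit a deployment by hand, so the following is a worked model of them. It is an added example written for this page, not Centrify code or a Centrify API: the settings structure, the sample hostnames, the user and group names and the `hours` parameter for a temporary grant are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical model of zone role workflow settings (assumed shape, not Centrify's).
@dataclass
class WorkflowSettings:
    enabled: bool = True
    requestors: frozenset = frozenset()  # user or group names allowed to request
    approvers: frozenset = frozenset()   # user or group names allowed to approve
    roles: frozenset = frozenset()       # zone roles that may be requested


@dataclass
class Deployment:
    domain: WorkflowSettings
    # hostname -> partial override; only keys that are present replace the domain value
    systems: dict = field(default_factory=dict)


@dataclass
class Assignment:
    user: str
    hostname: str
    role: str
    expires: Optional[datetime]  # None means a permanent grant


def effective_settings(dep: Deployment, hostname: str) -> WorkflowSettings:
    """Domain defaults with the system-specific keys layered on top."""
    base, ov = dep.domain, dep.systems.get(hostname, {})
    return WorkflowSettings(
        enabled=ov.get("enabled", base.enabled),
        requestors=ov.get("requestors", base.requestors),
        approvers=ov.get("approvers", base.approvers),
        roles=ov.get("roles", base.roles),
    )


def check_request(dep: Deployment, principals: frozenset, hostname: str, role: str):
    """principals = the requesting user's own name plus the groups they belong to."""
    s = effective_settings(dep, hostname)
    if not s.enabled:
        return False, "workflow disabled for this system"
    if not (principals & s.requestors):
        return False, "requestor not permitted"
    if role not in s.roles:
        return False, "role not available on this system"
    return True, "ok"


def approve(dep, approver_principals, user, user_principals, hostname, role,
            now: datetime, hours: Optional[int] = None) -> Assignment:
    """Approve a request; hours=None is a permanent grant, otherwise a temporary one."""
    ok, reason = check_request(dep, user_principals, hostname, role)
    if not ok:
        raise PermissionError(reason)
    if not (approver_principals & effective_settings(dep, hostname).approvers):
        raise PermissionError("approver not permitted for this system")
    expires = now + timedelta(hours=hours) if hours is not None else None
    return Assignment(user, hostname, role, expires)


def is_active(a: Assignment, now: datetime) -> bool:
    return a.expires is None or now < a.expires


# Constructed sample deployment: domain defaults plus two system-level overrides.
NOW = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
ALICE = frozenset({"alice", "Domain Users"})   # domain user, permitted requestor
BOB = frozenset({"bob", "Role-Approvers"})      # domain-level approver (by group)
DBA_LEAD = frozenset({"dba-lead"})              # approver only; need not be a domain user


def sample_deployment() -> Deployment:
    domain = WorkflowSettings(
        requestors=frozenset({"Domain Users"}),
        approvers=frozenset({"Role-Approvers"}),
        roles=frozenset({"UNIX Login", "DBA"}),
    )
    return Deployment(domain, {
        "db01": {"roles": frozenset({"DBA"}), "approvers": DBA_LEAD},  # narrower roles, own approver
        "build01": {"enabled": False},                                 # opted out of the workflow
    })


def demo() -> dict:
    dep = sample_deployment()
    temp = approve(dep, DBA_LEAD, "alice", ALICE, "db01", "DBA", NOW, hours=8)
    perm = approve(dep, BOB, "alice", ALICE, "web01", "UNIX Login", NOW)
    try:  # bob is a domain-level approver, but db01 overrides the approver list
        approve(dep, BOB, "alice", ALICE, "db01", "DBA", NOW)
        bob_rejected_on_db01 = False
    except PermissionError:
        bob_rejected_on_db01 = True
    return {
        "temp_active_now": is_active(temp, NOW),
        "temp_active_after_9h": is_active(temp, NOW + timedelta(hours=9)),
        "perm_active_after_9h": is_active(perm, NOW + timedelta(hours=9)),
        "bob_rejected_on_db01": bob_rejected_on_db01,
    }


if __name__ == "__main__":
    print(demo())
```

Note that the override is per key: `db01` replaces only the role list and the approver list, so its requestors and enabled flag still come from the domain, while `build01` changes only `enabled`. That is the behaviour to verify when auditing a real deployment, since a system-level approver override silently removes the domain-level approvers for that system.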