Enforcement of rights and roles by the agent

For identity and privilege management, the key component for deployment is the Centrify Agent for Windows. After you install the agent on a server or workstation and identify a zone for the computer to join, the computer becomes a Centrify-managed computer. If you have enabled access management features for the agent, you can then define access rights and role-based policies to control what different sets of users can do on those computers in each zone.

After you deploy the Centrify Agent for Windows and select access management on a computer, the agent provides the following identity and privilege management features:

  • Users logging on to the computer must be assigned to a role that allows them to log on.
  • Users who are assigned to a role with application rights can run a specific application with elevated privileges.
  • Users who are assigned to a role with desktop rights can create new Windows desktops that enable them to run all local applications with elevated privileges.
  • Users who are assigned to a role with network access rights can connect to network resources with elevated privileges.

The following illustration provides a simplified view of the components for identity and privilege management.

In this illustration, a Centrify Agent is installed on an individual user’s workstation and on a server accessed remotely. The administrative consoles that you use to manage zones, access rights, role definitions, and Active Directory accounts are installed on two separate computers. As shown in the illustration, all of these computers are part of an Active Directory domain and have access to an Active Directory domain controller. If you work with other platforms, the architecture is the same but you would have additional platform-specific agents.

To ensure that you can centrally manage access to Windows computers with the privilege elevation service and the Centrify Agent for Windows, you should check that your network meets a few basic requirements:

  • You have at least one Active Directory forest and domain controller.
  • All of the computers you want to manage must be joined to an Active Directory domain and must be able to communicate with an Active Directory domain controller over the network or through a firewall.
  • You have a basic deployment plan in place that identifies your primary goals, team members and responsibilities, and a target set of computers.
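The first two requirements above can be verified on each target computer before the agent is installed. The following PowerShell script is an added example written for this page; it is not part of Centrify's tooling and uses only cmdlets and commands that ship with Windows. The function name `Test-AgentPrerequisites` and the list of domain-controller ports it probes (53, 88, 389, 445) are assumptions for illustration, not values taken from the product documentation.

```powershell
# Added pre-deployment check (not Centrify's own code): confirm that this Windows
# computer is domain-joined and can reach a domain controller, which is what the
# Centrify Agent for Windows needs before zone membership can be established.

function Test-AgentPrerequisites {
    [CmdletBinding()]
    param(
        # Domain-controller ports an AD client relies on: DNS (53), Kerberos (88),
        # LDAP (389) and SMB (445). Assumed set; adjust to your firewall policy.
        [int[]]$Ports = @(53, 88, 389, 445)
    )

    $result = [ordered]@{}

    # 1. Is the computer joined to an Active Directory domain at all?
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $result.DomainJoined = [bool]$cs.PartOfDomain
    $result.Domain       = if ($cs.PartOfDomain) { $cs.Domain } else { $null }

    if (-not $cs.PartOfDomain) {
        # Nothing else can be checked on a workgroup machine.
        $result.SecureChannel    = $false
        $result.DomainController = $null
        $result.PortsReachable   = @{}
        return [pscustomobject]$result
    }

    # 2. Is the machine account's secure channel to the domain healthy?
    $result.SecureChannel = [bool](Test-ComputerSecureChannel -ErrorAction SilentlyContinue)

    # 3. Which domain controller would this host use? nltest ships with Windows,
    #    so no RSAT module is required. Its output contains a line like
    #    "           DC: \\DC01.example.com".
    $dcLine = (nltest /dsgetdc:$($cs.Domain) 2>$null) | Where-Object { $_ -match '^\s*DC:' }
    $dc = if ($dcLine) { ($dcLine -replace '^\s*DC:\s*\\\\', '').Trim() } else { $null }
    $result.DomainController = $dc

    # 4. Can that DC be reached on the ports the agent host needs? This is the
    #    "over the network or through a firewall" requirement made concrete.
    $reach = [ordered]@{}
    if ($dc) {
        foreach ($p in $Ports) {
            $reach[$p] = Test-NetConnection -ComputerName $dc -Port $p `
                             -InformationLevel Quiet -WarningAction SilentlyContinue
        }
    }
    $result.PortsReachable = $reach

    return [pscustomobject]$result
}

# Example run: a computer is ready for the agent only when every check passes.
$r = Test-AgentPrerequisites
$r | Format-List
$ready = $r.DomainJoined -and $r.SecureChannel -and $null -ne $r.DomainController -and
         $r.PortsReachable.Count -gt 0 -and ($r.PortsReachable.Values -notcontains $false)
"Ready for agent deployment: $ready"
```

Run the script in an elevated PowerShell session on each computer in the target set from your deployment plan; a `False` in `SecureChannel` usually points to a broken machine account password, while a `False` under `PortsReachable` points to a firewall rule that must be opened before the agent can join its zone.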