Defining network access rights

Network access rights allow users to access services on remote computers using another user account on the remote computer. Users who are assigned to a role with network access rights are only granted the elevated privileges when accessing the remote computer.

To define a network access right:

  1. Open the Access Manager console.
  2. Expand Zones and the parent zone or child zones until you see the zone where you want to define an application right.
  3. Expand Authorization > Windows Right Definitions.
  4. Select Network Access, right-click, then click New Network Access.
  5. On the General tab, type a name and a description for the network access right.
    - Name: Type the name you want to use for this network access right.

      For example, if the right allows a user to connect remotely to a Microsoft SQL Server instance using the privileges associated with a database system administrator account, you might include the SQL login name. For example, you might use a name like sysadmin.

    - Description: Type a description for this network access right.

      The description is optional. You can use it to provide a more detailed explanation of the privileges associated with this right.

    - Priority: Set the priority for this application right.

      If more than one network access right is included in the roles selected, the priority value determines which network access right to use. The lower the value, the higher the priority. For example, a right with the priority of 1 takes precedence over a priority value of 2.

      If users have multiple roles selected, the priority value of the network access right determines which network access right takes precedence over the access rights in other roles.

      For more information about selecting multiple roles for connecting to remote servers, see Scenario: Using multiple roles for network resources.

  6. Click the Access tab to select the account that has the privileges you want to enable for accessing the remote computer.

    You can browse for and select a specific user account, create a new account, or access the remote computer using the logged-in user’s account credentials but with the elevated privileges of a specified group account. Click Add AD Groups or Add Built-in Groups to search for and select a previously defined or built-in group with the privileges you want to add to the logged-in user’s account.

    In most cases, you select a specific user account only if accessing the remote computer using a service account.

    Select Re-authenticate current user if you want to prevent the network access right and its privileges from being used by anyone not authorized to do so. Selecting this option also allows you to enable multi-factor authentication for the right. For more information, see Enabling multi-factor authentication for Windows rights.

    If you select this option, users are prompted to re-enter their password to verify their identity before they are allowed to select a role for accessing applications on a remote computer. Forcing users to re‑authenticate ensures the privileges associated with the network access right are only granted to users who have been assigned those privileges.

    If you select this option for users who are authenticated using a smart card, users must enter a personal identification number (PIN) or a password to resume working with the remote server.

  7. Click OK to save the network access right.