Scenario: Using multiple roles for network resources
On the local computer, users can select only one role at a time for their desktop or for running an application. However, users can select more than one role to access network resources. By selecting multiple roles on the client, users can run applications that connect to multiple remote servers to perform administrative tasks.
In this scenario, Maya.Santiago uses a privileged account to open SQL Server Management Studio on her local computer. From this application, she wants to add accounts that require domain administrator privileges on a remote domain controller and modify database settings on a remote SQL Server instance. To do her work, she needs elevated privileges to run SQL Server Management Studio on her local computer and network access rights to contact the domain controller and the database server.
As the administrator, you have prepared the environment:
- You have put computers in appropriate zones and configured appropriate rights.
- You have configured a role definition, SideBet-DC-Admin, that grants network access to the domain controller using elevated privileges.
- You have also configured a role definition, SQL-DB-Default, that grants network access to SQL Server instances using elevated privileges.
- You have assigned Maya.Santiago to the roles.
To use an application that connects to multiple remote servers:
- Install the Centrify Agent for Windows on the domain controller, the computer that hosts the SQL Server instance, and the computer Maya.Santiago uses to manage the SQL Server instance.
- Assign Maya.Santiago the custom role definition SideBet-DC-Admin that includes a desktop right and a network access right.
- Maya.Santiago logs on to her Windows computer using her Active Directory user name and password.
- On her local computer, Maya right-clicks SQL Server Management Studio and selects Run with Privilege.
- Maya clicks Advanced View to see the list of available roles and selects SideBet-DC-Admin as the local role that enables her to run local applications with administrator privileges.
- Maya then clicks the Select one or more network roles option and selects the SideBet-DC-Admin role for remote access to the domain controller and the SQL-DB-Default role for remote access to the database server, then clicks OK.
After she clicks OK, SQL Server Management Studio starts and she connects to the remote SQL Server instance using Windows authentication. The change to a role with privileges is recorded in the local Windows Application event log.
Maya uses SQL Server Management Studio to add and modify information on the domain controller and the SQL Server database.
When she is done working, she closes the application and returns to her default desktop and her login account privileges.