Creating a role definition for network access rights

Before you can make the network access rights you have defined available to users or groups, you must create one or more role definitions that include those rights. Network access rights are especially useful to include in roles for users who require remote access to network services with the privileges associated with the domain Administrator account or a service account on the remote computer.

  1. Open the Access Manager console.
  2. Expand Zones and the parent zone or child zones until you see the zone where you want to define a new role that includes a network access right.
  3. Expand the Authorization node.
  4. Select Role Definitions, right-click, then click Add Role.
  5. Type a role name and optional description for the role.

    The description can include details about time restrictions for the role and whether the role is audited or not.

  6. Click Available Times and use the grid to specify when to allow or deny access for this role definition if you want to restrict when this role is available.

  7. Click the System Rights tab and select Remote login is allowed to allow users in the role to connect to services on the remote computer.

    The user must be able to connect to the computer remotely to perform administrative tasks on that computer. If you want to allow users to log on locally, you can also select Console login is allowed.

    Users must be assigned to at least one role with either console login or remote login rights to access any computers where the Centrify Agent for Windows is installed. You can grant access using the Windows Login role definition or the system rights in any custom role definition.

    If you want to require multi-factor authentication for users to access the role, select Require multi-factor authentication. You can also require multi-factor authentication for access to individual rights when you define the rights to add to roles. For more information see Enabling multi-factor authentication for Windows rights.

  8. Click the Audit tab and select an auditing option.

    If you select Audit not requested/required, users can connect to remote audited computers without having their session activity recorded. An audit trail event is recorded in the Windows event log when users select this role to connect to remote servers, but the detailed record of what took place during the session is not captured.

    If you select Audit if possible, session activity recorded when users log on to audited computers and not recorded when they log on to computers where audit and monitoring service is not enabled or audited computers when audit and monitoring service is not currently running.

    If you select Audit required, users can only log on to audited computers when audit and monitoring service is running. If audit and monitoring service is not available or not currently running, the role is not available and users cannot use their elevated privileges.

  9. Click OK to save the role definition.

  10. Select the role definition, right-click, then click Add Right to add a network access right to the role definition.

  11. Select the network access right from the list of rights from the current zone and from any parent zones, then click OK to add the right to the role definition.