Creating a role definition with application rights

Before you can make the application rights you have defined available to users or groups, you must create one or more role definitions that include those rights. Application rights are especially useful in roles for users who only occasionally need to run specific applications with the privileges of the Administrator account or a service account on a local computer.

To create a new role definition with application rights:

  1. Open the Access Manager console.
  2. Expand Zones and the parent zone or child zones until you see the zone where you want to define a new role that includes an application right.
  3. Expand the Authorization node.
  4. Select Role Definitions, right-click, then click Add Role.
  5. Type a role name and optional description for the role.

    The description can include details about time restrictions for the role and whether the role is audited or not.

  6. If you want to restrict when this role is available, click Available Times and use the grid to specify when to allow or deny access for this role definition.

  7. Click the System Rights tab and select Console login is allowed to allow users in the role to log on locally.

    To use the Run as selected role utility and an application right, the user must be able to log on locally on the computer where the application runs. If you want to allow users to log on using a remote desktop connection, you can also select Remote login is allowed.

    Users must be assigned to at least one role with either console login or remote login rights to access any computers where the Centrify Agent for Windows is installed. You can grant access using the Windows Login role definition or the system rights in any custom role definition.

    If you want to require multi-factor authentication for users to access the role, select Require multi-factor authentication. You can also require multi-factor authentication for access to individual rights when you define the rights to add to roles. For more information, see Enabling multi-factor authentication for Windows rights.

  8. Click the Audit tab and select an audit and monitoring service option.
    • If you select Audit not requested/required, users can log on to audited computers without having their session activity recorded. An audit trail event is recorded in the Windows event log when users select this role to run the application, but the detailed record of what took place during the session is not captured.
    • If you select Audit if possible, session activity is recorded when users select this role to run the application, but it is not recorded when they use the application on computers where audit and monitoring service is not enabled, or on audited computers where audit and monitoring service is not currently running.
    • If you select Audit required, users can only select this role to run the application when audit and monitoring service is running. If audit and monitoring service is not available or not currently running, the role is not available and users cannot use their elevated privileges.
  9. Click OK to save the role definition.

  10. Select the role definition, right-click, then click Add Right to add the application right to the role definition.

  11. Select the application right from the list of rights from the current zone and from any parent zones, then click OK to add the right to the role definition.