Creating a role definition with desktop rights

Before you can make the desktop rights you have defined available to users or groups, you must create one or more role definitions that include those rights. Desktop rights are especially useful to include in roles for users who frequently perform tasks that require the privileges associated with the Administrator group.

To create a new role definition with desktop rights:

  1. Open the Access Manager console.
  2. Expand Zones and the parent zone or child zones until you see the zone where you want to define a new role that includes a desktop right.
  3. Expand the Authorization node.
  4. Select Role Definitions, right-click, then click Add Role.
  5. Type a role name and optional description for the role.

    The description can include details about time restrictions for the role and whether the role is audited or not.

  6. Select Allow local accounts to be assigned to this role if you want to be able to assign local users or groups to the role you are creating.

    If you do not select this option, only Active Directory domain users can be assigned to the role.

  7. Click Available Times and use the grid to specify when to allow or deny access for this role definition if you want to restrict when this role is available.

  8. Click the System Rights tab and select Console login is allowed to allow users in the role to log on locally.

    To use the desktop right, the user must be able to log on locally on the computer. If you want to allow users to log on using a remote desktop connection, you can also select Remote login is allowed.

    Note: Remote computers must be configured to allow remote desktop connections for the “Remote login is allowed” right to be valid. You can configure a computer to allow remote desktop connections by right-clicking Computer and selecting Properties or from the System Control Panel, then clicking Remote settings.

    Users must be assigned to at least one role with either console login or remote login rights to access any computers where the Centrify Agent for Windows is installed. You can grant access using the Windows Login role definition or the system rights in any custom role definition.

    The Windows right “PowerShell remote access is allowed” lets users in the role log on remotely through PowerShell.

    If you want to allow users to log on even when the Windows agent isn’t running, or when the audit and monitoring service is required but not available, you can select the rescue right. Because this right allows users to log on without having their activity audited, you should only assign roles with this right to trusted administrators or under controlled conditions. For example, assume you have a computer with sensitive information that normally requires all user activity to be audited. If that computer has application or operating system issues that require you to disable auditing temporarily, you can use a role with the rescue right to log on to that computer to diagnose and fix the issue.

  9. In the Authentication tab, you can add multi-factor authentication. If you want to require multi-factor authentication for users to access the role, select Require multi-factor authentication for login. You can also require multi-factor authentication for access to individual rights when you define the rights to add to roles. For more information see Enabling multi-factor authentication for Windows rights.
  10. Click the Audit tab and select an option.

    If you select Audit not requested/required, users can log on to audited computers without having their session activity recorded. An audit trail event is recorded in the Windows event log when users open a desktop with this role, but the detailed record of what took place during the session is not captured.

    If you select Audit if possible, session activity is recorded when users open a desktop with elevated privileges on audited computers. It is not recorded when they log on to computers where the audit and monitoring service is not enabled, or to audited computers where auditing is not currently running.

    If you select Audit required, users can only open a desktop with elevated privileges when auditing is running. If the audit and monitoring service is not available or not currently running, the role is not available and users cannot use the elevated privileges.

  11. Click OK to save the role definition.

  12. Select the role definition, right-click, then click Add Right to add a desktop right to the role definition.

  13. Select the desktop right from the list of rights from the current zone and from any parent zones, then click OK to add the right to the role definition.
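The note in step 8 says a computer must accept remote desktop connections before the “Remote login is allowed” right has any effect. The following PowerShell function is an added example, not part of the Centrify documentation or product; it checks the standard Windows Remote Desktop registry values and firewall rule group on the local computer so you can verify that prerequisite before assigning the role.

```powershell
# Added example (not from the Centrify documentation): reports whether this
# Windows computer is configured to accept remote desktop connections, the
# prerequisite for the "Remote login is allowed" right noted in step 8.
function Test-RemoteDesktopEnabled {
    [CmdletBinding()]
    param()

    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpKey = "$tsKey\WinStations\RDP-Tcp"

    # fDenyTSConnections = 0 corresponds to "Allow remote connections to this
    # computer" in System Properties > Remote settings.
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction Stop).fDenyTSConnections

    # UserAuthentication = 1 means Network Level Authentication is required,
    # which is the recommended setting for remote desktop.
    $nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication

    # The built-in "Remote Desktop" firewall rule group must also be enabled,
    # otherwise connections are blocked even when the setting above is on.
    $fwRules   = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
    $fwEnabled = ($fwRules | Where-Object { $_.Enabled -eq 'True' } | Measure-Object).Count -gt 0

    [PSCustomObject]@{
        ComputerName             = $env:COMPUTERNAME
        RemoteDesktopAllowed     = ($deny -eq 0)
        NetworkLevelAuthRequired = ($nla -eq 1)
        FirewallRuleGroupEnabled = $fwEnabled
        ReadyForRemoteLogin      = ($deny -eq 0) -and $fwEnabled
    }
}

Test-RemoteDesktopEnabled | Format-List
```

Run it in an elevated PowerShell session on each computer where the role will be used; a result of `ReadyForRemoteLogin : False` means the “Remote login is allowed” right will not be usable there until Remote settings or the firewall rules are corrected.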