Restricting access to administrative privileges

By defining roles with specific access permissions, you can use Access Manager to specify the conditions under which users can perform privileged operations. A user logs on to the Windows computer with their normal, restricted login, and selects the role they need only when a privileged operation calls for it; the rest of the time the session runs without those privileges. You can restrict a role or desktop to certain times of day or days of the week, and you can set a start date and an expiration date for the access. You can also set any role or desktop to require auditing, so that the user cannot use it unless the session is being audited.

For Windows computers, Access Manager provides three kinds of specialized access rights:

  • Desktop access rights enable you to create additional working environments (desktops) and run any application in that desktop as a member of an Active Directory or built-in group.
  • Application access rights enable you to run a specific local application as another user or as a member of an Active Directory or built-in group. This access right is similar to the standard Run as option, except that a user assigned a role with this right does not need to know the privileged account's password, because the privilege is granted by the role rather than by the credential.
  • Network access rights enable you to connect to a remote computer as another user or as a member of an Active Directory or built-in group in order to perform operations that require administrative privileges on that remote computer, such as starting and stopping services.

You configure these access rights using the Access Manager console. They are enforced by the Centrify Agent for Windows, which must be installed on each computer you want to manage; a computer without the agent is not subject to the rights you define.