Creating an application right

An application right lets you run a specific application as a different user. An administrator assigns an application right rather than a desktop right when the user needs only occasional administrative responsibilities for a specific application and needs only temporary or infrequent use of the elevated privileges. (Desktop rights provide administrative access to more than a single application at a time. See Creating a desktop right for details about desktop rights.)

If you have completed the exercises in the previous sections, you are ready to create your first application right. If you have not completed all of the exercises to this point, you might not be able to perform all of the following exercises successfully.

In the following exercises, you will:

  • Verify the Active Directory domain user amy.adams does not have permission to use the Windows Control Panel to change security settings.
  • Configure a new application right that gives administrative privileges for the Control Panel application.
  • Define a new role that uses the application right.
  • Assign the role definition that includes the Control Panel application right to the Active Directory domain user amy.adams.
  • Verify that the role assignment grants the user amy.adams the right to change a setting in Control Panel.
  1. On the Windows client computer, log on as the amy.adams domain user account.
  2. Use Windows Explorer to open the C:\Windows\System32 folder.
  3. Create a shortcut for the control.exe program on the desktop.
  4. Use the shortcut to open the Control Panel, select System and Security, then open Allow a program through Windows Firewall.

    Notice that you cannot make changes to the list of Allowed programs and features. If you click Change Settings, you are prompted to enter an administrator account name and password.

  5. Click Cancel to close Allow programs to communicate through Windows Firewall and close the Control Panel.

  6. Log off as amy.adams and log on with your administrator account.

  1. On the Windows client computer, open Access Manager and expand to display Authorization > Windows Right Definitions.
  2. Select Applications, right-click, then select New Windows Application.
  3. On the General tab, type Control Panel Right for the name of this application right and an optional description.
  4. Click the Match Criteria tab, then click Add.

    In the Match Criteria tab, you specify one or more application executable files to be included in this application right. You can specify application executable files in many ways. The capability to specify more than one executable file in a single application right takes into account situations in which one application might reside in different locations on different computers. For details about different ways of specifying executable files, see the “Defining desktop application rights” help topic in the Access Manager online help.

    In this example, you will specify one application executable file using the application executable name and path.

  5. Type a name for the criteria definition, select Path, then type the application executable name control.exe to specify the Windows Control Panel as the application to which this right grants access. For example:

  6. Click OK to use the default standard system path for the application without specifying any other criteria.

  7. Click the Run As tab, select Self with added group privileges, then click Add Built-in Groups to select the administrative group to use.

    For the evaluation, you should use a built-in group to avoid adding test users and groups to your Active Directory environment. Alternatively, you could specify an existing user account, create a new user account for this right, or select Self with added group privileges, then click Add AD Groups to search for and select a previously-defined Active Directory group with administrative privileges.

  8. Select the Administrators group, then click OK.

  9. Select Re-authenticate current user to require users to authenticate their identity when they use a role with this right.

  10. Select Require multi-factor authentication If you would like to enable multi-factor authentication for the right.

    Before you enable multi-factor authentication, you should be aware that multi-factor authentication for Centrify-managed Windows computers relies on the infrastructure provided by Privileged Access Service. For more information on preparing to use multi-factor authentication, see the Multi-factor Authentication Quick Start Guide.

  11. Click OK again to complete the definition of the application right.

    The new application right is now defined. Next you must create a new role definition to use the application right.

  12. To update the list of application rights in Access Manager so that you can review the new application right, select Action > Refresh.

  1. Select Role Definitions, right-click, then select Add Role.
  2. In the General tab, type ControlPanelAdmin as the name of the new role.

    Do not change the default settings for the System Rights tab and the Audit tab.

  3. Click OK.

    The new role definition is created, but the role does not have any rights yet.

  4. Select the ControlPanelAdmin role listed under Role Definitions, right-click, then select Add Right.

  5. Select Control Panel Right in the list of rights, then click OK.

    You can filter the list of rights. For example, you can filter rights by name, type, zone, or description. After you select the right and click OK, the role definition has one right. You can add other rights to it. After you have identified all of the access rights for the role definition, you can assign the role to a user or group.

  1. Select Role Assignments, right-click, then select Assign Role.
  2. Select ControlPanelAdmin in the list of role definitions, then click OK to display Assign Role.
  3. Click Add AD Account to search for and select the user amy.adams, then click OK.
  4. Select Role Assignments to see that the user amy.adams is assigned the Windows Login and ControlPanelAdmin roles.
  5. Open the Privilege Elevation Service Settings (from the Agent Configuration shortcut > Centrify Privilege Elevation Service > Settings), click the Troubleshooting tab, then click Refresh to force the agent to get the latest authorization information without waiting for the cache to expire.
  1. Log off as the administrator and log in as amy.adams.
  2. Right-click the control.exe shortcut on the desktop.

    If you want to open an application from the Start menu, press the Shift key when you right-click.

  3. Select Run with Privilege.

    Selecting Run with Privilege is similar to selecting standard Windows “Run as” or “Run as administrator” menu items, but does not require you to provide a password for an administrative or shared service account. Instead, you always use your own password to authenticate your identity.

  4. Select ControlPanelAdmin in the list of the roles available, then click OK.

  5. Type the password for the amy.adams login account, then click OK.

  6. Select System and Security, then open Allow a program through Windows Firewall.

    Notice that you can now make changes to the list of programs allowed through the firewall.

This section showed you how to set up a role that allows privilege escalation for a single application and how the user can select that role to run the application with privileges without knowing the administrator’s user name or password.