Running a specific application with privileges

With desktop access rights, you can run any application using one of the roles assigned to you. Application access rights are assigned on an application-by-application basis.

If you have a role assignment with application access rights, you can run one or more specific applications using the administrative privileges defined for your role. The administrator defines the specific application rights that you have in each role you are assigned. If you have a role assignment with application access rights, the administrator specifies the location of the application executable, the arguments you can use when running the application, and the account used when you run application. You can only select a role to run a local application for which you have application rights.

Selecting Run with Privilege is similar to selecting standard Windows “Run as” or “Run as administrator” menu items, but does not require you to provide a password for an administrative or shared service account. Instead, you always use your own password to authenticate your identity.

For information about running an application as an alternate user, see Run with privilege as an alternate user.

To run a local application using a selected role:

  1. Navigate to and select the application you want to run.
  2. Right-click the executable or shortcut for the application and select Run with Privilege.

    (If you want to open the application from the Start menu, press the Shift key when you right-click.)

    If you have not been assigned to any role that has application access rights for the application you are trying to open, a message displays to inform you that you are not a member of any role associated with the selected application.

    The Centrify Run with Privilege dialog box displays. (If it doesn't display, it's because you're assigned to just one role, so there's no need to select a role.)

    Note:   Note: If you pressed the Shift key when you right-clicked the application in Step 2, the Centrify Run with Privilege dialog box displays even if you're assigned to just no roles or just one role for access to that application.

  3. Select the desired role.

  4. If the application requires network access rights for a remote server, click Advanced View to see if you have a role with network access rights available.
  5. If you'd prefer to use your environment variables instead of the variables that are associated with the selected role, select Use current environment variables instead of "Run As" user's.
  6. Click OK to continue.
  7. Enter the password for your login account, if you are prompted for it, then click OK.

    If your administrator has enabled privilege elevation justification, a dialog box appears.

  8. Enter the following information to justify why you need to run the application with privilege:

    • Ticket number: If your administrator has instructed you to enter a ticket number, do so here. (This field can be used with ticketing systems such as ServiceNow and so forth.)
    • Reason: Select the reason category that best fits your situation. Your choices are:
      • Software Installation
      • Remote System Administration
      • Local System Administration
      • Windows Feature Management
      • System Networking Change
      • Maintenance (Shutdown, Reboot, Power Off)
      • PowerShell or Other CLI
      • Centrify Operation (Services, Zone Operations, etc.)
      • Other
    • Comment: Enter any comments about your need to run with privilege.
  9. If your administrator has enabled multi-factor authentication, complete the additional authentication challenge.

  10. Click OK.

    After you've successfully authenticated, the application opens and an audit trail event is recorded in the Windows Application event log. You can use the application with the privileges granted to the specific user account or administrative group defined for your role. You have the privileges associated with the role or roles you selected until you exit the application. When you close the application, you resume working with your normal account privileges and group membership.