Desktop access rights enable you to create a separate desktop working environment for each role the administrator has assigned to you. You might have multiple role assignments with different desktop access rights so that you can run applications with elevated privileges. For example, you might be assigned two separate roles—one for running applications as a member of the domain administrators group and another for running applications as a member of the local administrators group.
If you have been assigned roles that have desktop access rights, you can create a desktop for each role.
To create a new desktop:
- Click the Centrify icon in the notification area.
- Select New Desktop.
If you have not been assigned to any role that has a desktop access right, a message is displayed to inform you that you are not a member of any role that permits opening a new desktop.
If you have been assigned to any roles that have desktop access rights, you can continue to the next step.
- Select a role from the list of your available roles, then click OK.
For example, if you are assigned multiple roles that include desktop access rights, you can select from these role assignments to control which account privileges are in effect for the new desktop.
Note that the roles listed might allow you to run as your own account locally, but grant access to remote servers. To see more information about the context associated with your roles, click Advanced View.
When you select a role, you also have the option to run the desktop with User Account Control (UAC) restrictions enforced. Selecting this option gives you filtered privileges, prompting you to confirm actions before continuing with operations that require elevated privileges. You can leave this option unselected to use a desktop with full privileges and without being prompted to confirm your actions. You should note, however, that when you run a desktop without enforcing UAC restrictions, no warnings are displayed, even if you have configured User Account Control Settings on the local computer.
- Type the password for your login account, if you are prompted for it, then click OK.
- If your administrator has enabled privilege elevation justification, a dialog box appears. Enter the following information to justify why you need to run the application with privilege:
  - Ticket number: If your administrator has instructed you to enter a ticket number, do so here. (This field can be used with ticketing systems such as ServiceNow.)
  - Reason: Select the reason category that best fits your situation. Your choices are:
    - Software Installation
    - Remote System Administration
    - Local System Administration
    - Windows Feature Management
    - System Networking Change
    - Maintenance (Shutdown, Reboot, Power Off)
    - PowerShell or Other CLI
    - Centrify Operation (Services, Zone Operations, etc.)
  - Comment: Enter any comments about your need to create a new desktop.
- If your administrator has enabled multi-factor authentication, complete the additional authentication challenges after entering your password.
After you select a role and click OK, the new desktop becomes your working environment. You can view the local and network roles you are using for the new desktop by left-clicking on the Centrify icon in the system Notification Area on the taskbar.
If the role is only applicable on a remote computer, the local role is displayed as Self. If the role does not have network access rights, the network role is displayed as Self.
To see complete information about the desktop, application, and network access rights for each of your roles, open the Authorization Center as described in Checking your rights and role assignments.