Specify a privilege elevation validator
You can use this computer configuration group policy to validate the ticket number that a user enters along with a privilege elevation reason. The validation runs a customized PowerShell script against a ticketing system, such as ServiceNow.
If you enable this policy, here are some important things to know:
- Centrify provides a sample script that you can use as a starting point for your own script. At a minimum, you need to enter your ServiceNow URL for the $url parameter. You can get the sample script from GitHub: in the centrify-agent-windows repo, go to Samples > ITSM validation > servicenow.
- If the ticket ID is not validated successfully, the user's request for elevated privilege is rejected.
- The custom PowerShell script must be available and accessible on each Windows computer where the validation occurs. If you're not running the PowerShell script on a local computer, be sure to allow remote PowerShell access for the script.
- This group policy works in conjunction with the Require justification on privilege elevation policy. If you only set one of these policies, any affected user is prompted to provide a reason for privilege escalation.
- If the script cannot validate the ticket entry within the specified timeout duration, then the validation fails. By default, the timeout value is 2 minutes.
Please consult the group policy explain text for more details.
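The following fail-closed validator is an added example of the kind of script this policy runs; it is not Centrify's sample script from the repo. The calling convention is an assumption (the agent passes the ticket number as the first argument and treats exit code 0 as validated, anything else as rejected), and the instance URL, service account name and credential file path are placeholders.

```powershell
# Added example, not Centrify's sample script. Assumed contract: ticket number as the
# first argument; exit 0 = validated, any other exit code = elevation rejected.
param(
    [Parameter(Mandatory = $true)][string]$TicketId,
    [string]$url = 'https://YOUR-INSTANCE.service-now.com',   # placeholder: your ServiceNow URL
    [int]$TimeoutSec = 60                                     # stay below the policy's 2-minute limit
)

# Reject anything that is not a well-formed ticket number before it reaches the HTTP query.
if ($TicketId -notmatch '^(INC|CHG)\d{7}$') {
    Write-Error "Rejected: '$TicketId' is not a valid ticket number format."
    exit 1
}

# Read-only ServiceNow service account. Assumption: the password is stored as a
# DPAPI-protected SecureString that only the account running this script can decrypt.
$user   = 'svc-elevation-validator'                                   # placeholder
$secret = Get-Content 'C:\ProgramData\Validator\servicenow.cred' | ConvertTo-SecureString  # placeholder path
$plain  = [System.Net.NetworkCredential]::new($user, $secret).Password
$auth   = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("$user`:$plain"))
$headers = @{ Accept = 'application/json'; Authorization = "Basic $auth" }

# ServiceNow Table API: look up only an active ticket and return only the fields needed.
$table = if ($TicketId -like 'CHG*') { 'change_request' } else { 'incident' }
$query = "$url/api/now/table/$table" +
         "?sysparm_query=number=$TicketId^active=true" +
         "&sysparm_fields=number,active,state&sysparm_limit=1"

try {
    $resp = Invoke-RestMethod -Uri $query -Method Get -Headers $headers -TimeoutSec $TimeoutSec
} catch {
    # Fail closed: network errors, authentication failures and timeouts all reject the elevation.
    Write-Error "Rejected: ServiceNow lookup failed ($($_.Exception.Message))."
    exit 1
}

if (@($resp.result).Count -eq 0) {
    Write-Error "Rejected: $TicketId was not found or is not active."
    exit 1
}

Write-Output "Validated: $TicketId ($table, state $(@($resp.result)[0].state))."
exit 0
```

Because the script exits non-zero on any lookup failure, an unreachable ticketing system blocks elevation rather than silently allowing it, which matches the policy's own behaviour when the timeout expires.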
There are two settings for this group policy:
- By default, when this policy is Disabled or Not Configured, users can run with elevated privileges as normal.
- When this policy is Enabled, you specify the PowerShell script filename, and users' entries are validated against the third-party ticketing system before privileged access is granted.
You can view the reason information that users enter in the audit trail event.