Specify a privilege elevation validator

You can use this computer configuration group policy to validate the ticket number that a user enters together with a privilege elevation reason. Validation is performed by a customized PowerShell script that you supply, which checks the ticket against a ticketing system such as ServiceNow.

If you enable this policy, here are some important things to know:

  • Centrify provides a sample script that you can use as a starting point for your own script. At a minimum, you need to set your ServiceNow URL in the $url parameter. You can get the sample script from GitHub: in the centrify-agent-windows repo, go to Samples > ITSM validation > servicenow.

  • If the ticket ID is not validated successfully, the user's request for elevated privilege is rejected.
  • The custom PowerShell script must be present and readable on each Windows computer where the validation occurs. If the script runs on a remote computer rather than locally, be sure to allow remote PowerShell access for it. Because the script decides whether elevation is granted, store it in a location that only administrators can modify.
  • This group policy works in conjunction with the Require justification on privilege elevation policy. If you set only one of these policies, affected users are still prompted to provide a reason for privilege elevation.
  • If the script does not return a result within the specified timeout, the validation fails. The default timeout is 2 minutes.
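The following is an added example of a validator script for this policy; it is not the Centrify sample script. It assumes a calling convention that the page does not state: the ticket number arrives as the first argument, exit code 0 means the ticket was validated, and any non-zero exit code means the request is rejected. The ServiceNow Table API endpoint (/api/now/table/<table>) and its response shape are real; the state values and the credential file path are assumptions (ServiceNow defaults and a hypothetical path) that you would adjust for your instance.

```powershell
# Validate-Ticket.ps1 (added example, not the Centrify sample script)
# Assumed contract: ticket number as first argument; exit 0 = validated, non-zero = rejected.
param(
    [Parameter(Mandatory = $true)][string]$TicketId,
    # Same role as the $url parameter in the Centrify sample: your instance base URL (placeholder).
    [string]$url = 'https://your-instance.service-now.com',
    # Stay well under the policy's default 2-minute timeout so a slow ITSM yields an
    # explicit rejection instead of a silent timeout.
    [int]$TimeoutSec = 60,
    # Read-only ServiceNow service account saved with Export-Clixml. The file is
    # DPAPI-protected, so it must be exported under the account that runs the validator.
    [string]$CredentialPath = 'C:\ProgramData\snow-validator.cred.xml'   # hypothetical path
)

$ErrorActionPreference = 'Stop'
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Ticket prefixes mapped to the ServiceNow table and to the states that justify elevation.
# State codes are ServiceNow defaults (assumption); anything not listed is rejected
# before a network call is made.
$Rules = @{
    'INC' = @{ Table = 'incident';       OpenStates = @('1', '2', '3') }   # New, In Progress, On Hold
    'CHG' = @{ Table = 'change_request'; OpenStates = @('-2', '-1') }      # Scheduled, Implement
}

function Test-TicketFormat {
    param([string]$Id)
    # A strict pattern rejects junk early and keeps user input out of the query string.
    return $Id -match '^(INC|CHG)\d{7}$'
}

function Get-Ticket {
    param([string]$Id, [string]$BaseUrl, [pscredential]$Credential, [int]$Timeout)
    $rule  = $Rules[$Id.Substring(0, 3)]
    $query = [uri]::EscapeDataString("number=$Id")
    $uri   = "$($BaseUrl.TrimEnd('/'))/api/now/table/$($rule.Table)" +
             "?sysparm_query=$query&sysparm_fields=number,active,state,assigned_to&sysparm_limit=2"
    $resp  = Invoke-RestMethod -Uri $uri -Method Get -Credential $Credential `
                 -Headers @{ Accept = 'application/json' } -TimeoutSec $Timeout
    return $resp.result
}

try {
    if (-not (Test-TicketFormat $TicketId)) {
        Write-Output "Rejected: '$TicketId' is not a recognised ticket number"
        exit 1
    }
    $cred   = Import-Clixml -Path $CredentialPath
    $result = @(Get-Ticket -Id $TicketId -BaseUrl $url -Credential $cred -Timeout $TimeoutSec)
    $rule   = $Rules[$TicketId.Substring(0, 3)]

    # Exactly one record must match; zero means unknown ticket, two means an ambiguous query.
    if ($result.Count -ne 1) {
        Write-Output "Rejected: ticket $TicketId not found"
        exit 1
    }
    $t = $result[0]
    if ($t.active -ne 'true' -or $rule.OpenStates -notcontains [string]$t.state) {
        Write-Output "Rejected: ticket $TicketId is not in an open state (state=$($t.state))"
        exit 1
    }
    if (-not $t.assigned_to) {
        Write-Output "Rejected: ticket $TicketId has no assignee"
        exit 1
    }
    Write-Output "Validated: $TicketId"
    exit 0
}
catch {
    # Fail closed: a timeout, TLS failure or bad credential must never grant elevation.
    Write-Output "Rejected: validator error: $($_.Exception.Message)"
    exit 2
}
```

To exercise the script by hand before pointing the policy at it, run it as the same account the agent will use, for example `.\Validate-Ticket.ps1 -TicketId INC0010001 -url https://your-instance.service-now.com; $LASTEXITCODE`, and confirm that a closed ticket, an unknown ticket and an unreachable URL all produce a non-zero exit code. The script deliberately treats every error as a rejection, which matches the policy's behaviour of denying elevation whenever validation does not succeed.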

Please consult the group policy explain text for more details.

There are two settings for this group policy:

  • By default, when this policy is Disabled or Not Configured, users can run with elevated privileges as normal and no ticket validation takes place.
  • When this policy is Enabled, you specify the PowerShell script filename, and user entries are validated against the third-party ticketing system before privileged access is granted.

You can view the reason information that users enter in the audit trail event.