After you have prepared an Active Directory group for the computers where you plan to require multi-factor authentication, you can use the Admin Portal to prepare a role for those computers.
To prepare a role in the Admin Portal:
- In the Admin Portal, click Core Services, then click Roles.
- Click Add Role.
- Type a role name and, optionally, a role description.
  For example, type MFA-LinuxComputers as the role name and Role for multi-factor authentication of Linux Computers as the role description, then click Save.
- After naming the role, click Members, then click Add.
- Type a search string to locate the Active Directory group you are using for computers that require multi-factor authentication.
  For example, if you created a group called Audited Servers in Preparing a group for Centrify-managed computers, you might type “aud” as the search string to locate that group. Alternatively, you can search for and add individual computers to the role if you are not using an Active Directory group. Adding individual computers to the role, however, is not a scalable approach for most organizations.
  This step creates the link between the Centrify-managed computers and the identity service. There is no change to how you manage the computers you add to the identity service. This link is required to allow Privileged Access Service to provide authentication profiles to managed computers.
- Select the group, then click Add.
- Click Administrative Rights, then click Add.
- Select the Computer Login and Privilege Elevation administrative right, then click Add.
  This administrative right is only applicable for the computers that are members of the identity platform role. The right does not apply to users and is ignored for any users added as members of the role. In general, you should not add users to any role that is intended for multi-factor authentication on Centrify-managed computers.
- Click Save.