DirectAuthorize, a seamlessly integrated component of Centrify Suite, leverages the scalable and robust DirectControl architecture, which joins UNIX, Linux and Mac systems to Active Directory and enables non-Windows identities to be centrally managed within Active Directory. DirectAuthorize meets compliance-driven requirements for "least access" management by allowing organizations to centrally define logical roles (backup operator, DBA, web developer, application administrator, etc.) that carry with them the specific rights needed to perform duties within a role. Rights describe both access methods and privileges, specifically:
Roles are defined for a Centrify Zone, which is a logical collection of DirectControl-managed systems. Active Directory users or groups can be assigned to one or more roles. A role assignment can apply to all computers in a Zone, or to a specific computer. For example, in the Engineering Zone the user Chris could be assigned the system administrator role for all computers, and also be assigned a DBA role for a single database server. Thus, roles are a flexible and scalable method for defining users' access methods and privileges for a specific set of systems.
Roles can be active and available for use during specific hours of the day or days of the week. For example, you can specify that a backup operator role is available only on Wednesdays and Fridays between the hours of 5:00 p.m. and 9:00 p.m. Users and groups in that role are allowed to perform the operations associated with the role during the days and times you have defined.
An individual user or group role assignment can be given an effective starting date and time, an expiration date and time, or both. For example, if the user Jane needs to be a database administrator temporarily for four weeks in August, you can assign this user to the database administrator role with a start date of Monday, August 4th, and an expiration date of Friday, August 29th. Or, a patch role might be assigned to user Fred for a short time while he works on a trouble ticket.
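The zone-scoped, time-windowed role model described above (roles per Zone, assignments for all computers or one computer, day/hour availability, start and expiry dates), worked through as an added Python example; this is not Centrify code, and the user names, the year 2008 and the use of direct user assignments without AD group expansion are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time

@dataclass
class Role:
    name: str
    zone: str                      # roles are defined per Centrify Zone
    days: frozenset = None         # weekdays (Mon=0) the role is usable; None = every day
    hours: tuple = None            # (start, end) time of day; None = all day

    def available_at(self, at: datetime) -> bool:
        """Is the role itself usable at this moment (day-of-week / hour window)?"""
        if self.days is not None and at.weekday() not in self.days:
            return False
        return self.hours is None or self.hours[0] <= at.time() < self.hours[1]

@dataclass
class Assignment:
    principal: str                 # AD user (group expansion omitted; an assumption)
    role: Role
    computer: str = None           # None = every computer in the zone
    starts: datetime = None        # effective start (inclusive); None = immediately
    expires: datetime = None       # expiration (exclusive); None = never

    def applies(self, principal, zone, computer, at) -> bool:
        """Does this assignment grant the role to principal on computer at time `at`?"""
        if principal != self.principal or zone != self.role.zone:
            return False
        if self.computer is not None and self.computer != computer:
            return False
        if self.starts is not None and at < self.starts:
            return False
        if self.expires is not None and at >= self.expires:
            return False
        return self.role.available_at(at)

def effective_roles(assignments, principal, zone, computer, at):
    return {a.role.name for a in assignments if a.applies(principal, zone, computer, at)}
# Constructed sample data mirroring the page's examples (names and dates are assumptions).
SYSADMIN = Role("sysadmin", "Engineering")
DBA = Role("dba", "Engineering")
BACKUP = Role("backup_operator", "Engineering", days=frozenset({2, 4}), hours=(time(17), time(21)))
ASSIGNMENTS = [
    Assignment("chris", SYSADMIN),                       # all computers in the zone
    Assignment("chris", DBA, computer="db01"),           # a single database server
    Assignment("jane", DBA, computer="db01",             # four weeks in August 2008
               starts=datetime(2008, 8, 4), expires=datetime(2008, 8, 30)),
    Assignment("pat", BACKUP),                           # Wed/Fri 17:00-21:00 only
]
```

Evaluating `effective_roles(ASSIGNMENTS, "jane", "Engineering", "db01", at)` for a timestamp before August 4th or after August 29th yields an empty set, which is the check a login or privilege-elevation path would make before honouring a role.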
Like DirectControl, DirectAuthorize is tightly integrated into Active Directory, meaning no additional servers or infrastructure are required to run DirectAuthorize. DirectAuthorize stores its role and rights data securely in Active Directory using Authorization Manager's existing rights-based logical model and data storage schema, found in Windows 2003 and above. This means no Active Directory schema extensions are required to install and use DirectAuthorize, and you can leverage the pre-existing Authorization Manager (AzMan) APIs to access DirectAuthorize's roles and rights data.
DirectAuthorize is delivered as a core component of the DirectControl solution, and together DirectControl and DirectAuthorize form the Centrify Suite, Standard Edition. The DirectAuthorize user interface is integrated with the DirectControl Administrator's Console. The DirectAuthorize rights enforcers are integrated into the DirectControl Agent. And unlike other solutions, DirectAuthorize requires no UNIX kernel changes or system reboots.