Features & Benefits

Gain Centralized Control over Access to Root Accounts on UNIX and Linux

DirectAuthorize also delivers fine-grained control over how and when users can access UNIX & Linux systems

Select a topic below to learn more about Centrify DirectAuthorize's features and benefits. Also see Why Customers Choose DirectAuthorize for a closer examination of DirectAuthorize's unique advantages and features.

Role-Based Privilege Management


Grant users rights to execute commands with elevated privileges, eliminating the need for access to privileged accounts and passwords

IT security administrators can define rights to execute specific privileged commands, storing the required account information securely in Active Directory. Once that right is assigned to a role, users or groups in that role can execute the privileged command without having to switch accounts or know the passwords of privileged accounts. For example, a backup operator role can be granted the right to execute backup commands with enough privilege to ensure all files are backed up – without needing the root password.

Assign users a Restricted Environment with access only to a specific “whitelist” of commands

To completely lock down sensitive systems, DirectAuthorize’s unique Restricted Environment further enables IT security administrators to limit users or groups within a role just to specific commands. For example, a database administrator role can be assigned a Restricted Environment that permits only database-related commands.

Simplify the execution of privileged commands for users

Users in a Restricted Environment no longer need to switch to root or other privileged accounts in order to run commands that require privilege. Instead, users can simply log in with their Active Directory account and seamlessly execute, with privilege, the commands available to them within their role without changing their behavior or learning to use a new command like sudo.

Role-Based Access Controls


Lock down sensitive systems with fine-grained access controls that specify who can access a system and how

Centrify DirectAuthorize is part of the Centrify Suite’s single, unified architecture for authentication, access control, authorization and auditing. Centrify DirectControl is the base component of the suite, enabling organizations to centrally manage UNIX, Linux and Mac systems within Active Directory. Using DirectControl’s patent-pending Zone technology, organizations can segregate systems into logical groups, and only users who are authorized for a Zone can log in to systems within that Zone.

DirectAuthorize is a seamlessly integrated component of the Centrify Suite. It adds finer-grained access controls by enabling IT security managers to define user roles within a specific Zone. The role specifies which PAM-enabled interfaces or applications a user in that role can use to access systems in the Zone (for example, a backup operator may have access only through SSH).

Set time windows when a role can access a system, and set time periods when a role assignment is active

Backup operators may need access to sensitive systems only for a limited time during a maintenance window. Or a contract system administrator may be on staff only for a specific time period. DirectAuthorize roles can, for example, specify that the backup operator can log in to systems within a Zone only on Wednesdays and Fridays between the hours of 5:00 p.m. and 9:00 p.m. The contract system administrator’s account could be set to a start date of Monday, August 4th, and an expiration date of Friday, August 29th. Modeled on the same Active Directory settings available for Windows accounts, DirectAuthorize’s date- and time-based access settings enable consistent, role-based policy enforcement across your heterogeneous enterprise.

Tie users’ UNIX and Linux entitlements to centrally managed Active Directory identities and run reports for a global view of entitlements

DirectControl is used to join UNIX and Linux systems to your Active Directory domain, enabling users to log in to these systems using their Active Directory account. If a user then switches (su) to root, a service account, or a local account, DirectControl still associates that activity with that user’s Active Directory account.

DirectAuthorize entitlements are assigned to users and groups that are centrally administered from Active Directory. Thus authentication, access controls and authorizations are tied to a single Active Directory identity, providing the accountability that is the heart of IT security and compliance best practices.