Request and approval workflow overview

While it is possible to give users access by statically assigning them to a role with specific administrative rights, a more secure method for controlling access is to establish a request and approval workflow. A request and approval workflow gives specific users or members of specific roles the ability to approve or reject access requests. A request and approval workflow improves security by controlling which users can request access, which users can grant access, and how long access is allowed if it is granted.

If you are a member of the System Administrator role or have the appropriate permissions, you can configure a request and approval workflow for different types of access requests. The procedure for configuring the workflow depends on the type of access request and the service offerings you use.

Note: If Workflow is enabled on the user's account and the user requests permission using Request Checkout, the password can only be checked out during the time period specified by the admin, for example between 1pm and 2pm. The checkout duration is adjusted to ensure the password is checked back in by the end of the time period, in this example 2pm.

For details about configuring a request and approval workflow for a specific type of access request, see the following topics:

  • Zone role workflow setup overview for details about allowing Active Directory users who are registered as Privileged Access Service users to request a role assignment on a computer that is joined to a Centrify zone.

  • Using privileged account workflow for details about managing account password checkout access requests and login access for systems, domains, and databases if you have Centrify Server Suite deployed.

  • Managing application access requests for details about managing application access requests to specific applications if you have Centrify Application Services deployed.

  • Using Agent Auth workflow for details on how to enable global login workflow for privileged accounts.

  • Privilege elevation workflow for details about how to enable and use privilege elevation workflow.

If you are managing Privileged Access Service on your internal network or a private cloud, you can configure a request and approval workflow. However, request and approval messages require you to have a mail server for outgoing email requests. You can configure the settings for a custom Simple Mail Transfer Protocol (SMTP) mail server in the administrative portal. For details about post-installation configuration steps when you deploy Privileged Access Service as a self-managed service, see the Installation and Configuration Guide for On-Site Deployment.