Centralized, Role-Based Privilege Management for UNIX and Linux
Control how and when users can access UNIX & Linux systems and enforce what they can do without sharing privileged passwords.
Centrify DirectAuthorize's centralized, role-based privilege management features help you manage and enforce fine-grained control over user access and privileges on UNIX and Linux systems. According to Gartner, UNIX and Linux systems inherently lack a scalable and simple model for administrative delegation, and organizations that give too many users root permission run unnecessary security risks and will invariably fail audits. By controlling how users access systems and what they can do, DirectAuthorize enables you to lock down sensitive systems and eliminate uncontrolled use of root accounts and passwords. DirectAuthorize also delivers robust entitlement management for UNIX and Linux that goes well beyond complex, script-based authorization management products.
Gain Centralized Control over Access to Root Accounts on UNIX and Linux
DirectAuthorize also delivers fine-grained control over how and when users can access UNIX & Linux systems.
Role-Based Privilege Management
Grant users rights to execute commands with elevated privileges, eliminating the need for access to privileged accounts and passwords
- IT security administrators can define rights to execute specific privileged commands, storing the required account information securely in Active Directory. Once that right is assigned to a role, users or groups in that role can execute the privileged command without having to switch accounts or know the passwords of privileged accounts. For example, a backup operator role can be granted the right to execute backup commands with enough privilege to ensure all files are backed up – without needing the root password.
Assign users a Restricted Environment with access only to a specific "whitelist" of commands
- To completely lock down sensitive systems, DirectAuthorize’s Restricted Environment further enables IT security administrators to limit users or groups within a role to a specific set of commands; anything not on the list is denied. For example, a database administrator role can be assigned a Restricted Environment that permits only database-related commands. A command whitelist is only as tight as the commands on it: a permitted program that can spawn a subshell, launch an editor, or write arbitrary files as the privileged account gives the user a way around the restriction, so each whitelisted command should be reviewed for such escapes before it is granted.
Simplify the execution of privileged commands for users
- Users in a Restricted Environment no longer need to switch to root or other privileged accounts in order to run commands that require privilege. Instead, users can simply log in with their Active Directory account and seamlessly execute, with privilege, the commands available to them within their role without changing their behavior or learning to use a new command like sudo.
Role-Based Access Controls
Lock down sensitive systems with fine-grained access controls that specify who can access a system and how
- Centrify DirectAuthorize is part of the Centrify Suite’s single, unified architecture for authentication, access control, authorization and auditing. Centrify DirectControl is the base component of the suite, enabling organizations to centrally manage UNIX, Linux and Mac systems within Active Directory. Using Centrify's patented Zone technology, organizations can segregate systems into logical groups, and only users who are authorized for a Zone can log in to systems within that Zone.
- DirectAuthorize is a seamlessly integrated component of the Centrify Suite. It adds finer-grained access controls by enabling IT security managers to define user roles within a specific Zone. The role specifies which PAM-enabled interfaces or applications a user in that role can use to access systems in the Zone (for example, a backup operator may have access only through SSH).
Set time windows when a role can access a system, and set time periods when a role assignment is active
- Backup operators may need access to sensitive systems only for a limited time during a maintenance window. Or a contract system administrator may be on staff only for a specific time period. DirectAuthorize roles can, for example, specify that the backup operator can log in to systems within a Zone only on Wednesdays and Fridays between the hours of 5:00 p.m. and 9:00 p.m. The contract system administrator’s account could be set to a start date of Monday, August 4th, and an expiration date of Friday, August 29th. Modeled on the same Active Directory settings available for Windows accounts, DirectAuthorize’s date- and time-based access settings enable consistent, role-based policy enforcement across your heterogeneous enterprise.
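The three controls described above (a per-role whitelist of privileged commands, a time window on the role, and start and expiry dates on the role assignment) can be modeled as a single policy check. The following is an added, illustrative Python model of that evaluation and is not Centrify's code or DirectAuthorize's configuration format; the user names, role names, command paths and the 2014 dates are constructed sample data, and a real enforcement agent would also resolve symlinks and verify the ownership and mode of the target binary before executing it.

```python
"""Toy policy evaluator for role-based privilege management.

Models three controls: a per-role whitelist of privileged commands
(restricted environment), login/time windows on a role, and start/expiry
dates on a role assignment.  Anything not explicitly granted is denied.
Illustrative code only; not Centrify's implementation.  All roles, users,
commands and dates below are constructed sample data.
"""
import os
from dataclasses import dataclass
from datetime import date, datetime, time
from typing import Dict, FrozenSet, List, Optional, Sequence, Tuple

MON, TUE, WED, THU, FRI, SAT, SUN = range(7)   # datetime.weekday() numbering


@dataclass(frozen=True)
class TimeWindow:
    weekdays: FrozenSet[int]
    start: time            # inclusive
    end: time              # exclusive

    def allows(self, when: datetime) -> bool:
        return when.weekday() in self.weekdays and self.start <= when.time() < self.end


@dataclass(frozen=True)
class Role:
    name: str
    run_as: str                                   # account the command executes as
    commands: FrozenSet[str]                      # absolute paths only
    windows: Tuple[TimeWindow, ...] = ()          # empty = no time restriction

    def open_at(self, when: datetime) -> bool:
        return not self.windows or any(w.allows(when) for w in self.windows)


@dataclass(frozen=True)
class Assignment:
    user: str
    role: str
    starts: Optional[date] = None   # None = already active
    expires: Optional[date] = None  # inclusive; None = never expires

    def active_on(self, day: date) -> bool:
        if self.starts is not None and day < self.starts:
            return False
        if self.expires is not None and day > self.expires:
            return False
        return True


def authorize(user: str, argv: Sequence[str], when: datetime,
              roles: Dict[str, Role], assignments: List[Assignment]) -> Optional[str]:
    """Return the account argv should run as, or None if the request is denied.

    The command is matched by normalized absolute path, so a bare name such
    as "tar" (which could resolve through PATH to an attacker's binary) is
    rejected.  Real code would also resolve symlinks and check the target
    file's ownership and mode before executing it.
    """
    if not argv or not os.path.isabs(argv[0]):
        return None
    command = os.path.normpath(argv[0])
    for a in assignments:
        if a.user != user or not a.active_on(when.date()):
            continue
        role = roles.get(a.role)
        if role is not None and role.open_at(when) and command in role.commands:
            return role.run_as
    return None


# --- constructed sample policy (hypothetical names and paths) ---------------
MAINTENANCE = TimeWindow(frozenset({WED, FRI}), time(17, 0), time(21, 0))

ROLES = {
    "backup_operator": Role("backup_operator", "root",
                            frozenset({"/bin/tar", "/usr/bin/rsync"}), (MAINTENANCE,)),
    "dba": Role("dba", "postgres",
                frozenset({"/usr/bin/psql", "/usr/bin/pg_dump"})),
    "sysadmin": Role("sysadmin", "root",
                     frozenset({"/sbin/service", "/usr/sbin/useradd"})),
}

# 2014 is assumed so that Aug 4 falls on a Monday and Aug 29 on a Friday.
ASSIGNMENTS = [
    Assignment("alice", "backup_operator"),
    Assignment("bob", "dba"),
    Assignment("carol", "sysadmin", starts=date(2014, 8, 4), expires=date(2014, 8, 29)),
]


def check(user: str, argv: Sequence[str], when: datetime) -> Optional[str]:
    """Evaluate one request against the sample policy above."""
    return authorize(user, argv, when, ROLES, ASSIGNMENTS)


if __name__ == "__main__":
    wed = datetime(2014, 8, 6, 18, 30)   # a Wednesday inside the maintenance window
    print(check("alice", ["/bin/tar", "czf", "/backup/etc.tgz", "/etc"], wed))
    print(check("alice", ["/bin/bash"], wed))
    print(check("carol", ["/sbin/service", "sshd", "restart"], datetime(2014, 8, 30, 9, 0)))
```

The evaluator is deny-by-default: a request succeeds only when an active assignment, an open time window and an exact whitelist match all line up, and the returned account (rather than a shared root password) is what the privileged command would run as.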
Tie users’ UNIX and Linux entitlements to centrally managed Active Directory identities and run reports for a global view of entitlements
- DirectControl is used to join UNIX and Linux systems to your Active Directory domain, enabling users to log in to these systems using their Active Directory account. If the user then switches (su) to root, a service account, or a local account, DirectControl still associates that activity with each user’s Active Directory account.
- DirectAuthorize entitlements are assigned to users and groups that are centrally administered from Active Directory. Thus authentication, access controls and authorizations are tied to a single Active Directory identity, providing the accountability that is the heart of IT security and compliance best practices.