New Features for the Centrify Privileged Access Service:

Set Visibility 

Today with Centrify Privileged Access Service (PAS), users must be given the "View" permission to gain visibility to a specific set or group of sets. Similarly, members of the System Administrator role must be assigned individual permissions on each set to gain visibility. This manual process increases administrative overhead, especially for large numbers of sets. This new feature solves this problem with a global setting that, when enabled, provides set visibility across all resources of all System Administrators.



Granular Admin Rights

The current Centrify Platform Administrative Rights are broad in scope and do not offer the ability to define and manage which users can add what resource types. In this first phase of the Granular Admin Rights capability, we have created new Administrative Rights for three resource actions that can be assigned to users. These rights can be combined with existing and more restrictive rights, such as the Centrify Privileged Access Service User (View access), to create a custom role that gives the user just enough privilege.
New rights have been added to the Administrative Rights list for the following:

• Adding Systems
• Adding Databases
• Adding SSH Keys
  
  

Centrify Remote Access Kit (RAK) for Centrify 'Use My Account' (UMA) Feature

The Centrify Remote Access Kit allows a user to perform remote operations using a preferred local client. With this new feature, any session launched using Centrify's UMA authentication from the Centrify Portal will honor the "User Preference" of launching a native remote client application for UMA-initiated sessions, rather than launching the default Web‑based client.


New Features for Centrify Clients for Linux and Windows:

Privilege Elevation for CClient - Phase I (preview)

This is the first phase of privilege elevation support for Centrify CClient. This phase will provide all or nothing elevation to root on Linux systems and local Administrator for Windows systems. From the Centrify Portal, customers can now centrally configure, enable, or disable privilege elevation for Active Directory, Centrify Directory, Google Cloud Directory, or federated users. Also in this phase, you can enable multi-factor authentication (MFA) at elevation for extra protection and validation of a user's identity. This phase is marked as a preview for release 21.1. 




Vaulting Support for Windows Workstations 

Centrify CClient now provides vaulting support for Windows workstations. Vault local administrator accounts and leverage the Centrify vault's client-based password reconciliation feature to reconcile out-of-sync passwords. Please note that this phase only supports the Windows 8 and Windows 10 platforms and local account reconciliation. Other Centrify CClient features such as Agent Auth, Delegated Machine Credentials (DMC), and Application-to-Application Password Management (AAPM) are planned for a future phase. 

Removal of Local Accounts (GA) 

Removal of Local Accounts previewed with release 20.7. This is the official GA for this feature. Enabling Removal of Local Accounts ensures that all local accounts created by the Centrify CClient on Windows machines are cleaned up upon user logout. This feature can be used in tandem with local group mapping and Agent Auth for just-in-time elevation via a temporary account. 




New Features

• Login (agent_auth) and Zone role workflow can now be sent to an approver’s mobile device as well as to email. The notification pops up in the notifications page and allows admins to customize the approval type and time windows. If there are multiple approvers, all may get it on their devices but only the first approver can customize (CC-75795, CC-74557).
   
• A Centrify Vault plug-in is now available for Ansible on Centrify GitHub (CC-59624).

Changes in Hot Fix 3

• Old connectors that did not track the state of SSH or RDP configuration now consistently show them as enabled by default on the connector configuration page and network page (CC-77214).
   
• Resolved issues that were preventing or causing long delays for loading user activity in the Admin Portal (CC-77579).

Changes

• The connector zip package, and the exe inside it, have been renamed from Cloud-Management-Suite to Centrify-Connector-Installer (CC-76022).
   
• The default authenticated session length has been reduced from three weeks to 12 hours (CC-76503).
   
• A Windows-only cclient configuration parameter has been added to allow the default order for searches for user accounts when there is more than one directory configured. The parameter is CloudFirstUserLookup and when set to true will cause the cloud directory to be searched ahead of any other directories configured (CC-76837).
   
• For LDAP users only, suffix-less (short) user names are now supported in the Direct RDP connection string (CC-76809).
   
• Read-only administrator roles and rights have been updated to remove some read/write actions:
  - A new ReadOnlyResourceManagement right has been introduced which is a ReadOnlyPowerUser that cannot add sets or folders.
  - A ReadOnlyTechSupport role with ReadOnlySysAdmin and ReadOnlyResourceManagement rights. Users in this role can see all sets but not the members and not create any sets.
  - Users in the ReadOnlySysadmin role can create sets but not folders.
  (CC-74774).
   
• LDAP searches have been updated to allow for empty specific attribute mappings, and also for using multiple mappings for LDAP searches rather than just adding mapped object classes. All search parameters now use mapped attributes.
  
  For LDAP v1 (LDAP directory services added before mappable attributes were added): additional attribute fields have been added to user and group searches (displayname for groups and surname for users).
  
  For LDAP v2 (LDAP configuration has mappable attributes): the mappings list is now honored for searches – old “behind the scenes” fields are no longer used, only field that are mapped.
  
  Also for LDAP v2: some attribute mappings can be removed to reduce fields used in user and/or group searches.
  (CC-75900).

Notice of discontinuation

Supported Platforms

Centrify Connector

• Windows Server 2012r2, Server 2016, Server 2019

Self-hosted Centrify Privileged Access Service

• Windows Server 2012r2, Server 2016, Server 2019

Hyper-scalable Centrify Privileged Access Service

• Windows Server 2016, Server 2019

Centrify Clients for Linux

• Red Hat Enterprise Linux 6.9, 6.10, 7.5, 7.6, 7.7, 7.8, 7.9, 8.0, 8.1
• CentOS 6.9, 6.10, 7.5, 7.6, 7.7, 7.8, 8.0
• Fedora 30, 31
• Oracle Linux 6.9, 6.10, 7.5, 7.6, 7.7, 7.8, 7.9
• Amazon Linux AMI 2017.09, 2018.03
• Amazon Linux 2 2017.09, 2018.03
   

• 7.5, 7.6, 7.7, 7.8, 7.9, 8.0, 8.1

• Latest stable release 2345.3.0

• SUSE 12, 15

• Debian 9
• Ubuntu 16.04LTS, 18.04LTS, 18.10, 19.04

Centrify Client for Microsoft Windows

• Windows Server 2012r2, Server 2016, Server 2019

Windows PAS Remote Access Kit

• Windows 10, Server 2012r2, Server 2016, Server 2019

Centrify app for Android

• Android 4.4 (API level 19) and later

Centrify app for iOS

• iOS 11 and above