New Features for the Centrify Privileged Access Service:
Set Visibility
Today with Centrify Privileged Access Service (PAS), a user must be granted the "View" permission on a set to see it, and members of the System Administrator role must likewise be assigned permissions on each individual set. This manual process increases administrative overhead, especially for large numbers of sets. This new feature adds a global setting that, when enabled, gives all System Administrators visibility into the sets of all resource types.
Granular Admin Rights
The current Centrify Platform Administrative Rights are broad in scope and do not let an administrator define which users may add which resource types. In this first phase of the Granular Admin Rights capability, three new Administrative Rights, one per resource action, can be assigned to users. These rights can be combined with existing, more restrictive rights, such as Centrify Privileged Access Service User (View access), to build a custom role that grants the user just enough privilege. The following rights have been added to the Administrative Rights list:
Adding Systems
Adding Databases
Adding SSH Keys
Centrify Remote Access Kit (RAK) for Centrify 'Use My Account' (UMA) Feature
The Centrify Remote Access Kit lets a user perform remote operations with a preferred local client. With this new feature, any session launched from the Centrify Portal with Centrify's UMA authentication honors the "User Preference" to launch a native remote client application for UMA-initiated sessions instead of the default web-based client.
New Features for Centrify Clients for Linux and Windows:
Privilege Elevation for CClient - Phase I (preview)
This is the first phase of privilege elevation support for the Centrify CClient. It provides all-or-nothing elevation to root on Linux systems and to local Administrator on Windows systems. From the Centrify Portal, customers can now centrally configure, enable, or disable privilege elevation for Active Directory, Centrify Directory, Google Cloud Directory, or federated users. This phase also lets you require multi-factor authentication (MFA) at elevation time for extra validation of the user's identity. This phase is marked as a preview for release 21.1.
Vaulting Support for Windows Workstations
The Centrify CClient now provides vaulting support for Windows workstations. Local administrator accounts can be vaulted, and the Centrify vault's client-based password reconciliation feature can bring out-of-sync passwords back in line. Note that this phase supports only the Windows 8 and Windows 10 platforms and only local account reconciliation. Other Centrify CClient features such as Agent Auth, Delegated Machine Credentials (DMC), and Application-to-Application Password Management (AAPM) are planned for a future phase.
Removal of Local Accounts (GA)
Removal of Local Accounts was previewed in release 20.7; this release is its official GA. When enabled, all local accounts created by the Centrify CClient on Windows machines are removed when the user logs out. The feature can be used together with local group mapping and Agent Auth to provide just-in-time elevation through a temporary account.
New Features
Approval requests for the Login (agent_auth) and Zone role workflows can now be sent to an approver's mobile device as well as to email. The request appears on the notifications page, and admins can customize the approval type and time window. If there are multiple approvers, all may receive the request on their devices, but only the first approver to act can customize it (CC-75795, CC-74557).
A Centrify Vault plug-in is now available for Ansible on Centrify GitHub (CC-59624).
Changes in Hot Fix 3
Old connectors that did not track the state of the SSH or RDP configuration now consistently show them as enabled by default on the connector configuration page and the network page (CC-77214).
Resolved issues that prevented user activity from loading in the Admin Portal, or made it load very slowly (CC-77579).
Changes
The following list records issues resolved in this release and behavior changes.
The connector zip package, and the exe inside it, have been renamed from Cloud-Management-Suite to Centrify-Connector-Installer (CC-76022).
The default authenticated session length has been reduced from three weeks to 12 hours (CC-76503).
A Windows-only cclient configuration parameter has been added to control the default search order for user accounts when more than one directory is configured. The parameter is CloudFirstUserLookup; when set to true, the cloud directory is searched before any other configured directory (CC-76837).
For LDAP users only, suffix-less (short) user names are now supported in the Direct RDP connection string (CC-76809).
Read-only administrator roles and rights have been updated to remove some read/write actions:
A new ReadOnlyResourceManagement right has been introduced; it is a ReadOnlyPowerUser that cannot add sets or folders.
A ReadOnlyTechSupport role with the ReadOnlySysAdmin and ReadOnlyResourceManagement rights. Users in this role can see all sets but not their members, and cannot create any sets.
Users in the ReadOnlySysadmin role can create sets but not folders. (CC-74774)
LDAP searches have been updated to allow empty mappings for specific attributes, and to use multiple attribute mappings in a search rather than only adding mapped object classes. All search parameters now use mapped attributes.
For LDAP v1 (LDAP directory services added before mappable attributes were introduced): additional attribute fields have been added to user and group searches (displayName for groups and surname for users).
For LDAP v2 (LDAP configurations with mappable attributes): the mappings list is now honored for searches; the old "behind the scenes" fields are no longer used, only the fields that are mapped.
Also for LDAP v2: some attribute mappings can be removed to reduce the fields used in user and/or group searches (CC-75900).
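The following is an added illustration of what "searches use only the mapped attributes" means in practice; it is constructed example code, not Centrify's implementation, and the mapping dictionary shape, the function names and the sample directory configuration are assumptions. It builds a user or group search filter from a configurable attribute mapping, lets several directory attributes map to one logical field, drops a field whose mapping is empty, refuses to emit a filter with no searchable attribute (which would otherwise match every object of the class), and escapes the search term per RFC 4515 so a value such as ")(objectClass=*" cannot change the filter's structure.

```python
# Added example: attribute-mapped LDAP search filters with RFC 4515 escaping.
# Constructed code for illustration; not Centrify's implementation. The
# mapping format, function names and sample configuration are assumptions.

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_RFC4515_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a search term so it is matched literally and cannot alter the
    filter structure ('admin*' stays a literal; ')(uid=*' cannot inject)."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(object_classes, attribute_mapping, term):
    """Build an LDAP search filter that uses only the mapped attributes.

    object_classes:    objectClass values identifying the object type
    attribute_mapping: {logical field: [directory attribute, ...]};
                       an empty list means the field is intentionally
                       unmapped and is left out of the search entirely
    term:              the user-supplied search string
    """
    if not object_classes:
        raise ValueError("at least one objectClass is required")

    # Collect the directory attributes that are actually mapped, in order,
    # without duplicates; empty mappings contribute nothing.
    attrs = []
    for mapped in attribute_mapping.values():
        for attr in mapped:
            if attr and attr not in attrs:
                attrs.append(attr)

    # Never emit a filter whose attribute clause is empty: it would match
    # every object of the class instead of the requested entry.
    if not attrs:
        raise ValueError("no searchable attributes are mapped")

    safe_term = escape_filter_value(term)
    class_clause = "".join(
        f"(objectClass={escape_filter_value(c)})" for c in object_classes
    )
    attr_clause = "".join(f"({a}={safe_term})" for a in attrs)
    if len(object_classes) > 1:
        class_clause = f"(|{class_clause})"
    if len(attrs) > 1:
        attr_clause = f"(|{attr_clause})"
    return f"(&{class_clause}{attr_clause})"


# Constructed sample configuration for an LDAP "v2" directory with mappable
# attributes (assumed shape, not Centrify's configuration format).
USER_MAPPING = {
    "username": ["uid", "sAMAccountName"],  # two attributes feed one field
    "displayName": ["displayName"],
    "surname": [],                          # mapping removed: not searched
}
GROUP_MAPPING = {
    "groupName": ["cn"],
    "displayName": ["displayName"],
}


def user_search_filter(term: str) -> str:
    return build_search_filter(["person", "inetOrgPerson"], USER_MAPPING, term)


def group_search_filter(term: str) -> str:
    return build_search_filter(["groupOfNames"], GROUP_MAPPING, term)


if __name__ == "__main__":
    print(user_search_filter("jsmith"))
    print(group_search_filter("admins*"))  # the '*' is escaped, not a wildcard
```

The deliberate failure mode is the empty-mapping case: removing an attribute mapping must shrink the filter, not widen it, so a configuration where every field is unmapped is rejected rather than silently turned into a match-all search.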
Notice of discontinuation
With the 21.5 release we plan to drop browser extension support for Microsoft Internet Explorer 11, because Microsoft has ended support for the product and to improve the security posture of the cloud service.
Supported Platforms
Centrify Connector
Windows Server 2012 R2, Server 2016, Server 2019
Self-hosted Centrify Privileged Access Service
Windows Server 2012 R2, Server 2016, Server 2019
Hyper-scalable Centrify Privileged Access Service
Windows Server 2016, Server 2019
Centrify Clients for Linux
Client for Red Hat 6:
Red Hat Enterprise Linux 6.9, 6.10, 7.5, 7.6, 7.7, 7.8, 7.9, 8.0, 8.1
CentOS 6.9, 6.10, 7.5, 7.6, 7.7, 7.8, 8.0
Fedora 30, 31
Oracle Linux 6.9, 6.10, 7.5, 7.6, 7.7, 7.8, 7.9
Amazon Linux AMI 2017.09, 2018.03
Amazon Linux 2 2017.09, 2018.03
Client for Red Hat 7 (ARM architecture):
7.5, 7.6, 7.7, 7.8, 7.9, 8.0, 8.1
Client for CoreOS
Latest stable release 2345.3.0
Client for SUSE 12
SUSE 12, 15
Client for Debian 9
Debian 9
Ubuntu 16.04 LTS, 18.04 LTS, 18.10, 19.04
Centrify Client for Microsoft Windows
Windows Server 2012 R2, Server 2016, Server 2019
Windows PAS Remote Access Kit
Windows 10, Server 2012 R2, Server 2016, Server 2019
Centrify app for Android
Android 4.4 (API level 19) and later
Centrify app for iOS
iOS 11 and above
(Tested systems and devices for Privileged Access Service are listed in the documentation)