Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >

Centrify Privilege Service Deployment Checklist

11 April,19 at 11:50 AM

Your Centrify Privilege Service (CPS) deployment could go a lot smoother with this checklist. This checklist is a high overview of the necesarry tasks to prepare, deploy, configure, and validate a CPS environment.





Have a Centrify tenant with the Privilege Service enabled

Have at least two Centrify Directory Service accounts in System Administrator Role

Have a customized login suffix and tenant URL configured

Define user security policies for login authentication to the Centrify Portals (password or MFA)

If using MFA with mobile device phone numbers, check that these attributes exist and are provisioned in Active Directory

If using MFA with email, check that email attribute exists and has been provisioned

If using RADIUS for MFA, configure RADIUS

If using OATH for MFA, configure OATH

Identify hosts for Centrify Connectors

Check firewall rules from Centrify Connectors to the Centrify Cloud Service

Check firewall rules from Centrify Connectors to the CPS systems

Identify subnets to be associated with each Connector

If using Discovery, check firewall rules to determine if Connectors can connect to potential resources via SMB and RPC over TCP

If using Discovery, identity Active Directory account with permissions to read the machines that will be discovered. Should have local administrator permissions.

If you will be managing services for scheduled tasks or other service accounts, identify service accounts to manage

If you will be managing database accounts, identify the databases (SQL Server or Oracle) to be managed

If you will be managing database accounts, verify that the firewall allows connection from the Connector to the database server or instance

If using auditing, have a working CSS DirectAudit Installation

If using auditing, check firewall rules from Centrify Connectors to the DirectAudit Installation

If using workflow, identify approvers for access requests


For more details, see the following links:


Preparing for your Privilege Management Deployment with the Centrify Infrastructure Service - Part 1

Preparing for your Privilege Management Deployment with the Centrify Infrastructure Service - Part 2




Install Centrify Connectors on hosts in client environment
Define Administrative Roles for CPS
Add users or groups as members of the CPS roles
In Admin Portal Settings > Infrastructure, specify Global permissions for systems and accounts
In global security settings: specify the frequency of password rotation, how long passwords can be checked out, etc…

If using auditing, enable auditing for CPS




If using auto Discovery, create a Discovery profile Specify an Active Directory account with permissions to read the machines that will be discovered - this account will also need to have local administrator permissions on the systems that will be discovered

Filter Discovery based on Organizational Unit or Active Directory Group - do not proceed without setting a filter

Add passwords to any service accounts that were found and that CPS will be managing




If bulk importing, download and complete the bulk import spreadsheet

Import spreadsheet into CPS using the bulk import wizard

If local accounts were not specified in the bulk import spreadsheet, manually add credentials for those accounts


Configuration system-level permissions, account-level permissions, and domain-level permissions


Create static sets of systems and accounts to grant member permissions

Define who can view accounts (must have view for all operations)

Define who can delete accounts

Define who can edit accounts

Define who can grant permissions to others to use accounts

Define who can checkout accounts

Define who can login remotely as accounts

Define who can update account passwords



Configure of service/application password management

Create administrative service account that can rotate passwords for service accounts, and also start and stop the service or task

Create identical account to service account to be managed (including permissions)

If it's a service account, define restrictions for when the service can be restarted

If it's a scheduled task, both service accounts must have log on as a batch job permissions

Add identical account, administrative service account, and original service account into managed domain accounts in CPS

Create multiplexed account in CPS, comprised of the two service accounts (identical account and original account)

Create service to managed service and managed passwords


Configure permissions for which CPS users can view the service account, force rotate the passwords, etc.


Configuration of database accounts


Add the database accounts - will need the server, port, and account passwords

Configure permissions for which CPS users can view the database account, force rotate the passwords, etc.




Test checkout of passwords

Test rotation of passwords

Test login of a Windows system

Test login of a UNIX system

Test login of network device system

If using auditing, verify audit data exists in the Audit Analyzer


Policy configuration

If using policy on login, configure login policy

If using policy on checkout, configure password checkout policy

Test deployed policies


Workflow configuration

Configure view system access for potential requestors 

Configure workflow rules to request access to specific accounts on target systems

Use the approvers as previously defined in preparation for workflow

Test workflow - both approval and denial scenarios

If using email approvals, verify email approval notifications are received




If using PuTTY or local RDP client, CPS users must install the local client remote access kit and enable for themselves