Using Zone Role Workflow
Zone role workflow allows you to set up a workflow process so that access to computers in Server Suite zones can be requested, approved or rejected, and tracked.
With zone role workflow:
- Users can request assignment to a role that's defined for a specific computer in a Server Suite zone.
- After the user requests the zone role assignment, the approver can grant access either temporarily or permanently or reject the request to deny access.
- Once the approver grants access by approving the request, the service assigns the user to the zone role on that computer and updates Active Directory automatically. The user now has all the privileges defined in that zone role.
When you enable your deployment to use zone role workflow, you also specify the following:
- Which users can submit requests
- Which users can approve requests
- Which systems can have access requested and approved
- Which zone roles a user can request that are available on the specified systems
You can enable and configure zone role workflow at the domain level. After you enable and configure a workflow at the domain level, all systems in the domain use that zone role workflow by default. You can then override or disable the default workflow at the system level. The system-specific settings that you specify override the domain settings.
For example, you might enable and configure zone role workflow at the domain level to establish default settings for role availability, approvers, and requestors. Then, you can use system-specific settings to have individual systems opt out of the zone role workflow or to override role availability and approver settings for specific systems.
Users requesting zone role assignment must be domain users and must be assigned at least one administrative right that grants access to the Privileged Access Service, with permission to View objects in the Admin Portal.
Approvers do not need to be domain users. Approvers can be specified individually, or by group membership.
Zone Role Workflow Setup Overview
Here's an overview of how you set up your deployment to use zone role workflow.
How to set up zone role workflow (an overview):
1. Make sure your deployment meets the prerequisites. For details, see Zone Role Workflow Requirements.
2. (Optional but recommended) Create roles for requestors and approvers. For details, see Creating Roles for Requesters and Approvers.
3. Enable a default zone role workflow for the domain. Here you'll also assign the roles that you created in the previous step. For details, see Enabling Zone Role Workflow.
4. Configure which users can request zone-based role assignments. For details, see Configuring Users to Be Requestors.
5. Configure who can approve zone role workflow requests. For details, see Configuring Users and Roles to be Approvers.
6. (Optional) Customize the email that is sent and for which kinds of zone role workflow actions. For details, see Customizing the Notification Email for Zone Role Workflow Activity.
Zone Role Workflow Requirements
In order to configure your deployment for zone role workflow, ensure that your deployment meets the following requirements:
Infrastructure Requirements
Privileged Access Service for identity and privilege elevation must be installed and running on at least one computer in the domain, and the Privileged Access Service must be configured with at least one zone.
The computers you add to the Privileged Access Service for zone role workflow must be added using the fully-qualified DNS name, not the IP address, and must be serviced by a Cloud Connector, have a domain specified, and be enabled for domain operations. Computers that are discovered automatically will automatically be associated with a connector, have their domain set, and be enabled for domain operations.
If you add a computer manually, you must also manually specify a domain and enable domain operations for that computer. For details about specifying domains for systems and enabling domain operations, see Setting domain operations for a system.
Join Requirements
Computers participating in a zone role workflow must be joined to a zone.
- Linux and UNIX computers must have the Server Suite agent installed, and be joined to an Active Directory domain and a zone with the adjoin command.
- Windows computers must be joined to an Active Directory domain, have the Server Suite Agent installed, and the agent must be joined to a Server Suite zone.
To see whether a computer is joined to a zone:
1. Open the Admin Portal, click Resources, then click Systems.
2. Select a system to view its details, then click Advanced.
3. Check the Zone Joined Status field to verify it displays “Joined.”
If necessary, you can manually update the joined status for a computer. For more information about using the Advanced tab, see Setting system-specific advanced options.
The Privileged Access Service periodically updates the zone joined status of systems in the domain. Use the Domains > Advanced tab as described in Setting domain-specific advanced options to view and change the update interval.
Domain Requirements
You must have a domain administrative account with read and write permission in Active Directory for each domain that participates in a zone role workflow. For details about creating domain administrative accounts, see Setting domain administrative accounts. If you select an Active Directory account as the domain administrative account, the account must be given permission in Server Suite to create assignments for the computers in participating zones.
In addition, only domains that are discovered automatically by a Cloud Connector can be used in a zone role workflow by default because users requesting zone role assignments must be Active Directory users. If you add domains manually, you can manually assign the connectors to use for the domain.
To see whether a domain was discovered by a connector:
- Open the Admin Portal, click Resources, then click Domains to view the list of domains.
- Check the Discovered column to verify the domain has a value of “Auto” indicating that the domain was discovered automatically.
Creating Roles for Requesters and Approvers
This topic describes how to create one or more identity service roles for users who can request zone role assignment (requesters), and users or groups who can approve or reject zone role assignment requests (approvers).
This step is optional, but is typically done so that users and groups can easily be given request and approval permission by assigning them to the appropriate role.
To create roles for requesters and approvers:
1. Open the Admin Portal, click Access, then click Roles.
2. Click Add Role.
3. Provide a unique name for the role.
4. Click Members, then click Add.
5. Type a search string to search for and select users and groups for this role, then click Add.
6. Click Administrative Rights.
7. In the Add Rights dialog, select one or more of the following administrative rights so that the role has access to Privileged Access Service:
   - Privileged Access Service User
   - Privileged Access Service Power User
   - Privileged Access Service Administrator
   For more information about these rights, see Admin Portal administrative rights.
8. Click Save to save the role.
Enabling Zone Role Workflow
The Privileged Access Service will query Active Directory to find the roles available for assignment. When you select the roles you want to make available to requestors, you can see whether the roles are available for UNIX computers, Windows computers, or both. You can also modify whether the roles are available to UNIX, Windows, or both.
Enabling Zone Role Workflow for a Domain and Configuring the Available Roles
When you enable a domain for zone role workflow, you also specify which zone-based roles can be requested.
To enable a default zone role workflow for all computers in a domain:
1. Open the Admin Portal, click Resources, then click Domains to view the list of domains.
2. Select a domain to view its details.
3. Click Zone Role Workflow.
4. Select Enable zone role requests for systems in this domain.
5. Under Assignable Zone Roles, click Add.
6. Select a role you want to make available to requestors from the list of roles available for the domain, then click Add.
   To search for a role, start typing the name of the role. When you find the role you want to add, select it and click Add. You can add as many roles as you need by repeating Step 5 and Step 6.
7. Modify the role availability, if needed, then continue to .
Enabling Zone Role Workflow for a Specific Computer
To enable, configure, or override the workflow for a specific computer:
1. Open the Admin Portal, click Resources, then click Systems to view the list of systems.
2. Select a system to view its details.
3. Click Zone Role Workflow.
4. Check Use Domain Administrator Account for Zone Role Workflow operations to enable zone role workflow for the system.
   When setting up zone role workflows, you can only request zone roles for a system whose zone status is joined. The status of a system is periodically refreshed, but you can also select Check Now for an on-demand refresh of the zone joined status (also see Setting domain-specific advanced options). The zone joined status can be one of the following:
   - Joined—System is joined to a hierarchical zone.
   - Not Joined—System is not joined to any hierarchical zone.
   - Undetermined—The system was added using an IP address instead of a DNS name, so its zone status cannot be determined.
5. In the Enable zone role requests for this system field, select one of the following choices:
   - Select -- to use the default zone role workflow settings defined for the domain.
   - Select Yes to define zone role workflow settings specific to this computer. The settings that you define here override the domain settings. Note that only users with the Edit permission for the system and the system domain can enable zone role workflow for the system (see Setting domain-specific permissions and Setting system-specific permissions).
   - Select No to disable zone role workflow for this computer even if it is enabled at the domain level.
   If you select -- or No, click Save to save your changes.
6. If you selected Yes, under Assignable Zone Roles, select one of the following choices:
   - Select Use domain assignments to use the roles defined for the domain.
   - Select Choose to override the roles defined for the domain.
7. If you are overriding the roles defined for the domain, click Add to search for and select a role you want to make available to requestors from the list of roles available for the domain.
8. Select one or more roles, then click Add.
   You can add more roles by repeating Step 7 and Step 8.
9. Modify the role availability, if needed, then continue to Configuring Users to Be Requestors.
Configuring Users to Be Requestors
You must give requestors—whether they are individual users or members of a role—the right to submit zone role requests. You can grant the permission to submit zone role requests on individual systems, on system sets, or globally for all systems.
Creating a system set is optional but simplifies zone role assignments. For information about creating system sets, see Adding system sets.
Assigning Requestors for Systems and Sets
The process of assigning who can request a zone-based role assignment involves adding the users to the system's permissions and making sure that the user accounts have the right permissions.
To assign users or groups as requestors for systems and system sets:
1. Open the Admin Portal, click Resources, then click Systems to view the list of systems.
2. Select an individual system or a system set.
   - If you are viewing the details for an individual system, click Permissions.
   - If you select a system set, right-click to select Modify, then click Member Permissions.
3. Click Add to search for and select the users, groups, and roles to which you want to grant permissions.
   To find a user, group, or role to add, start typing the user, group, or role name. When you find the user, group, or role you want to add, select it and click Add.
4. On the Permissions page for the system, select the View and Request Zone Role permissions for each user, group, and role allowed to submit zone role access requests.
5. Click Save.
The users, groups, and roles that you specified now have permission to request zone-based role assignment on the individual system or system set that you selected.
Assigning Global Requestors
If desired, you can assign global system permissions to some users so that they have zone role workflow permissions on all systems by default.
To assign global zone role request permissions:
1. Open the Admin Portal, click Access, then click Global System Permissions.
2. Click Add to search for and select the users, groups, and roles to which you want to grant permissions.
   To find a user, group, or role to add, start typing the user, group, or role name. When you find the user, group, or role you want to add, select it and click Add.
3. Select the View and Request Zone Role permissions for each user, group, and role allowed to submit zone role access requests.
4. Click Save.
The users and roles that you specified now have permission to request zone role assignment on all systems by default.
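The precedence rules described above (domain settings as defaults, the system-level --/Yes/No setting with its optional role override, the Joined zone status requirement, and View plus Request Zone Role granted per system, per system set, or globally) as a small policy-resolution model. This is an added example, not Privileged Access Service code: it calls no product API, and the systems, sets, users, and roles in it are constructed.

```python
# Added illustration of this page's zone role workflow rules, not Privileged
# Access Service code: it calls no product API, and the systems, sets, users,
# and roles below are constructed. Domain settings are defaults: a system's
# "--" inherits them, "Yes" overrides (own roles if "Choose"), "No" opts out.
# Requests also need zone status "Joined" and both View and Request Zone Role
# granted on the system, on a set containing it, or globally.
from dataclasses import dataclass

REQUIRED = {"View", "Request Zone Role"}

@dataclass
class DomainWorkflow:
    enabled: bool
    assignable_roles: set

@dataclass
class SystemWorkflow:
    zone_status: str              # "Joined", "Not Joined" or "Undetermined"
    enable_requests: str = "--"   # "--", "Yes" or "No"
    role_source: str = "Use domain assignments"  # or "Choose"
    assignable_roles: set = None

def effective_enabled(domain, system):
    # A system-level No wins even when the domain is enabled; -- inherits.
    return {"No": False, "Yes": True}.get(system.enable_requests, domain.enabled)

def effective_roles(domain, system):
    # A system-specific role list applies only with Yes plus Choose.
    if system.enable_requests == "Yes" and system.role_source == "Choose":
        return system.assignable_roles or set()
    return domain.assignable_roles

def has_request_permission(user, system_name, perms):
    # Grants on the system itself, on any set containing it, or global grants.
    system_perms, set_perms, global_perms, set_members = perms
    grants = [system_perms.get((user, system_name), set()),
              global_perms.get(user, set())]
    grants += [set_perms.get((user, s), set())
               for s, members in set_members.items() if system_name in members]
    return any(REQUIRED <= g for g in grants)

def can_request(user, role, system_name, domain, system, perms):
    # Returns (allowed, reasons); every failing check is listed, not just the first.
    checks = [
        (effective_enabled(domain, system), "workflow disabled"),
        (system.zone_status == "Joined", "zone status " + system.zone_status),
        (role in effective_roles(domain, system), "role not assignable"),
        (has_request_permission(user, system_name, perms),
         "missing View/Request Zone Role"),
    ]
    reasons = [why for ok, why in checks if not ok]
    return (not reasons, reasons)

DOMAIN = DomainWorkflow(True, {"UNIX Login", "DBA"})
SYSTEMS = {
    "web01": SystemWorkflow("Joined"),                          # inherits
    "db01": SystemWorkflow("Joined", "Yes", "Choose", {"DBA"}),  # overrides
    "legacy01": SystemWorkflow("Undetermined"),                 # added by IP
    "kiosk01": SystemWorkflow("Joined", "No"),                  # opted out
}
PERMS = ({("alice", "web01"): {"View", "Request Zone Role"}},     # per system
         {("bob", "DB Servers"): {"View", "Request Zone Role"}},  # per set
         {"carol": {"View"}, "alice": set(REQUIRED)},             # global
         {"DB Servers": {"db01"}})                                # set members
def evaluate(user, role, system_name):
    return can_request(user, role, system_name, DOMAIN, SYSTEMS[system_name], PERMS)
```

Running evaluate for a user, role, and system name reports every reason a request would be refused, which is a convenient way to check a planned permission layout before granting it.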
Configuring Users and Roles to be Approvers
To complete the zone role workflow, you need to specify which users, groups, and roles can approve or reject zone-based role assignment requests for all computers in a domain or for specific computers.
Configuring Approvers for the Domain
If desired, you can specify some users to be zone role workflow approvers for all systems in a domain.
To configure approvers for the domain:
1. Open the Admin Portal, click Resources, then click Domains to view the list of domains.
2. Select a domain to view its details.
3. Click Zone Role Workflow.
4. Under Approver List, click Add.
5. For the Approver Type, select either Requestor's Manager or Specified User or Role.
6. If you select Requestor's Manager, select the action to take if the requestor doesn’t have a manager, then click Add.
7. If you select Specified User or Role, click Add to search for and select users, roles, or both.
   To find a user or role to add to the approver list, start typing the user or role name. When you find the user or role you want to add, select it and click Add. You can also select multiple approvers at once or repeat Step 4 and Step 5.
8. Click Save to save your changes to the approvers list, then continue to "Configuring users to be requestors".
Configuring Approvers for a Specific Computer
You can configure zone role workflow approvers for a specific computer, either as additional users or to override a domain-level approver setting.
To configure or override approvers for a specific computer:
1. Open the Admin Portal, click Resources, then click Systems to view the list of systems.
2. Select a system to view its details.
3. Click Zone Role Workflow.
4. Under Approver List, select one of the following choices:
   - Select Use domain assignments to use the approver users and roles defined for the domain.
   - Select Choose to override the approver users and roles defined for the domain.
5. If you are overriding the approver users and roles defined for the domain, click Add.
6. For the Approver Type, select either Requestor's Manager or Specified User or Role.
7. If you select Requestor's Manager, select the action to take if the requestor doesn’t have a manager, then click Add.
8. If you select Specified User or Role, click Add to search for and select users, roles, or both.
   To find a user or role to add to the approver list, start typing the user or role name. When you find the user or role you want to add, select it and click Add. You can also select multiple approvers at once or repeat Step 5 and Step 6.
9. Click Save to save your changes to the approvers list.
Customizing the Notification Email for Zone Role Workflow Activity
You can use or customize the default email notification templates that the service sends out when there is any zone role assignment request activity.
To customize zone role assignment notification email:
1. Open the Admin Portal, click Settings, then General, then click Account Customization.
2. Scroll to locate the Message Customization section.
3. Select any of the following message templates to customize the content for zone role access requests:
   - Zone Role Assignment Request
   - Zone Role Assignment Approved
   - Zone Role Assignment Denied
   - Zone Role Assignment Request Failed
   For more information about customizing message templates, see How to customize email message contents.
Working with Zone Role Workflow
After you have configured your deployment for zone role workflow, you can use a workflow and its related features to request, view, and approve zone role assignment requests as described in the following topics:
- Requesting Assignment to a Zone Role
- Responding to Zone-based Role Assignment Requests
- Working with Zone Role Request Reports
- Confirming that Access is Denied After Expiration
- Viewing Zone Role Requests and History
Requesting Assignment to a Zone Role
If you need access to a zone-based role assignment, you can submit a request to be assigned to that role assignment.
To request assignment to a zone role:
1. Open the Admin Portal, click Resources, then click Systems to view the list of systems.
2. Select the check box of a system to request access to a role for that system.
3. Click Actions and select Request Zone Role from the menu.
4. Select a role from the list and click Request.
5. Type a reason for your request, optionally provide ticket information, and optionally specify or modify the requested start and end time for the role assignment.
6. Click Submit.
An email notification is sent to the user who will review and either approve or reject your request. You will receive email when the request is approved or rejected.
Depending on your environment, there could be a lag of up to an hour between the time you receive the email notification of approval and when your zone role assignment takes effect.
Responding to Zone-based Role Assignment Requests
If you are a user or member of a role that has been designated as an approver for zone-based role assignment requests, you can choose to approve or reject the zone-based role assignment requests that you receive.
Approving a Zone-based Role Assignment Request
If you are a zone role workflow approver, you will receive email notification whenever a request needing your approval is submitted. You can grant permanent access or temporary access that expires after a specified duration or time frame.
To approve a zone-based role assignment request:
1. Open an email message from Server Suite Zone Role Assignment Management with the subject, “Zone role assignment request.”
2. Click the View Request link.
   If you are not already signed in to the Privileged Access Service, sign in when prompted.
3. Review the request details and click Approve.
4. Choose a duration or time frame for access:
   - To grant permanent access, select Grant Permanent Permission.
   - To grant temporary access for a specified duration, select Grant Temporary Permission and specify the number of minutes, hours, or days before expiration.
   - To grant temporary access for a specified time frame, select Grant Windowed Permission and specify a start time and an end time.
   The default values for windowed permission are provided by the requester in the original request. If multiple approvers are configured, only the first approver to respond can change those values.
5. Click Submit.
The requester is notified of approval by email.
Rejecting a Zone-based Role Assignment Request
If you are a zone role workflow approver, you will receive email notification whenever a request needing your approval is submitted. If you do not approve of the request you can reject it.
To reject a zone-based role assignment:
1. Open an email message from Server Suite Zone Role Assignment Management with the subject, “Zone role assignment request.”
2. Click the View Request link.
   If you are not already signed in to the Privileged Access Service, sign in when prompted.
3. Review the request details and click Reject. The Rejection dialog opens.
4. In the Rejection dialog, optionally provide a reason for the rejection.
5. Click Submit.
The requester is notified of rejection by email.
Working with Zone Role Request Reports
A built-in report, “Zone Role Requests,” is provided to give you detailed information about zone-based role assignment requests. You can view, copy, email, and export a report for zone role assignment requests.
To access a zone role assignment request report:
1. Open the Admin Portal, click Reports, then click Builtin Reports.
2. Click Zone Role Requests to view the report, or select the check box for Zone Role Requests, then click Actions to perform other actions, such as emailing or exporting the report.
For more information about the actions that you can perform when working with reports, see Managing reports.
Confirming that Access is Denied After Expiration
After a zone-based role assignment expires, the role assignment is no longer valid on the computer where the role was assigned, and the requester can no longer use that role on that computer.
By default, expired zone-based role assignments are removed from Active Directory every six hours, so the expired role assignment might still be listed for up to six hours after it has expired, even though it cannot be used after expiration.
Use the Resources > Domains > Advanced page as described in Setting domain-specific advanced options to view and change the interval at which expired role assignments are removed from Active Directory.
Viewing Zone Role Requests and History
You can view the status and history of one or more zone-based role assignment requests.
To view request status and history:
1. Open the Admin Portal, click Access, then click Requests to view the list of requests.
2. Click on a request to view information about that request.
The Status field shows whether the request is pending, approved, or rejected.