Showing results for 
Search instead for 
Do you mean 
Participant I
Posts: 1
Registered: ‎11-30-2018
#1 of 2 459


Hi All,


We need to provide root access to technical users to perform application setup.

we would like to check any feasibility to to provide previlege access to user with DZDO and this access should be revoked after certain time.


Suppose if we provide root access to a technical user through DZDO, the previlege access should be expired after  7 days or 10 days.




Centrify Guru I
Posts: 2,433
Registered: ‎07-26-2012
#2 of 2 442

Re: dzdo

[ Edited ]




Welcome to Centrify.

Absolutely doable.  dzdo is an enhanced version sudo to leverage Centrify DirectAuthorize data in the zone in AD.

It was designed to support temporary access controls.  The concepts to understand are these:


In UNIX-like systems, Roles consist  of PAM acesss rights (how the user accesses the system) and commands (executed by using dzdo).  Roles can be time-bound (e.g. rights effective at a certain day/time).  Role assignments (the association of a role to a user or group principal) can be time-scoped.  See screenshots below:


Access Manager - time bound combos.png


Role assignments can happen manually, programmatically or based on AD group membership.


For more information:



Want to learn more about practical Centrify examples? Check out my blog at
Follow Centrify: