lost access to admin portal
09-15-2017 08:18 AM
A user has view permission to a system, and view/login permissions to an account on that system. Up until yesterday, he was able to log in to his user portal, switch to his Admin Portal, and log in to that system from there. But beginning at some point yesterday, he can no longer access his admin portal. In his user portal, when he clicks his user name, the menu no longer has the "Switch to Admin Portal" option. No permission changes were made for the account. Anyone have any thoughts on what could be causing this? Thank you in advance.
09-15-2017 08:27 AM
The user does not belong to a role that has the Privilege Service User, Privilege Service Power User or Privilege Service Administrator.
The quickest way to review rights is to look at the user > Roles, and focus on the rights on the right column. If the user does not have either PSU, PSPU or PSA, then they won't be able to switch to the Admin portal.
Identify the role he/she is supposed to be in, then look at the activity to see who may have made the change.
09-15-2017 08:45 AM
Thank you for the quick response.
This user was assigned permissions directly to the system and account, not through a role membership. And he was successfully logging in to the system/account from his admin portal. But starting at some point yesterday, when he clicks his name in his user portal, he no longer sees the "Switch to Admin Portal" option. I've double-checked his permissions, and I've removed/re-added the permissions, but the problem persists.
BTW, I know the best way to set up system/account permissions is through role memberships, and I'm doing that in general, but for this particular account I need to assign permissions directly to the system/account for some testing that I'm doing.
09-15-2017 10:13 AM
We may be misunderstanding ourselves here.
Permissions are individual entitlements for CPS objects (e.g. an 'account' type has view, checkout, rotate, update and so on; a system has view, login, view session, etc.).
Role entitlements allow you to perform actions in the Centrify Platform. E.g. a Privilege Service User can go to the admin portal and see only CPS-related objects.
If you have permissions in objects, but don't have the role entitlement that allows you to access privilege service, you won't be able to access those systems/accounts/secrets, etc.
09-18-2017 03:49 AM
Robertson was correct. After checking your tenant config, the affected user didn't have the administrative right (granted in Roles tab) to access Centrify Admin Portal.
Granting only "View" or "Login" permission on a particular system or an account will not allow the user to access Centrify Admin Portal, let alone see the system or account.
We'll follow up with you further on this via the support ticket you opened with us.