Welcome to Centrify.
Absolutely doable. dzdo is an enhanced version sudo to leverage Centrify DirectAuthorize data in the zone in AD.
It was designed to support temporary access controls. The concepts to understand are these:
In UNIX-like systems, Roles consist of PAM acesss rights (how the user accesses the system) and commands (executed by using dzdo). Roles can be time-bound (e.g. rights effective at a certain day/time). Role assignments (the association of a role to a user or group principal) can be time-scoped. See screenshots below:
Role assignments can happen manually, programmatically or based on AD group membership.
For more information: https://community.centrify.com/t5/Centrify-Infrastructure-Services/FAQ-What-is-DirectAuthorize-dzdo-dzwin/td-p/21193
R.P