Basic concepts of access rights and roles

To log on and use Centrify-managed computers, Active Directory users must have a complete UNIX profile and be assigned to at least one role that grants them access. Both the profile and the role assignment can be explicitly defined for the zone or for an individual computer, or inherited from a parent zone.

You can use Access Manager to centrally manage what users can do on computers that have the Centrify agent installed. For example, you can control who can log on or connect remotely for each computer in a zone through the definition of rights and the assignment of roles. A right represents a specific operation that a user is allowed to perform. A role is a collection of rights that can be defined in a parent or child zone and assigned to Active Directory users and groups.

The most basic rights are the predefined system rights that determine whether a user can log on locally with a password, log on remotely without a password, and run commands in a standard shell or in a restricted shell. The most common settings for these system rights are defined by default in the UNIX Login role, so you can grant users access to Centrify-managed computers simply by assigning the predefined UNIX Login role, without defining any custom roles or creating any additional access rights.
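
The access rule described above (a complete UNIX profile plus at least one role that grants access, each defined on the computer, in its zone, or inherited from a parent zone) can be modelled as a small audit check. This is an added illustration, not Centrify code or its API. Assumptions: the profile field set, the right names, the contents shown for the UNIX Login role, the `report-runner` role, and field-by-field profile inheritance are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

PROFILE_FIELDS = ("login", "uid", "gid", "home", "shell")  # assumed "complete" set
LOGIN_RIGHTS = {"password_login", "non_password_login"}    # constructed right names
ROLES = {                                                  # role -> rights it collects
    "UNIX Login": {"password_login", "non_password_login", "standard_shell"},  # assumed
    "report-runner": {"restricted_shell"},                 # hypothetical custom role
}

@dataclass
class Scope:
    """A zone or one computer; `parent` is the zone it inherits from."""
    name: str
    parent: Optional["Scope"] = None
    profiles: dict = field(default_factory=dict)     # user -> partial profile
    assignments: dict = field(default_factory=dict)  # user -> set of role names

def lineage(scope):
    while scope is not None:      # nearest scope first, then each parent zone
        yield scope
        scope = scope.parent

def check_access(user, scope):
    """Return (allowed, reason) for `user` on `scope`."""
    profile, rights = {}, set()
    for s in lineage(scope):
        for key, value in s.profiles.get(user, {}).items():
            profile.setdefault(key, value)           # explicit value beats inherited
        for role in s.assignments.get(user, ()):
            rights |= ROLES[role]
    missing = [f for f in PROFILE_FIELDS if f not in profile]
    if missing:
        return False, "incomplete profile: " + ", ".join(missing)
    if not rights & LOGIN_RIGHTS:
        return False, "no assigned role grants a login right"
    return True, "ok"

# Constructed sample data: parent zone -> child zone -> two computers.
alice = {"login": "alice", "uid": 10001, "gid": 10001, "home": "/home/alice", "shell": "/bin/bash"}
carol = {"login": "carol", "uid": 10003, "gid": 10003, "home": "/home/carol", "shell": "/bin/bash"}
corp = Scope("corp",
             profiles={"alice": alice, "carol": carol,
                       "bob": {"login": "bob", "uid": 10002, "gid": 10002}},
             assignments={"bob": {"UNIX Login"}, "carol": {"report-runner"}})
web = Scope("corp/web", parent=corp, assignments={"alice": {"UNIX Login"}})
web01 = Scope("web01", parent=web, profiles={"bob": {"home": "/home/bob", "shell": "/bin/sh"}})
db01 = Scope("db01", parent=corp)
```

In the sample data, `bob` holds the UNIX Login role everywhere but can log on only to `web01`, where the computer-level entries complete his profile, while `carol` has a complete profile but no role that grants a login right.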