For computer roles to be effective, you must create the access rights and role definitions for different sets of users. You can then assign the appropriate predefined or custom roles to different sets of users to grant or restrict their rights within the scope of the computer role. With proper role definitions and role assignments, you can manage access rights for computers entirely through group membership. For example, after you have created the role definition for Oracle database administrators, you grant or revoke those rights simply by adding members to, or removing members from, the group you created for Oracle administrators in Active Directory.
For information about creating access rights and role definitions, see the following:
- Defining rights to run privileged commands
- Defining a restricted shell command right
- Adding specific PAM access rights
- Combining secure shell rights
- Creating and assigning custom role definitions
After you have created the appropriate access rights and role definitions, you must assign those roles to the appropriate users and groups to complete the configuration of the computer role.
Steps for completing this task
The following instructions illustrate how to add role assignments to a computer role using Access Manager. Examples of scripts that use the Access Module for Windows PowerShell, ADEdit, or the Centrify Windows API are available in other guides, the Centrify Software Developer’s Kit, or in community forums on the Centrify website.
To associate user role assignments with a computer role using Access Manager
1. Open Access Manager.
2. Expand Zones and the individual parent or child zones required to select the zone name that contains the computer role to which you want to add role assignments.
3. Expand Authorization and Computer Roles, then expand the computer role to which you want to add role assignments.
4. Select Role Assignments, right-click, then select Assign Role.
5. Select the role definition that you want to add to the computer role, then click OK.
6. Click Add AD Account to search for and select an Active Directory user or security group to assign to the role.
   You can select User or Group as the object to find, type all or part of the user or group name, then click Find Now. For example, type “ora” to search for and select the “oracle_db_admins” Active Directory group, then click OK.
7. Click OK to complete the role assignment for the selected user or group in the selected computer role.
Repeat these steps for each role definition you want to assign to users and groups in this computer role. For example, if you have an Active Directory “oracle_db_users” group that should be allowed to log on and run shell commands on the computers in the “oracle_servers” computer role, you would select the predefined UNIX Login role in Step 5 and assign that role definition for the computers in the “oracle_servers” computer role to the “oracle_db_users” group in Step 6.
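The following script is an added example, not code from this guide or from Centrify, showing the scripted equivalent of the Access Manager steps above using the Access Module for Windows PowerShell. The cmdlet names (`Get-CdmZone`, `Get-CdmComputerRole`, `Get-CdmRole`, `Get-CdmRoleAssignment`, `New-CdmRoleAssignment`), their parameters, and the property names used in the duplicate check are written from memory of that module's documentation and are assumptions to confirm with `Get-Command` and `Get-Help` in your installation; the zone path is a constructed placeholder, and the role and group names are the ones used in the example above. `Get-ADGroup` comes from the Active Directory RSAT module.

```powershell
# Added example: assign the predefined "UNIX Login" role to an AD group for every
# computer in the "oracle_servers" computer role. Cmdlet/parameter names below are
# assumed from the Centrify Access Module for Windows PowerShell; verify locally.
Import-Module Centrify.DirectControl.PowerShell
Import-Module ActiveDirectory

$zoneName         = 'Oracle'            # placeholder: zone that holds the computer role
$computerRoleName = 'oracle_servers'    # computer role from the example above
$roleName         = 'UNIX Login'        # predefined role chosen in Step 5
$groupName        = 'oracle_db_users'   # AD group assigned in Step 6

# Resolve the zone, the computer role inside it, and the role definition (Steps 2-5).
$zone = Get-CdmZone -Name $zoneName
if (-not $zone) { throw "Zone '$zoneName' not found" }

$computerRole = Get-CdmComputerRole -Zone $zone -Name $computerRoleName
if (-not $computerRole) { throw "Computer role '$computerRoleName' not found in zone '$zoneName'" }

$role = Get-CdmRole -Zone $zone -Name $roleName
if (-not $role) { throw "Role definition '$roleName' not found in zone '$zoneName'" }

# Resolve the AD trustee (Step 6). Failing here is preferable to creating an
# assignment against a mistyped or non-existent group.
$group = Get-ADGroup -Identity $groupName

# Skip if an equivalent assignment already exists, so the script can be re-run
# safely. The Role.Name / TrusteeName properties are assumptions about the
# objects Get-CdmRoleAssignment returns.
$existing = Get-CdmRoleAssignment -ComputerRole $computerRole |
    Where-Object { $_.Role.Name -eq $roleName -and $_.TrusteeName -like "*\$groupName" }

if ($existing) {
    Write-Host "'$roleName' is already assigned to '$groupName' in computer role '$computerRoleName'."
} else {
    # Step 7: create the assignment scoped to the computer role, not to a single computer.
    New-CdmRoleAssignment -ComputerRole $computerRole -Role $role `
                          -TrusteeType ADGroup -ADTrustee $group | Out-Null
    Write-Host "Assigned '$roleName' to '$groupName' for computer role '$computerRoleName'."
}

# Report the resulting assignments so the change can be reviewed and recorded.
Get-CdmRoleAssignment -ComputerRole $computerRole |
    Select-Object @{n='Role';e={$_.Role.Name}}, TrusteeName |
    Format-Table -AutoSize
```

Because the rights granted by this assignment follow Active Directory group membership, the group itself becomes the control point: periodically reviewing who can modify the membership of "oracle_db_users" and "oracle_db_admins" is as important as reviewing the role assignments listed at the end of the script.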