Creating a new computer role

A computer role is similar to a zone in that it defines a group of computers, a set of users, and specific access rights for a combination of computers and users. However, computer roles do not require a computer to be joined to the zone where the computer role is defined and a computer can be a member of multiple security groups and thus multiple computer roles.

Because computer role assignments define a relationship between a security group of computers, a set of rights in a role definition, and a security group of users, they control who can do what on specific computers. You can change the list of computers or the list of users dynamically simply by changing the security group membership.

What to do before creating a new computer role

Before you create computer roles, you must join a domain and zone. You should also decide on the criteria to use for grouping computers. Each computer might belong to several different security groups to used in different computer roles. Depending on your organization’s policies for creating security groups, you might want to prepare one or more Active Directory security groups for Centrify-managed computers.

Rights required for this task

To create computer roles, your user account must be a domain user with the following permissions:

Select this target object To apply these permissions

msDS-AzScope

This object is listed under a globally unique identifier (GUID) for the Authorization object. For example:

CN=cab186af-61a0-4d54-a0dd...

Click the Properties tab and select Allow to apply the following properties to this object only:

  • Read description
  • Read msDS-AzScopeName
  • Read msDS-AzApplicationData
  • Write description
  • Write msDS-AzScopeName
  • Write msDS-AzApplicationData

Who should perform this task

A UNIX zone administrator or a Windows domain administrator who is responsible for adding and maintaining security groups performs this task, depending on your organization’s policies.

How often you should perform this task

It is common to create new computer roles any time you identify new criteria for grouping computers and role assignments.

Steps for completing this task

The following instructions illustrate how to create a new computer role using Access Manager. Examples of scripts that use the Access Module for Windows PowerShell, ADEdit, or the Centrify Windows API are available in other guides, the Centrify Software Developer’s Kit, or in community forums on the Centrify website.

To create a new computer role using Access Manager

  1. Open Access Manager.
  2. Expand Zones and the individual parent or child zones required to select the zone name that will contain the new computer role.
  3. Expand Authorization to select Computer Roles, right-click, then click Create Computer Role.
  4. Type a name for the computer role and an optional description, then select either <Create group> to create a new Active Directory group for computers or <...> to search for an existing group of computers to use.

    For example, click Create group to create a new Active Directory security group named oracle_servers for the computers that host Oracle database instances. If creating a new group, you are prompted for the location, group name, and scope.

  5. After you have selected or created an Active Directory security group, click OK, then click OK to save the new computer role.

Note:   If you're using classic zones, you cannot add cross-forest groups to roles at this time. All groups added to roles should be defined in the local forest. However, users from a trusted forest may be added to groups in the local forest and then added to a role, or they may be directly added to a role. (Ref: IN-90001)