How computer roles provide flexibility

A Centrify-managed computer can be joined to only one zone at a time, so rights defined at the zone level alone apply to every computer in the zone and cannot easily be narrowed to a subset of them. Computer roles remove that limitation: a computer role groups computers that share a common function or attribute (through an Active Directory security group) and associates that group with a specific set of role assignments to users or groups. An individual computer can be a member of any number of computer roles, each with its own set of users and access rights, and the rights a user holds on that computer are the union of what every computer role it belongs to grants. Because membership is driven by the linked Active Directory group, anyone who can change that group's membership can change which computers the role assignments apply to, so treat write access to those groups as a privileged operation.

Computer roles can have multiple role assignments

A computer role associates one group of computers with any number of role assignments. For example, you might have several computers that host Oracle database instances. Using a single computer role for those computers, you can add one role assignment that grants database administrators full administrative access, a second role assignment that grants a different set of users the right to run specific commands as the oracle account, and a third role assignment that grants application users permission to log on through a secure shell session. As long as the set of computers stays the same, the same computer role can carry every role assignment needed to give different sets of users different access rights.

Managing access using multiple computer roles

Computer roles also let you apply several independent grouping criteria to the same computers. For example, you might have several computers that host Oracle database instances. Some of those computers might also belong to specific departments, such as the finance or engineering organizations, and some might run Red Hat Enterprise Linux while others run Solaris. Each criterion can be its own computer role: one for Oracle database servers and their database administrators, another for computers owned by the finance and engineering departments and the users in those departments, and another for IT staff who specialize in managing either Linux or Solaris computers. A computer that matches several criteria is a member of several computer roles and receives the role assignments of all of them.

Computer roles enable you to define access rights using any grouping criteria that make sense for your organization. In this case, you might have one computer role linked with the Active Directory security group for all Oracle servers, a second computer role linked with the security group that contains only the computers belonging to the finance or engineering organization, and a third computer role linked with the security group for Linux or Solaris computers. If you need to grant a different set of users rights on a different set of computers, create a new computer role linked to a group that contains exactly those computers rather than widening the membership of an existing group, since every role assignment already attached to that group's computer role would then apply to the added computers as well.
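The following is an added example, not code from the page or from Centrify: a small Python model of how computer roles compose. It treats a computer role as a link between an AD security group of computers and a list of role assignments, resolves which computer roles a host belongs to, and returns the union of roles a user holds on that host, keyed by the computer role that granted each one. All host names, group names, user names and role names (other than the predefined "UNIX Login" role) are constructed for the illustration, and the data structures are an assumption of this model, not the product's own objects, which you would create with Access Manager or adedit.

```python
"""Illustrative model of Centrify computer roles (not the product's API)."""
from dataclasses import dataclass, field

# Constructed sample data: AD security groups -> member computers.
# Computer roles are linked to these groups, so membership here is the control point.
COMPUTER_GROUPS = {
    "OracleServers":   {"ora-fin-01", "ora-eng-01", "ora-hr-01"},
    "FinEngComputers": {"ora-fin-01", "ora-eng-01", "web-fin-01"},
    "LinuxServers":    {"ora-fin-01", "ora-eng-01", "web-fin-01"},
    "SolarisServers":  {"ora-hr-01"},
}

# Constructed sample data: AD security groups -> member users (trustees of role assignments).
USER_GROUPS = {
    "OracleDBAs":     {"alice"},
    "OracleAppUsers": {"bob", "carol"},
    "FinanceStaff":   {"carol"},
    "LinuxAdmins":    {"dave"},
    "SolarisAdmins":  {"erin"},
}


@dataclass(frozen=True)
class RoleAssignment:
    trustee: str   # user name or AD group name the role is assigned to
    role: str      # zone role name (role names other than "UNIX Login" are assumed)


@dataclass
class ComputerRole:
    name: str
    computer_group: str                     # AD group that defines the member computers
    assignments: list = field(default_factory=list)


# Three grouping criteria, each its own computer role, as the text describes.
COMPUTER_ROLES = [
    ComputerRole("Oracle database servers", "OracleServers", [
        RoleAssignment("OracleDBAs", "Oracle Admin"),
        RoleAssignment("OracleAppUsers", "Oracle Commands"),
        RoleAssignment("OracleAppUsers", "UNIX Login"),
    ]),
    ComputerRole("Finance and engineering", "FinEngComputers", [
        RoleAssignment("FinanceStaff", "UNIX Login"),
    ]),
    ComputerRole("Linux administration", "LinuxServers", [
        RoleAssignment("LinuxAdmins", "Root Equivalent"),
    ]),
    ComputerRole("Solaris administration", "SolarisServers", [
        RoleAssignment("SolarisAdmins", "Root Equivalent"),
    ]),
]


def trustees_for(user, user_groups=USER_GROUPS):
    """A user matches an assignment made to the user directly or to any group containing them."""
    return {user} | {g for g, members in user_groups.items() if user in members}


def computer_roles_for(computer, roles=COMPUTER_ROLES, groups=COMPUTER_GROUPS):
    """Every computer role whose linked AD group contains the computer (a host can be in many)."""
    return [cr for cr in roles if computer in groups.get(cr.computer_group, set())]


def effective_roles(user, computer, roles=COMPUTER_ROLES, groups=COMPUTER_GROUPS,
                    user_groups=USER_GROUPS):
    """Union of roles the user holds on the computer, mapped to the computer roles granting each."""
    granted = {}
    trustees = trustees_for(user, user_groups)
    for cr in computer_roles_for(computer, roles, groups):
        for a in cr.assignments:
            if a.trustee in trustees:
                granted.setdefault(a.role, set()).add(cr.name)
    return granted


def without_member(groups, group, computer):
    """Copy of the group map with one computer removed from one AD group (models a group edit)."""
    updated = {g: set(m) for g, m in groups.items()}
    updated[group].discard(computer)
    return updated


if __name__ == "__main__":
    for user, host in [("carol", "ora-fin-01"), ("carol", "ora-hr-01"), ("erin", "ora-hr-01")]:
        print(user, "on", host, "->", effective_roles(user, host))
    # Removing the host from the OracleServers group silently drops the Oracle rights.
    print("after group edit ->",
          effective_roles("carol", "ora-fin-01",
                          groups=without_member(COMPUTER_GROUPS, "OracleServers", "ora-fin-01")))
```

The last call is the point of the caveat above: changing the linked AD group, not the computer role, is what adds or removes a host from every role assignment the computer role carries, so auditing changes to those groups is as important as auditing the role assignments themselves.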