Because computer roles provide you with a great deal of flexibility for defining access rights, you might want to do some planning before you create new computer roles. For example, before you create a computer role you must know the criteria you want to use to group computers into one or more Active Directory security groups. You must also identify the users who will have a common set of access rights based on the computer grouping.
At a high level, defining a computer role requires the following:
Identify a unique Active Directory security group for each computer role.
You should identify an attribute that the computers in a particular group share, such as belonging to a web farm, hosting a specific application, or serving a specific department. You can create the group and add computers to it in Access Manager when you create the computer role, or before creating the computer role using Active Directory Users and Computers.
Identify the sets of users that share common access rights and create Active Directory groups for them.
You might want to define multiple sets of user-based roles. For example, a computer role for Oracle servers might require a “database users” group, a “database administrators” group, and a “backup operators” group.
Identify the access rights and role definitions for each set of user-based roles.
You might want to create specific rights, role definitions, and role assignments for different sets of users, or use existing roles. For example, the “database users” group might only require the predefined UNIX Login role definition, while the “database administrators” group might require access to privileged commands, and the “backup operators” group might only be allowed to run a specific set of commands in a restricted shell.
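The three planning steps above can be carried out ahead of time in Active Directory, so that the groups already exist when the computer role is created in Access Manager. The following PowerShell script is an added example, not part of the original documentation or of Access Manager itself; it uses only the Microsoft ActiveDirectory module (New-ADGroup, Get-ADComputer, Add-ADGroupMember, Get-ADGroupMember). The OU path, group names, and the "ora*" computer-name pattern are placeholders. Rights, role definitions, and role assignments are still defined in Access Manager afterwards; the script only prepares the group structure.

```powershell
# Added example: pre-create the AD security groups that a computer role for
# Oracle servers will reference. Requires the RSAT ActiveDirectory module and
# an account allowed to create groups in the target OU.
Import-Module ActiveDirectory

$ou = 'OU=ComputerRoles,DC=example,DC=com'   # placeholder OU, adjust for your domain

# Step 1: one security group per computer role. Members are the computers that
# share a common attribute; here the placeholder attribute is a host name
# starting with "ora".
New-ADGroup -Name 'CR-OracleServers' -GroupScope Global -GroupCategory Security `
    -Path $ou -Description 'Computer role: Oracle database servers'

$oracleHosts = Get-ADComputer -Filter 'Name -like "ora*"'
if ($oracleHosts) {
    Add-ADGroupMember -Identity 'CR-OracleServers' -Members $oracleHosts
}

# Step 2: one security group per set of users that will share access rights.
# The description records the intended role so the later Access Manager
# role assignment (step 3) is unambiguous.
$userGroups = [ordered]@{
    'CR-Oracle-DBUsers'         = 'Oracle servers: UNIX Login role only'
    'CR-Oracle-DBAdmins'        = 'Oracle servers: privileged command rights'
    'CR-Oracle-BackupOperators' = 'Oracle servers: restricted shell, backup commands only'
}
foreach ($g in $userGroups.GetEnumerator()) {
    New-ADGroup -Name $g.Key -GroupScope Global -GroupCategory Security `
        -Path $ou -Description $g.Value
}

# Verification: confirm only computer objects ended up in the computer group
# and that the user groups exist, before building the computer role.
Get-ADGroupMember -Identity 'CR-OracleServers' |
    Select-Object Name, objectClass
Get-ADGroup -Filter 'Name -like "CR-Oracle-*"' -SearchBase $ou |
    Select-Object Name, Description
```

Keeping the computer group and the user groups in a dedicated OU, with a consistent naming prefix, makes it easy to audit later which groups drive which computer role and to spot a user object that was mistakenly added to the computer group.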