Viewing and modifying a computer role

You can view information about computer roles by expanding Authorization and Computer Roles for a zone. However, computer roles are also closely linked to the Active Directory groups that define their scope and role assignments, so there are several different ways you might view or modify information about a computer role. For example, you might use Access Manager, Active Directory Users and Computers, or ADEdit commands, depending on what you are trying to do.

In Access Manager, you can expand a computer role, then select Role Assignments to see the users, groups, and role definitions that have been assigned on the computers that are members of the computer role. You can also expand a computer role, then select Members to see the computers to which the role assignments apply. To see the Active Directory group assigned to the computer role in Access Manager, select the computer role, right-click, then select Properties.

If you are using Active Directory Users and Computers, you can view the properties for the Active Directory group associated with the computer role and click the Members tab to see the computers assigned to the computer role.

If you want to add a computer to an existing computer role, you can simply add that computer to the Active Directory group associated with the computer role without making any changes in Access Manager. Similarly, if users join or leave your organization, you can simply add or remove those user accounts in the appropriate Active Directory groups that are associated with the computer role. For example, if you define the oracle_servers computer role to associate a specific set of computers with a role assignment that grants administrative rights to users in the Active Directory security group oracle_db_admins, you could simply add the user account for Frank.Smith to the Active Directory security group oracle_db_admins to give that user administrative access on the computers that are members of the oracle_servers computer role. You do not need to make any changes in Access Manager.

To modify the rights and role assignments for a computer role, you must use Access Manager or ADEdit commands.