Creating, modifying, and deleting user profiles for local users

When you create a local user profile in Access Manager, it is saved in /etc/passwd on each computer in each zone where the profile is defined. You can create local profiles at the zone level (for example, under Zones > Zonename > UNIX Data) and at the computer level (for example, under Zones > Zonename > Computers > Computername > UNIX Data).

After you create local user profiles, you perform a separate set of tasks to create and manage local user passwords. For detailed information about local user passwords, see Creating and managing local user passwords.

What to do before creating a new local user profile

You should perform the following tasks before creating local user profiles:

  • Ensure that local account management is enabled and configured through configuration parameters or group policies. See Enabling and configuring local account management for more information.
  • It is suggested that you review the existing user names in etc/passwd on the computers where the local user profile will be implemented so that you do not attempt to create a user profile with a name that is already used. Access Manager performs a name validation check against etc/passwd in the current zone when you create a new local user. If the user name already exists in etc/passwd somewhere in the current zone, you are prompted to provide a different name for the user that you are creating.

Rights required for this task

The rights required to create local user profiles are the same as the rights required to create Active Directory user profiles. See Rights required for this task for details about those rights.

Using partial profiles and child zones to fine tune user attributes

Access Manager allows you to create a partial profile by leaving some user attributes blank. Partial profiles can be useful for defining a common set of attributes that are used in multiple zones, then defining specific attributes that vary from one child zone to another or that require different settings on specific computers. For example, you could leave the Shell attribute blank in a parent zone, define it as /bin/bash in a child zone, but override it with /usr/bin/ksh in a grandchild zone that only contains AIX computers.

If you intend to leave an attribute blank, deselect the attribute check box. However, you must provide a value for at least one attribute to create the user profile.

Users can have an incomplete profile in a parent zone as long as any missing attributes are defined in a child zone. If a user profile is still partial at the computer level, the profile is ignored by the agent, and it is not added to /etc/passwd on the local computer. User profiles must contain the attributes listed in Creating user profiles to be complete.

Specifying profile states

The profile state lets you control whether a local user account is in place in etc/passwd and is enabled for use locally. When you create a local user account, you specify the initial profile state. You can change the profile state afterwards to control availability of the local user account. A local user account can have one of the following states:

  • Enable: If the user profile is complete, it will be installed or updated in /etc/passwd at the next local account refresh interval. The user can log into the local computer, and is visible in Access Manager if a role with the visible right (such as local listed) is granted to the user. See Roles and local user account visibility for more information about how roles affect local user visibility.
  • Disable: If the user profile is complete, it will be installed or updated in /etc/passwd at the next local account refresh interval. However, the user will not be able to log into the local computer. This state results in what is typically called a “locked account.” UNIX and Linux service accounts and system accounts are typically set up as locked accounts.
  • Remove from /etc/passwd: The user profile will be removed from etc/passwd at the next local account refresh interval.

You can also choose not to define the profile state by deselecting the State check box in the Set Local User Profile dialog. Deselecting the State check box results in one of the following scenarios:

  • If a local user profile with the same name exists in the parent zone, the state from the parent user profile is inherited.
  • If the parent zone does not contain a user profile with the same name, or if a parent user profile exists but does not define the state, the user profile that you are currently defining is considered incomplete.

Roles and local user account visibility

You use role assignments to control whether local users are visible in a zone. A predefined role definition, local listed, is available for use with local user and local group profiles. As with the listed predefined role, the local listed role does not grant any system rights, PAM rights, or command rights. It is a specialized role that can be used when a local user profile must exist for computers in a zone, but no local user access should be granted.

You can optionally define other roles in the zone to grant visibility to local users.

As with role assignments for Active Directory users, local user role assignments can be made at the zone level, computer level, or computer role level. Use the following guidelines to establish where local users are visible in Access Manager:

  • To make a local user visible to all computers in a zone, assign the local listed role to the local user account (or to all local UNIX accounts) in the zone (for example, assign local listed to users located in Zones > Zonename > UNIX Data > Local Users).
  • To make a local user visible only to a specific computer, assign the local listed role to the local user account (or to all local UNIX accounts) located in the computer zone (for example, assign local listed to users located in Zones > Zonename > Computers > Computername > UNIX Data > Local Users).
  • To make a local user visible only to a group of computers, create a computer role and assign the local listed role to the local user account (or to all local UNIX accounts) in the computer role.

How often Access Manager and local user accounts are synchronized

The /etc/passwd file on local computers is updated periodically based on the information that you define for local user profiles in Access Manager. The /etc/passwd update interval is controlled by the following group policy and configuration parameter:

  • Group Policy: Set refresh interval for access control cache, located in Computer Configuration > Centrify Settings > DirectControl Settings > Network and Cache Settings.
  • Configuration parameter: adclient.refresh.interval.dz, located in the /etc/centrifydc/centrifydc.conf configuration file.

These are the same group policy and parameter that control how often the authorization store cache is updated. Local account information is updated immediately after authorization store information is refreshed in the authorization cache.

For more information, see Enabling and configuring local account management of this guide. For additional group policy and configuration parameter information, see the Group Policy Guide, and the Configuration and Tuning Reference Guide.

Steps for completing this task

Note:   This method begins from the Local Users node, and allows you to assign just one role, local listed, to the local user. To use the Add User to Zone wizard, which lets you assign other roles to the local user, see To create a user profile for a local user using Access Manager, Method 2.

  1. Open Access Manager.
  2. Expand Zones and any parent zones, child zones, or computers required to select the zone or computer to which you want to add the local user.

  3. Expand UNIX Data and select Local Users.

    You can create a new local user in these ways:

    • By dragging and dropping an existing local user from another location. Expand zones or computers to the location of the original local user, and drag it to the location of the new local user. The local user is moved to the new location, and no longer exists in the original location. To copy the original user to the new location and also retain it in the original location, press <Ctrl> while you drag the user.
    • By cutting or copying an existing local user from another location, and then pasting it into the current location. Expand zones or computers to the zone where the original local user exists, right-click a local user and select Cut or Copy, return to the zone where you are creating the new local user, right-click, and select Paste.
    • By creating an entirely new local user. Perform Step 4 through Step 8 of this procedure.
  4. In Local Users, right-click, then click Add User to Zone.
  5. Type a name for the new local user and click OK.

  6. In the Set UNIX User Profile dialog, select or deselect check boxes to specify which attributes to set. You must specify at least one attribute to be able to save the profile.

    If a parent profile for the same local user name already exists in a parent zone, some attribute fields will be filled in already with inherited values. You can edit profile fields to customize inherited values, and you can deselect other profile fields to inherit attribute values from the parent profile.

    • UID: Type a numeric user ID of your choice.

    • Primary group: From the drop-down list, select an existing group, or select <Not defined> to leave the PGID attribute undefined, or select <...> to see additional group choices or to create a new local group.

      To create a new local group after clicking <...>, click Add in the Select a Group dialog, and follow the procedure for creating a new local group starting with Step 5 in the section To create a group profile for a local group using Access Manager.

    • GECOS: Optionally type general information of your choice about the local user account. This attribute is not required for the profile to be complete.
    • Home directory: Type the default local computer home directory for the local user.
    • Shell: Select the default shell for the local user. Choices are /bin/bash, /bin/csh, /bin/ksh, /bin/sh, /bin/tcsh, %{shell}.
    • State: Specify whether the local user account is added and enabled in /etc/passwd. Choices are as follows.
      • Enable: If the user profile is complete, it will be installed or updated in /etc/passwd at the next local account refresh interval. The user will be able to log into the local computer, and the user is visible in Access Manager.
      • Disable: If the user profile is complete, it will be installed or updated in /etc/passwd at the next local account refresh interval. However, the password field in /etc/passwd will be set to !!, and the user will not be able to log into the local computer. This state results in what is typically called a “locked account.” The user is still visible in the zone as long as the local listed role is assigned to the user.
      • Remove from /etc/passwd: The user profile will be removed from etc/passwd at the next local account refresh interval.

      For the profile to be complete, it must contain the attributes listed in Creating user profiles. You can save the profile even if it is partial, although it will not be implemented in /etc/passwd until you update it in the current zone, or with settings in child zones, so that it is complete, and you set the state to enabled. For example, if you use the same user name but different numeric identifiers on two set of computers, you can inherit the user name from a parent zone and set the different numeric identifiers in the child zones.

      In the AIX Extended Attributes tab, you can view and set AIX attributes for the local user's zone profile. Click Add to add an attribute and a value, click Edit to change an attribute, or click Remove to remove an attribute from the user's zone profile.

      Note:   To modify permissions for a local user, you must first create and save the local user as described in this procedure, and then modify permissions as described in To modify user profile attributes and permissions for a local user:.

  7. By default, new local users are assigned the local listed role so that local users are visible in Access Manager. This assignment is specified in the Assign local listed role to make this user visible check box. To keep this default assignment, ensure that the check box remains selected.

    To give the local user a different role assignment, deselect the check box. If you deselect the check box, you will need to manually assign a role with visible rights to the local user after completing this procedure.

  8. Review your attribute selections and settings, and click OK. If the user profile is complete, it is added to /etc/passwd at the next local account refresh interval.

Note:   This method describes how to create a local user profile using the Add User to Zone wizard, which lets you assign roles other than just local listed to the local user.

  1. Open Access Manager.
  2. Expand Zones and any parent zones, child zones, or computers required to select the zone to which you want to add the local user.

  3. Right-click the zone, and select Add User.

    The Add User to Zone wizard launches.

  4. In the Select User Type dialog, select Local UNIX user, and click Next.
  5. In the Specify Local UNIX User dialog, type a name for the local user, and click Next.
  6. In the Add User to Zone dialog, select the Define user UNIX profile and Assign roles check boxes. Click Next.
  7. Fill in the local users profile attribute settings in the Define User UNIX Profile dialog as described in Step 6 in the section To create a user profile for a local user using Access Manager, Method 1, and click Next.
  8. In the Assign Roles dialog, the local listed role is included by default. To optionally add different roles as choices, click Add and select one or more roles to add to the list.
  9. In The Assign Roles dialog, select one or more roles, and click Next.
  10. In the Confirm Your Selections dialog, review your choices and click Next.
  11. In the final wizard screen, click Finish.
  12. Confirm that the new local user was created by expanding UNIX Data in the zone and clicking Local Users. The new local user should be listed in the user details pane.
  1. In Access Manager, expand UNIX Data for the zone or computer containing the local user that you want to modify.

  2. In the Local User details pane, right-click the local user to modify and select Zone Profile.

    The Properties dialog for the profile is displayed.

  3. Modify attribute selections and settings as described in Step 6 in the section To create a user profile for a local user using Access Manager, Method 1. Keep in mind the following considerations when you change attributes.

    If there is no parent profile for the same local user name:

    • You can edit profile fields to customize the value.
    • You can deselect profile fields to define a partial profile.

    If a parent profile for the same local user name already exists in a parent zone:

    • You can edit profile fields to customize the value.
    • You can deselect profile fields to inherit attribute values from the parent profile.
  4. To optionally modify user permissions (such as read, write, create or delete child object, and so on), click Permissions. Refer to the “Active Directory permissions required for administrative tasks” chapter in the Planning and Deployment Guide for details about using the Permissions dialog to modify zone-level user and group permissions.

  5. Review your changes to the local user profile and click OK.

    Your changes are applied to the local user profile in /etc/passwd at the next local account refresh interval.

Note:   This procedure does not remove a local user profile from /etc/passwd. To remove a local user profile from /etc/passwd, perform the procedure described in “To remove a user profile for a local user from /etc/passwd.”

  1. In Access Manager, expand UNIX Data for the zone or computer containing the local user that you want to disable.
  2. In the Local Users details pane, right-click the local user and select Change Profile State.

  3. Select Disable.

    The local user remains visible in Access Manager. At the next local account refresh interval, the local user’s profile in /etc/passwd is modified so that the password field contains !!, and the user cannot log into the local computer.

Note:   This procedure does not remove a local user profile from /etc/passwd. To remove a local user profile from /etc/passwd, perform the procedure described in “To remove a user profile for a local user from /etc/passwd before you delete the local user from the zone.

  1. In Access Manager, expand UNIX Data for the zone or computer containing the local user that you want to delete from the zone.
  2. In the Local Users details pane, right-click the local user and select Delete.
  3. In the confirmation dialog, select Yes to delete the user from the zone. To prevent the confirmation dialog from displaying in the future, select Do not warn me again.

  4. In the next confirmation dialog, select Yes.

    The user is removed from zone, and is no longer controlled through Access Manager. However, the user profile remains in /etc/passwd on local computers.

  1. In Access Manager, expand UNIX Data for the zone or computer containing the local user that you want to remove.
  2. In the Local Users details pane, right-click the local user and select Change Profile State.

  3. Perform one of the following procedures:

    • Right-click the local user, select Change Profile State, then select Remove from /etc/passwd.
    • Right-click the local user, select Zone Profile, change the value of the State field to Remove from /etc/passwd, and click OK.

At the next local account refresh interval, the local user’s profile is removed from /etc/passwd.

Delegating control of local user management tasks

You can use the Zone Delegation Wizard and Computer Delegation Wizard as described in the Planning and Deployment Guide to delegate control of local user management tasks.