Creating, modifying, and deleting group profiles for local groups
When you create a local group profile in Access Manager, it is saved in /etc/group on each computer in each zone where the profile is defined. You can create local profiles at the zone level (for example, under Zones > Zonename > UNIX Data) and at the computer level (for example, under Zones > Zonename > Computers > Computername > UNIX Data). Local group profiles that you create at the zone level are available for local and Active Directory users in the zone and child zones to join.
What to do before creating a new local group profile
You should perform the following tasks before creating local group profiles:
- Ensure that local account management is enabled and configured through configuration parameters or group policies. See Enabling and configuring local account management for more information.
- Review the existing group names in /etc/group on the computers where the local group profile will be implemented so that you do not attempt to create a group profile with a name that is already used. Access Manager performs a name validation check against /etc/group in the current zone when you create a new local group. If the group name already exists in /etc/group somewhere in the current zone, you are prompted to provide a different name for the group that you are creating.
Rights required for this task
The rights required to create local group profiles are the same as the rights required to create Active Directory group profiles. See Rights required for this task for details about those rights.
Using partial profiles and child zones to fine tune group attributes
Access Manager allows you to create a partial profile by leaving any of the attributes blank. Partial profiles can be useful for defining a common set of attributes that are used in multiple zones, then defining specific attributes that vary from one child zone to another or that require different settings on specific computers. For example, you could define the Members attribute in a parent zone, and then override the parent zone attribute settings by defining the Members attribute differently in different child zones.
If you intend to leave an attribute blank, deselect the attribute check box. However, you must provide a value for at least one attribute to create the group profile.
Groups can have an incomplete profile in a parent zone as long as any missing attributes are defined in a child zone. If a group profile is still partial at the computer level, the profile is ignored by the agent, and it is not added to /etc/group on the local computer. Group profiles must contain the attributes listed in Creating group profiles to be complete.
Specifying profile states
The profile state lets you control whether a local group account is in place in /etc/group and is enabled for use locally. When you create a local group account, you specify the initial profile state. You can change the profile state afterwards to control availability of the local group account. A local group account can have one of the following states:
- Enable: If the local group profile is complete, it will be installed or updated in /etc/group at the next local account refresh interval.
- Remove from /etc/group: The group profile will be removed from /etc/group at the next local account refresh interval.
You can also choose not to define the profile state by deselecting the State check box in the Set Local Group Profile dialog. Deselecting the State check box results in one of the following scenarios:
- If a local group profile with the same name exists in the parent zone, the state from the parent group profile is inherited.
- If the parent zone does not contain a group profile with the same name, or if a parent group profile exists but does not define the state, the group profile that you are currently defining is considered incomplete.
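The inheritance and completeness rules above can be modelled in a few lines. This is an added illustration, not Access Manager or agent code; the attribute keys and sample zones are assumptions, and the required attributes (group name, GID, state) are the ones this page lists for a complete profile.

```python
# Added illustration of the rules described above; not Access Manager or agent code.
# Attribute keys ("name", "gid", "members", "state") are assumed names.
REQUIRED = ("name", "gid", "state")  # Members may be empty in a complete profile
ENABLE, REMOVE = "Enable", "Remove from /etc/group"


def resolve(levels):
    """Merge profiles ordered parent zone -> child zone -> computer."""
    merged = {}
    for profile in levels:
        # A deselected check box is modelled as a missing key or None,
        # so the value set higher in the hierarchy is inherited.
        merged.update({k: v for k, v in profile.items() if v is not None})
    return merged


def plan(levels):
    """Return (action, group file line or None) for one computer."""
    p = resolve(levels)
    if any(k not in p for k in REQUIRED):
        return ("ignore", None)  # still partial at the computer level
    if p["state"] == REMOVE:
        return ("remove", None)
    if p["state"] != ENABLE:
        raise ValueError("unknown state: %r" % p["state"])
    # name:password:GID:members; the "x" password placeholder is an assumption.
    line = "%s:x:%d:%s" % (p["name"], p["gid"], ",".join(p.get("members", [])))
    return ("install", line)


# Constructed sample hierarchy.
PARENT = {"name": "oraadmin", "members": ["alice", "bob"]}
CHILD_A = {"gid": 5001, "state": ENABLE}
CHILD_B = {"gid": 6001, "members": ["carol"]}  # no state anywhere: incomplete
HOST_OVERRIDE = {"state": REMOVE}

if __name__ == "__main__":
    print(plan([PARENT, CHILD_A]))                 # complete, enabled
    print(plan([PARENT, CHILD_B]))                 # state never defined
    print(plan([PARENT, CHILD_A, HOST_OVERRIDE]))  # computer-level override
```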
Roles and local group account visibility
You use role assignments to control whether local users are visible in a zone. A predefined role definition, local listed, is available for use with local user and local group profiles. As with the listed predefined role, the local listed role does not grant any system rights, PAM rights, or command rights. It is a specialized role that can be used when a local user or local group profile must exist for computers in a zone, but no local user or local group access should be granted.
You can optionally define other roles in the zone to grant visibility to local users and local groups.
By default, all local groups having a complete profile are visible in a zone. You do not have to assign a role to a local group to make the local group visible. However, it is often useful to assign a role (such as local listed) to a local group so that all local users in the local group inherit the role assignment, and are visible in the zone.
See Creating, modifying, and deleting user profiles for local users for more information about how roles are used to control visibility of local user accounts.
How often Access Manager and local group accounts are synchronized
The /etc/group file on local computers is updated periodically based on the information that you define for local group profiles in Access Manager. The /etc/group update interval is controlled by the following group policy and configuration parameter:
- Group Policy: Set refresh interval for access control cache, located in Computer Configuration > Centrify Settings > DirectControl Settings > Network and Cache Settings.
- Configuration parameter: adclient.refresh.interval.dz, located in the /etc/centrifydc/centrifydc.conf configuration file.
The same group policy and parameter control how often the authorization store cache is updated. Local account information is updated immediately after authorization store information is refreshed in the authorization cache.
For more information, see the Group Policy Guide, the Configuration and Tuning Reference Guide, and Enabling and configuring local account management.
Steps for completing this task
1. Open Access Manager.
2. Expand Zones and any parent zones, child zones, or computers required to select the zone or computer to which you want to add the local group.
3. Expand UNIX Data and select Local Groups.
   You can create a new local group in these ways:
   - By dragging and dropping an existing local group from another location. Expand zones or computers to the location of the original local group, and drag it to the location of the new local group. The local group is moved to the new location. To copy (instead of move) the original group, press <Ctrl> while you drag the group.
   - By cutting or copying an existing local group from another location, and then pasting it into the current location. Expand zones or computers to the zone where the original local group exists, right-click a local group and select Cut or Copy, return to the zone where you are creating the new local group, right-click, and select Paste.
   - By creating an entirely new local group. Perform Step 4 through Step 8 of this procedure.
4. In Local Groups, right-click, then click Create UNIX Group.
5. Type a name for the new local group and click OK.
6. In the Set UNIX Group Profile dialog, select or deselect check boxes to specify which attributes to set. You must specify at least one attribute to be able to save the profile.
   - GID: Type a numeric group ID of your choice.
   - Members: Click Add to launch the Add Members dialog. In a comma-separated list, type the UNIX names of the users who will be in the group.
     Access Manager does not check the validity of the user names that you provide. You should ensure that all of the names that you provide are UNIX names that currently exist.
     Note that the group profile is considered complete even if this attribute has an empty value.
   - State: Specify whether the group account is added to, and enabled in, /etc/group. Possible values are:
     - Enable: The group profile will be installed or updated in /etc/group at the next local account refresh interval.
     - Remove from /etc/group: The group profile will be removed from /etc/group at the next local account refresh interval.
   Note: To modify permissions for a local group, you must first create and save the local group as described in this procedure, and then modify permissions as described in Step 4 in the section To modify group profile attributes and permissions for a local group.
   For the profile to be complete, it must contain settings for group name (specified in Step 5 of the procedure To create a group profile for a local group using Access Manager), GID, and state. You can save the profile now even if it is partial, although it will not be implemented in /etc/group until you update it in the current zone, or with settings in child zones, so that it is complete, and you set the state to Enable. For example, if you use the same group name but different numeric identifiers on two sets of computers, you can inherit the group name from a parent zone and set the different numeric identifiers in the child zones.
7. In the AIX Extended Attributes tab, you can view and set AIX attributes for the local group's zone profile. Click Add to add an attribute and a value, click Edit to change an attribute, or click Remove to remove an attribute from the group's zone profile.
8. Review your local group profile settings and click OK.
   If the profile is complete, it is added to /etc/group at the next local account refresh interval.
9. To optionally assign the local listed role to the local group, so that all local users in the local group are visible in the zone:
   - At the level where you created the local group, right-click Role Assignments, and then select Assign Role.
   - In the Select Role dialog, select local listed and click OK.
   - In the Assign Role dialog, ensure that Accounts below is selected, and click Add Local Account.
   - In the Add Local Account dialog, select Local UNIX Group in the Type field, type the local group name in the Account field, and click OK.
   - In the Assign Role dialog Accounts below area, highlight the local group account and click OK. The local group is now listed as an assignee of the local listed role.
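Because Access Manager validates the group name against /etc/group but does not validate the member names typed into the Members field, a pre-flight check on a target computer is useful before saving the profile. The following is an added example, not vendor code; the function names, finding labels and sample file contents are constructed, and the GID collision check goes beyond what this page describes.

```python
# Added example, not vendor code. File contents below are constructed samples.
SAMPLE_GROUP = """root:x:0:
wheel:x:10:alice
dba:x:5001:alice,bob
"""
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
"""


def parse_group(text):
    """Map group name -> (gid, members) from /etc/group-formatted text."""
    groups = {}
    for raw in text.splitlines():
        fields = raw.strip().split(":")
        # Skip blanks, comments, and entries without a numeric GID field.
        if raw.startswith("#") or len(fields) < 3 or not fields[2].isdigit():
            continue
        members = [m for m in fields[3].split(",") if m] if len(fields) > 3 else []
        groups[fields[0]] = (int(fields[2]), members)
    return groups


def passwd_names(text):
    """Return the set of login names in /etc/passwd-formatted text."""
    names = set()
    for raw in text.splitlines():
        name = raw.split(":")[0].strip()
        if name and not name.startswith(("#", "+", "-")):
            names.add(name)
    return names


def preflight(name, gid, members, group_text, passwd_text):
    """List problems with a proposed local group profile; empty means none found."""
    groups = parse_group(group_text)
    known = passwd_names(passwd_text)
    findings = []
    if name in groups:
        findings.append("name-in-use:" + name)
    for other, (other_gid, _) in sorted(groups.items()):
        if other_gid == gid and other != name:
            findings.append("gid-in-use:%s=%d" % (other, gid))
    findings += ["unknown-member:" + m for m in members if m not in known]
    return findings


if __name__ == "__main__":
    print(preflight("dba", 5001, ["alice", "mallory"], SAMPLE_GROUP, SAMPLE_PASSWD))
```

On a real computer, pass the contents of /etc/group and /etc/passwd instead of the samples. The output of `getent passwd` uses the same format and can be passed when member names come from sources other than the local file.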
1. In Access Manager, expand UNIX Data for the zone or computer containing the local group that you want to modify.
2. In the Local Groups details pane, right-click the local group to modify and select Zone Profile.
   The Properties dialog for the profile is displayed.
3. Modify attribute selections and settings as described in Step 6 in the procedure To create a group profile for a local group using Access Manager. Keep in mind the following considerations when you change attributes.
   If there is no parent profile for the same local group name:
   - You can edit profile fields to customize the value.
   - You can deselect profile fields to define a partial profile.
   If a parent profile for the same local group name already exists in a parent zone:
   - You can edit profile fields to customize the value.
   - You can deselect profile fields to inherit attribute values from the parent profile.
4. To optionally modify group permissions (such as read, write, create or delete child object, and so on), click Permissions. Refer to the “Active Directory permissions required for administrative tasks” chapter in the Planning and Deployment Guide for details about using the Permissions dialog to modify zone-level user and group permissions.
5. Review your changes to the local group profile and click OK.
   Your changes are applied to the local group profile in /etc/group at the next local account refresh interval.
Note: This procedure does not remove a local group profile from /etc/group. To remove a local group profile from /etc/group, perform the procedure described in To remove a group profile for a local group from /etc/group.
1. In Access Manager, expand UNIX Data for the zone or computer containing the local group that you want to delete.
2. In the Local Groups details pane, right-click the local group to modify and select Delete.
3. At the warning prompt, select Yes.
   The local group is deleted from Access Manager. The group profile still exists in /etc/group, but it is ignored.
1. In Access Manager, expand UNIX Data for the zone or computer containing the local group that you want to remove from /etc/group.
2. Perform one of the following procedures:
   - Right-click a local group, select Change Profile State, then select Remove from /etc/group.
   - Right-click a local group, select Zone Profile, change the value of the State field to Remove from /etc/group, and click OK.
   At the next local account refresh interval, the local group’s profile is removed from /etc/group.
Delegating control of local group management tasks
You can use the Zone Delegation Wizard and Computer Delegation Wizard as described in the Planning and Deployment Guide to delegate control of local group management tasks.