Creating, modifying, and deleting group profiles for local groups

When you create a local group profile in Access Manager, it is saved in /etc/group on each computer in each zone where the profile is defined. You can create local profiles at the zone level (for example, under Zones > Zonename > UNIX Data) and at the computer level (for example, under Zones > Zonename > Computers > Computername > UNIX Data). Local group profiles that you create at the zone level are available for local and Active Directory users in the zone and child zones to join.

What to do before creating a new local group profile

You should perform the following tasks before creating local group profiles:

  • Ensure that local account management is enabled and configured through configuration parameters or group policies. See Enabling and configuring local account management for more information.
  • Review the existing group names in /etc/group on the computers where the local group profile will be implemented so that you do not attempt to create a group profile with a name that is already used. Access Manager performs a name validation check against /etc/group in the current zone when you create a new local group. If the group name already exists in /etc/group somewhere in the current zone, you are prompted to provide a different name for the group that you are creating.
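The pre-check described above, as an added example (not Access Manager code): a small parser for /etc/group-format text and a function that reports which proposed group names already exist on which computers in the zone. The group-file contents and host names below are constructed for the example; in practice you would collect /etc/group from each computer in the zone.

```python
"""Check proposed local group names against /etc/group on each computer in a zone.

Added example, not Access Manager code. SAMPLE_GROUP_FILE and the host names
in example_zone() are constructed for illustration.
"""

# Constructed sample /etc/group content (fields: name:password:gid:member_list).
SAMPLE_GROUP_FILE = """\
root:x:0:
wheel:x:10:alice,bob
# blank lines and comment lines are skipped by the parser below

devops:x:2001:carol
auditors:x:2002:
"""


def parse_group_file(text):
    """Parse /etc/group-style text into {group_name: (gid, [members])}.

    Raises ValueError on a malformed line so a damaged file is noticed
    rather than silently producing a partial result.
    """
    groups = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            raise ValueError(
                f"line {lineno}: expected 4 colon-separated fields, got {len(fields)}"
            )
        name, _password, gid, members = fields
        member_list = [m for m in members.split(",") if m]
        groups[name] = (int(gid), member_list)
    return groups


def find_name_conflicts(candidate_names, group_files):
    """Return {candidate_name: [hosts where that name is already in /etc/group]}.

    group_files maps a host name to the text of that host's /etc/group.
    Candidates that conflict nowhere are left out of the result.
    """
    conflicts = {}
    for host, text in group_files.items():
        existing = parse_group_file(text)
        for name in candidate_names:
            if name in existing:
                conflicts.setdefault(name, []).append(host)
    return conflicts


def example_zone():
    """Constructed zone: two hosts, one of which lacks the 'auditors' group."""
    return {
        "web01": SAMPLE_GROUP_FILE,
        "web02": SAMPLE_GROUP_FILE.replace("auditors:x:2002:\n", ""),
    }


if __name__ == "__main__":
    # 'releng' is free everywhere; 'devops' and 'auditors' would be rejected.
    print(find_name_conflicts(["devops", "auditors", "releng"], example_zone()))
```

Running the block prints the conflicting names with the hosts where each already exists; any name in that dictionary is one Access Manager would ask you to change.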

Rights required for this task

The rights required to create local group profiles are the same as the rights required to create Active Directory group profiles. See Rights required for this task for details about those rights.

Using partial profiles and child zones to fine-tune group attributes

Access Manager allows you to create a partial profile by leaving any of the attributes blank. Partial profiles can be useful for defining a common set of attributes that are used in multiple zones, then defining specific attributes that vary from one child zone to another or that require different settings on specific computers. For example, you could define the Members attribute in a parent zone, and then override the parent zone attribute settings by defining the Members attribute differently in different child zones.

If you intend to leave an attribute blank, deselect the attribute check box. However, you must provide a value for at least one attribute to create the group profile.

Groups can have an incomplete profile in a parent zone as long as any missing attributes are defined in a child zone. If a group profile is still partial at the computer level, the profile is ignored by the agent, and it is not added to /etc/group on the local computer. Group profiles must contain the attributes listed in Creating group profiles to be complete.

Specifying profile states

The profile state lets you control whether a local group account is in place in /etc/group and is enabled for use locally. When you create a local group account, you specify the initial profile state. You can change the profile state afterwards to control availability of the local group account. A local group account can have one of the following states:

  • Enable: If the local group profile is complete, it will be installed or updated in /etc/group at the next local account refresh interval.
  • Remove from /etc/group: The group profile will be removed from /etc/group at the next local account refresh interval.

You can also choose not to define the profile state by deselecting the State check box in the Set Local Group Profile dialog. Deselecting the State check box results in one of the following scenarios:

  • If a local group profile with the same name exists in the parent zone, the state from the parent group profile is inherited.
  • If the parent zone does not contain a group profile with the same name, or if a parent group profile exists but does not define the state, the group profile that you are currently defining is considered incomplete.
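The partial-profile and state rules from the two sections above, worked through as an added example (not Access Manager code): profile levels are merged from the parent zone down to the computer, a deselected attribute falls through to the nearest ancestor that defines it, and a profile that is still partial at the computer level is ignored by the agent. The page names only the Members and State attributes; the `gid` attribute and the exact set of required attributes used here are assumptions for the example.

```python
"""Resolve the effective local group profile across zone levels.

Added example, not Access Manager code. Assumptions: the required attributes
are modelled as 'gid', 'members' and 'state' ('gid' is an assumed attribute;
the page names Members and State), and levels are merged parent zone ->
child zone -> computer, with a more specific level overriding an ancestor.
"""

REQUIRED = ("gid", "members", "state")
STATES = ("enable", "remove")   # "Enable" and "Remove from /etc/group"


def merge_levels(levels):
    """levels: profile dicts ordered from the parent zone down to the computer.

    An attribute absent from a dict, or set to None, is 'deselected' at that
    level and is inherited from the nearest ancestor that defines it.
    """
    effective = {}
    for level in levels:
        for attr, value in level.items():
            if value is not None:
                effective[attr] = value   # child overrides parent
    return effective


def agent_action(levels):
    """Return (action, detail) for the profile as seen at the computer level.

    action is 'install' (state enable, profile complete), 'remove' (state
    remove, profile complete) or 'ignore' (still partial at the computer);
    detail is the effective profile or the list of missing attributes.
    """
    profile = merge_levels(levels)
    missing = [attr for attr in REQUIRED if attr not in profile]
    if missing:
        return "ignore", missing
    state = profile["state"]
    if state not in STATES:
        raise ValueError(f"unknown profile state {state!r}")
    return ("install" if state == "enable" else "remove"), profile


# Constructed scenarios (no real zones or computers).
def scenario_complete_via_child():
    parent = {"gid": 2001, "state": "enable"}        # Members deselected here
    child = {"members": ["carol"]}                   # child supplies Members
    computer = {}
    return agent_action([parent, child, computer])   # -> install


def scenario_state_never_defined():
    parent = {"gid": 2001, "members": ["carol"]}     # State deselected
    child = {"state": None}                          # also deselected: inherit
    computer = {}
    return agent_action([parent, child, computer])   # -> ignore, ['state']


def scenario_child_overrides_state():
    parent = {"gid": 2001, "members": ["carol"], "state": "enable"}
    child = {"state": "remove"}                      # override in this child zone
    return agent_action([parent, child, {}])         # -> remove


if __name__ == "__main__":
    for fn in (scenario_complete_via_child, scenario_state_never_defined,
               scenario_child_overrides_state):
        print(fn.__name__, "->", fn())
```

The second scenario is the case described in the last bullet above: no level in the chain defines the state, so the merged profile is incomplete and the agent leaves /etc/group untouched.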

Roles and local group account visibility

You use role assignments to control whether local users are visible in a zone. A predefined role definition, local listed, is available for use with local user and local group profiles. As with the listed predefined role, the local listed role does not grant any system rights, PAM rights, or command rights. It is a specialized role that can be used when a local user or local group profile must exist for computers in a zone, but no local user or local group access should be granted.

You can optionally define other roles in the zone to grant visibility to local users and local groups.

By default, all local groups having a complete profile are visible in a zone. You do not have to assign a role to a local group to make the local group visible. However, it is often useful to assign a role (such as local listed) to a local group so that all local users in the local group inherit the role assignment, and are visible in the zone.

See Creating, modifying, and deleting user profiles for local users for more information about how roles are used to control visibility of local user accounts.

How often Access Manager and local group accounts are synchronized

The /etc/group file on local computers is updated periodically based on the information that you define for local group profiles in Access Manager. The /etc/group update interval is controlled by the following group policy and configuration parameter:

  • Group Policy: Set refresh interval for access control cache, located in Computer Configuration > Centrify Settings > DirectControl Settings > Network and Cache Settings.
  • Configuration parameter: adclient.refresh.interval.dz, located in the /etc/centrifydc/centrifydc.conf configuration file.

The same group policy and parameter control how often the authorization store cache is updated. Local account information is updated immediately after authorization store information is refreshed in the authorization cache.

For more information, see the Group Policy Guide, the Configuration and Tuning Reference Guide, and Enabling and configuring local account management.

Steps for completing this task

Delegating control of local group management tasks

You can use the Zone Delegation Wizard and Computer Delegation Wizard as described in the Planning and Deployment Guide to delegate control of local group management tasks.