Making group membership a requirement

On most Linux and UNIX computers, users can only be members of a limited number of groups at once. Because of this limitation, it is useful to be able to change a user’s effective group membership to add and remove groups when necessary. You can use the adsetgroups command to dynamically manage the set of Active Directory groups that are available to a user account. You also have the option to specify that membership in a specific group is required in a zone. If you specify that a group is required, users who are members of the group cannot remove the required group profile from their currently active set of groups.

To make membership in a specific group profile required:

  1. Open Access Manager.
  2. Expand Zones, then expand any parent or child zones as needed to select the zone in which you want to make the group required.
  3. Expand Groups, then select the group name you want to make required.
  4. Right-click, then select Zone Profile to display the Centrify UNIX Profile for the group.
  5. Select the Users are required to be members of this group option.
  6. Click Permissions to set specific permissions for this group, if needed, then click OK.

For more information about using the adsetgroups command, see the adsetgroups man page.
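
To check the result on a host, the following added example (not part of the original documentation or the product) lists any expected groups missing from the group set that `id -Gn` reports for a user, and shows how many more groups fit under the system limit. It uses only the standard `id` and `getconf` commands; the group names are supplied by the administrator, and the script assumes group names contain no whitespace.

```shell
#!/bin/sh
# Added example: audit a user's group set against groups expected to be required.
# Assumption: group names contain no whitespace (id -Gn output is space-separated).

# Print each expected group (args 2..n) that is absent from the
# space-separated group set in $1. Returns 0 if none are missing, else 1.
missing_required() {
    active=" $1 "; shift
    rc=0
    for g in "$@"; do
        case "$active" in
            *" $g "*) ;;                      # whole-name match only
            *) printf '%s\n' "$g"; rc=1 ;;
        esac
    done
    return $rc
}

# Print how many more groups fit under the limit.
# $1 = space-separated group set, $2 = limit (e.g. getconf NGROUPS_MAX)
group_headroom() {
    count=0
    set -f                                    # no glob expansion while splitting
    for g in $1; do count=$((count + 1)); done
    set +f
    echo $(( $2 - count ))
}

# Audit one user: $1 = user name, remaining args = expected required groups.
audit_user() {
    user=$1; shift
    groups_now=$(id -Gn "$user") || return 2
    limit=$(getconf NGROUPS_MAX)
    echo "$user: $(group_headroom "$groups_now" "$limit") of $limit group slots free"
    missing_required "$groups_now" "$@"
}

if [ $# -gt 0 ]; then
    audit_user "$@"
else
    echo "usage: $0 USER REQUIRED_GROUP..." >&2
fi
```

A non-empty list of group names in the output means the user's reported group set lacks a group you expected to be required.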