Rights and roles are defined at the zone level and inherited down the zone hierarchy. If you define a right in the top-level zone, it is available in all child zones. If you define a right in a child zone, it can be used in that zone and any of its child zones. Similarly, you can define roles in the top-level parent or any child zone, depending on where you want to make the role available. In this example, the right to run all commands as the root user is defined in a top-level parent zone.
The following instructions illustrate how to define a right for running all commands using Access Manager. Examples of scripts that use the Access Module for Windows PowerShell, ADEdit, or the Centrify Windows API are available in other guides, the Centrify Software Developer’s Kit, or in community forums on the Centrify website.
To define a right for running all commands as root:
- Open Access Manager.
- Expand Zones, then expand the individual parent or child zones as needed, and select the name of the zone where you want to create the new command right.
  For this example, select the top-level parent zone so that this command right is available in all child zones.
- Expand Authorization > UNIX Right Definitions.
- Select Commands, right-click, then click New Command.
- On the General tab, type a name for this command right and, optionally, a description for this right, then define the right to run all commands like this:
- Click the Restricted Shell tab and deselect the Can be used in a restricted role option if you want to prevent this command from being used in a role that uses a restricted shell environment.
- Click the Run As tab to verify the command can be used with dzdo and is set to run as root by default.
- Click OK to use the default environment variable settings and command attributes.
  Alternatively, you can click the Environment and Attributes tabs if you want to view or set additional properties for this right definition.