Host alias definitions are popular in centralized sudoers files because they allow you to assign privileges to groups of computers rather than managing privileges on an individual computer and file basis. They convert naturally to computer roles, which also assign privileges to groups of computers.
When you convert a host alias to a computer role, the wizard creates a new computer role, creates an Active Directory group that contains the computers defined in the host alias, and adds these computers to the new computer role. Because the computer role group is an Active Directory group, the computers can span multiple zones and include computers that are joined to different zones. To complete the computer role definition, you must add the appropriate user role assignments, which specify what specific users and groups in different role definitions are allowed to do on the computers included in the computer role group.
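Before running the conversion, it can help to list which host names each alias actually resolves to, so you can check that matching computer accounts exist in Active Directory. The following is an added example, not part of the product or the original page: the function names `parse_host_aliases` and `resolve` and the sample sudoers text are constructed for illustration, and treating IP addresses, networks, netgroups, negations, and `ALL` as "needs review" is an assumption of this sketch, not documented wizard behavior.

```python
import ipaddress
import re

# Constructed sample input; replace with the text of the imported sudoers file.
SAMPLE_SUDOERS = r"""
Host_Alias WEB = web01, web02.example.com, \
                 web03 : DB = db01, 10.1.2.0/24
Host_Alias PROD = WEB, DB, !web03, +prodhosts
User_Alias ADMINS = alice, bob
"""

HOSTNAME = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$")

def parse_host_aliases(text):
    """Return {alias_name: [members as written]} for every Host_Alias."""
    text = re.sub(r"\\\r?\n", " ", text)            # join continuation lines
    aliases = {}
    for line in text.splitlines():
        m = re.match(r"Host_Alias\s+(.+)", line.split("#", 1)[0].strip())
        if not m:
            continue
        # One line may define several aliases separated by ':'; split only
        # where a new "NAME =" follows so IPv6 members stay intact.
        for definition in re.split(r":\s*(?=[A-Z][A-Z0-9_]*\s*=)", m.group(1)):
            name, _, members = definition.partition("=")
            items = [x.strip() for x in members.split(",") if x.strip()]
            aliases.setdefault(name.strip(), []).extend(items)
    return aliases

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def resolve(alias, aliases, seen=()):
    """Expand nested aliases into (host_names, members_needing_review)."""
    if alias in seen:                                # circular definition
        return set(), {alias + " (circular reference)"}
    hosts, review = set(), set()
    for member in aliases[alias]:
        if member in aliases:
            h, r = resolve(member, aliases, seen + (alias,))
            hosts, review = hosts | h, review | r
        elif member != "ALL" and HOSTNAME.match(member) and not is_ip(member):
            hosts.add(member.lower())
        else:                                        # IPs, networks, netgroups, negations, ALL
            review.add(member)
    return hosts, review
```

Calling `resolve("PROD", parse_host_aliases(SAMPLE_SUDOERS))` returns the host names to look up as computer accounts and, separately, the members that cannot be looked up by name and need a manual decision.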
To create a computer role from a host alias
- Open Access Manager.
- Expand Zones and any parent or child zones as needed, then select the name of the zone into which you imported the sudoers file.
- Expand Authorization and Sudoers, then select Host Alias.
- Select the alias name, right-click, then select Create Computer Role.
- Click Next to accept the location for the group of computers, or change the location, then click Next.
- Verify or change the group name, optionally add a prefix or suffix, and select the scope for the group, then click Next.
- Review the group and group membership information displayed, then click Next.
- Review information about the new Active Directory group for computers, then click Finish to create the group and the new computer role.
If the computer accounts exist in Active Directory, the computers defined in the host alias are automatically added to the new Active Directory computer group and to the “Members” node of the new computer role.
- Expand Authorization, Computer Roles, and the computer role name.
- Select Role Assignments, right-click, and click Assign Role.
- Select the role and click OK.
- Click Add AD Account.
- Select User or Group, enter search criteria, then click Find Now to search for and select the user or group, then click OK.
- Select the appropriate user or group from the result, then click OK to complete the user role assignment.