Converting user aliases

On Linux and UNIX computers, a user alias in the sudoers file defines a set of users without creating a group. When you convert a user alias specification for use in a zone, however, it becomes an Active Directory group. Assigning users to groups simplifies user management: if users change roles or leave the company, you can remove their group membership without deleting their accounts, and they no longer have access to the roles assigned to members of the group.

You can create a new Active Directory group from the user alias you imported or map the imported alias to an existing Active Directory group.

To create a new Active Directory group from a user alias

  1. Open Access Manager.
  2. Expand Zones and the individual parent or child zones required to select the zone name into which you imported the sudoers file.
  3. Expand Authorization and Sudoers, then select User Alias.
  4. Select the alias name, right-click, then select Create AD Group.
  5. Verify the container location, or click Browse to select a different container, then click Next.
  6. Verify the group name, which defaults to the alias name. Optionally, add a prefix or suffix. Select the scope for the group, then click Next.
  7. Review the group and group membership information displayed, then click Next.

    If any warnings or errors are displayed, you must fix the errors before continuing. If only warnings are displayed, you can continue to create the group. For example, if the user alias has members that don’t have a corresponding Active Directory account, you can continue creating the group.

  8. Review information about the new Active Directory group, then click Finish to create the group.

To map a user alias to an existing group

  1. Open Access Manager.
  2. Expand Zones and the individual parent or child zones required to select the zone name into which you imported the sudoers file.
  3. Expand Authorization and Sudoers, then select User Alias.
  4. Select the alias name, right-click, and select Map to AD Group.
  5. Select Remove original AD group membership or cancel the selection depending on whether you want to keep the current members of the group when adding the users from the alias definition.

    If you select this option, the wizard removes the existing members of the group when adding the new members. If you do not select this option, the wizard adds the new members to the existing members.

  6. Click Browse, then enter search criteria to identify the group and click Find Now.
  7. Select the name of the group and click OK.

    The wizard imports the users defined by the alias into the specified Active Directory group. It also issues a warning message that it can’t import users who are defined by the alias but who are not defined in Active Directory.
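
Both procedures warn about alias members that have no Active Directory account. The following added example (not part of Access Manager or the original page) parses User_Alias definitions from sudoers text and reports, before conversion, which members would trigger that warning and which entries are not plain user names. The function names, the sample sudoers text, the account list, and matching by lower-cased logon name are all assumptions made for illustration.

```python
import re

# Constructed sample sudoers content, not taken from a real host.
SAMPLE_SUDOERS = """\
# constructed sample
User_Alias WEBADMINS = alice, bob, \\
                       %wheel, #1001   # ops team
User_Alias DBAS = carol, !dave : AUDITORS = WEBADMINS, erin
"""
# Constructed list of existing AD logon names (lower-cased), e.g. from an export.
SAMPLE_AD_ACCOUNTS = {"alice", "carol", "erin"}

def parse_user_aliases(text):
    """Return {alias_name: [member, ...]} for every User_Alias in sudoers text."""
    joined = re.sub(r"\\\r?\n", " ", text)  # join backslash-continued lines
    aliases = {}
    for line in joined.splitlines():
        # Drop inline comments but keep '#uid' members such as '#1001'.
        line = re.sub(r"(?<=\s)#(?!\d).*", "", line).strip()
        if not re.match(r"User_Alias\s", line):
            continue
        body = line[len("User_Alias"):]
        # One line may define several aliases: NAME = list : NAME = list
        for part in re.split(r":\s*(?=[A-Z][A-Z0-9_]*\s*=)", body):
            name, _, members = part.partition("=")
            aliases[name.strip()] = [m.strip() for m in members.split(",") if m.strip()]
    return aliases

def review_alias(name, aliases, ad_accounts, _seen=()):
    """Return (found, missing, manual) sets for one alias, expanding nested aliases."""
    found, missing, manual = set(), set(), set()
    for m in aliases[name]:
        if m in aliases:  # nested User_Alias: expand once, guard against cycles
            if m not in _seen:
                sub = review_alias(m, aliases, ad_accounts, _seen + (name,))
                found |= sub[0]; missing |= sub[1]; manual |= sub[2]
        elif m[0] in "!#%+" or m == "ALL":
            manual.add(m)   # negation, uid, group, netgroup: no one-to-one account
        elif m.lower() in ad_accounts:
            found.add(m)
        else:
            missing.add(m)  # the kind of member the wizard warns about
    return found, missing, manual

if __name__ == "__main__":
    parsed = parse_user_aliases(SAMPLE_SUDOERS)
    for alias in parsed:
        found, missing, manual = review_alias(alias, parsed, SAMPLE_AD_ACCOUNTS)
        print(alias, "ok:", sorted(found), "no AD account:", sorted(missing),
              "review by hand:", sorted(manual))
```

Entries reported for manual review, such as a negated user, matter most when you map to an existing group, because a group membership cannot express an exclusion.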