Creating child zones

The primary reason for creating child zones is to inherit profile attributes, role definitions, and role assignments from a parent zone. You can then use the child zone to override the specific profile attributes that might be different on a given set of Linux and UNIX computers than you have defined in the parent zone. Less often, you might want to use a child zone to override specific access rights, role definitions, or roles assignments that you have made in a parent zone. For example, if you have created a role definitions that allows a user to run a specific application with administrative privileges in a parent zone, you can use child zones to limit the scope of that right to specific subsets of computers.

What to do before creating child zones

Before you create child zones, you must have installed Access Manager, run the Setup Wizard to create the Zones container, and created at least one parent zone. You should also have a basic zone design that describes the zone hierarchy for the child zone. There are no other prerequisites for performing this task.

Rights required for this task

Only the user who creates a zone has full control over the zone and can delegate administrative tasks to other users and groups through the Zone Delegation Wizard. To create new child zones, your user account must be a domain user with the following permissions:

Select this target object To apply these permissions

Container for the parent zone, for example if the parent zone is berlin:

domain/MyOU/Zones/berlin

On the Object tab, select Allow to apply the following permission to this object and all child objects:

  • Create Container Objects
  • Create Organizational Unit Objects

Note Both permissions are required if you want to allow zones to be created as either container objects or organizational unit objects.

Parent container for Computers in the zone

On the Object tab, select Allow to apply the following permission to this object only:

  • Create group objects
  • Write Description property

These permissions are only needed if you are supporting “agentless” authentication in the new zone.

Note:   If the Active Directory administrator manually sets the permissions required to create zones, you should verify that the account also has permission to add an authorization store, define rights and roles, and manage role assignments.

Who should perform this task

A Windows administrator performs this task, depending on your organization’s policies. The user who creates the zone is responsible for delegating administrative tasks to other users or groups, if necessary. In most organizations, this task is done using an account with domain administrator privileges.

How often you should perform this task

After you are fully deployed, you create new child zones infrequently to address changes to the scope of ownership and administrative tasks.

Steps for completing this task

The following instructions illustrate how to create a new child zone using Access Manager. Examples of scripts that use the Access Module for Windows PowerShell, ADEdit, or the Centrify Windows API are available in other guides, the Centrify Software Developer’s Kit, or in community forums on the Centrify website.

To create a new child zone using Access Manager:

  1. Open Access Manager.
  2. Expand Zones and the individual parent or child zones required to select the zone name that will contain the new child zone.
  3. Right-click, then click Create Child Zone.
  4. Type the zone name and, optionally, a longer description of the zone.

    Because this is a child zone, you should use the default parent container and container type, then click Next.

  5. Review information about the child zone, then click Finish.