Creating hierarchical zones

Hierarchical zones enable you to establish parent-child zone relationships, allowing profile attributes, rights, role definitions, and role assignments to be inherited down the zone hierarchy. In most cases, you define information in a parent zone so that it is available in one or more child zones, as needed. At any point in the zone hierarchy, you can choose to use or override information from a parent zone.

You should use hierarchical zones if your organization has any of the following requirements:

  • You have existing user and group profiles that must be migrated with legacy identity attributes to maintain existing file ownership.
  • You have user and group profiles that have conflicting identity attributes on different computers.
  • You have users and groups that require different role-based access rights, privileges, and role assignments on different sets of computers.

If you are using hierarchical zones, you can use the local account management feature as described in "Managing account profiles and identity attributes".

You can configure multi-factor authentication for login access to Centrify-managed Linux and UNIX computers and for privileged command execution in hierarchical zones, classic zones, and Auto Zone. However, some of the steps differ depending on the type of zone where you want to use multi-factor authentication. For details about configuring multi‑factor authentication, see "Preparing to use multi-factor authentication" and the Multi-factor Authentication Quick Start Guide.