One of the most important aspects of managing computers with Centrify software is the ability to organize computers, users, groups, and other information about your organization into Centrify zones. A Centrify zone is a logical object created using Access Manager and stored in Active Directory. You use zones to organize computers, rights, roles, security policies, and other information into logical groups. These logical groups can be based on any organizing principle you find useful. For example, you can use zones to describe natural administrative boundaries within your organization, such as different lines of business, functional departments, or geographic locations.
Zones provide the first level of refinement for access control, privilege management, and the delegation of administrative authority. For example, you can use zones to create logical groups of Windows computers to achieve these goals:
- Control who can log on to specific computers.
- Grant elevated rights or restrict what users can do on specific computers.
- Manage role definitions, including availability and auditing rules, and role assignments on specific computers.
- Delegate administrative tasks to implement “separation of duties” management policies.
You can also create zones in a hierarchical structure of parent and child zones to enable the inheritance of rights, roles, and role assignments from one zone to another or to restrict local or remote access to specific computers for specific users or groups.
Because zones enable you to grant specific rights to users in specific roles on specific computers, you can use zones as the first level of refinement for controlling who has access to which computers, where administrative privileges are granted, and when those administrative privileges can be used (through time restrictions).
You can also use zones to establish an appropriate separation of duties by delegating specific administrative tasks to specific users or groups on a zone-by-zone basis. With zones, administrators can be given the authority to manage a given set of computers and users without granting them permission to perform actions on computers in other zones or giving them access to other Active Directory objects.