Controlling access through hierarchical zones

Centrify Authentication Service, Privilege Elevation Service, and Audit & Monitoring Service for Windows support only hierarchical zones. Hierarchical zones let you establish parent-child zone relationships, so that rights, role definitions, and role assignments are inherited down the zone hierarchy. One of the first decisions you need to make is how to use the zone hierarchy most effectively.

With hierarchical zones, you define rights and roles in a parent zone so that those definitions are available in one or more child zones, as needed. Child zones can also inherit user and group role assignments. At any point in the zone hierarchy, you can choose to use or override information from a parent zone.

There are no predefined limits on the number of zones in a zone hierarchy or on how deeply zones can be nested in the hierarchy you define. For practical purposes, keep the hierarchy similar to the following:

  • One or more top-level parent zones that include all users and groups.
  • One to three levels of intermediate child zones based on natural access control or administrative boundaries.

There are many different approaches you can take to defining the scope of a zone, including organizing by platform, department, manager, application, geographical location, or how a computer is used. The factors that are most likely to affect the zone design, however, will involve managing access rights and roles and delegating administrative tasks to the appropriate users and groups.
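The following is an added illustration, not Centrify code or its API: a small model of how role definitions and role assignments resolve down a two-level hierarchy (a top-level parent zone and one intermediate child zone), where a child zone inherits from its parent and can override an inherited role definition. The zone names, role names, rights and the `DOMAIN\alice` principal are constructed sample data; the resolution rules (nearest definition wins, assignments accumulate) are assumptions of this model.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Zone:
    """One zone in a parent-child hierarchy (constructed model, not Centrify's API)."""
    name: str
    parent: Optional["Zone"] = None
    role_defs: Dict[str, Set[str]] = field(default_factory=dict)    # role name -> rights
    assignments: Dict[str, Set[str]] = field(default_factory=dict)  # principal -> role names


def lineage(zone: Zone) -> List[Zone]:
    """Zones ordered from the top-level parent down to `zone`."""
    chain = []
    while zone is not None:
        chain.append(zone)
        zone = zone.parent
    return chain[::-1]


def effective_role_defs(zone: Zone) -> Dict[str, Set[str]]:
    """Definitions visible in `zone`: inherited from parents, but a definition
    declared closer to `zone` overrides a same-named one from further up."""
    defs: Dict[str, Set[str]] = {}
    for z in lineage(zone):
        defs.update(z.role_defs)
    return defs


def effective_roles(zone: Zone, principal: str) -> Set[str]:
    """Role assignments for `principal` accumulated down the hierarchy."""
    roles: Set[str] = set()
    for z in lineage(zone):
        roles |= z.assignments.get(principal, set())
    return roles


def effective_rights(zone: Zone, principal: str) -> Set[str]:
    """Rights `principal` actually holds in `zone` after inheritance and overrides."""
    defs = effective_role_defs(zone)
    return set().union(*(defs.get(r, set()) for r in effective_roles(zone, principal)))


# Constructed hierarchy: Corp holds company-wide definitions; Finance narrows "admin".
corp = Zone("Corp",
            role_defs={"login": {"console_logon"}, "admin": {"console_logon", "elevate_all"}},
            assignments={"DOMAIN\\alice": {"login"}})
finance = Zone("Finance", parent=corp,
               role_defs={"admin": {"console_logon", "elevate_finance_app"}},  # overrides Corp's
               assignments={"DOMAIN\\alice": {"admin"}})
```

Resolving `effective_rights(finance, "DOMAIN\\alice")` yields the narrowed Finance "admin" rights plus the inherited "login" right, while the same principal in `corp` holds only the "login" right, because the child zone's assignment does not flow upward.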