Managing access rights and roles using zones

Zones enable you to grant specific rights to users in specific roles on specific computers. By assigning roles, you can control the scope of resources any particular group of users can access and what those users can do. For example, all of the computers in the finance department could be grouped into a single zone called “finance” and the members of that zone could be restricted to finance employees and senior managers, each with specific rights, such as permission to log on locally, access a database, update certain files, or generate reports.

Rights represent specific operations users are allowed to perform. A role is a collection of rights that can be defined in a parent or child zone and inherited. For example, a role defined in a parent zone can be used in a child zone, in a computer role, or at the computer level.

System and predefined rights

There are specialized login rights, called system rights. The system rights for Windows computers are:

  • Console login is allowed: Specifies that users are allowed to log on locally using their Active Directory account credentials.
  • Remote login is allowed: Specifies that users are allowed to log on remotely using their Active Directory account credentials.
  • PowerShell remote access is allowed: Specifies that users are allowed to log on remotely to PowerShell.

There are additional predefined rights that allow access to specific applications. For example, there are predefined rights that allow users to run Performance Monitor or Server Manager without having an administrator’s password. You grant users permission to access computers by assigning them to a role that includes at least one login right. You can then give them access to specific applications or privileges using additional predefined or custom access rights.

Granting permission to log on

By default, zones always provide the Windows Login role to allow users to log on locally or remotely to computers in the zone. Users must have at least one role assignment that grants console or remote login access or they will not be allowed to access any of the computers in the zone.

Note: The Windows Login role grants users the permission to log on whether they are authenticated by specifying a user name and password or by using a smart card and personal identification number (PIN).

Because the Windows Login role only allows users to log on, it is often assigned to users in a parent zone and inherited in child zones. However, the Windows Login role does not override any native Windows security policies. For example, most domain users are not allowed to log on to domain controllers. Assigning users to the Windows Login role does not grant them permission to log on to the domain controllers. Similarly, if users are required to be members of a specific Windows security group, such as Server Operators or Remote Desktop Users, to log on to specific computers, the native Windows security policies take precedence.

There are additional predefined roles that grant specific rights, such as the Rescue - always permit login role, which grants users the “rescue” right to log on if the audit and monitoring service is required but not available. In general, at least one user should be assigned this role to ensure an administrator can log on if the audit and monitoring service fails or a computer becomes unstable.
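The following is an added illustration, not code from the product, of how the zone model above resolves effective rights: roles defined in a parent zone are inherited by child zones, a user can log on only if some assignment grants console or remote login, and at least one user should hold the rescue right. The zone names, users and role contents are constructed sample data.

```python
from dataclasses import dataclass, field
# System rights named on the page; only console and remote login satisfy the
# "at least one login right" rule, so PowerShell remote access alone does not.
CONSOLE = "Console login is allowed"
REMOTE = "Remote login is allowed"
PS_REMOTE = "PowerShell remote access is allowed"
LOGIN_RIGHTS = {CONSOLE, REMOTE}

@dataclass
class Zone:
    name: str
    parent: "Zone | None" = None
    roles: dict = field(default_factory=dict)        # role name -> set of rights
    assignments: dict = field(default_factory=dict)  # user -> set of role names

    def role_rights(self, role):
        """A role defined in this zone or inherited from any ancestor zone."""
        z = self
        while z is not None:
            if role in z.roles:
                return z.roles[role]
            z = z.parent
        raise KeyError(f"role {role!r} is not defined in zone {self.name!r} or its parents")

    def effective_rights(self, user):
        """Union of rights from the user's assignments here and in every ancestor."""
        rights, z = set(), self
        while z is not None:
            for role in z.assignments.get(user, ()):
                rights |= z.role_rights(role)
            z = z.parent
        return rights

    def can_log_on(self, user):
        return bool(self.effective_rights(user) & LOGIN_RIGHTS)

def users_without_login(zone, users):
    """Audit: users holding no console or remote login right in this zone."""
    return sorted(u for u in users if not zone.can_log_on(u))

def rescue_holders(zone, users):
    """Audit: who keeps access if the audit and monitoring service is down."""
    return sorted(u for u in users if "rescue" in zone.effective_rights(u))

# Constructed sample: parent zone "corp" and child zone "finance".
corp = Zone("corp", roles={"Windows Login": {CONSOLE, REMOTE}, "Rescue - always permit login": {"rescue"}},
            assignments={"alice": {"Windows Login"}, "bob": {"Windows Login", "Rescue - always permit login"}})
finance = Zone("finance", parent=corp, roles={"Finance Reports": {PS_REMOTE, "Run Performance Monitor"}},
               assignments={"alice": {"Finance Reports"}, "carol": {"Finance Reports"}})
```

Run `users_without_login(finance, [...])` over the zone's user list to find accounts, such as carol here, that were given application rights but never a login right and therefore cannot reach any computer in the zone.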