Creating child zones and service administrator role

In many cases, you don’t want a service administrator to have root privileges. For example, there’s no reason to give database or web service administrators root-level privileges if their role only requires limited access to a few privileged operations.

To illustrate how to grant more limited privileges to an administrator, you will now create a role that gives an Apache server administrator permission to perform a few specific tasks, such as editing the Apache configuration file and starting and stopping the Apache service. In this scenario, you will also create child zones to further limit the Apache administrator’s authority to just the computers in those child zones.

To create child zones:

  1. Open Access Manager.
  2. Expand Zones, right-click your parent zone name, then select Create Child Zone.
  3. Type a Zone name (Nevada) and a brief description (Western field office), then click Next.
  4. Click Finish.
  5. Repeat Step 1 through Step 4, giving the second child zone a different name (Delaware) and description (Eastern web farm office).
  6. Expand Child Zones and each new zone you created to view the nodes of the child zones.

To create a new Active Directory user and group for Apache administrators:

  1. Open Active Directory Users and Computers and create a new User object.

    1. Fill in the First, Last, and the User logon name fields.
    2. Type and confirm a password and select the Password never expires option.
    3. Acknowledge the warning, click Next, then click Finish.
  2. Open Active Directory Users and Computers and create a new Group object in the UNIX Groups organizational unit.

    1. For the Group name, enter ApacheAdmins.
    2. Select Global as the scope for the group and Security for the type of group, then click OK.
  3. Add the web administrator to the ApacheAdmins group.

    1. Select the user you created in Step 1, right-click and select Add to a group.
    2. Select the ApacheAdmins group, then click OK.
  4. Provision a UNIX profile for the new user using Access Manager.

    1. Expand the Zones node, select the Headquarters zone, right-click, then select Add User.
    2. Select the user you created for web administration.
    3. Select Define user UNIX profile only and deselect Assign roles.
    4. Accept the default values for all profile properties.
    5. Review your selections, click Next, then click Finish.
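The Active Directory part of the procedure above (Steps 1 through 3: the user object, the ApacheAdmins global security group, and the group membership) can also be scripted, which is useful when the same administrator account has to be set up consistently in several domains. The script below is an added example and is not part of the original tutorial; it uses only the standard ActiveDirectory PowerShell module (RSAT). The logon name `webadmin`, the container where the user is created, and the distinguished name of the UNIX Groups organizational unit are assumptions and should be adjusted to your forest. Step 4 (the UNIX profile) and the child zones are still created in Access Manager as described above.

```powershell
# Added example (not from the original tutorial): scripted equivalent of
# creating the Apache administrator user and the ApacheAdmins group.
# Requires the ActiveDirectory module (RSAT); run as a user allowed to
# create objects in the target containers.
Import-Module ActiveDirectory

$domain     = Get-ADDomain
$domainDn   = $domain.DistinguishedName
$dnsRoot    = $domain.DNSRoot
$usersOu    = "CN=Users,$domainDn"          # assumption: container for the new user
$unixGroups = "OU=UNIX Groups,$domainDn"    # the tutorial's UNIX Groups OU; exact path is an assumption
$groupName  = "ApacheAdmins"
$logonName  = "webadmin"                    # assumption: user logon name
$firstName  = "Web"                         # assumption: first name
$lastName   = "Administrator"               # assumption: last name

# Prompt for the password instead of embedding it in the script.
$password = Read-Host -AsSecureString -Prompt "Password for $logonName"

# Step 1: create the user object. -PasswordNeverExpires mirrors the
# "Password never expires" option selected in the tutorial.
New-ADUser -Name "$firstName $lastName" `
    -GivenName $firstName -Surname $lastName `
    -SamAccountName $logonName `
    -UserPrincipalName "$logonName@$dnsRoot" `
    -Path $usersOu `
    -AccountPassword $password `
    -PasswordNeverExpires $true `
    -Enabled $true

# Step 2: create the group in the UNIX Groups OU with Global scope
# and Security type, as in the tutorial.
New-ADGroup -Name $groupName -SamAccountName $groupName `
    -GroupScope Global -GroupCategory Security `
    -Path $unixGroups

# Step 3: add the web administrator to the group.
Add-ADGroupMember -Identity $groupName -Members $logonName

# Verify the result: group membership and the account's password flag.
Get-ADGroupMember -Identity $groupName | Select-Object Name, SamAccountName
Get-ADUser -Identity $logonName -Properties PasswordNeverExpires |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires
```

The final two commands are the check worth keeping: `Get-ADGroupMember` confirms that only the intended account is in ApacheAdmins before the group is mapped to a role, and querying `PasswordNeverExpires` makes the setting chosen in Step 1 visible to whoever later reviews privileged accounts.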