Creating a UNIX administrator role
Now that you have verified an Active Directory user can access the Linux or UNIX computer you are using for the evaluation, you will see to how to create users that have elevated privileges and how you can limit the use of those privileges to specific computers.
To illustrate this scenario, you will create a UNIX administrator role that grants root privileges for the computers in a zone without requiring users to know the root password. Instead, users who are assigned the UNIX administrator role use their Active Directory credentials.
You can use the same steps to define roles with different and more granular rights. For example, you will follow similar steps to create an Apache administrator role that can only perform a limited set of tasks on computers in a child zone.
At the end of this section, you will have two accounts with UNIX Login privileges: one of which has only standard user privileges, the other account has full administrative privileges.
To create a new Active Directory user and group with administrative access
Open Active Directory Users and Computers and create a new User object.
- Fill in the First, Last, and the User logon name fields.
- Type and confirm a password and select the Password never expires option.
- Acknowledge the warning, click Next, then click Finish.
Open Active Directory Users and Computers and create a new Group object in the UNIX Groups organizational unit.
- For the Group name, enter EnterpriseUnixAdmins.
- Select Global as the scope for the group and Security for the type of group, then click OK.
Add the administrative user to the EnterpriseUnixAdmins group.
- Select the user you created in Step 1, right-click and select Add to a group.
- Select the EnterpriseUnixAdmins group, then click OK.
Provision a UNIX profile for the new user using Access Manager.
- Expand the Zones node and select the Headquarters, right-click, then select Add User.
- Select the user you created for UNIX administration.
- Select Define user UNIX profile only and deselect Assign roles.
- Accept the default values for all profile properties.
- Review your selections, click Next, then click Finish.