Verifying effective users on each zone
Now that you have imported profiles and assigned existing users to the appropriate roles, you can verify who has access to the computers in each zone before you proceed with joining a domain. Checking the Effective Users in each zone enables you to verify the users who have been assigned the UNIX Login and listed roles before any users are affected by the changes.
You should have a checklist of the users who require interactive access on the computers in the target set and which user profiles you suspect only need to be recognized without the ability to log on. You can then using the Effective Users option to see the role assignments for the pre-created computer objects in the target set of computers. By comparing the list of users to the role assignments, you should be confident that you are ready to complete the migration by joining UNIX computers to the Active Directory domain.
Performing this step before joining the domain helps to ensure the transition to Active Directory does not interfere with end-users daily work or the delivery of business services. Therefore, verifying UNIX Login and listed access before joining computers to the domain is a key part of a successful migration.
To access the Effective Users for a zone:
- Start Access Manager.
- In the console tree, expand Zones and the top-level parent zone.
- Select a zone, right-click, then click Show Effective UNIX User Rights.
- Review the list of UNIX user profiles for the zone in the UNIX users section.
Select a user name to display additional information about each user:
- Zone Profile displays details about inherited profile attributes. For existing users being migrated, the profile attributes are typically explicitly defined. If a profile is defined higher up in the zone hierarchy, the Inheritance tab indicates where the profile attributes are defined.
- Role Assignments lists the role assignments for the selected user in the zone. For the initial migration, users must be assigned the UNIX Login or listed role.
- PAM Access lists the specific PAM application access rights associated with the roles a user is assigned. For example, the default UNIX Login role has the login-all PAM access right, which enables PAM authentication for all computers in the zone.
- Commands lists the specific UNIX command rights associated with the roles a user is assigned. For example, you can define a role that allows users to run specific privileged commands as root. You can click the Commands tab to see the specific privileged commands defined for the role.
- SSH Rights lists the specific secure shell (ssh) command rights associated with the roles a user is assigned.
- Click Close when you have finished checking role assignments for the users in target computer of computers.
You can also select Show Effective UNIX User Rights for individual UNIX computers and generate Hierarchical Zone reports that describe the effective rights for computers and users.