In some cases, you may have a UNIX group that only exists on one computer in a zone or exists on more than one computer but has different attributes on different computers. You can use computer-level overrides to handle these cases. Computer-level overrides enable Zone Administrators to create and manage group profile attributes manually for individual computers.
To create a group profile for a specific computer:
- Use Active Directory Users and Computers to create an Active Directory group in the UNIX Groups organizational unit. If the group only applies to a specific computer, you may want to use the computer name as the prefix.
- Start Access Manager.
- Expand the console tree to display the individual computer object under the zone the computer will join.
- Expand UNIX Data, select Groups and right-click, then click Create UNIX Group.
- Click the attributes to define, type the appropriate values, then click OK:
  - Click GID to manually specify a GID for the group profile on the selected computer.
  - Click UNIX group name to manually specify a group name for the profile on the selected computer.
Avoiding group collisions when using computer-level overrides
If you create group profile overrides on individual computers, you should make sure that the UNIX group name and GID are not being used by any other groups in the parent or child zone. If the group profile defined for the computer is the same as a group profile defined for a group in the parent or child zone, users who should only be able to access files on the local computer may be able to access files owned by the group defined for the parent or child zone. This can be a difficult problem to identify. For example, assume you have an Active Directory group named contract_admins, but you have used the UNIX group name admins and the same GID as a group in the parent zone. Any user who is a member of the contract_admins group in Active Directory is going to have the same GID as the parent zone’s admins group. If that happens, members of the contract_admins group will have access to the same files as the admins group in the parent zone.
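As an added example (not part of the Access Manager documentation), the following POSIX shell script flags duplicate UNIX group names and GIDs in `/etc/group`-style data such as `getent group` returns on the zone computer, and checks a proposed override against it; the group entries below are constructed sample data, and the `admins`/`contract_admins` collision mirrors the scenario above.

```shell
#!/bin/sh
# Added example: detect UNIX group name / GID collisions before applying a
# computer-level override. Input is /etc/group format (name:passwd:gid:members).
# A constructed sample replaces `getent group` so the script runs offline.

# Constructed sample: the parent zone's admins group (GID 5000) and a
# computer-level override for contract_admins that reuses GID 5000.
SAMPLE_GROUPS='root:x:0:
admins:x:5000:alice,bob
contract_admins:x:5000:carol
developers:x:5001:dave
admins:x:5002:erin'

# Print every GID used by more than one name and every name mapped to more
# than one GID, as "gid <gid>: name..." / "name <name>: gid...", sorted.
find_group_collisions() {
    printf '%s\n' "$1" | awk -F: '
        NF >= 3 {
            gid_names[$3] = gid_names[$3] " " $1; gid_count[$3]++
            name_gids[$1] = name_gids[$1] " " $3; name_count[$1]++
        }
        END {
            for (g in gid_count) if (gid_count[g] > 1)
                printf "gid %s:%s\n", g, gid_names[g]
            for (n in name_count) if (name_count[n] > 1)
                printf "name %s:%s\n", n, name_gids[n]
        }' | sort
}

# Return 1 if a proposed override (name, gid) collides with an existing
# entry that has the same GID under another name or the same name under
# another GID; return 0 if the pair is free to use.
check_override() {
    name=$1; gid=$2; groups=$3
    printf '%s\n' "$groups" | awk -F: -v n="$name" -v g="$gid" '
        ($3 == g && $1 != n) || ($1 == n && $3 != g) { found = 1 }
        END { if (found) exit 1; exit 0 }'
}

# Report collisions in the sample: GID 5000 is shared, "admins" has two GIDs.
find_group_collisions "$SAMPLE_GROUPS"
```

Run it against real data with `find_group_collisions "$(getent group)"` on the computer that carries the override.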
The only way to identify when this problem occurs is by running the following command for a user in the contract_admins group: