If you define user profiles for most of your users in the parent zone, you should not make them members of the parentZone_Role_Login group. Instead, you can add users to the appropriate childZone_Role_Login groups. All of your existing UNIX users who can currently log on interactively to existing UNIX systems should be added to one or more childZone_Role_Login groups. For example, users who currently have access to all of the computers in the Engineering zone should be added to the Engineering_Role_Login Active Directory group. If those users also have a UNIX profile in the parent zone or the Engineering zone, they will be able to log on to all of the computers in the Engineering zone. If a user only needs access to a specific computer in the zone, you can use a machine‑level override to give the user access to that specific computer.
You can use the Access Manager console, Active Directory Users and Computers, ADEdit, or custom scripts to add UNIX user profiles to the appropriate childZone_Role_Login groups. If possible, you should integrate this part of the migration with your existing provisioning process to ensure that future requests for UNIX role assignments use the processes that line-of-business personnel already understand.
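One way to write such a custom script, as an added example that is not taken from the product documentation: it builds the childZone_Role_Login memberships from an access inventory, refuses to place anyone in the parent zone's login group, and only touches Active Directory when run with `-Apply`. The parent zone name `Global`, the user names, and the inventory rows are constructed assumptions; the group names follow the `<zone>_Role_Login` pattern used above, and `-Apply` assumes the Microsoft ActiveDirectory module is installed.

```powershell
# Added example: plan (and optionally apply) childZone_Role_Login memberships.
# Assumptions: 'Global' is a hypothetical parent zone name; all users and zones
# below are constructed sample data, not values from a real directory.
param(
    [string]$ParentZone = 'Global',
    [switch]$Apply      # without -Apply the script only prints the plan
)

# Constructed inventory: existing UNIX users and the zones whose computers
# they currently log on to interactively. Users who need only one computer
# are handled by a machine-level override and are not listed here.
$inventory = @'
SamAccountName,Zone
alice,Engineering
bob,Engineering
bob,Finance
carol,Global
'@ | ConvertFrom-Csv

function Get-LoginGroupPlan {
    param($Rows, [string]$ParentZone)
    foreach ($row in $Rows) {
        # Users go into child zone login groups, never the parent zone's group.
        if ($row.Zone -eq $ParentZone) {
            Write-Warning "$($row.SamAccountName): skipped, $ParentZone is the parent zone"
            continue
        }
        [pscustomobject]@{
            User  = $row.SamAccountName
            Group = "$($row.Zone)_Role_Login"
        }
    }
}

$plan = Get-LoginGroupPlan -Rows $inventory -ParentZone $ParentZone
$plan | Sort-Object Group, User | Format-Table -AutoSize

if ($Apply) {
    Import-Module ActiveDirectory
    foreach ($g in ($plan | Group-Object Group)) {
        # Add only users who are not already members, so reruns are harmless.
        $current = Get-ADGroupMember -Identity $g.Name |
            Select-Object -ExpandProperty SamAccountName
        $missing = $g.Group.User | Where-Object { $_ -notin $current }
        if ($missing) { Add-ADGroupMember -Identity $g.Name -Members $missing }
    }
}
```

Run it without `-Apply` first and review the printed plan and the skipped-user warnings before changing any group membership.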