Assigning roles to existing users and groups

You have now imported the existing user and group profiles for a target set of computers into Active Directory. This is one critical component of migration because users must have a valid UNIX profile, that is, a unique user name, UID, primary GID, home directory and shell, in a zone for them to be recognized as valid users. However, Centrify separates UNIX profile management from UNIX privilege management. Users cannot log on to UNIX computers until they are assigned a role that allows them to log on to those computers.

As discussed in Access controls and the assignment of rights and roles, a role is a collection of rights, and there are two default roles: the listed role and the UNIX Login role. As part of deploying Centrify software with the least disruption to your environment, your existing users must be able to log on to the UNIX computers they currently use. That is the primary purpose of the UNIX Login role: to allow you to quickly give logon access to a set of users in one or more zones. The UNIX Login role in the parent zone is intended for enterprise administrators who need logon access to all computers. The UNIX Login role in the finance zone would be for those users who currently have interactive access to the limited number of computers in that zone and would expect to keep that access after migration.

The listed role is intended for users who need a valid profile defined but do not need interactive logon access to the computers in a zone. For example, you assign the listed role to remote NFS users so that they have access to their files without the ability to log on and open a shell. You can also use the listed role to give users access to applications, such as ClearCase or Samba, that require a UNIX profile without the ability to log on locally or remotely. The listed role in the software-dev zone would be for those ClearCase users who need to be recognized on all computers in the zone so they can check files in and out.
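The separation of profile management from privilege management described above can be modelled as two independent checks: a complete, UID-unique profile makes a user definable in a zone, while the role decides what the user may do there. The following Python model is an added illustration and is not Centrify code; the zone names, user names, the inheritance of profiles and roles from a parent zone, and the treatment of the listed role as sufficient for name-service resolution are assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Zone:
    """A zone holds UNIX profiles and role assignments; child zones inherit from the parent."""
    name: str
    parent: "Zone" = None
    profiles: dict = field(default_factory=dict)  # user -> {uid, gid, home, shell}
    roles: dict = field(default_factory=dict)     # user -> set of role names

def _chain(zone):
    while zone is not None:  # this zone, then its ancestors (assumed inheritance model)
        yield zone
        zone = zone.parent

def visible_profiles(zone):
    """Profiles effective in a zone; a child-zone profile shadows a parent-zone one."""
    seen = {}
    for z in _chain(zone):
        for user, p in z.profiles.items():
            seen.setdefault(user, p)
    return seen

def has_valid_profile(zone, user):
    """Complete profile (name, UID, GID, home, shell) whose UID is unique in the zone."""
    profiles = visible_profiles(zone)
    p = profiles.get(user)
    if p is None or any(p.get(k) in (None, "") for k in ("uid", "gid", "home", "shell")):
        return False
    return sum(1 for q in profiles.values() if q.get("uid") == p["uid"]) == 1

def effective_roles(zone, user):
    return set().union(*(z.roles.get(user, set()) for z in _chain(zone)))

def is_recognized(zone, user):
    """Valid profile plus any role (listed suffices): NSS lookups resolve the user."""
    return has_valid_profile(zone, user) and bool(effective_roles(zone, user))

def can_log_on(zone, user):
    """Interactive log on additionally requires the UNIX Login role."""
    return is_recognized(zone, user) and "UNIX Login" in effective_roles(zone, user)

def prof(uid, name, shell="/bin/bash"):  # constructed sample profile, not real directory data
    return {"uid": uid, "gid": 100, "home": f"/home/{name}", "shell": shell}

CORP = Zone("corp", profiles={"alice": prof(1000, "alice")}, roles={"alice": {"UNIX Login"}})
FINANCE = Zone("finance", CORP, roles={"bob": {"UNIX Login"}, "nfsuser": {"listed"}, "erin": {"UNIX Login"}},
               profiles={"bob": prof(1001, "bob"), "nfsuser": prof(1002, "nfsuser"),
                         "carol": prof(1003, "carol"), "erin": prof(1004, "erin", shell="")})
SOFTWARE_DEV = Zone("software-dev", CORP, profiles={"dave": prof(2000, "dave")}, roles={"dave": {"listed"}})
```

In this model carol has a complete profile in the finance zone but no role, so she is neither resolvable nor able to log on, while erin holds UNIX Login but an incomplete profile and is likewise rejected.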

The next step in the migration is to identify which users should be assigned to each role in each zone you have created.