How permissions are set

Access Manager requires specific rights for administrators to work with objects such as UNIX users, groups, and computers within Active Directory. As part of your deployment planning process, you should review the rights required to set up and manage Centrify‑specific objects and be familiar with how to manually assign rights for managing Centrify objects, if needed.

Built-in Windows groups, such as Domain Admins and Domain Users, have default permissions, which might be customized for your organization. In general, the administrators for the forest root domain have broad authority to set permissions for all other users and groups, including the administrators of other domains. Therefore, whether you can modify the permissions for specific users and groups within your Active Directory environment will depend on the policies of your organization.

If you have the appropriate authority, there are several ways you can access, verify, and modify the permissions assigned to specific users and groups.

For example, you can view and modify permissions in the following ways:

  • Use ADSI Edit to directly modify any Active Directory attributes.
  • Use Active Directory Users and Computers to set basic or advanced permissions on any Active Directory object through the Security tab.

    To display the Security tab, select View > Advanced Features. To access some permissions, however, your user account must have Create all child objects or Write all properties permissions.

  • Run the Zone Delegation Wizard to set the appropriate permissions for specific users or groups to perform specific tasks within a zone.
  • Click Permissions when viewing Zone Properties in Access Manager to set basic or advanced permissions on any zone object.
  • Click Permissions when viewing the Centrify Profile for a user in Access Manager to set basic or advanced permissions on any user object.

The following steps illustrate how you can set permissions from Active Directory Users and Computers:

  1. Open the console and connect to the Active Directory domain.
  2. Select an Active Directory object, such as a user or computer, right‑click, then click Properties.

  3. Click the Security tab, then click Advanced.

  4. Select the user or group to which you want to assign rights, then click Edit.

    If the user or group to which you want to assign permissions isn’t listed, click Add to find the account.

  5. In the Permission Entry dialog box, click the Object or Properties tab, as needed.

    Whether you select Object or Properties, and where the permission should be applied, depends on the task you are allowing a user or group to perform.

  6. Select the specific rights you want to assign by scrolling to find the permission, then clicking the Allow check box.

  7. When you are finished setting the appropriate permissions, click OK.

    For more specific information about how to set permissions on Active Directory objects and properties and how to view, modify, and remove permissions, see your Active Directory documentation.
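The same review-and-assign procedure can be scripted, which also leaves a record of what was delegated. The following PowerShell is an added example, not Centrify or Microsoft code. It assumes the RSAT ActiveDirectory module is installed; the distinguished name, the group name, and the `Get-ExplicitAce` helper are constructed placeholders.

```powershell
# Added example. The ActiveDirectory module provides the AD: drive
# that Get-Acl and Set-Acl operate on.
Import-Module ActiveDirectory

# Constructed placeholder values; replace with objects from your own domain.
$TargetDN = 'CN=Example User,OU=Staff,DC=example,DC=com'
$Delegate = 'EXAMPLE\UnixAdmins'
$AdPath   = "AD:\$TargetDN"
$Apply    = $false   # set to $true to commit the change

function Get-ExplicitAce {
    param([string]$Path)
    # Same data as Security tab > Advanced, limited to non-inherited entries.
    (Get-Acl -Path $Path).Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, AccessControlType,
                      ActiveDirectoryRights, ObjectType, InheritanceType
}

# Steps 2-3: review what is already set before changing anything.
Get-ExplicitAce -Path $AdPath | Format-Table -AutoSize

# Steps 4-6: build an Allow entry for the delegate on this object only.
# WriteProperty with no property GUID corresponds to "Write all properties".
$sid  = (New-Object System.Security.Principal.NTAccount($Delegate)).Translate(
            [System.Security.Principal.SecurityIdentifier])
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
            [System.Security.AccessControl.AccessControlType]::Allow,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

# Step 7: apply the entry.
if ($Apply) {
    $acl = Get-Acl -Path $AdPath
    $acl.AddAccessRule($rule)
    Set-Acl -Path $AdPath -AclObject $acl
}

# Verify: list every principal allowed "Create all child objects" or
# "Write all properties" on the object, so over-delegation is visible.
$broad = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, WriteProperty'
(Get-Acl -Path $AdPath).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   ($_.ActiveDirectoryRights -band $broad) -and
                   $_.ObjectType -eq [guid]::Empty } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
```

Run it first with `$Apply = $false` to see the existing entries and the principals that already hold the broad rights, then compare the final listing before and after the change.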