Creating the authorization store

All of the information about rights, roles, and role assignments is held in an authorization store for each zone in Active Directory. The name of the authorization store object is CN=Authorization under the zone object’s DN. For example, the authorization store for the zone named EMEA_Territories in the Arcade.Net forest is:

cn=Authorization, cn=EMEA_Territories, cn=Zones, cn=UNIX, dc=Arcade, dc=Net

To create the authorization store for a zone, users must have the following permissions:

Select this target object:

Parent container for an individual zone

For example, a ZoneName container object, such as:

domain/Centrify/Zones/arcade

To apply these permissions:

On the Object tab, select Allow to apply the following permissions to this object and all child objects:

  • List contents
  • Read all properties
  • Read Permissions

Select Allow to apply the following permissions to this object only:

  • Create msDS-AzAdminManager objects
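
The following PowerShell is an added example, not the vendor's code: it checks whether a trustee's access control entries on the zone's parent container match the permissions listed above, and flags create rights that are wider than required. The function name Test-AuthzStoreDelegation, the group ARCADE\ZoneBuilders and the sample entries are assumptions constructed for illustration, and the class GUID is a random stand-in for the schemaIDGUID of msDS-AzAdminManager.

```powershell
# Added example: audit a trustee's ACEs against the delegation described above.
# Runs offline on constructed ACEs; no directory connection is needed.
Add-Type -AssemblyName System.DirectoryServices

function Test-AuthzStoreDelegation {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][object[]]$Aces,    # ActiveDirectoryAccessRule objects
        [Parameter(Mandatory)][string]$Trustee,   # account to audit
        [Parameter(Mandatory)][guid]$AzClassGuid  # schemaIDGUID of msDS-AzAdminManager
    )
    $create = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
    $mine = @($Aces | Where-Object {
        $_.IdentityReference.Value -eq $Trustee -and $_.AccessControlType -eq 'Allow' })
    $report = [ordered]@{}
    # "This object and all child objects" is InheritanceType All; empty ObjectType is unscoped.
    foreach ($name in 'ListChildren', 'ReadProperty', 'ReadControl') {
        $flag = [System.DirectoryServices.ActiveDirectoryRights]$name
        $report[$name] = [bool]($mine | Where-Object {
            $_.ActiveDirectoryRights.HasFlag($flag) -and
            $_.InheritanceType -eq 'All' -and $_.ObjectType -eq [guid]::Empty })
    }
    # "This object only" is InheritanceType None, scoped to the single child class.
    $report['CreateAzAdminManager'] = [bool]($mine | Where-Object {
        $_.ActiveDirectoryRights.HasFlag($create) -and
        $_.InheritanceType -eq 'None' -and $_.ObjectType -eq $AzClassGuid })
    # Create rights wider than required: any child class, or inherited to child objects.
    $report['CreateBroaderThanRequired'] = [bool]($mine | Where-Object {
        $_.ActiveDirectoryRights.HasFlag($create) -and
        ($_.ObjectType -eq [guid]::Empty -or $_.InheritanceType -ne 'None') })
    [pscustomobject]$report
}

# Constructed sample data: stand-in GUID and a hypothetical group.
$azGuid = [guid]::NewGuid()
$who    = [System.Security.Principal.NTAccount]'ARCADE\ZoneBuilders'
$allow  = [System.Security.AccessControl.AccessControlType]::Allow
$sample = @(
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new($who,
        [System.DirectoryServices.ActiveDirectoryRights]'ListChildren, ReadProperty, ReadControl',
        $allow, [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new($who,
        [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
        $allow, $azGuid, [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
)
# Against a live directory, pass the Access rules returned by Get-Acl on the
# container's AD: drive path, and read the class GUID from the schema.
Test-AuthzStoreDelegation -Aces $sample -Trustee 'ARCADE\ZoneBuilders' -AzClassGuid $azGuid
```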