Add the user to a role group
Users must also have a role assignment for the zone where you want to grant access. A role assignment is required before the UNIX user profile is usable.
Using Active Directory Users and Computers, scripts, or internal procedures, the basic workflow for a new user would be similar to this:
- A new Active Directory user requests access to UNIX computers.
- You add the user principal name to the appropriate Active Directory group principal. If you want to allow the user to log on to computers in a child zone, you add the user to the Login role group childZoneName_Role_Login.
  If the user should be recognized but not allowed to log on, you would add the Active Directory user to the childZoneName_Role_Listed role group. After you have created custom roles, you would search for and select groups based on the specific rights a user needs.
- Run the Zone Provisioning Agent update command in preview mode to verify your changes. For example:
  zoneupdate /p zoneName
- Check the results of the zoneupdate preview, then run the command without the preview option to execute the business rules for provisioning. For example:
  zoneupdate zoneName
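
The workflow above as a single script, with the preview acting as a gate before provisioning runs. This is an added example, not code from the original page or the product; it assumes the ActiveDirectory PowerShell module is installed, zoneupdate is on PATH, the role group can be resolved by its name, and the parameter names are hypothetical.

```powershell
# Added example (not from the original page). Assumes the ActiveDirectory
# module is installed and zoneupdate is on PATH on the provisioning host.
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $UserName,   # hypothetical: the user's sAMAccountName
    [Parameter(Mandatory)] [string] $ZoneName,   # the child zone being provisioned
    [ValidateSet('Login', 'Listed')]
    [string] $Role = 'Listed'                    # default to the role that cannot log on
)

$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory

# Group name follows the page's pattern: childZoneName_Role_Login / _Role_Listed.
# Assumption: the group can be resolved by that name.
$groupName = '{0}_Role_{1}' -f $ZoneName, $Role
$group = Get-ADGroup -Identity $groupName
$user  = Get-ADUser  -Identity $UserName -Properties MemberOf

# Add only if not already a direct member, so re-runs are harmless.
if ($user.MemberOf -contains $group.DistinguishedName) {
    Write-Host "$UserName is already a member of $groupName"
} else {
    Add-ADGroupMember -Identity $group -Members $user
    Write-Host "Added $UserName to $groupName"
}

# Run the Zone Provisioning Agent in preview mode first, as the page describes.
Write-Host "`n--- zoneupdate preview for $ZoneName ---"
& zoneupdate /p $ZoneName

# A person reviews the preview before the provisioning rules are executed.
$answer = Read-Host "Apply these changes to $ZoneName? Type 'yes' to continue"
if ($answer -eq 'yes') {
    & zoneupdate $ZoneName
} else {
    Write-Host 'Preview only; zoneupdate was not run. The group membership change remains in Active Directory.'
}
```

The script defaults to the Listed role, so granting logon rights requires passing `-Role Login` explicitly.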