Configure the business rules for automated provisioning of group profiles

You configure the business rules for automated provisioning of group profiles on a zone‑by‑zone basis. When you use hierarchical zones, you typically want to configure the business rules for the parent zone so that the profile can be inherited in all child zones. Remember that the profile, by itself, does not provide any access to the computers in the child zones, and that you can override any inherited attributes in any zone or on individual computers.

To configure the business rules for groups in the parent zone:

  1. Start Access Manager.
  2. In the console tree, expand the Zones node.
  3. Select the top-level parent zone, right-click, then click Properties.
  4. Click the Provisioning tab.

    If you are defining business rules for a parent hierarchical zone and want to establish a “source zone” for profile attributes, click Advanced. You can then select Source zone for any or all user and group profile attributes. If you select Source zone for any attribute on the Advanced Provisioning page, you can click Browse to search for and select the zone to use as the source zone. In most cases, selecting a source zone is not necessary if you are using hierarchical zones, but this option can be useful if you are migrating from classic to hierarchical zones.

  5. Click Enable auto-provisioning for group profiles.
  6. Click the Find icon to search for and select the “groups” zone provisioning group as the Source Group.

    If you followed the recommended naming convention, search for and select parentZoneName_Zone_Groups. For example, if the zone name is arcadeGlobal, select arcadeGlobal_Zone_Groups.

  7. Select a method for assigning a new GID to new UNIX group profiles:

    • Generate from group SID generates new GIDs that are guaranteed to be unique in the forest based on the Active Directory security identifier (SID) of the group. Selecting this option ensures groups defined in the parent zone have a unique GID across all zones in the Active Directory forest.
    • RFC 2307 attribute uses the gidNumber attribute from the RFC 2307 schema to define GID values for the Active Directory groups that you add to the parent zone. This option requires you to add the RFC 2307 attribute to Active Directory group principals.
    • Use auto-incremented GID selects the next available GID in the parent zone. In most cases, you should avoid using this option because it does not guarantee unique GIDs.
    • Generate using Apple scheme generates group GIDs based on the Apple algorithm for generating numeric identifiers from the Active Directory group’s objectGuid. This option is only supported for hierarchical zones.

  8. Select a method for assigning a new group name to new UNIX group profiles:

    • SamAccountName attribute generates the group name for the UNIX group profile based on the sAMAccountName value.
    • CN attribute uses the common name attribute to define group names for the Active Directory groups you add to the zone. Select this option only after verifying that the common names do not contain spaces or special characters.
    • RFC 2307 attribute uses the cn attribute from the RFC 2307 schema to define group names for the Active Directory groups you add to the zone.
    • Zone default value uses the Group name setting from the Group Defaults tab to define group names for the Active Directory groups you add to the zone. In most cases, the default is a variable that uses the sAMAccountName attribute.

    By default, all UNIX group names are lowercase and invalid characters are replaced with underscores.

  9. Click OK to save your changes.
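The checks a practitioner would want to run before enabling auto-provisioning, as an added example that is not part of this documentation or the product: it applies the default name rule from step 8 (lowercase, invalid characters replaced with underscores), performs the common-name verification the CN attribute option asks for, and reports two problems the page warns about, namely two Active Directory groups that would collapse to the same UNIX group name after normalization and duplicate or missing gidNumber values when the RFC 2307 attribute option is chosen. The set of characters treated as valid (letters, digits, underscore, hyphen, period) is an assumption, since the page does not list them, and the group records are constructed sample data, not real directory output.

```python
import re
from collections import defaultdict

# Assumed character set for a valid UNIX group name; the page only says
# invalid characters are replaced with underscores without listing them.
INVALID_NAME_CHARS = re.compile(r"[^a-z0-9._-]")
SAFE_CN = re.compile(r"[A-Za-z0-9._-]+")

# Constructed sample of Active Directory groups (not real directory data).
SAMPLE_GROUPS = [
    {"sAMAccountName": "WebAdmins", "cn": "Web Admins", "gidNumber": 5001},
    {"sAMAccountName": "web_admins", "cn": "web_admins", "gidNumber": 5002},
    {"sAMAccountName": "DBA", "cn": "DBA", "gidNumber": 5001},  # duplicate GID
    {"sAMAccountName": "Ops-Team", "cn": "Ops-Team", "gidNumber": None},  # no gidNumber
]


def normalize_group_name(value: str) -> str:
    """Default rule from step 8: lowercase, then replace invalid characters with '_'."""
    return INVALID_NAME_CHARS.sub("_", value.lower())


def cn_is_safe(cn: str) -> bool:
    """Verification the CN attribute option requires: no spaces or special characters."""
    return SAFE_CN.fullmatch(cn) is not None


def derive_unix_names(groups, attr):
    """Map each AD group (by sAMAccountName) to the UNIX name it would get from `attr`."""
    return {g["sAMAccountName"]: normalize_group_name(g[attr]) for g in groups}


def find_name_collisions(groups, attr):
    """Return {unix_name: [AD groups]} where two or more AD groups share one UNIX name.

    Distinct AD groups mapping to one UNIX group silently merge their membership,
    so any entry here should be resolved before provisioning is enabled.
    """
    by_name = defaultdict(list)
    for ad_name, unix_name in derive_unix_names(groups, attr).items():
        by_name[unix_name].append(ad_name)
    return {n: members for n, members in by_name.items() if len(members) > 1}


def find_gid_problems(groups):
    """Return (duplicate_gids, groups_without_gid) for the RFC 2307 attribute option."""
    by_gid = defaultdict(list)
    missing = []
    for g in groups:
        gid = g.get("gidNumber")
        if gid is None:
            missing.append(g["sAMAccountName"])
        else:
            by_gid[gid].append(g["sAMAccountName"])
    duplicates = {gid: m for gid, m in by_gid.items() if len(m) > 1}
    return duplicates, missing


if __name__ == "__main__":
    for attr in ("sAMAccountName", "cn"):
        print(f"{attr}: collisions = {find_name_collisions(SAMPLE_GROUPS, attr)}")
    unsafe = [g["cn"] for g in SAMPLE_GROUPS if not cn_is_safe(g["cn"])]
    print("CN values unsafe for the CN attribute option:", unsafe)
    print("gidNumber duplicates / missing:", find_gid_problems(SAMPLE_GROUPS))
```

Run the script against an export of the groups in your zone provisioning group; with the constructed sample, the CN attribute option produces a collision ("Web Admins" and "web_admins" both become web_admins) that the sAMAccountName option does not, and the gidNumber check reports the shared 5001 and the group with no value.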