Defining the business rules for new users in the parent zone

In addition to the business rules for group profiles, you configure similar rules for new UNIX user profiles. When you use hierarchical zones, you typically want to configure these business rules for the parent zone so that the profile can be inherited in all child zones. Remember that the profile, by itself, does not provide any access to the computers in the child zones, and that you can override any inherited attributes in any zone or on individual computers.

Note: The business rules you define only affect new UNIX user and group profiles. The imported legacy data remains unchanged, and the Zone Provisioning Agent will not modify any attributes on the existing user and group profiles.

To configure the business rules for user profiles in the parent zone:

  1. Start Access Manager.
  2. In the console tree, expand the Zones node.
  3. Select the top-level parent zone, right-click, then click Properties.
  4. Click the Provisioning tab.

    If you are defining business rules for a parent hierarchical zone and want to establish a “source zone” for profile attributes, click Advanced. You can then select the Source zone for any or all user and group profile attributes. If you select Source zone for any attribute on the Advanced Provisioning page, you can click Browse to search for and select the zone to use as the source zone. In most cases, selecting a source zone is not necessary if you are using hierarchical zones, but this option can be useful if you are migrating from classic to hierarchical zones.

  5. Click Enable auto-provisioning for user profiles.
  6. Click the Find icon to search for and select the “users” zone provisioning group as the Source Group.

    If you followed the recommended naming convention, search for and select parentZoneName_Zone_Users. For example, if the parent zone name is arcadeGlobal, select arcadeGlobal_Zone_Users.

    This is the same group to which you added the Active Directory users associated with imported user profiles as described in Add existing users to the provisioning group for the parent zone.

  7. Select a method for assigning a new UID to new UNIX user profiles:

    • Generate from user SID generates new UIDs that are guaranteed to be unique in the forest based on the Active Directory security identifier (SID) of the user. Selecting this option ensures users defined in the parent zone have a unique UID across all zones in the Active Directory forest.
    • RFC 2307 attribute uses the uidNumber attribute from the RFC 2307 schema to define UID values for the Active Directory users that you add to the zone. This option requires you to add the RFC 2307 attribute to Active Directory user principals. Otherwise, you should not use this option.
    • Use auto-incremented UID uses the next available UID in the parent zone. In most cases, you should avoid using this option because it can create UID conflicts with users in other zones.
    • Use custom ID enables you to use the employeeId, employeeNumber, or uidNumber attribute as the UID for new users. You should only select the employeeId or employeeNumber attribute if your organization already populates the employeeId or employeeNumber attribute with a unique value for each user account.
    • Generate using Apple scheme generates user UIDs based on the Apple algorithm for generating numeric identifiers from the Active Directory user’s objectGuid. This option is only supported for hierarchical zones.
  8. Select a method for assigning a new UNIX user login name to new UNIX user profiles:

    • SamAccountName attribute generates the user login name for new UNIX users based on the sAMAccountName attribute.
    • CN attribute uses the common name (CN) attribute for user names. You should only select this option if you have verified that the common name does not contain spaces or special characters; otherwise, you should not use this option.
    • RFC 2307 attribute uses the uid attribute from the RFC 2307 schema to define user names for the Active Directory users that you add to the zone. This option requires you to add the RFC 2307 attribute to Active Directory user principals. Otherwise, you should not use this option.
    • Zone default value uses the setting from the User Defaults tab for the zone. In most cases, the default is a variable that uses the sAMAccountName attribute.
  9. Select a method for assigning a new shell and home directory to new UNIX user profiles.

    • RFC 2307 attribute uses the loginShell attribute from the RFC 2307 schema for the default shell and the unixHomeDirectory attribute for the default home directory.
    • Zone default value uses the values you define on the User Defaults tab, which can include runtime variables for the shell and home directory.

    Runtime variables are populated with platform-specific values when a user tries to log on to a UNIX computer. For example, if a user logs on to a Linux computer with a profile that uses the runtime variable for the home directory, the home directory is /home/username. If the user logs on to a Solaris computer, the runtime variable becomes /export/home/username.

  10. Select a method for assigning a primary group to new UNIX user profiles.

    • RFC 2307 attribute uses the gidNumber attribute from the RFC 2307 schema for primary group values. This option requires you to add the RFC 2307 attribute to Active Directory user principals. Otherwise, you should not use this option.
    • Zone default value uses the values you define on the User Defaults tab. This setting enables you to use a specific group profile as the primary group for all UNIX users. If you don’t change the default value for the primary group on the User Defaults tab, the default primary group is a private group.
    • Private group uses the user’s UID as the primary GID.
    • Active Directory group membership uses the Active Directory group with the highest priority as the primary UNIX group. With this option, the Zone Provisioning Agent checks which groups a user belongs to against a prioritized list of groups you have defined. If you select this option, click the Configure icon to search for and select the Active Directory groups to include in the prioritized list. This option allows different users to have different primary GIDs in the same zone.
    • Generate using Apple scheme generates the user’s primary group identifier (GID) based on the Apple algorithm for generating numeric identifiers from the Active Directory objectGuid for the user’s primary group. Note that the user's primary group must be configured for the zone. If the primary group is not configured for the zone, an error will be logged in the Windows Event Log when the user is provisioned. This option is only supported for hierarchical zones.
    • Generate from group SID generates new primary GIDs based on the user’s Active Directory primary group using the Centrify algorithm for generating GIDs.

    If you select the Active Directory group membership option and a user isn’t a member of any of the groups in the list of prioritized groups, the Zone Provisioning Agent will not create a UNIX user profile for the user, because it won’t be able to determine the primary group. As noted in Add security groups to the parent zone, the most common approach is to have all users assigned the same primary GID in a zone.

  11. Click OK to save your changes.

    By default, the GECOS field in new UNIX user profiles is populated using the displayName attribute for the user.
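Several of the options in steps 7 through 10 only work if the directory data meets a precondition: the RFC 2307 attributes must be populated, a custom ID attribute must be unique for every user, a CN used as a login name must contain no spaces or special characters, and with the Active Directory group membership option a user who is in none of the prioritized groups gets no profile. The script below is an added example, not code from Access Manager or the Zone Provisioning Agent; it models those rules over a constructed set of user records (the user names, group names and attribute values are made up) so an administrator can check which options the data can support before enabling them. The Centrify SID-based and Apple objectGuid-based generators are not modelled.

```python
"""Pre-flight check of the provisioning preconditions described above.

Added example, not the Zone Provisioning Agent's code. It evaluates the
page's rules against a constructed set of user records so the outcome of
each option can be inspected before it is selected in the Provisioning tab.
"""
import re

# Constructed sample records (not real directory data). Keys mirror the
# Active Directory attribute names the page mentions. Group names follow the
# parentZoneName_Zone_Users convention from step 6.
USERS = [
    {"sAMAccountName": "jdoe", "cn": "John Doe", "employeeNumber": "1001",
     "uidNumber": 5001, "uid": "jdoe", "loginShell": "/bin/bash",
     "unixHomeDirectory": "/home/jdoe", "gidNumber": 4000,
     "memberOf": ["arcadeGlobal_Zone_Users", "Engineering"]},
    {"sAMAccountName": "asmith", "cn": "asmith", "employeeNumber": "1002",
     "uidNumber": 5002, "uid": "asmith", "loginShell": "/bin/sh",
     "unixHomeDirectory": "/home/asmith", "gidNumber": 4000,
     "memberOf": ["arcadeGlobal_Zone_Users", "Finance"]},
    # Duplicate employeeNumber, no RFC 2307 attributes, CN with a space and
    # an apostrophe, and membership in none of the prioritized groups.
    {"sAMAccountName": "bjones", "cn": "Bob O'Jones", "employeeNumber": "1002",
     "memberOf": ["arcadeGlobal_Zone_Users"]},
]

# RFC 2307 attributes the page relies on for UID, login name, shell, home
# directory and primary group respectively.
RFC2307_ATTRS = ("uidNumber", "uid", "loginShell", "unixHomeDirectory", "gidNumber")

# Conservative definition of "no spaces or special characters" for a login
# name (an assumption for this example, not a rule stated on the page).
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]+$")


def missing_rfc2307(users):
    """Map sAMAccountName -> list of RFC 2307 attributes that are not populated."""
    result = {}
    for user in users:
        missing = [attr for attr in RFC2307_ATTRS if not user.get(attr)]
        if missing:
            result[user["sAMAccountName"]] = missing
    return result


def custom_id_usable(users, attr):
    """True only if `attr` is populated for every user and no value repeats,
    which is the page's precondition for the Use custom ID option."""
    values = [user.get(attr) for user in users]
    if any(value in (None, "") for value in values):
        return False
    return len(set(values)) == len(values)


def cn_problems(users):
    """sAMAccountNames whose CN would not be an acceptable UNIX login name."""
    return [user["sAMAccountName"] for user in users
            if not SAFE_NAME.match(user["cn"])]


def resolve_primary_group(user, prioritized_groups):
    """Model of the Active Directory group membership option: the first
    group in the prioritized list the user belongs to. None means the agent
    would create no profile because no primary group can be determined."""
    for group in prioritized_groups:
        if group in user["memberOf"]:
            return group
    return None


def provisioning_report(users, prioritized_groups):
    """Summarise which options the data supports and who would be skipped."""
    primary = {user["sAMAccountName"]: resolve_primary_group(user, prioritized_groups)
               for user in users}
    return {
        "missing_rfc2307": missing_rfc2307(users),
        "employeeNumber_usable": custom_id_usable(users, "employeeNumber"),
        "uidNumber_usable": custom_id_usable(users, "uidNumber"),
        "cn_problems": cn_problems(users),
        "primary_groups": primary,
        "skipped_no_primary_group": [name for name, group in primary.items() if group is None],
    }


if __name__ == "__main__":
    for key, value in provisioning_report(USERS, ["Engineering", "Finance"]).items():
        print(f"{key}: {value}")
```

Run against the constructed records, the report shows that the RFC 2307 options and Use custom ID with employeeNumber are not safe for this set, that jdoe and bjones would need a different login-name source than CN, and that bjones would be skipped under the Active Directory group membership option. The check is meant to be run over an export of the real provisioning group's members before the corresponding option is enabled.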