Working with computer roles

In addition to the role definitions that confer specific rights when assigned to users and groups, Centrify Authentication Service, Privilege Elevation Service, and Audit & Monitoring Service provide a mechanism for linking a specific group of computers to a group of users with a specific role assignment. These computer-based access rules, called computer roles, identify a set of computers that share a specific attribute that you define, together with a set of users who have common access rights on those computers.

For example, you can define a computer role that identifies a set of computers as Oracle database servers linked to a set of users who have been assigned the oracle_dba role. You can then add and remove users from the Active Directory role group linked to the oracle_dba role to grant or remove the rights associated with the oracle_dba role. In this example, the computer role identifies computers that host Oracle databases and the set of users assigned the database administrator role.

The same set of computers might include computers with AIX and Solaris operating systems. You could then create separate computer roles that link the AIX computers to a group of AIX administrators and the Solaris computers to a group of Solaris administrators.