As discussed in previous chapters, you should associate Centrify role definitions with Active Directory security groups so that you can manage them using the processes and procedures you have for managing Active Directory group membership. If you are using the recommended deployment structure and naming conventions, you would create a new Active Directory group in the ou=User Roles, ou=Centrify organizational unit using the format ZoneName_Role_RoleName. For example, you would create an Active Directory group named sanfrancisco_role_rootequivalent. You can then assign the new role definition to that group.
To assign the role definition to an Active Directory group:
- Open Access Manager.
- Expand Zones and the individual parent or child zones required to select the zone name where you want to assign the role definition.
- Expand Authorization.
- Select Role Assignments, right-click, then click Assign Role.
- Select the role definition you created for root-level access, such as root_equivalent, then click OK.
- Click Add AD Account to search for and select the Active Directory security group you created for the role.
  - Select Group as the object to find.
  - Optionally, type all or part of the group name.
  - Click Find Now.
- Select the group you created for the role in the results, then click OK.
- Click OK to complete the assignment.
- Add members to the Active Directory security group for the role definition using Active Directory Users and Computers, an internal script, or another tool.
- Test the role assignment by logging in to a computer in the zone as a user you added to the Active Directory group and checking that the user can execute privileged commands using dzdo in place of sudo. You can also run dzinfo for that user to confirm that the role is listed among the user's effective role assignments. Because the agent caches group membership, a newly added member may not receive the role until the cache is refreshed or the user logs in again.
Details about commands that are executed with dzdo are logged to the secure syslog facility on the computer where they were executed, so they appear alongside sudo activity in the system's authentication log (typically /var/log/secure on Red Hat-based systems or /var/log/auth.log on Debian-based systems).
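The following script is an added example for the test and logging steps above; it is not part of the Centrify documentation. It does two things: on a joined host it probes whether the current user holds the role and can run a command through dzdo, and it summarizes dzdo entries from the authentication log. The log lines are constructed, and their sudo-style field layout (`user : TTY=... ; PWD=... ; USER=... ; COMMAND=...`, with `command not allowed` on denials) is an assumption made for this example, as is dzdo accepting sudo's `-n` option; verify both against a real entry on your own system before relying on the parser.

```shell
#!/bin/sh
# Added example (not Centrify's code): verify a dzdo role assignment and
# summarize what dzdo logged. Run as the test user on a zone-joined host.

# Constructed sample of authpriv/secure log lines. The field layout is an
# assumption for this example; compare with real entries on your host.
SAMPLE_LOG='Mar  3 09:12:41 web01 dzdo[4182]: jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/usr/bin/systemctl restart httpd
Mar  3 09:13:02 web01 dzdo[4190]: jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar  3 09:14:17 web01 dzdo[4201]: asmith : command not allowed ; TTY=pts/1 ; PWD=/home/asmith ; USER=root ; COMMAND=/bin/bash
Mar  3 09:15:00 web01 sshd[4210]: Accepted publickey for jdoe from 10.0.0.5 port 51022 ssh2'

# Read log lines on stdin and print "user<TAB>allowed|denied<TAB>command"
# for each dzdo entry. Optional first argument restricts output to one user.
dzdo_commands() {
    awk -v want="${1:-}" '
        /dzdo\[[0-9]+\]: / {
            line = $0
            sub(/^.*dzdo\[[0-9]+\]: /, "", line)   # drop timestamp, host, pid
            n = split(line, f, / ; /)              # fields are " ; " separated
            split(f[1], who, / : /)                # "user : TTY=..." or "user : command not allowed"
            user = who[1]
            status = (who[2] ~ /not allowed/) ? "denied" : "allowed"
            cmd = ""
            for (i = 1; i <= n; i++)
                if (f[i] ~ /^COMMAND=/) cmd = substr(f[i], 9)
            if (want == "" || user == want)
                printf "%s\t%s\t%s\n", user, status, cmd
        }'
}

# Number of dzdo entries (optionally for one user) in the constructed sample.
sample_count() {
    printf '%s\n' "$SAMPLE_LOG" | dzdo_commands "${1:-}" | wc -l | tr -d ' '
}

# On a joined host: check that ROLE is listed for the current user by dzinfo,
# then try to run the given command through dzdo. Returns 0 on success, 1 if
# the role is missing or dzdo refuses, 2 if the Centrify tools are not present.
# "-n" (fail instead of prompting) is assumed to behave as it does in sudo.
dzdo_probe() {
    role=$1; shift
    command -v dzinfo >/dev/null 2>&1 || return 2
    dzinfo "$(id -un)" 2>/dev/null | grep -qi "$role" || {
        echo "role $role not visible in dzinfo for $(id -un)" >&2
        return 1
    }
    dzdo -n -u root "$@" >/dev/null 2>&1 || return 1
}

# Stand-alone demonstration: summarize the sample, then probe if tools exist.
printf '%s\n' "$SAMPLE_LOG" | dzdo_commands
if dzdo_probe root_equivalent /bin/true; then
    echo "dzdo probe succeeded for $(id -un)"
fi
```

Run it as the newly added group member on a computer in the zone; the probe's exit status tells you whether the role is effective, and piping `/var/log/secure` (or `/var/log/auth.log`) into `dzdo_commands jdoe` shows what that account actually ran and what was refused.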