There are no predefined limits on the number of zones in a zone hierarchy or on how many levels deep zones can be nested in the hierarchy you define. For practical purposes, however, Centrify recommends using a hierarchy similar to the following:
- One or more top-level parent zones that include basic profile information for all users and groups that access the UNIX, Linux, and Mac OS X computers.
- One to three levels of intermediate child zones based on natural access control or administrative boundaries.
At each level in the hierarchy, profile information and access controls are inherited from the zone above and either applied or overridden by the child zone settings. At the lowest level of the hierarchy, you can override profile attributes or role assignments on any individual computer using machine override settings, if needed.
In addition, hierarchical zones support computer-based access rules, called computer roles, that enable you to selectively give a set of users with a particular role assignment access to a particular set of computers.
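A simplified model of the profile inheritance described above, added here as an illustration and not Centrify code or its API: each attribute is resolved from the top-level parent zone down to the machine override, and the level that supplied the final value is recorded so overrides can be audited. Zone names, the user, and attribute values are constructed sample data, and treating an attribute that a child leaves unset as inherited is an assumption of the model.

```python
"""Illustrative model of profile inheritance in a zone hierarchy (not Centrify's API)."""

# Constructed sample data: zones, computers, user and values are hypothetical.
ZONES = {
    "Global": {"parent": None, "profiles": {
        "jsmith": {"uid": 10001, "shell": "/bin/bash", "home": "/home/jsmith"}}},
    "Engineering": {"parent": "Global", "profiles": {"jsmith": {"shell": "/bin/zsh"}}},
    "BuildFarm": {"parent": "Engineering", "profiles": {}},
}
COMPUTERS = {
    "build01": {"zone": "BuildFarm", "overrides": {"jsmith": {"home": "/build/jsmith"}}},
    "build02": {"zone": "BuildFarm", "overrides": {}},
}


def zone_chain(zone):
    """Return zone names ordered from the top-level parent down to `zone`."""
    chain, seen = [], set()
    while zone is not None:
        if zone in seen:  # a malformed hierarchy must not loop forever
            raise ValueError(f"cycle in zone hierarchy at {zone!r}")
        seen.add(zone)
        chain.append(zone)
        zone = ZONES[zone]["parent"]
    return chain[::-1]


def effective_profile(user, computer):
    """Map each attribute to (value, source level) after applying inheritance."""
    host = COMPUTERS[computer]
    layers = [(f"zone:{z}", ZONES[z]["profiles"].get(user, {}))
              for z in zone_chain(host["zone"])]
    # The machine override is the lowest level, so it is applied last.
    layers.append((f"computer:{computer}", host["overrides"].get(user, {})))
    resolved = {}
    for source, attrs in layers:  # lower levels replace inherited values
        for name, value in attrs.items():
            resolved[name] = (value, source)
    return resolved


def overridden_below(user, computer, top="Global"):
    """Audit aid: attributes whose effective value was set below the top-level zone."""
    profile = effective_profile(user, computer)
    return {name: src for name, (_, src) in profile.items() if src != f"zone:{top}"}


if __name__ == "__main__":
    for host in COMPUTERS:
        print(host, effective_profile("jsmith", host))
```

Running `overridden_below` per computer gives a quick list of where a user's effective profile diverges from the top-level definition, which is the place to look when a machine override is suspected.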