Classic Centrify zones (2.x, 3.x, 4.x)

In classic Centrify zones, each zone is a separate tree stored in the directory. The root of the zone tree is an Active Directory container with the same name as the zone. The zone attributes described in the logical data model are stored in the attributes of this container object. Within the zone container, there are sub-containers for the Users, Groups, and Computers in the zone.

The following figure illustrates the basic structure used for classic zones.

Each sub-container holds serviceConnectionPoint (SCP) objects, which contain the Centrify attributes for each user, group, or computer defined for the zone. Each user, group, or computer serviceConnectionPoint object also has a link back to its parent object (shown as dotted lines in the figure above).

Note: Although Figure 1 illustrates the basic layout for a classic zone using a simple scenario, more complex configurations are possible. For example, in the illustrated scenario, the parent user and group objects are in the same organizational unit (OU), but this is not a requirement. Similarly, the zone tree does not need to be in the same domain as the user or computer objects.

The zone tree structure separates Centrify and UNIX‑specific attributes for each zone from every other zone and from the base Active Directory objects for the users and groups. This structure has the following important benefits:

  • It enables a single Active Directory user to have many different UNIX profiles.
  • It enables you to delegate administrative tasks to users and groups on a zone-by-zone basis.

The following figure illustrates how the zone tree structure enables a single Active Directory user to have many different UNIX profiles.

In a classic zone, the Centrify and UNIX‑specific attributes are separate from all of the other zones and from the base Active Directory objects for the users and groups. This enables delegated management of UNIX-related tasks, such as adding or removing UNIX profiles, within each zone.
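The layout described above can be modeled in a few lines. The following is an added example, not Centrify code: it takes constructed directory entries, derives each SCP's zone from its position in the zone tree, and groups profiles by parent object so that one Active Directory user's per-zone UNIX profiles are visible together; it also lists SCPs whose parent is missing from the data. The `parent` and `unix` keys, the `CN=Zones` and `OU=Staff` locations, and all names and UIDs are assumptions made for the sample.

```python
from collections import defaultdict

SCP = "serviceConnectionPoint"
SUBCONTAINERS = {"users", "groups", "computers"}
STAFF = "OU=Staff,DC=example,DC=com"   # constructed location of the AD objects
ZONES = "CN=Zones,DC=example,DC=com"   # constructed location of the zone trees

# Constructed sample entries. "parent" is a hypothetical key standing in for
# the SCP's link back to its parent object.
ENTRIES = [
    {"dn": f"CN=jsmith,{STAFF}", "objectClass": "user"},
    {"dn": f"CN=jsmith,CN=Users,CN=finance,{ZONES}", "objectClass": SCP,
     "parent": f"CN=jsmith,{STAFF}", "unix": {"login": "jsmith", "uid": 10001}},
    {"dn": f"CN=jsmith,CN=Users,CN=engineering,{ZONES}", "objectClass": SCP,
     "parent": f"CN=jsmith,{STAFF}", "unix": {"login": "john", "uid": 5004}},
    {"dn": f"CN=olduser,CN=Users,CN=finance,{ZONES}", "objectClass": SCP,
     "parent": f"CN=olduser,{STAFF}", "unix": {"login": "olduser", "uid": 10002}},
]

def zone_of(scp_dn):
    """Return (zone, sub-container) for a DN shaped <scp>,<sub-container>,<zone>,...

    Assumes RDN values contain no escaped commas.
    """
    values = [rdn.split("=", 1)[1] for rdn in scp_dn.split(",")]
    if len(values) < 3 or values[1].lower() not in SUBCONTAINERS:
        return None
    return values[2], values[1].lower()

def profiles_by_parent(entries):
    """Group SCP profiles as {parent DN: {zone: profile}} and list orphaned SCPs."""
    known = {e["dn"].lower() for e in entries if e["objectClass"] != SCP}
    profiles, orphans = defaultdict(dict), []
    for e in entries:
        location = zone_of(e["dn"]) if e["objectClass"] == SCP else None
        if location is None:
            continue                      # not an SCP inside a zone tree
        if e["parent"].lower() not in known:
            orphans.append(e["dn"])       # link points at an object not in the data
            continue
        profiles[e["parent"]][location[0]] = e["unix"]
    return dict(profiles), orphans

if __name__ == "__main__":
    by_parent, orphaned = profiles_by_parent(ENTRIES)
    for parent, zones in by_parent.items():
        print(parent, {zone: p["uid"] for zone, p in zones.items()})
    print("orphaned:", orphaned)
```

In the sample, jsmith has a different login name and UID in each of the two zones, and the olduser SCP is reported as orphaned because no parent object for it exists in the data.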