In hierarchical Centrify zones, each zone is part of a tree of zones and Active Directory containers for users, groups, and computers.The effective profile for each user, group, or computer in a hierarchical zone is determined by attributes defined in the current zone, in parent zones, and in zone default values, with values lower in the hierarchy taking priority. In addition, individual computers can have computer-level overrides of users, groups, and role assignments. When you assign computer-level overrides for a specific computer, internally Centrify creates a computer-specific zone that contains the users, groups, and computer role assignments that are specific to only that one computer. Computer zones are not exposed as zones in Access Manager, but are treated as end nodes in the zone hierarchy.
The following figure illustrates the basic structure used for hierarchical Centrify zones. Attributes are inherited from higher-level to lower-level zones as indicated by the arrows in the figure.
In hierarchical zones, because User and Zone objects inherit from their parent zones, it is not necessary for every hierarchical level to have a full set of attributes. If a user profile is incomplete after inheriting all the ancestor’s attributes, missing mandatory attributes are filled from defaults. Missing UIDs are generated from an RID-based algorithm.
See Classic Centrify zones (2.x, 3.x, 4.x) for a general description of the way Centrify attributes are stored in Active Directory.