
Managing group profiles

In document Centrify Server Suite 2014 (Page 100-107)


This chapter describes how to give Active Directory groups access to Centrify-managed computers in Centrify zones and how to manage group profiles and properties using the Access Manager console.

The following topics are covered:

• Creating group profiles for Active Directory groups
• Managing Active Directory group membership
• Adding groups from another trusted forest
• Modifying zone-specific settings for a group profile
• Modifying a group object’s properties
• Customizing additional settings for groups
• Assigning groups to roles
• Running reports for groups

This chapter focuses on adding and managing UNIX profiles and performing related tasks. For information about planning user and group migration and access controls, see the Planning and Deployment Guide.

Creating group profiles for Active Directory groups

You can create a Centrify group profile for any existing domain local, global, or universal security groups you have defined in the Active Directory forest. A group profile consists of zone-specific settings but the same profile information can be used across multiple zones. Creating a profile for an Active Directory group allows you to use Windows role-based access control and group-based filters to manage user access to managed computers. Associating a group profile with an Active Directory group also enables you to take advantage of nested group membership and group policies applied to a domain or organizational unit (OU) that contains Active Directory groups.

A complete profile for a group consists of the GID and UNIX group name attributes that are defined for a group in the /etc/group file.

Although associating Active Directory security groups with zone-based group profiles can be convenient in many organizations, you are not required to link group profiles to Active Directory groups. In addition, creating a profile for an Active Directory group does not create profiles for any members of the group. User accounts must be explicitly given their own profiles.


Note This section provides a simplified view of managing Active Directory groups in Access Manager. In a complex environment, adding groups to a zone requires careful planning to create the zone structure, determine which UNIX groups (and users) to migrate to Active Directory, and which accounts to create for them in Active Directory. The Planning and Deployment Guide walks you through the complete process of creating a zone structure, importing users and groups, and creating Active Directory identities for them.

You can create the profiles using the Access Manager console, Active Directory Users and Computers, ADEdit, or programmatically using the Centrify Windows API.

To create a UNIX profile for a group using Access Manager:

1 Open the Access Manager console.

2 In the console tree, click Zones and select the zone name to which you want to add the Active Directory group.

3 Expand UNIX Data and select Groups, right-click, then click Create UNIX Group.

4 Type a search string to locate the Active Directory group for which you want to create a profile, then click Find Now.

For example, type “fin” to display the Finance Users and Finance Admins groups.

5 Select one or more groups in the results, then click OK.

6 Review the zone profile settings for the group and make any changes, then click OK. You must supply a value for at least one of the fields, but you can leave a field blank and unchecked to give the group a partial profile for this zone. You can complete the profile by providing a value for this field in a child zone of the current zone. For example, if you use the same group name but different numeric identifiers on a set of computers, you can inherit the group name from a parent zone and set the different numeric identifiers in the child zones.

If you selected more than one group, review the profile settings for each group and modify the default settings, if necessary, then click OK.

If you are adding groups with similar names, you might need to modify the UNIX group name to distinguish the groups. For example, if you are adding both the Finance Admins and Finance Users groups to the same zone, you can change the default UNIX group name to finadmin and finuser to make it easier to tell the groups apart. Keep in mind that in some operating environments group names cannot be more than 8 characters and special characters may not be supported.

For more information about defining group membership for UNIX users or adding users to their primary group in Active Directory, see “Adding Active Directory users to zones” on page 109. For more information about the differences in group handling between Active Directory and the UNIX environment or planning access control using group filters, see the
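The following added example (not from this guide and not Centrify code) models the partial-profile and naming rules described above: a group's UNIX name can be inherited from a parent zone while each child zone supplies its own GID, and the resolved profile is then checked for completeness, an 8-character portable name, and name or GID collisions within the zone. The zone names, group names and GIDs are constructed.

```python
import re

# Constructed data: zone hierarchy and per-zone profile fields for each AD group.
# None means "not set here"; the field is then inherited from the parent zone,
# as the guide describes for partial profiles. All names and GIDs are made up.
ZONE_PARENT = {"default": None, "finance-east": "default", "finance-west": "default"}
ZONE_PROFILES = {
    "default": {"Finance Admins": {"name": "finadmin", "gid": None},
                "Finance Users": {"name": "finuser", "gid": None},
                "Finance Contractors": {"name": "fin-contractors", "gid": 5003}},
    "finance-east": {"Finance Admins": {"name": None, "gid": 5001},
                     "Finance Users": {"name": None, "gid": 5002}},
    "finance-west": {"Finance Admins": {"name": None, "gid": 6001}},
}
# Conservative portable form: lowercase, no special characters, 8 characters max.
PORTABLE_NAME = re.compile(r"^[a-z_][a-z0-9_]{0,7}$")

def lineage(zone):
    """Yield the zone and its ancestors, nearest first."""
    while zone is not None:
        yield zone
        zone = ZONE_PARENT[zone]

def effective_profile(zone, ad_group):
    """Resolve a group's profile in `zone`; unset fields come from the nearest ancestor."""
    resolved = {"name": None, "gid": None}
    for z in lineage(zone):
        for key, value in ZONE_PROFILES.get(z, {}).get(ad_group, {}).items():
            if resolved[key] is None and value is not None:
                resolved[key] = value
    return resolved

def check_zone(zone):
    """Map every group visible in `zone` to a list of problems (empty list = OK)."""
    groups = {g for z in lineage(zone) for g in ZONE_PROFILES.get(z, {})}
    profiles = {g: effective_profile(zone, g) for g in sorted(groups)}
    problems = {g: [] for g in profiles}
    for g, p in profiles.items():
        if p["name"] is None or p["gid"] is None:
            problems[g].append("incomplete profile")  # rights and roles cannot be enforced
        elif not PORTABLE_NAME.match(p["name"]):
            problems[g].append("name not portable (>8 chars or special characters)")
        for other, q in profiles.items():
            if other != g and p["name"] is not None and p["name"] == q["name"]:
                problems[g].append(f"UNIX name collides with {other}")
            if other != g and p["gid"] is not None and p["gid"] == q["gid"]:
                problems[g].append(f"GID collides with {other}")
    return problems
```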


Managing Active Directory group membership

One of the key benefits of using Centrify software to manage UNIX users through Active Directory is that you can take advantage of existing Active Directory structures and tools that you are using to manage your Windows environment. For example, you can use Active Directory groups for provisioning and controlling access to zones:

• The Zone Provisioning Agent (see “Provisioning user and group profiles automatically” on page 50) can be configured to automate the provisioning of users through Active Directory groups. Users who are added to or removed from an AD group managed by the Zone Provisioning Agent are automatically added to or removed from the zone. See the Planning and Deployment Guide for detailed information about setting up zones to use the Zone Provisioning Agent.

• Use group membership to control access to computers within a zone. You can assign roles to Active Directory groups to control access to a zone for all members in the group. See “Assigning users and groups to a role” on page 160. Note that the role assignment itself is not sufficient to grant access to members of a group. Each Active Directory user in the group must have a user profile defined in the zone as well. Membership in a group does not necessarily mean a user has a zone profile, unless the group is linked to a zone through the Zone Provisioning Agent for automatic update; see “Provisioning user and group profiles automatically” on page 50.

Identifying a primary group

In most UNIX environments, a user’s primary group identifier (GID) is a “private” group that exists solely for that user. The user is not included as a “member” of the private primary group. You can follow this convention by using a UNIX-only “private” group that is not linked to an Active Directory group or managed in Active Directory or assign users any Active Directory group with a group profile as a primary group.

Because users are not added as members of their private primary group, the primary group identifier (GID) setting does not affect the user’s actual Active Directory group membership, eliminating the need to manage primary groups for UNIX users through Active Directory.

You set the primary group identifier in a user’s profile when adding the user to a zone; see “Adding Active Directory users to zones” on page 109.

The Planning and Deployment Guide discusses in detail best practices for identifying users’ primary groups depending on the environment.

Using Zone Provisioning Agent to provision zones

The Zone Provisioning Agent is a separate tool that enables automated provisioning of user and group accounts into Centrify zones. You configure the Zone Provisioning Agent to monitor specific Active Directory groups that are linked to a zone. When you add or remove users or groups from the monitored groups, the Zone Provisioning Agent adds or removes corresponding users or groups in the zone. You can configure the business rules for adding and removing groups and how the attributes associated with a user profile or a group profile are generated.

See “Provisioning user and group profiles automatically” on page 50 for more information. The Zone Provisioning Agent is also explained in detail in the Planning and Deployment Guide.

Marking a group profile as required

On most UNIX systems, a user can only be a member of a limited number of groups at once. Because of this limitation, it is useful to be able to change a user’s effective group membership to add and remove groups when necessary. You can use the adsetgroups command to dynamically manage the set of Active Directory groups that are available to a UNIX account. You also have the option to specify that membership in a specific group is required in a zone. If you specify that a group is required, users who are members of the group cannot remove the required group profile from their currently active set of groups.

To mark a group as required:

1 Open the Access Manager console.

2 In the console tree, click Zones and expand the zone name for which you want to add a required group. For example, expand the “default” zone.

3 Expand Groups, then select the group name you want to make required.

4 Right-click, then select Zone Profile to display the Centrify Profile for the group.

5 Check the Users are required to be members of this group option.

6 Click Permissions to set specific permissions for this group, if needed, then click OK.

For more information about using the adsetgroups command, see “Using adsetgroups” on page 343 or the adsetgroups man page.
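As an added illustration (not adsetgroups itself and not Centrify code), the following models the rule just described: a user can change the active set of profiled groups, but groups the zone marks as required are always retained, and the total stays within the platform's group limit. The group names and the limit value are constructed.

```python
# Constructed example of the required-group rule. `member_of` holds the AD groups
# (with zone profiles) the user belongs to; `required` holds those the zone marks
# "Users are required to be members of this group". Names and limit are made up.
NGROUPS_MAX = 16  # illustrative per-process supplementary group limit


class ActiveGroupSet:
    def __init__(self, member_of, required):
        self.member_of = set(member_of)
        # A required flag only matters for groups the user actually belongs to.
        self.required = set(required) & self.member_of
        if len(self.required) > NGROUPS_MAX:
            raise ValueError("required groups alone exceed NGROUPS_MAX")

    def apply(self, requested):
        """Resolve a request to make `requested` the active group set.
        Returns (active_set, notes). Required groups are never dropped and groups
        the user is not a member of are ignored, so the result is always valid."""
        requested = set(requested)
        notes = []
        unknown = sorted(requested - self.member_of)
        if unknown:
            notes.append(f"ignored groups the user is not a member of: {unknown}")
        kept = sorted(self.required - requested)
        if kept:
            notes.append(f"required groups cannot be removed, kept: {kept}")
        active = (requested & self.member_of) | self.required
        if len(active) > NGROUPS_MAX:
            # Required groups win; optional groups fill the remaining slots.
            slots = NGROUPS_MAX - len(self.required)
            optional = sorted(active - self.required)[:slots]
            notes.append(f"trimmed to {NGROUPS_MAX} groups: {slots} optional kept")
            active = self.required | set(optional)
        return active, notes
```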

Adding groups from another trusted forest

In most cases, when you create a profile for a group in a zone, the Active Directory group already exists in the local Active Directory forest. You can, however, also add profiles for remote groups to a zone without adding them to the local forest. If you have established a two-way external or forest trust relationship with a remote Active Directory forest, you can add groups from that remote forest to Centrify zones. You add remote groups to the zone in the same way you add profiles for local Active Directory groups except that you must select the remote forest or domain before searching for the group.


To add groups from another trusted forest to a zone:

1 Open the Access Manager console.

2 In the console tree, click Zones and select the zone name to which you want to add the Active Directory group. For example, select the “default” zone.

If the zone is not already open, right-click, then click Open Zone. For example, select and open the “default” zone.

3 Select Groups, right-click, then click Create UNIX Group.

4 In the Find Users dialog box, click Browse, then select the trusted forest or a specific domain in the trusted forest, then click OK. For example, if there is a two-way forest trust between the local wonder.land forest and the remote w2k3r2.dev forest, you can select the remote forest, then click OK to add groups from the w2k3r2.dev forest to a current zone in the local forest.

5 Type a search string to locate the group in the selected forest or domain, then click Find Now.

6 Select one or more groups in the results, then click OK.

7 Review the UNIX profile settings for the group and make any changes necessary, then click OK.

Modifying zone-specific settings for a group profile

You can modify the zone-specific settings in a UNIX profile for an Active Directory group using the Access Manager console, ADEdit command-line utility, Active Directory Users and Computers, or programmatically using the Centrify Windows API.

To modify the zone-specific settings for a group profile:

1 Open the Access Manager console.

2 In the console tree, click Zones and, if necessary, expand Child Zones to select the zone that contains the group profile you want to modify. Then expand UNIX Data > Groups, select the group name, right-click, and select Zone Profile.

3 Edit the UNIX profile as needed, then click OK. For example, click Permissions to set any special permissions on the selected group.

Overriding a group profile definition

When you add a group and create a zone profile in a zone, the profile is inherited by any child zones. It generally does not make sense to change the profile for a group in a child zone as there are only two profile fields, but if you wish you can override either of the profile fields to create a new identity for the group in a child zone or for a computer account, by adding the group to a child zone or a computer account.

Modifying a group object’s properties

You can modify the group profile or group object properties for an Active Directory group using the Access Manager console, the ADEdit command-line utility, Active Directory Users and Computers, or programmatically using the Centrify Windows API.

To modify a group object’s AD properties:

1 Open the Access Manager console.

2 In the console tree, click Zones and, if necessary, expand Child Zones to select the zone that contains the group profile you want to modify. Then expand UNIX Data > Groups, select the group name, right-click, and select Zone Profile.

3 Select a group name, right-click, then click AD Properties.

4 Click the Centrify Profile tab. Edit the UNIX profile and any other properties, as needed, then click OK. For example, click Add to add a group profile for the Active Directory group to another zone, or click Members to add members to the group.

Customizing additional settings for groups

You can configure many aspects of the environment for individual groups by enabling and applying Centrify group policies. For example, you can set group policies to bypass Active Directory authentication for specific groups or to allow users in some groups to be approved from prevalidation. For more information about working with group policies, see the Group Policy Guide.

If you are not deploying Centrify group policies, you can also customize access controls for users and groups with the settings in any computer’s local Centrify configuration file. For more information about setting the parameters in the Centrify configuration file, see the Configuration Parameter Reference Guide.

Assigning groups to roles

You can centrally manage the operations users can perform on managed computers through the creation of roles that define specific rights. You can then assign groups to different roles to control which operations the members of the group are allowed to perform, the computers where they are allowed to perform those operations, and when they should be allowed or denied permission to perform those operations.


For more information about defining rights and roles and assigning groups and users to roles, see Chapter 10, Authorizing users.

For details on assigning groups to roles, see “Assigning users and groups to a role” on page 160.

Note You can assign Active Directory groups to roles without defining a user profile for the users contained in the group. However, the Active Directory user must have a complete user profile in the zone for rights and roles to be enforced. The profile may be defined explicitly in the zone in which the role is assigned, or inherited from a parent zone.

Select a zone, right-click, and select Show Effective UNIX User Rights to see users who have a role assigned for the zone and a complete profile. Select Show Omitted Users to include users who have a role but an incomplete profile (shown in red) or a complete profile but no role.

Running reports for groups

To view information about group accounts and profiles, you can run one or more default reports or create your own custom reports. The default Groups Report lists group profile information for each group in each zone, including the following:

• Active Directory group name.
• UNIX group name.
• Numeric group identifier (GID).
• Whether the group is an orphan.

For more information about generating and working with reports, see “Generating predefined and custom reports” on page 188.
