Creating Group Profiles

You can create group profiles for Active Directory groups and—in hierarchical zone environments—local groups. A group profile consists of two attributes and a list of group members. The attributes that must be defined for the group profile to be complete are the following:

  • A unique numeric identifier (GID).

  • A group name.

A group must have a complete profile with all of these attributes defined to be recognized as a valid group in a zone or on a specific computer. These are the same attributes you define locally for Linux and UNIX groups in the /etc/group file.

For details about creating profiles for Active Directory groups, see Creating group profiles for Active Directory groups. For details about creating profiles for local Linux and UNIX groups, see Creating, modifying, and deleting group profiles for local groups.

Creating Group Profiles for Active Directory Groups

You can create a group profile for any domain local, global, or universal security groups you have defined in the Active Directory forest. Associating a group profile with an Active Directory group also enables you to take advantage of any nested group membership you have defined and any group policies you have applied to a domain or organizational unit.

Although associating a group profile with an Active Directory group can be convenient, there is no predetermined requirement to create group profiles for Active Directory groups. Creating a group profile does not create profiles for any members of the group. User accounts must be explicitly given their own profiles.

You can automate the provisioning of account profiles through the use of Active Directory groups. For information about configuring your environment for automated provisioning, see the *Planning and Deployment Guide*.

What to Do Before Creating a New Active Directory Group Profile

Before you can create Active Directory group profiles, you must have created one or more Active Directory security groups, installed Access Manager, and run the Setup Wizard. You should also identify the specific Active Directory groups for which a group profile is required. In most organizations, only a limited number of Active Directory groups require a zone profile. There are no other prerequisites for performing this task.

Rights Required for This Task

You must have permission to add groups to a zone. Zone administrators can grant this permission through the Zone Delegation Wizard. If the Active Directory administrator manually sets the permissions, your user account must be a domain user with the following permissions to create group profiles in a zone:

| Select this target object | To apply these permissions |
| --- | --- |
| Parent container object for the group profile within the zone | On the Object tab, select Allow to apply the following permission to this object only: Create serviceConnectionPoint objects. Click the Properties tab and select Allow to apply the following property to this object only: Read objectClass. |
| Group account object in Active Directory (for example: domain/Users/group_name) | Click the Properties tab and select Allow to apply the following properties to this object only: Read groupType, Read objectCategory, Read objectClass, Read objectGUID, Read objectSid. |
| Parent container object for the individual zone (for example, if you are adding a group to the Finance zone: domain/UNIX/Zones/Finance) | Click the Properties tab and select Allow to apply the following properties to this object only: Read objectGUID, Write Description. |

Who Should Perform This Task

Depending on your organization's policies, either a Windows domain administrator or a delegated zone administrator performs this task. In most organizations, the task is delegated to a specific user or group with administrative authority in the selected zone.

How Often You Should Perform This Task

In most cases, you only create new group profiles infrequently to address changes to your organization.

Steps for completing this task

If you choose to create group profiles for Active Directory groups, you can use Access Manager, Active Directory Users and Computers, the Access Module for Windows PowerShell, ADEdit, or the Delinea Windows API.

The following instructions illustrate how to create a new group profile using Access Manager. Examples of scripts that use ADEdit, Windows PowerShell, or the Windows API are available in other guides, the Delinea Software Developer’s Kit, or in community forums on the Delinea website.

To create a group profile for an Active Directory group using Access Manager:

  1. Open Access Manager.

  2. Expand Zones and any parent or child zones required to select the zone name to which you want to add the Active Directory group.

  3. Expand UNIX Data and select Groups, right-click, then click Create UNIX Group.

  4. Type a search string to locate the Active Directory group for which you want to create a profile, then click Find Now.

    For example, type “fin” to display the Finance Users and Finance Admins groups.

  5. Select one or more groups in the results, then click OK.

  6. Review the default zone profile settings for the group and make changes if needed, then click OK.

    You can edit an attribute to change its default value, or deselect the attribute to leave it undefined and create a partial group profile in the current zone. You can complete the profile by providing a value for the attribute in a child zone of the current zone. For example, if you use the same group name but different numeric identifiers on two sets of computers, you can inherit the group name from the parent zone and set the different numeric identifiers in the child zones.

    In the AIX Extended Attributes tab, you can view and set AIX attributes for the group's zone profile. Click Add to add an attribute and a value, click Edit to change an attribute, or click Remove to remove an attribute from the group's zone profile.

    If you selected more than one group, review the profile settings for each group and modify the default settings, if necessary, then click OK.

    If you are adding groups with similar names, you might want to modify the default group name to distinguish the groups. For example, if you are adding both the Finance Admins and Finance Users groups to the same zone, you can change the default group names to fin_admin and fin_user to make it easier to tell the groups apart. Keep in mind that in some operating environments group names cannot be more than 8 characters, special characters might not be supported, and spaces are not accepted in UNIX group names by many tools.

Creating, Modifying, and Deleting Group Profiles for Local Groups

When you create a local group profile in Access Manager, the agent writes it to /etc/group on each computer in each zone where the profile is defined. You can create local profiles at the zone level (for example, under Zones > Zonename > UNIX Data) and at the computer level (for example, under Zones > Zonename > Computers > Computername > UNIX Data). Local group profiles that you create at the zone level are available for local and Active Directory users in the zone and its child zones to join.

What to Do Before Creating a New Local Group Profile

You should perform the following tasks before creating local group profiles:

  • Ensure that local account management is enabled and configured through configuration parameters or group policies. See Enabling and configuring local account management for more information.

  • Review the existing group names in /etc/group on the computers where the local group profile will be implemented so that you do not attempt to create a group profile with a name that is already in use. Access Manager performs a name validation check against /etc/group in the current zone when you create a new local group. If the group name already exists in /etc/group somewhere in the current zone, you are prompted to provide a different name for the group that you are creating. Access Manager does not check for GID collisions in the same way, so verify the numeric identifier yourself.
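The name check described here, and the naming caveat in the Active Directory group procedure (8-character limit, unsupported special characters), are easy to run against the target hosts before you create a profile. The following Python is an added example written for this page; it is not Delinea code and not the check Access Manager itself performs. The /etc/group contents and candidate names are constructed, and the portable-character rule and 8-character limit are assumptions about conservative platforms rather than what any particular OS enforces.

```python
"""Pre-flight check for a proposed UNIX group profile against /etc/group.

Added example, not part of the original page or Delinea's code. It models the
page's name-validation check (reject a name already present in /etc/group)
and adds the checks a practitioner wants before creating the profile: GID
collisions and the 8-character / portable-character limits some platforms
impose. The /etc/group sample below is constructed for this example.
"""
import re
from dataclasses import dataclass

# Constructed sample of an /etc/group file (not taken from any real host).
SAMPLE_ETC_GROUP = """\
root:x:0:
wheel:x:10:alice
finance:x:30001:alice,bob
finadmin:x:30002:
# comment lines and blank lines are tolerated

"""

# Assumed portable group-name rule: POSIX portable filename characters,
# lowercase, no leading digit or hyphen. Some platforms are stricter.
PORTABLE_NAME = re.compile(r"^[a-z_][a-z0-9_-]*$")
LEGACY_NAME_MAX = 8  # assumed limit on older UNIX platforms (see page caveat)


@dataclass(frozen=True)
class GroupEntry:
    name: str
    gid: int
    members: tuple


def parse_etc_group(text):
    """Parse /etc/group content into GroupEntry objects, skipping junk lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            continue  # malformed line; a real agent would log this
        name, _password, gid, members = fields
        try:
            gid_int = int(gid)
        except ValueError:
            continue
        entries.append(GroupEntry(name, gid_int, tuple(m for m in members.split(",") if m)))
    return entries


def check_proposed_group(name, gid, etc_group_text):
    """Return a list of problems with creating (name, gid); an empty list means OK."""
    problems = []
    existing = parse_etc_group(etc_group_text)
    by_name = {e.name: e for e in existing}
    by_gid = {e.gid: e for e in existing}

    if name in by_name:
        problems.append(f"name '{name}' already exists in /etc/group (gid {by_name[name].gid})")
    if gid in by_gid:
        problems.append(f"gid {gid} already used by group '{by_gid[gid].name}'")
    if not PORTABLE_NAME.match(name):
        problems.append(f"name '{name}' contains characters some platforms reject")
    if len(name) > LEGACY_NAME_MAX:
        problems.append(f"name '{name}' is longer than {LEGACY_NAME_MAX} characters")
    if gid < 0:
        problems.append("gid must be non-negative")
    return problems


if __name__ == "__main__":
    for candidate in [("finuser", 30003), ("finadmin", 30010), ("fin admin", 30001)]:
        issues = check_proposed_group(*candidate, SAMPLE_ETC_GROUP)
        print(candidate, "OK" if not issues else issues)
```

On a real host, feed the script the contents of /etc/group from every computer in the zone, since the page's check is zone-wide: a name or GID that is free on one computer may already be taken on another.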

Rights Required for This Task

The rights required to create local group profiles are the same as the rights required to create Active Directory group profiles. See Rights required for this task for details about those rights.

Using Partial Profiles and Child Zones to Fine-Tune Group Attributes

Access Manager allows you to create a partial profile by leaving any of the attributes blank. Partial profiles can be useful for defining a common set of attributes that are used in multiple zones, then defining specific attributes that vary from one child zone to another or that require different settings on specific computers. For example, you could define the Members attribute in a parent zone, and then override the parent zone attribute settings by defining the Members attribute differently in different child zones.

If you intend to leave an attribute blank, deselect the attribute check box. However, you must provide a value for at least one attribute to create the group profile.

Groups can have an incomplete profile in a parent zone as long as any missing attributes are defined in a child zone. If a group profile is still partial at the computer level, the agent ignores it and does not add it to /etc/group on the local computer. To be complete, a group profile must contain the attributes listed in Creating group profiles, and a local group profile must also define a State value.

Specifying profile states

The profile state lets you control whether a local group account is present in /etc/group and enabled for use locally. When you create a local group account, you specify the initial profile state. You can change the profile state afterward to control availability of the local group account. A local group account can have one of the following states:

  • Enable: If the local group profile is complete, it will be installed or updated in /etc/group at the next local account refresh interval.

  • Remove from /etc/group: The group profile will be removed from /etc/group at the next local account refresh interval.

You can also choose not to define the profile state by deselecting the State check box in the Set Local Group Profile dialog. Deselecting the State check box results in one of the following scenarios:

  • If a local group profile with the same name exists in the parent zone, the state from the parent group profile is inherited.

  • If the parent zone does not contain a group profile with the same name, or if a parent group profile exists but does not define the state, the group profile that you are currently defining is considered incomplete.
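The inheritance rules in this section and in Using Partial Profiles and Child Zones to Fine-Tune Group Attributes are easier to reason about as a merge down the zone chain: each level fills in or overrides attributes from its ancestors, and the agent acts only on the effective result. The following Python is an added example, not Delinea code and not how the agent is implemented. Zone names, group names and attribute values are constructed, and treating Remove from /etc/group as acting whatever the other attributes hold is this example's reading of the text above.

```python
"""Resolve a local group profile through a zone hierarchy.

Added example, not code from the original page or from Delinea. It models the
rules the page states for partial profiles: a child zone (or computer) fills
in or overrides attributes from its parent; a deselected attribute (stored as
None here) contributes nothing; State is inherited only from a parent profile
of the same name; and the agent writes an /etc/group entry only when the
effective profile is complete (name, GID, State) and State is "Enable".
All zone and group data below is constructed.
"""

ENABLE = "Enable"
REMOVE = "Remove from /etc/group"
REQUIRED = ("gid", "state")  # the group name itself is the dict key

# Constructed zone chain, root first: Zones/UNIX -> Zones/UNIX/Finance -> computer fin-db01.
ROOT = {
    # name and members only; GID deliberately left blank (deselected)
    "finadmin": {"gid": None, "members": ["alice", "bob"]},
}
FINANCE = {
    "finadmin": {"gid": 30002, "state": ENABLE},
    "audit": {"gid": 30010},          # no State and no parent profile -> incomplete
}
FIN_DB01 = {
    "finadmin": {"gid": 31002},       # per-computer GID override, everything else inherited
    "legacy": {"gid": 999, "state": REMOVE},
}
CHAIN = [ROOT, FINANCE, FIN_DB01]


def resolve_profile(name, chain):
    """Merge partial profiles for `name` from root zone to computer.

    `chain` is a list of dicts, one per level, each mapping group name to the
    attributes that level defines. Returns the effective attribute dict, or
    None if no level defines the group at all.
    """
    effective = {}
    for level in chain:
        attrs = level.get(name)
        if attrs:
            # A deselected attribute is None and is skipped, so the value from
            # the nearest ancestor that set it survives.
            effective.update({k: v for k, v in attrs.items() if v is not None})
    return effective or None


def is_complete(profile):
    return profile is not None and all(k in profile for k in REQUIRED)


def plan_action(name, chain):
    """Return what the agent would do at the next refresh: (action, etc_group_line).

    action is "write" (with the /etc/group line), "remove" (entry deleted) or
    "ignore" (profile partial or undefined; nothing written).
    """
    profile = resolve_profile(name, chain)
    if profile is None:
        return ("ignore", None)
    # The page ties removal only to the State value, so no other attribute is
    # required for it (assumption of this example).
    if profile.get("state") == REMOVE:
        return ("remove", None)
    if not is_complete(profile):
        return ("ignore", None)
    members = ",".join(profile.get("members", ()))
    return ("write", f"{name}:x:{profile['gid']}:{members}")


if __name__ == "__main__":
    for group in ("finadmin", "audit", "legacy", "nosuch"):
        print(group, plan_action(group, CHAIN))
```

Run it against your own zone layout by replacing the constructed dicts with the profiles you actually define at each level; an "ignore" result for a group you expected to see in /etc/group usually means the State or GID was deselected at every level.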

Roles and Local Group Account Visibility

You use role assignments to control whether local users are visible in a zone. A predefined role definition, local listed, is available for use with local user and local group profiles. As with the listed predefined role, the local listed role does not grant any system rights, PAM rights, or command rights. It is a specialized role that can be used when a local user or local group profile must exist for computers in a zone, but no local user or local group access should be granted.

You can optionally define other roles in the zone to grant visibility to local users and local groups.

By default, all local groups having a complete profile are visible in a zone. You do not have to assign a role to a local group to make the local group visible. However, it is often useful to assign a role (such as local listed) to a local group so that all local users in the local group inherit the role assignment, and are visible in the zone.

See Creating, modifying, and deleting user profiles for local users for more information about how roles are used to control visibility of local user accounts.

How Often Access Manager and Local Group Accounts Are Synchronized

The /etc/group file on local computers is updated periodically based on the information that you define for local group profiles in Access Manager. The /etc/group update interval is controlled by the following group policy and configuration parameter:

  • Group Policy: Set refresh interval for access control cache, located in Computer Configuration > Delinea Settings > DirectControl Settings > Network and Cache Settings.

  • Configuration parameter: adclient.refresh.interval.dz, located in the /etc/centrifydc/centrifydc.conf configuration file.

The same group policy and parameter control how often the authorization store cache is updated. Local account information is updated immediately after authorization store information is refreshed in the authorization cache.

For more information, see the Group Policy Guide, the Configuration and Tuning Reference Guide, and Enabling and configuring local account management.

Steps for completing this task

To create a group profile for a local group using Access Manager

  1. Open Access Manager.

  2. Expand Zones and any parent zones, child zones, or computers required to select the zone or computer to which you want to add the local group.

  3. Expand UNIX Data and select Local Groups.

    You can create a new local group in these ways:

    • By dragging and dropping an existing local group from another location. Expand zones or computers to the location of the original local group, and drag it to the location of the new local group. The local group is moved to the new location. To copy (instead of move) the original group, press <Ctrl> while you drag the group.

    • By cutting or copying an existing local group from another location, and then pasting it into the current location. Expand zones or computers to the zone where the original local group exists, right-click the local group and select Cut or Copy, return to the zone where you are creating the new local group, right-click, and select Paste.

    • By creating an entirely new local group. Perform Step 4 through Step 8 of this procedure.

  4. In Local Groups, right-click, then click Create UNIX Group.

  5. Type a name for the new local group and click OK.

  6. In the Set UNIX Group Profile dialog, select or deselect check boxes to specify which attributes to set. You must specify at least one attribute to be able to save the profile.

    • GID: Type a numeric group ID of your choice.

    • Members: Click Add to launch the Add Members dialog. In a comma-separated list, type the UNIX names of the users who will be in the group.

      Access Manager does not check the validity of the user names that you provide. Ensure that every name you enter is a UNIX name that currently exists: a misspelled name is written to /etc/group as-is, and a name that happens to match a different existing account gives that account the group's membership.

      Note that the group profile is considered complete even if this attribute has an empty value.

    • State: Specify whether the group account is added to, and enabled in, /etc/group. Possible values are:

      Enable: The group profile will be installed or updated in /etc/group at the next local account refresh interval.

      Remove from /etc/group: The group profile will be removed from /etc/group at the next local account refresh interval.

      To modify permissions for a local group, you must first create and save the local group as described in this procedure, and then modify permissions.

      For the profile to be complete, it must contain settings for group name, GID, and state. You can save the profile now even if it is partial, although it will not be implemented in /etc/group until you complete it, either by updating it in the current zone or with settings in child zones, and set the state to Enable. For example, if you use the same group name but different numeric identifiers on two sets of computers, you can inherit the group name from a parent zone and set the different numeric identifiers in the child zones.

      In the AIX Extended Attributes tab, you can view and set AIX attributes for the local group's zone profile. Click Add to add an attribute and a value, click Edit to change an attribute, or click Remove to remove an attribute from the group's zone profile.

  7. Review your local group profile settings and click OK.

    If the profile is complete, it is added to /etc/group at the next local account refresh interval.

  8. To optionally assign the local listed role to the local group, so that all local users in the local group are visible in the zone:

    1. At the level where you created the local group, right-click Role Assignments, and then select Assign Role.

    2. In the Select Role dialog, select local listed and click OK.

    3. In the Assign Role dialog, ensure that Accounts below is selected, and click Add Local Account.

    4. In the Add Local Account dialog, select Local UNIX Group in the Type field, type the local group name in the Account field, and click OK.

    5. In the Assign Role dialog Accounts below area, highlight the local group account and click OK. The local group is now listed as an assignee of the local listed role.

To modify group profile attributes and permissions for a local group:

  1. In Access Manager, expand UNIX Data for the zone or computer containing the local group that you want to modify.

  2. In the Local Groups details pane, right-click the local group to modify and select Zone Profile.

    The Properties dialog for the profile is displayed.

  3. Modify attribute selections and settings as described in Step 6 in the procedure To create a group profile for a local group using Access Manager. Keep in mind the following considerations when you change attributes.

    If there is no parent profile for the same local group name:

    • You can edit profile fields to customize the value.

    • You can deselect profile fields to define a partial profile.

    If a parent profile for the same local group name already exists in a parent zone:

    • You can edit profile fields to customize the value.

    • You can deselect profile fields to inherit attribute values from the parent profile.

  4. To optionally modify group permissions (such as read, write, create or delete child object, and so on), click Permissions. Refer to the “Active Directory permissions required for administrative tasks” chapter in the Planning and Deployment Guide for details about using the Permissions dialog to modify zone-level user and group permissions.

  5. Review your changes to the local group profile and click OK.

    Your changes are applied to the local group profile in /etc/group at the next local account refresh interval.

To Delete a Group Profile for a Local Group from a Zone or Computer:

This procedure does not remove a local group profile from /etc/group. To remove a local group profile from /etc/group, perform the procedure described in [To remove a group profile for a local group from /etc/group](#to-remove-a-group-profile-for-a-local-group-from-etcgroup).

  1. In Access Manager, expand UNIX Data for the zone or computer containing the local group that you want to delete.

  2. In the Local Groups details pane, right-click the local group to delete and select Delete.

  3. At the warning prompt, select Yes.

    The local group is deleted from Access Manager only. The entry remains in /etc/group on each computer, with whatever members it had, and Access Manager no longer manages it; any access that depends on membership in that group continues until you remove the entry from /etc/group.

To Remove a Group Profile for a Local Group from /etc/group

  1. In Access Manager, expand UNIX Data for the zone or computer containing the local group that you want to remove from /etc/group.

  2. Perform one of the following procedures:

    • Right-click a local group, select Change Profile State, then select Remove from /etc/group.

    • Right-click a local group, select Zone Profile, change the value of the State field to Remove from /etc/group, and click OK.

      At the next local account refresh interval, the local group’s profile is removed from /etc/group.

Delegating Control of Local Group Management Tasks

You can use the Zone Delegation Wizard and Computer Delegation Wizard as described in the Planning and Deployment Guide to delegate control of local group management tasks.