Creating User Profiles
You can create user profiles for Active Directory users and—in hierarchical zone environments—local users. A user profile consists of the attributes required by the name service switch (NSS) facility on Linux and UNIX computers. User attributes that must be defined for the user profile to be complete are the following:
- A user name (the UNIX login name).
- A unique numeric user identifier (UID).
- The user's primary group profile numeric identifier (GID).
- The default home directory for the user.
- The default login shell for the user.
- General information about the user account (GECOS). This attribute is required for Active Directory user profiles, but not for local user profiles.
A user must have a complete profile with all of these attributes defined to be recognized as a valid user in a zone or on a specific computer. You can optionally define other attributes that are not required for the user profile to be complete.
These are the same attributes you define locally for Linux and UNIX users in the /etc/passwd file.
For details about creating profiles for Active Directory users, see Creating user profiles for Active Directory users. For details about creating profiles for local Linux and UNIX groups, see Creating, modifying, and deleting user profiles for local users.
Creating User Profiles for Active Directory Users
You can create a user profile for any domain user you have defined in the Active Directory forest by adding the user to a zone, or by adding the user to a specific computer in a zone. Associating a user profile with an Active Directory user determines how the Active Directory user is identified on Linux and UNIX computers.
You can automate the provisioning of user profiles through the use of Active Directory groups. For information about configuring your environment for automated provisioning, see the *Planning and Deployment Guide*.
What to Do Before Creating a New Active Directory User Profile
Before you can create Active Directory user profiles, you must have created one or more Active Directory users, installed Access Manager, and run the Setup Wizard. You should also identify the computers where Active Directory users might require different profile attributes. For example, you might have some Active Directory users that require the default home directory attribute to be set to /home for access to most computers, but require the attribute to be set to /Users when they log on to Mac OS X computers.
In most organizations, Active Directory users have one “dominant” profile with consistent attributes across multiple computers, but require “override” settings to some profile attributes on specific computers or groups of computers. Therefore, most user profiles are only added to parent zones and inherited in child zones.
Rights Required for This Task
You must have permission to add users to a zone. Zone administrators can grant this permission through the Zone Delegation Wizard. If the Active Directory administrator manually sets the permissions, your user account must be a domain user with the following permissions to create user profiles in a zone:
Select this target object | To apply these permissions |
---|---|
Parent container object for the user profile | On the Object tab, select Allow to apply the following permission to this object only: Create serviceConnectionPoint Objects. This permission is required for both standard zones and RFC 2307-compliant zones. For standard zones, you need to apply additional permissions: click the Properties tab, select serviceConnectionPoint objects from the object list, then select Allow to apply the following properties to this object: Read Name, Read name, Read displayName. |
User account object in Active Directory (for example: domain/Users/user_name) | Click the Properties tab and select Allow to apply the following properties to this object only: Read objectCategory, Read objectClass, Read objectGUID, Read objectSid, Read userAccountControl. |
Parent container object for the individual zone (for example, if you are adding a user to the Finance zone: domain/UNIX/Zones/Finance) | Click the Properties tab and select Allow to apply the following properties to this object only: Read objectGUID, Write Description. |
Who Should Perform This Task
A Windows domain administrator performs this task, depending on your organization's policies. In most organizations, this task is delegated to a specific user or group with administrative authority in the selected zone.
How Often You Should Perform This Task
In most cases, you create and remove user profiles frequently to address changes to your user population.
Steps for Completing This Task
The following instructions illustrate one way to create a new user profile using Access Manager. You can also add a user profile and assign a role to an Active Directory user with the Add User wizard. Examples of scripts that use ADEdit, Windows PowerShell, or the Windows API are available in other guides, the Delinea Software Developer's Kit, or in community forums on the Delinea website.
To create a user profile for an Active Directory user using Access Manager:
1. Open Access Manager.
2. Expand Zones and any parent or child zones required to select the zone name to which you want to add the Active Directory user.
   In most cases, you should add user profiles to a parent zone.
3. Expand UNIX Data and select Users, right-click, then click Add User to Zone.
4. Type a search string to locate the user account, then click Find Now.
   For example, type “qa” to display the qa-lab, qa-hk and qaVenice1x users.
5. Select one or more users in the results, then click OK.
6. Review the default zone profile settings for the user and make any changes if needed, then click OK.
   You can deselect an attribute to change the default value or to create a partial user profile in the current zone. You can then complete the profile by providing a value for an attribute in a child zone of the current zone. For example, if you use the same login name but different numeric identifiers on two sets of computers, you can inherit the login name from a parent zone and set the different numeric identifiers in the child zones.
   In the AIX Extended Attributes tab, you can view and set AIX attributes for the user's zone profile. Click Add to add an attribute and a value, click Edit to change an attribute, or click Remove to remove an attribute from the user's zone profile.
   If you selected more than one user, review the profile settings for each user and modify the default settings, if necessary, then click OK.
Changing the Default Profile Attributes
When you add Active Directory users to a zone, Access Manager displays a default new user profile. You can accept or change the default values for any of the profile attributes, as needed. The default attribute values are automatically generated based on a few simple rules and, in most cases, you can accept them as-is. The following table describes how the default values are populated.
This attribute | Has the following default value |
---|---|
Login name | The Active Directory user logon name associated with the Active Directory account. |
UID | A unique number automatically generated by an algorithm based on the security identifier (SID) for the Active Directory user. |
Primary group | A unique numeric identifier that represents a private primary group and is the same as the user's default UID. Private groups are not stored or managed in Active Directory. |
GECOS | A runtime variable that resolves to the Active Directory displayName attribute associated with the Active Directory account. |
Home directory | A runtime variable that specifies the default home directory when resolved locally on a computer. |
Shell | A runtime variable that specifies the default login shell when resolved locally on a computer, that is, the default shell defined for that computer in this zone. |
Defining Partial UNIX Profiles
Access Manager allows you to create a partial profile by leaving any of the attributes blank. Partial profiles can be useful for defining a common set of attributes that are used in multiple zones, then defining specific attributes that vary from one child zone to another or that require different settings on specific computers. For example, you could leave the Shell attribute blank in a parent zone, define it as /bin/bash in a child zone, but override it with /usr/bin/ksh in a grandchild zone that only contains AIX computers. You could also leave the Home directory attribute blank in a parent zone, then set it to /home in one child zone and to /Users on an individual Mac OS X computer that joins the child zone.
If you intend to leave an attribute blank, deselect the attribute check box. However, you must provide a value for at least one attribute to add the user profile. Users must have a complete profile in a zone for any role assignments to be effective. Keep in mind, however, that users can have an incomplete profile in a parent zone as long as any missing attributes are defined in a child zone to allow role assignments in the child zone.
Defining Valid Login Names
User profile login names can consist of letters, numbers, hyphens, underscores, periods and dashes. Some operating environments may have additional restrictions. For example, some operating environments do not support user names that are longer than 8 characters or require that the first character of the user name be alphabetic. Because UNIX user names typically use only lowercase characters, the default user profile name displayed follows this convention. If you modify the default profile name and include uppercase characters, keep in mind that the proper case must be used when entering the user name. For compatibility with Samba, the dollar sign ($) can also be used at the end of the user name. In general, other special characters, such as ! and &, are not supported.
If the Windows logon name includes unsupported special characters, Access Manager replaces them with underscores for the UNIX login name. For example, Access Manager converts a Windows logon name with special characters, such as qa:user2 into a valid UNIX login name of qa_user2.
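The login name rules above (allowed characters, the Samba trailing `$`, underscore substitution for unsupported characters, the lowercase default, and the optional platform limits) are easy to get wrong by hand. The following Python is an added example, not Access Manager's own code: it validates a proposed login name, derives a default UNIX login name from a Windows logon name the way the page describes (qa:user2 becomes qa_user2), and lists the portability concerns the page calls out. Lowercasing the derived name by default is an assumption taken from the page's statement that the displayed default follows the lowercase convention; pass `lowercase=False` to keep the Windows case.

```python
import re

# Characters the page lists as valid in a UNIX login name: letters, numbers,
# hyphens, underscores and periods. A dollar sign is allowed only as the final
# character (Samba machine-account convention).
_LOGIN_RE = re.compile(r"^[A-Za-z0-9._-]+\$?$")


def is_valid_login_name(name, max_len=None, alpha_first=False):
    """Return True if `name` satisfies the general rules on the page.

    `max_len` and `alpha_first` model the optional per-platform restrictions
    the page mentions (an 8-character limit, or requiring the first character
    to be alphabetic); both are off unless the caller asks for them.
    """
    if not name or not _LOGIN_RE.match(name):
        return False
    if max_len is not None and len(name) > max_len:
        return False
    if alpha_first and not name[0].isalpha():
        return False
    return True


def unix_login_from_windows_logon(logon, lowercase=True):
    """Derive the default UNIX login name from a Windows logon name.

    Unsupported characters become underscores (the page's example is
    qa:user2 -> qa_user2); a trailing `$` is kept for Samba compatibility.
    Lowercasing (the default here) is an assumption based on the page's note
    that the displayed default follows the lowercase UNIX convention.
    """
    out = []
    last = len(logon) - 1
    for i, ch in enumerate(logon):
        if ch.isascii() and (ch.isalnum() or ch in "._-"):
            out.append(ch)
        elif ch == "$" and i == last:
            out.append(ch)
        else:
            out.append("_")
    name = "".join(out)
    return name.lower() if lowercase else name


def platform_warnings(name):
    """List the portability concerns the page calls out for a chosen login name."""
    warnings = []
    if len(name) > 8:
        warnings.append("longer than 8 characters; some platforms reject it")
    if name and not name[0].isalpha():
        warnings.append("first character is not alphabetic; some platforms reject it")
    if name != name.lower():
        warnings.append("contains uppercase; the name must be typed with matching case")
    return warnings


if __name__ == "__main__":
    for logon in ("qa:user2", "QA User!", "WKS01$"):   # constructed sample logon names
        unix_name = unix_login_from_windows_logon(logon)
        print(f"{logon!r} -> {unix_name!r}, valid={is_valid_login_name(unix_name)}")
    print(platform_warnings("Qa-Lab-Very-Long"))
```

Use `max_len=8` and `alpha_first=True` when validating names destined for the stricter platforms the page mentions; the generic check alone only enforces the character-set rule.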
Identifying a Primary Group
In most UNIX environments, a user's primary group identifier (GID) is a “private” group that exists solely for that user. The user is not included as a “member” of the private primary group. You can follow this convention by using a UNIX-only “private” group that is not linked to an Active Directory group, which is the default when you create a new user profile.
If you keep the default private primary group, the primary group identifier (GID) setting in the user profile does not affect the user's actual Active Directory group membership in any way, and there's no need to manage primary groups for UNIX users through Active Directory.
In some cases, however, you might want to assign an Active Directory group that has a corresponding group profile as a user's primary group. If you specify an Active Directory group as a user's primary group, keep in mind that you must manage the membership of that group using Active Directory Users and Computers and that if you identify a group with a large number of members—such as Domain Users—it is likely to affect performance.
For more information about defining primary groups for users, see the Planning and Deployment Guide.
Creating, Modifying, and Deleting User Profiles for Local Users
When you create a local user profile in Access Manager, it is saved in /etc/passwd on each computer in each zone where the profile is defined. You can create local profiles at the zone level (for example, under Zones > Zonename > UNIX Data) and at the computer level (for example, under Zones > Zonename > Computers > Computername > UNIX Data).
After you create local user profiles, you perform a separate set of tasks to create and manage local user passwords. For detailed information about local user passwords, see Creating and managing local user passwords.
What to Do Before Creating a New Local User Profile
You should perform the following tasks before creating local user profiles:
- Ensure that local account management is enabled and configured through configuration parameters or group policies. See Enabling and configuring local account management for more information.
- It is suggested that you review the existing user names in /etc/passwd on the computers where the local user profile will be implemented so that you do not attempt to create a user profile with a name that is already used. Access Manager performs a name validation check against /etc/passwd in the current zone when you create a new local user. If the user name already exists in /etc/passwd somewhere in the current zone, you are prompted to provide a different name for the user that you are creating.
Rights Required for This Task
The rights required to create local user profiles are the same as the rights required to create Active Directory user profiles.
Using Partial Profiles and Child Zones to Fine-Tune User Attributes
Access Manager allows you to create a partial profile by leaving some user attributes blank. Partial profiles can be useful for defining a common set of attributes that are used in multiple zones, then defining specific attributes that vary from one child zone to another or that require different settings on specific computers. For example, you could leave the Shell attribute blank in a parent zone, define it as /bin/bash in a child zone, but override it with /usr/bin/ksh in a grandchild zone that only contains AIX computers.
If you intend to leave an attribute blank, deselect the attribute check box. However, you must provide a value for at least one attribute to create the user profile.
Users can have an incomplete profile in a parent zone as long as any missing attributes are defined in a child zone. If a user profile is still partial at the computer level, the profile is ignored by the agent, and it is not added to /etc/passwd on the local computer. User profiles must contain the attributes listed in Creating user profiles to be complete.
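The inheritance rule described here (and the completeness rule in Creating user profiles) amounts to a small merge algorithm: walk from the root zone down to the zone or computer in question, let each level override only the attributes it defines, then check the result against the required attribute list. The Python below is an added example, not Access Manager's own resolver; the `Zone` class, the attribute names, and the constructed hierarchy (a UNIX parent zone, a Linux child, an AIX grandchild, and a Mac OS X computer modelled as a further child of the Linux zone) are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Attributes the page lists as required for a complete profile. GECOS is required
# for Active Directory user profiles but not for local user profiles.
REQUIRED_AD = ("login", "uid", "gid", "home", "shell", "gecos")
REQUIRED_LOCAL = ("login", "uid", "gid", "home", "shell")


@dataclass
class Zone:
    """A zone, or (modelled the same way) an individual computer joined to a zone."""
    name: str
    parent: Optional["Zone"] = None
    # login name -> partial profile. A deselected (blank) attribute is simply absent.
    profiles: dict = field(default_factory=dict)

    def child(self, name):
        return Zone(name, parent=self)


def resolve_profile(zone, login):
    """Merge the partial profiles for `login` from the root zone down to `zone`.

    Each level only overrides the attributes it defines; anything it leaves
    blank is inherited from the level above.
    """
    chain = []
    z = zone
    while z is not None:
        chain.append(z)
        z = z.parent
    merged = {}
    for z in reversed(chain):                     # root first, most specific last
        partial = z.profiles.get(login, {})
        merged.update({k: v for k, v in partial.items() if v not in (None, "")})
    return merged


def missing_attributes(profile, local=False):
    """Required attributes that are still blank after inheritance."""
    required = REQUIRED_LOCAL if local else REQUIRED_AD
    return [a for a in required if profile.get(a) in (None, "")]


def is_complete(profile, local=False):
    """Role assignments (AD users) or installation in /etc/passwd (local users)
    only take effect at a level where this returns True."""
    return not missing_attributes(profile, local)


def build_example():
    """Constructed hierarchy mirroring the page's shell and home directory example."""
    unix = Zone("UNIX")
    unix.profiles["qa-lab"] = {"login": "qa-lab", "uid": 5001, "gid": 5001, "gecos": "QA lab"}
    linux = unix.child("Linux")
    linux.profiles["qa-lab"] = {"shell": "/bin/bash", "home": "/home/qa-lab"}
    aix = linux.child("AIX")                      # grandchild zone with only AIX computers
    aix.profiles["qa-lab"] = {"shell": "/usr/bin/ksh"}
    mac01 = linux.child("mac01")                  # Mac OS X computer joined to the child zone
    mac01.profiles["qa-lab"] = {"home": "/Users/qa-lab"}
    return {"UNIX": unix, "Linux": linux, "AIX": aix, "mac01": mac01}


if __name__ == "__main__":
    for name, zone in build_example().items():
        profile = resolve_profile(zone, "qa-lab")
        print(f"{name:6} complete={is_complete(profile)!s:5} missing={missing_attributes(profile)} {profile}")
```

Running the block shows the profile is partial at the UNIX parent (no home or shell), complete from the Linux child downward, with the AIX grandchild overriding only the shell and the Mac computer overriding only the home directory.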
Specifying Profile States
The profile state lets you control whether a local user account is in place in /etc/passwd and is enabled for use locally. When you create a local user account, you specify the initial profile state. You can change the profile state afterward to control availability of the local user account. A local user account can have one of the following states:
- Enable: If the user profile is complete, it will be installed or updated in /etc/passwd at the next local account refresh interval. The user can log into the local computer, and is visible in Access Manager if a role with the visible right (such as local listed) is granted to the user. See Roles and local user account visibility for more information about how roles affect local user visibility.
- Disable: If the user profile is complete, it will be installed or updated in /etc/passwd at the next local account refresh interval. However, the user will not be able to log into the local computer. This state results in what is typically called a “locked account.” UNIX and Linux service accounts and system accounts are typically set up as locked accounts.
- Remove from /etc/passwd: The user profile will be removed from /etc/passwd at the next local account refresh interval.
You can also choose not to define the profile state by deselecting the State check box in the Set Local User Profile dialog. Deselecting the State check box results in one of the following scenarios:
- If a local user profile with the same name exists in the parent zone, the state from the parent user profile is inherited.
- If the parent zone does not contain a user profile with the same name, or if a parent user profile exists but does not define the state, the user profile that you are currently defining is considered incomplete.
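To make the three states concrete, the following Python simulates one local account refresh against passwd-format text: Enable installs or updates the entry, Disable installs or updates it with the password field set to !! (as the page describes later for disabled local users), Remove deletes it, and a profile with an undefined state or a missing required attribute is ignored as incomplete. This is an added example, not the agent's code, and it runs on constructed text rather than a real /etc/passwd. Two details are assumptions of the simulation: a newly installed entry gets x in the password field (the page assigns real passwords through a separate process), and re-enabling a locked entry resets that field to x.

```python
# Profile states as the page defines them
ENABLE, DISABLE, REMOVE = "enable", "disable", "remove"
# The page states that a disabled profile gets "!!" in the /etc/passwd password field
LOCKED_PASSWORD = "!!"
# Attributes a local user profile needs to be complete (GECOS is optional for local users)
REQUIRED_LOCAL = ("login", "uid", "gid", "home", "shell")


def parse_passwd(text):
    """Map login -> the seven colon-separated passwd fields, preserving file order."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        entries[fields[0]] = fields
    return entries


def apply_refresh(passwd_text, profiles):
    """Simulate one local account refresh and return the new passwd text."""
    entries = parse_passwd(passwd_text)
    for p in profiles:
        state = p.get("state")
        if state is None:
            continue                                  # state undefined -> incomplete, ignored
        login = p.get("login")
        if state == REMOVE:
            entries.pop(login, None)                  # removal needs no other attributes
            continue
        if any(p.get(a) in (None, "") for a in REQUIRED_LOCAL):
            continue                                  # partial profile -> not installed
        new = [login, "x", str(p["uid"]), str(p["gid"]),
               p.get("gecos", ""), p["home"], p["shell"]]
        old = entries.get(login)
        if old is not None and old[1] != LOCKED_PASSWORD:
            new[1] = old[1]                           # keep the existing password field
        if state == DISABLE:
            new[1] = LOCKED_PASSWORD                  # "locked account"
        elif state != ENABLE:
            raise ValueError(f"unknown profile state {state!r} for {login}")
        entries[login] = new                          # dict keeps the original position
    return "".join(":".join(f) + "\n" for f in entries.values())


# Constructed sample input: current passwd content and the profiles defined in Access Manager.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
svc-backup:x:1001:1001:Backup service:/var/backups:/bin/sh
olduser:x:1002:1002:Departed user:/home/olduser:/bin/bash
"""
SAMPLE_PROFILES = [
    {"login": "qa-lab", "uid": 5001, "gid": 5001, "gecos": "QA lab",
     "home": "/home/qa-lab", "shell": "/bin/bash", "state": ENABLE},
    {"login": "svc-backup", "uid": 1001, "gid": 1001, "gecos": "Backup service",
     "home": "/var/backups", "shell": "/bin/sh", "state": DISABLE},
    {"login": "olduser", "uid": 1002, "gid": 1002, "home": "/home/olduser",
     "shell": "/bin/bash", "state": REMOVE},
    {"login": "partial", "uid": 5002, "gid": 5002, "home": "/home/partial",
     "state": ENABLE},                                # no shell -> incomplete
    {"login": "nostate", "uid": 5003, "gid": 5003, "home": "/home/nostate",
     "shell": "/bin/sh"},                             # state undefined -> incomplete
]


def refresh_example():
    """Apply the constructed profiles once and return the resulting entries."""
    return parse_passwd(apply_refresh(SAMPLE_PASSWD, SAMPLE_PROFILES))


if __name__ == "__main__":
    print(apply_refresh(SAMPLE_PASSWD, SAMPLE_PROFILES), end="")
```

In the sample, qa-lab is appended, svc-backup keeps its entry but is locked with !!, olduser disappears, and the two incomplete profiles leave the file untouched; running the refresh a second time with svc-backup set to Enable unlocks it again.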
Roles and Local User Account Visibility
You use role assignments to control whether local users are visible in a zone. A predefined role definition, local listed, is available for use with local user and local group profiles. As with the listed predefined role, the local listed role does not grant any system rights, PAM rights, or command rights. It is a specialized role that can be used when a local user profile must exist for computers in a zone, but no local user access should be granted.
You can optionally define other roles in the zone to grant visibility to local users.
As with role assignments for Active Directory users, local user role assignments can be made at the zone level, computer level, or computer role level. Use the following guidelines to establish where local users are visible in Access Manager:
- To make a local user visible to all computers in a zone, assign the local listed role to the local user account (or to all local UNIX accounts) in the zone (for example, assign local listed to users located in Zones > Zonename > UNIX Data > Local Users).
- To make a local user visible only to a specific computer, assign the local listed role to the local user account (or to all local UNIX accounts) located in the computer zone (for example, assign local listed to users located in Zones > Zonename > Computers > Computername > UNIX Data > Local Users).
- To make a local user visible only to a group of computers, create a computer role and assign the local listed role to the local user account (or to all local UNIX accounts) in the computer role.
How Often Access Manager and Local User Accounts are Synchronized
The /etc/passwd file on local computers is updated periodically based on the information that you define for local user profiles in Access Manager. The /etc/passwd update interval is controlled by the following group policy and configuration parameter:
- Group Policy: Set refresh interval for access control cache, located in Computer Configuration > Delinea Settings > DirectControl Settings > Network and Cache Settings.
- Configuration parameter: adclient.refresh.interval.dz, located in the /etc/centrifydc/centrifydc.conf configuration file.
These are the same group policy and parameter that control how often the authorization store cache is updated. Local account information is updated immediately after authorization store information is refreshed in the authorization cache.
For more information, see Enabling and configuring local account management of this guide. For additional group policy and configuration parameter information, see the Group Policy Guide, and the Configuration and Tuning Reference Guide.
Steps for Completing This Task
To Create a User Profile for a Local User Using Access Manager, Method 1
This method begins from the Local Users node, and allows you to assign just one role, local listed, to the local user. To use the Add User to Zone wizard, which lets you assign other roles to the local user, see [To create a user profile for a local user using Access Manager, Method 2](#to-create-a-user-profile-for-a-local-user-using-access-manager-method-2).
1. Open Access Manager.
2. Expand Zones and any parent zones, child zones, or computers required to select the zone or computer to which you want to add the local user.
3. Expand UNIX Data and select Local Users.
   You can create a new local user in these ways:
   - By dragging and dropping an existing local user from another location. Expand zones or computers to the location of the original local user, and drag it to the location of the new local user. The local user is moved to the new location, and no longer exists in the original location. To copy the original user to the new location and also retain it in the original location, press <Ctrl> while you drag the user.
   - By cutting or copying an existing local user from another location, and then pasting it into the current location. Expand zones or computers to the zone where the original local user exists, right-click a local user and select Cut or Copy, return to the zone where you are creating the new local user, right-click, and select Paste.
   - By creating an entirely new local user. Perform Step 4 through Step 8 of this procedure.
4. In Local Users, right-click, then click Add User to Zone.
5. Type a name for the new local user and click OK.
6. In the Set UNIX User Profile dialog, select or deselect check boxes to specify which attributes to set. You must specify at least one attribute to be able to save the profile.
   If a parent profile for the same local user name already exists in a parent zone, some attribute fields will already be filled in with inherited values. You can edit profile fields to customize inherited values, and you can deselect other profile fields to inherit attribute values from the parent profile.
   - UID: Type a numeric user ID of your choice.
   - Primary group: From the drop-down list, select an existing group, or select <Not defined> to leave the PGID attribute undefined, or select <...> to see additional group choices or to create a new local group.
     To create a new local group after clicking <...>, click Add in the Select a Group dialog, and follow the procedure for creating a new local group starting with Step 5 in the section To create a group profile for a local group using Access Manager.
   - GECOS: Optionally type general information of your choice about the local user account. This attribute is not required for the profile to be complete.
   - Home directory: Type the default local computer home directory for the local user.
   - Shell: Select the default shell for the local user. Choices are /bin/bash, /bin/csh, /bin/ksh, /bin/sh, /bin/tcsh, and %{shell}.
   - State: Specify whether the local user account is added and enabled in /etc/passwd. Choices are as follows.
     - Enable: If the user profile is complete, it will be installed or updated in /etc/passwd at the next local account refresh interval. The user will be able to log into the local computer, and the user is visible in Access Manager.
     - Disable: If the user profile is complete, it will be installed or updated in /etc/passwd at the next local account refresh interval. However, the password field in /etc/passwd will be set to !!, and the user will not be able to log into the local computer. This state results in what is typically called a “locked account.” The user is still visible in the zone as long as the local listed role is assigned to the user.
     - Remove from /etc/passwd: The user profile will be removed from /etc/passwd at the next local account refresh interval.
   For the profile to be complete, it must contain the attributes listed in Creating user profiles. You can save the profile even if it is partial, although it will not be implemented in /etc/passwd until you update it in the current zone, or with settings in child zones, so that it is complete, and you set the state to Enable. For example, if you use the same user name but different numeric identifiers on two sets of computers, you can inherit the user name from a parent zone and set the different numeric identifiers in the child zones.
   In the AIX Extended Attributes tab, you can view and set AIX attributes for the local user's zone profile. Click Add to add an attribute and a value, click Edit to change an attribute, or click Remove to remove an attribute from the user's zone profile.
   Note: To modify permissions for a local user, you must first create and save the local user as described in this procedure, and then modify permissions as described in [To modify user profile attributes and permissions for a local user](#to-modify-user-profile-attributes-and-permissions-for-a-local-user).
7. By default, new local users are assigned the local listed role so that local users are visible in Access Manager. This assignment is specified in the Assign local listed role to make this user visible check box. To keep this default assignment, ensure that the check box remains selected.
   To give the local user a different role assignment, deselect the check box. If you deselect the check box, you will need to manually assign a role with visible rights to the local user after completing this procedure.
8. Review your attribute selections and settings, and click OK. If the user profile is complete, it is added to /etc/passwd at the next local account refresh interval.
To Create a User Profile for a Local User Using Access Manager, Method 2
This method describes how to create a local user profile using the Add User to Zone wizard, which lets you assign roles other than just local listed to the local user.
1. Open Access Manager.
2. Expand Zones and any parent zones, child zones, or computers required to select the zone to which you want to add the local user.
3. Right-click the zone, and select Add User.
   The Add User to Zone wizard launches.
4. In the Select User Type dialog, select Local UNIX user, and click Next.
5. In the Specify Local UNIX User dialog, type a name for the local user, and click Next.
6. In the Add User to Zone dialog, select the Define user UNIX profile and Assign roles check boxes. Click Next.
7. Fill in the local user's profile attribute settings in the Define User UNIX Profile dialog as described in Step 6 in the section To create a user profile for a local user using Access Manager, Method 1, and click Next.
8. In the Assign Roles dialog, the local listed role is included by default. To optionally add different roles as choices, click Add and select one or more roles to add to the list.
9. In the Assign Roles dialog, select one or more roles, and click Next.
10. In the Confirm Your Selections dialog, review your choices and click Next.
11. In the final wizard screen, click Finish.
12. Confirm that the new local user was created by expanding UNIX Data in the zone and clicking Local Users. The new local user should be listed in the user details pane.
To Modify User Profile Attributes and Permissions for a Local User
1. In Access Manager, expand UNIX Data for the zone or computer containing the local user that you want to modify.
2. In the Local Users details pane, right-click the local user to modify and select Zone Profile.
   The Properties dialog for the profile is displayed.
3. Modify attribute selections and settings as described in Step 6 in the section To create a user profile for a local user using Access Manager, Method 1. Keep in mind the following considerations when you change attributes.
   If there is no parent profile for the same local user name:
   - You can edit profile fields to customize the value.
   - You can deselect profile fields to define a partial profile.
   If a parent profile for the same local user name already exists in a parent zone:
   - You can edit profile fields to customize the value.
   - You can deselect profile fields to inherit attribute values from the parent profile.
4. To optionally modify user permissions (such as read, write, create or delete child object, and so on), click Permissions. Refer to the “Active Directory permissions required for administrative tasks” chapter in the Planning and Deployment Guide for details about using the Permissions dialog to modify zone-level user and group permissions.
5. Review your changes to the local user profile and click OK.
   Your changes are applied to the local user profile in /etc/passwd at the next local account refresh interval.
To Disable a User Profile for a Local User
This procedure does not remove a local user profile from /etc/passwd. To remove a local user profile from /etc/passwd, perform the procedure described in To remove a user profile for a local user from /etc/passwd.
1. In Access Manager, expand UNIX Data for the zone or computer containing the local user that you want to disable.
2. In the Local Users details pane, right-click the local user and select Change Profile State.
3. Select Disable.
   The local user remains visible in Access Manager. At the next local account refresh interval, the local user's profile in /etc/passwd is modified so that the password field contains !!, and the user cannot log into the local computer.
To Delete a Local User From a Zone
This procedure does not remove a local user profile from /etc/passwd. To remove a local user profile from /etc/passwd, perform the procedure described in To remove a user profile for a local user from /etc/passwd before you delete the local user from the zone.
1. In Access Manager, expand UNIX Data for the zone or computer containing the local user that you want to delete from the zone.
2. In the Local Users details pane, right-click the local user and select Delete.
3. In the confirmation dialog, select Yes to delete the user from the zone. To prevent the confirmation dialog from displaying in the future, select Do not warn me again.
4. In the next confirmation dialog, select Yes.
   The user is removed from the zone, and is no longer controlled through Access Manager. However, the user profile remains in /etc/passwd on local computers.
To Remove a User Profile for a Local User From /etc/passwd
1. In Access Manager, expand UNIX Data for the zone or computer containing the local user that you want to remove.
2. In the Local Users details pane, right-click the local user and select Change Profile State.
3. Perform one of the following procedures:
   - Right-click the local user, select Change Profile State, then select Remove from /etc/passwd.
   - Right-click the local user, select Zone Profile, change the value of the State field to Remove from /etc/passwd, and click OK.
4. At the next local account refresh interval, the local user's profile is removed from /etc/passwd.
Delegating Control of Local User Management Tasks
You can use the Zone Delegation Wizard and Computer Delegation Wizard as described in the Planning and Deployment Guide to delegate control of local user management tasks.
Creating and Managing Local User Passwords
After you create local user profiles as described in the preceding sections, you still need to assign a password to each user. You can create local user passwords in one of these ways:
- By creating a shell script to execute the password command on each local computer, giving each local user the password that you specify in the script. The shell script can be executed manually, or by enabling adclient.local.account.notification.cli to run the script automatically when local accounts are refreshed. This is the least secure way to assign passwords to local users, because the same password is assigned to each user when the script runs. After the script runs, you must change passwords locally so that each password is unique.
  This guide does not include detailed instructions for implementing this method of creating local user passwords.
- If your environment contains a third-party password management product, you can create a shell script that executes on each local computer, giving each local user a random password. The shell script can include a section that submits the passwords to the password management product for storage and maintenance. The shell script can be executed manually, or by enabling adclient.local.account.notification.cli to run the script automatically when local accounts are refreshed.
  A sample shell script, handle_local_accts.sh, is provided in /usr/share/centrifydc/samples/localacctmgmt for you to use as a reference when you create your own shell script. Typically, the shell script that you create should perform the following tasks:
  - Assign a random password to newly provisioned local users, and to local users whose accounts were recently unlocked (that is, re-enabled after having been disabled).
  - Optionally create a home directory for each new local user.
  - Provide the user account information, including the generated passwords, to a third-party password management solution.
  For syntax details about the notification CLI, execute the sample script with the -h option:
  handle_local_accts.sh -h
- If your environment does not contain a third-party password management product and you want to create and maintain unique passwords for each local user, you can use Server Suite to manage local user passwords.
  Using Server Suite to manage local user passwords involves these tasks:
  1. Register for Server Suite.
  2. Download the Delinea Agent for Linux software package.
  3. On each UNIX and Linux computer where you will assign passwords to local users, execute the enroll command to register the computer as a managed resource.
  4. Create a shell script that executes on each local computer, giving each local user a random password. The shell script should include commands to manage generated passwords. The agent package includes a sample shell script that you can use as a reference when you create your own shell script.
  5. Enable the adclient.local.account.notification.cli configuration parameter to run the shell script automatically when local accounts are refreshed.
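The second and third methods above both come down to the same decision: after a refresh, which managed local users need a fresh random password (newly provisioned, or unlocked again after being disabled), which need a home directory, and what must be handed to the vault. The Python below is an added example that plans that work; it is not handle_local_accts.sh or any Delinea code. It compares passwd-format text from before and after the refresh (constructed here), treats a !! password field as a locked account per the page, and assumes the set of managed local user names is supplied by the notification CLI (whose syntax the page only points to via -h). It only builds the chpasswd input lines and vault records; feeding them to chpasswd and to a vault is left to the caller.

```python
import secrets
import string

# Character set for generated passwords: long random alphanumerics from the
# secrets module, with no ":" so each line is safe as chpasswd input.
ALPHABET = string.ascii_letters + string.digits
LOCKED_PASSWORD = "!!"    # the page's marker for a disabled (locked) local account


def snapshot(passwd_text):
    """login -> {"locked": bool, "home": str} from passwd-format text."""
    snap = {}
    for line in passwd_text.splitlines():
        if line.strip() and not line.startswith("#"):
            f = line.split(":")
            snap[f[0]] = {"locked": f[1] == LOCKED_PASSWORD, "home": f[5]}
    return snap


def users_needing_passwords(previous, current, managed):
    """Managed users that are newly provisioned, or re-enabled after being locked."""
    return [u for u, info in current.items()
            if u in managed and not info["locked"]
            and (u not in previous or previous[u]["locked"])]


def generate_password(length=20):
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def plan_password_assignment(previous_text, current_text, managed,
                             host="HOST_PLACEHOLDER", length=20):
    """Work list for one notification run: chpasswd lines, homes to create, vault records.

    `host` is a placeholder for the managed system name recorded in the vault.
    """
    previous, current = snapshot(previous_text), snapshot(current_text)
    plan = {"chpasswd_lines": [], "homes_to_create": [], "vault_records": []}
    for user in users_needing_passwords(previous, current, managed):
        pw = generate_password(length)
        plan["chpasswd_lines"].append(f"{user}:{pw}")
        plan["homes_to_create"].append(current[user]["home"])
        plan["vault_records"].append({"system": host, "login": user, "secret": pw})
    return plan


# Constructed sample: passwd content before and after a refresh, and the managed names.
PREVIOUS_PASSWD = """root:x:0:0:root:/root:/bin/bash
svc-backup:!!:1001:1001:Backup service:/var/backups:/bin/sh
staying-user:x:1003:1003:Unchanged:/home/staying-user:/bin/bash
"""
CURRENT_PASSWD = """root:x:0:0:root:/root:/bin/bash
svc-backup:x:1001:1001:Backup service:/var/backups:/bin/sh
staying-user:x:1003:1003:Unchanged:/home/staying-user:/bin/bash
qa-lab:x:5001:5001:QA lab:/home/qa-lab:/bin/bash
svc-locked:!!:1004:1004:Still disabled:/var/lib/svc-locked:/bin/sh
"""
MANAGED = {"svc-backup", "staying-user", "qa-lab", "svc-locked"}   # root is never touched


def example_plan():
    return plan_password_assignment(PREVIOUS_PASSWD, CURRENT_PASSWD, MANAGED)


if __name__ == "__main__":
    plan = example_plan()
    print("users to set:", [line.split(":")[0] for line in plan["chpasswd_lines"]])
    print("homes to create:", plan["homes_to_create"])
```

Only svc-backup (unlocked since the previous snapshot) and qa-lab (new) get passwords; staying-user keeps its existing one, svc-locked is still disabled, and root is outside the managed set.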