Preparing to Create Zones

As discussed in How zones help you organize information, Delinea zones help you organize computers, users, groups, access rights and other information into logical groups similar to Active Directory organizational units or Network Information Service (NIS) domains. You have several options when choosing the type of zone to create, and the type of zone you select depends entirely on what your organization needs. The first decision to make is the type of zone to create:

  • Hierarchical, which is the default and supports inheritance and overrides.
  • Classic, which is backward-compatible to support older versions of the Delinea Agent.
  • SFU, which supports the Microsoft Services for UNIX schema and is rarely used.
  • Auto Zone, which is a simplified “zone” for computers to join when you don’t need any control over profiles, access rights, or roles and role assignments.

With the exception of SFU zones, you can mix and match any combination of zone types in the same Active Directory forest, as needed. For example, you can create one or more classic zones to support legacy agents, an Auto Zone for a group of computers that don’t require the management of identity attributes or access rights, and hierarchical zones for the computers for which you want to actively manage access rights and privileges.

Creating Hierarchical Zones

Hierarchical zones enable you to establish parent-child zone relationships, allowing profile attributes, rights, role definitions, and role assignments to be inherited down the zone hierarchy. In most cases, you define information in a parent zone so that it is available in one or more child zones, as needed. At any point in the zone hierarchy, you can choose to use or override information from a parent zone.

You should use hierarchical zones if your organization has any of the following requirements:

  • You have existing user and group profiles that must be migrated with legacy identity attributes to maintain existing file ownership.

  • You have user and group profiles that have conflicting identity attributes on different computers.

  • You have users and groups that require different role-based access rights, privileges, and role assignments on different sets of computers.

If you are using hierarchical zones, you can use the local account management feature as described in Managing account profiles and identity attributes.

You can configure multi-factor authentication for login access to Delinea-managed Linux and UNIX computers and for privileged command execution in hierarchical zones, classic zones, and Auto Zone. However, some of the steps differ depending on the type of zone where you want to use multi-factor authentication. For details about configuring multi-factor authentication, see "Preparing to use multi-factor authentication" and the Multi-factor Authentication Quick Start Guide.

Creating Classic Zones

Classic zones do not support inheritance or overrides and have other limitations in how they support role-based access rights. For example, in classic zones, authorization is disabled by default, and must be consciously enabled on a zone-by-zone basis before any role-based access rights or privileges can be configured or assigned.

You should only create new classic zones if your organization has any of the following requirements:

  • You must support older versions of the Delinea Agent for *NIX.
  • You have a user population with very few or no identity attribute conflicts.
  • You have little or no need to centrally manage access rights and privileges.

If you are using classic zones, you cannot use the local account management feature as described in Managing account profiles and identity attributes.

You can configure multi-factor authentication for access to Delinea-managed Linux and UNIX computers and for privileged command execution in classic zones. However, the implementation is slightly different than in hierarchical zones, so some of the steps differ depending on the type of zone where you want to use multi-factor authentication. For details about configuring multi-factor authentication, see "Preparing to use multi-factor authentication" and the Multi-factor Authentication Quick Start Guide.

Creating an Auto Zone

Most organizations that deploy the Delinea Agent on Linux or UNIX computers have an existing user population to migrate to Active Directory, and hierarchical zones make the most sense. However, multiple zones are not required for all situations. You can greatly reduce the time required and complexity of your deployment if a single zone suits your organization’s needs. This type of zone is created automatically when computers join the domain using the --workstation option.

An Auto Zone automatically enables all of the users and groups in an Active Directory forest to become valid users and groups on the Linux and UNIX computers that join the Auto Zone. Their profiles are generated automatically and there’s no need to manage account profiles, access rights, privileges, or delegated administrative tasks.

You should only use the Auto Zone option if your organization meets the following requirements:

  • You are not migrating an existing user population.
  • You want to automatically generate profiles for all or most Active Directory users and groups without managing identity attributes.
  • You don’t want to configure and manage role-based access rights and privileges or role assignments.

If you are using an Auto Zone, you cannot use the local account management feature as described in Managing account profiles and identity attributes.

You can configure multi-factor authentication for both licensed and Express agents to control access to Delinea-managed Linux and UNIX computers. For licensed agents, you can also require multi-factor authentication to run privileged commands in an Auto Zone. However, the implementation is slightly different than in hierarchical zones, so some of the steps differ depending on the type of zone where you want to use multi-factor authentication. For details about configuring multi-factor authentication, see the Multi-factor Authentication Quick Start Guide.