Permissions Required for Administrative Tasks

This chapter describes the permissions required to perform administrative tasks that affect Centrify-specific objects in Active Directory. You can set these permissions manually for individual users and groups who manage Centrify zones in Active Directory. However, setting permissions manually can be time-consuming and error-prone. In most cases, you should use the Zone Delegation Wizard to authorize users to perform specific tasks.

At a minimum, all Access Manager actions require users to have generic Read permission. This permission is typically granted to all Authenticated Users by default.

Because Authenticated Users have read access, they can run reports in the Report Center. No additional rights need to be granted to enable users to run reports.

How Permissions Are Set

Access Manager requires specific rights for administrators to work with objects such as UNIX users, groups, and computers within Active Directory. As part of your deployment planning process, you should review the rights required to set up and manage Centrifyspecific objects and be familiar with how to manually assign rights for managing Centrify objects, if needed.

Built-in Windows groups, such as Domain Admins and Domain Users, have default permissions, which might be customized for your organization. In general, the administrators for the forest root domain have broad authority to set permissions for all other users and groups, including the administrators of other domains. Therefore, whether you can modify the permissions for specific users and groups within your Active Directory environment will depend on the policies of your organization.

If you have the appropriate authority, there are several ways you can access, verify, and modify the permissions assigned to specific users and groups.

For example, you can view and modify permissions in the following ways:

  • Use ADSI Edit to directly modify any Active Directory attributes.

  • Use Active Directory Users and Computers to set basic or advanced permissions on any Active Directory object through the Security tab.

    To display the Security tab, select View > Advanced Features. To access some permissions, however, your user account must have Create all child objects or Write all properties permissions.

  • Run the Zone Delegation Wizard to set the appropriate permissions for specific users or groups to perform specific tasks within a zone.

  • Click Permissions when viewing Zone Properties in Access Manager to set basic or advanced permissions on any zone object.

  • Click Permissions when viewing the Centrify Profile for a user in Access Manager to set basic or advanced permissions on any user object.

The following steps illustrate how you can set permissions from Active Directory Users and Computers:

  1. Open the console and connect to the Active Directory domain.

  2. Select an Active Directory object, such as a user or computer, rightclick, then click Properties.

  3. Click the Security tab, then click Advanced.

    Active Directory security permissions

  4. Select the user or group to which you want to assign rights, then click Edit.

    Edit Active Directory permissions

    If the user or group to which you want to assign permissions isn’t listed, click Add to find the account.

  5. In the Permission Entry dialog box, click the Object or Properties tab, as needed.

    Selecting Object or Properties and where the permission should be applied varies depending on the task you are allowing a user or group to perform.

  6. Select the specific rights you want to assign by scrolling to find the permission, then clicking the Allow check box.

    Active Directory Allow permissions

  7. When you are finished setting the appropriate permissions, click OK.

    For more specific information about how to set permissions on Active Directory objects and properties and how to view, modify, and remove permissions, see your Active Directory documentation.

Permissions Required to Use the Setup Wizard

In most cases, you run the Setup Wizard to guide you through the configuration of Active Directory for Centrify. The Setup Wizard updates Active Directory with Centrify-specific objects and properties, including zone and license containers that are required for proper operation.

To successfully perform initialization tasks, the user account that runs the Setup Wizard must have specific rights. Because some of these rights might be reserved for administrative accounts, some users might be prevented from performing certain steps in the Setup Wizard.

To allow other user accounts to run the Setup Wizard, you can manually create the appropriate container objects, then assign to those objects only the specific permissions needed to correctly complete the configuration of Centrify-specific objects. Users can then use the Setup Wizard to select the appropriate container objects and perform all of the necessary steps without being members of an administrative group.

Licenses Container Permission Requirements

The following table describes the minimum rights that must be applied to the Centrify specific container objects or other users to successfully complete the configuration of Centrify software.

This target object Requires these permissions Applied to
Licenses container Read all properties Create classStore Objects Modify permissions This object only
Write Description property Write displayName property This object and all child objects
The Setup Wizard requires you to create or select at least one parent container for license keys. By default, this container object is: domain/Program Data/Centrify/Licenses You can create additional License containers, if needed, through the Manage Licenses dialog box. By default, all Authenticated Users have read and list contents permission for the Licenses container and all of its child objects. You can change these permissions if you want to restrict access to Access Manager.
Zones container or any container used as a destination for a new zone Read all properties Create classStore Objects Create container objects This object only
Write displayName property This object and all child objects
The Setup Wizard requires you to create or select a parent container object for creating new zones. By default, this container object is: domain/Program Data/Centrify/Zones You can use other containers for zones, if needed. For example, if you have created a separate high-level organizational unit called UNIX as the parent container: domain/UNIX/Zones
ZoneName/Computers container Create group objects Write Description property This object only
These permissions are only needed if you are supporting “agentless” authentication in a zone.
Computers container For example, the generic Computers container: domain.com/Computers Write operatingSystem property Write operatingSystemVersion property Write operatingSystemHotfix property Write operatingSystemServicePack property SELF on Computer objects
These permission are granted to each computer’s SELF account when you select the Grant computer accounts in the Computers container permission to update their own account information option in the Setup Wizard.

Licenses Container Permissions

The following table describes the minimum rights that must be applied to the Centrify Licenses container that stores the license keys for your installation.

This target object Requires these permissions Applied to
Licenses container Read all properties Create classStore Objects Modify permissions This object only
Write Description property Write displayName property This object and all child objects

The Setup Wizard requires you to create or select a parent container for license keys. The default location for the parent container for license keys depends on the organizational structure you deploy. For example, if you use the recommended organizational structure, the default location for licenses would be domain/Centrify/Licenses.

You must have at least one parent container for license keys in the forest. You might want to create more than one license container objects to give you more granular control over who has access to which licenses.

By default, all Authenticated Users have Read and List Contents permission for the Licenses container and all of its child objects. These permissions are required to use Access Manager. You can change who has these permissions if you want to prevent users from using Access Manager.

Zones Container Permissions

The following table describes the minimum rights that must be applied to the Centrify Zones container.

This target object Requires these permissions Applied to
Zones container or any container used as a destination for a new zone Read all properties Create classStore Objects Create container objects This object only
Write displayName property This object and all child objects
Change the default zone container Delete Previous zone container

The Setup Wizard requires you to create or select a parent Zones container object for new zones. The default location for the parent container for new zones depends on the organizational structure you deploy. For example, if you use the recommended organizational structure, the default location for new zones would be domain/Centrify/Zones. You can use other containers for zones or create multiple parent containers for zones to separate administrative duties for different groups.

Computers Container Permissions

The following table describes the minimum rights that must be applied to the generic Computers container (domain/Computers).

This target object Requires these permissions Applied to
Computers container Write operatingSystem property Write operatingSystemVersion property Write operatingSystemHotfix property Write operatingSystemServicePack property SELF on Computer objects

These permission are granted to each computer’s SELF account when you select the Grant computer accounts in the Computers container permission to update their own account information option in the Setup Wizard.

Computers Container Within a Zone Permissions

The following table describes the minimum rights that must be applied to the Computers container in a named zone if you are supporting “agentless” authentication in that zone.

This target object Requires these permissions Applied to
ZoneName/Computers container Create group objects Write Description property This object only

Creating Parent Containers Manually

Some organizations prefer to create and manage Active Directory objects manually to ensure tight control over the objects and their related attributes. For example, you might want to manually create separate Zones or Licenses parent containers for different business units or geographic locations so that you can manually set different sets of permissions and related properties on those containers. Creating objects manually also enables you to have precise control over who has access to the objects.

You can create the container objects anywhere in the forest’s directory structure, but you must have at least one parent Zones container object and at least one parent Licenses container object.

Optional Administrative Tasks

By default, Centrify does not require you to be an enterprise administrator or domain administrator of the forest root domain to install or configure Centrify-specific properties. However, some optional configuration tasks do require you to be an enterprise administrator or a domain administrator of the forest root domain.

These optional tasks involve:

  • Creating display specifiers for Centrify profiles to enable access to the Centrify Profile properties page in Active Directory Users and Computers.
  • Registering the administrative notification handler to ensure data consistency if users delete Centrify objects using Active Directory Users and Computers.
  • Setting permissions for zones objects to enable maximum control over the placement of and rights associated with Centrify-related objects within Active Directory.

In most cases, if you want to perform any of these tasks, you must use an account that is an enterprise administrator or a domain administrator of the forest root domain.

Creating Display Specifiers for Centrify Profiles

To display the Centrify Profile properties in Active Directory Users and Computers, you must be an enterprise administrator or a domain administrator for the forest root domain because adding the Centrify Profile to Active Directory Users and Computers requires you to add display specifiers to Active Directory.

A display specifier is an Active Directory object that allows you to add components to the Active Directory Users and Computers (ADUC) Microsoft management console (MMC) snap-in.

If you want to make the Centrify Profile available in Active Directory Users and Computers, an enterprise administrator can manually define the display specifiers (under domain/Configuration/DisplaySpecifiers/LanguageID/) for computer, group, and user properties by modifying the adminPropertyPages attribute with the appropriate GUID. For example, if the Active Directory domain is ajax.org and the language you support is US-English (CN=409), you would define the display specifiers in:

ajax.org/Configuration/DisplaySpecifiers/409

Adding the display specifiers for Centrify properties is an optional step you can perform manually using ADSI Edit or by running the displayspecifier.vbs script. If you manage all Centrify objects through Access Manager, you do not need to perform this task.

To use the displayspecifier.vbs script to set up the display specifiers:

  1. Log on using an enterprise administrator account or a domain administrator for the forest root domain.

  2. Open a Command Prompt window and change to the Centrify installation directory. For example:

    cd C:\Program Files\Centrify\Access Manager

  3. Run the displayspecifier.vbs script.

    If you want to manually add the display specifiers to display property pages in Active Directory Users and Computers, you must create the following entries using ADSI Edit, where n is the next number in the index of values for the attribute:

For this target object Set this attribute To
computer-Display displaySpecifier adminPropertyPages n,{DB5E4BE1-A0F0-4e6c-AD8A-B46475D727CB}
group-Display displaySpecifier adminPropertyPages n,{0CDC9AD0-E870-483f-8D16-17EAB3B7F881}
user-Display displaySpecifier adminPropertyPages n,{543DBFE3-317D-4493-8D00-84591E4EDCDE}
inetOrgPerson-Display adminPropertyPages n,{543DBFE3-317D-4493-8D00-84591E4EDCDE}

For example, if the Active Directory domain is ajax.org and the language you support is US-English (CN=409), you would add these entries to the objects in:

ajax.org/Configuration/DisplaySpecifiers/409

In most cases, you only need to set up the display specifiers once for the Active Directory forest. If you support multiple languages, you can manually add the display specifiers to each language you support. For example, if your organization supports US-English (CN=409), Standard French (CN=40C), and Japanese (CN=411), you would add the display specifiers to these three containers. Once you have updated Active Directory by running the displayspecifier.vbs script or by manually adding the display specifiers, you can access the Centrify Profile properties using Active Directory Users and Computers.

Registering the Administrative Notification Handler

The administrative notification handler provides services to ensure data integrity in the Active Directory forest. You can register the notification handler automatically through the Setup Wizard the first time you start Access Manager, but this requires an account that is an enterprise administrator or a domain administrator in the forest root domain.

Registering the administrative notification handler is optional, but doing so helps to ensure that no orphan UNIX data is left in the directory if a user, group, or computer is deleted using Active Directory Users and Computers. When registered, the notification handler automatically deletes any service connection point (SCP) dependencies on a directory object if the directory object is deleted. Without this service, deleting a directory object such as a computer or user account in Active Directory might leave an orphan service connection point for the object in the directory.

If you don’t want to perform this step in the Setup Wizard, you can manually configure the administrative notification handler using ADSI Edit or you can choose not to register the administrative notification handler for Centrify. If you choose not to register the administrative notification handler, however, you should periodically run the Analyze command to check for orphan data in the Active Directory forest.

To manually set up the administrative notification handler for Centrify, add the following entry using ADSI Edit under domain/Configuration/DisplaySpecifiers/LanguageID/ where n is the next number in the index of values for the attribute:

For this target object Set this attribute To
DS-UI-Default-Settings dSUIAdminNotification n,{D0D2C2AE-C143-4C81-A61C-BE95C3C5EEDF}

For example, if the Active Directory domain is ajax.org and the language you support is US-English (CN=409), you would add this entry to the object in:

ajax.org/Configuration/DisplaySpecifiers/409

Granting Permissions For Administrative Tasks

The easiest way to grant permissions to perform administrative tasks is to use the Zone Delegation Wizard. The Zone Delegation Wizard enables you to delegate specific administrative tasks to specific users and groups. For each task you delegate to a specific user or group, you are providing that user or group with a specific set of permissions for working with objects in Active Directory.

The user who creates a zone has full control on the zone’s serviceConnectionPoint. That user has exclusive permission to delegate administrative tasks to other users. The user who creates a zone is also the only user who can add NIS maps to the zone because creating NIS maps requires permission to create containers in Active Directory. The zone creator can, however, grant other users permission to add, remove, or modify NIS map entries.

The following table summarizes the permissions that can be assigned through your selections in the Zone Delegation Wizard. In addition to the permissions listed, however, the basic Read permission is required to perform any action. The Read permission is granted to Authenticated Users by default.

Selecting this task Grants these rights
All Permissions to perform all of the actions listed in the Zone Delegation Wizard and described below. This option allows a designated user or group to perform all of the other actions. Only the user who creates a zone can grant this permission to other users and groups for the zone.
Change zone properties List contents on the ZoneName object container. Read all properties on the ZoneName object container. Write name on the ZoneName object container. Write Name on the ZoneName object container. Write Description property on the ZoneName object container.
Add users List contents on the ZoneName/Users object container. Read all properties on the ZoneName/Users object container. Create serviceConnectionPoint objects on the ZoneName/Users object container.
Add groups List contents on the ZoneName/Groups object container. Read all properties on the ZoneName/Groups object container. Create serviceConnectionPoint objects on the ZoneName/Groups object container.
Add local users List contents on the ZoneName/Local Users object container. Read all properties on the ZoneName/Local Users object container. Add local users to the zone.
Add local groups List contents on the ZoneName/Local Groups object container. Read all properties on the ZoneName/Local Groups object container. Add local groups to the zone.
Join computers to the zone List contents on the ZoneName/Computers object container. Read all properties on the ZoneName/Computers object container. Create serviceConnectionPoint objects on the ZoneName/Computers object container. Note Joining the domain requires additional permissions on the Active Directory computer object, but the join command performs the necessary operations without requiring the additional permissions to be granted to the user or group you are designating as a trustee.
Remove zones List contents on the ZoneName object container. Read all properties on the ZoneName object container. Allow Delete on the ZoneName object container. Allow Delete Subtree on the ZoneName object container.
Remove users List contents on the ZoneName/Users object container. Read all properties on the ZoneName/Users object container. Delete serviceConnectionPoint objects on the ZoneName/Users object container.
Remove groups List contents on the ZoneName/Groups object container. Read all properties on the ZoneName/Groups object container. Delete serviceConnectionPoint objects on the ZoneName/Groups object container.
Remove local users List contents on the ZoneName/Local Users object container. Read all properties on the ZoneName/Local Users object container. Remove local users from the zone.
Remove local groups List contents on the ZoneName/Local Groups object container. Read all properties on the ZoneName/Local Groups object container. Remove local groups from the zone.
Remove computers from the zone List contents on the ZoneName/Computers object container. Read all properties on the ZoneName/Computers object container. Delete serviceConnectionPoint objects on the ZoneName/Computers object container.
Modify user profiles List contents on the ZoneName/Users object container. Read all properties on the ZoneName/Users object container. Write cn on the serviceConnectionPoint object. Write name on the serviceConnectionPoint object. Write Name on the serviceConnectionPoint object. Write keywords on the serviceConnectionPoint object. For RFC 2307-compliant zones, modifying the user’s UNIX profile also requires the following rights on the serviceConnectionPoint object of the UNIX user object: Write uid. Write uidNumber. Write loginShell. Write gidNumber. Write gecos. Write unixHomeDirectory. The additional rights for RFC 2307-compliant zones are applied to the posixAccount object associated with the serviceConnectionPoint for the UNIX user object.
Modify group profiles List contents on the ZoneName/Groups object container. Read all properties on the object containers. Write name on the serviceConnectionPoint object. Write Name on the serviceConnectionPoint object. Write keywords on the serviceConnectionPoint object. For RFC 2307-compliant zones, modifying the group’s UNIX profile also requires the following rights applied to the posixGroup object associated with the serviceConnectionPoint object of the UNIX group object: Write gidNumber.
Modify local user profiles List contents on the ZoneName/Local Users object container. Read all properties on the ZoneName/Local Users object container. Modify local users in the zone. Parameters that can be modified are: User name (the UNIX login name). The user identifier (UID). The user’s primary group profile numeric identifier (GID). The default home directory for the user. The default login shell for the user. General information about the user account (GECOS). State.
Modify local group profiles List contents on the ZoneName/Local Groups object container. Read all properties on the object containers. Modify local groups in the zone. Parameters that can be modified are: Group name. Group members. Group identifier (GID). State.
Modify computer profiles List contents on the ZoneName/Computers container object. Read all properties on the ZoneName/Computers container object. Write description on the ZoneName/Computers container object if the zone is a hierarchical zone. Write keywords on the serviceConnectionPoint object. Write displayName on the serviceConnectionPoint object. Write cn on the serviceConnectionPoint object. Write name on the serviceConnectionPoint object.
Allow computers to respond to NIS client requests List contents on the ZoneName/Computers/zone_nis_servers group object. Read all properties on the ZoneName/Computers/zone_nis_servers group object. Write member property of group object on the ZoneName/Computers/zone_nis_servers group object.
Import users and groups to zone List contents on the ZoneName/Users and ZoneName/Groups container object. Read all properties on the ZoneName/Groups container object. Create serviceConnectionPoint on the ZoneName/Users and ZoneName/Groups container objects. Write cn on the serviceConnectionPoint object. Write name on the serviceConnectionPoint object. Write managedby on the serviceConnectionPoint object. Write displayName on the serviceConnectionPoint object. Write keywords on the serviceConnectionPoint object. For RFC 2307-compliant zones, importing users also requires the following rights on the serviceConnectionPoint object of the UNIX user object ZoneName/Users: - Write uid. - Write uidNumber. - Write loginShell. - Write gidNumber. - Write unixHomeDirectory. - Write gecos. For RFC 2307-compliant zones, importing groups also requires the following right on the serviceConnectionPoint object of the UNIX group object under ZoneName/Groups: - Write gidNumber.
Manage roles and rights List contents on the AzTask container and all child objects. Read all properties on the AzTask container and all child objects. Create msDS-AzTask objects Delete msDS-AzTask objects Write msDS-AzApplicationData on the msDs-AzTask object. Write cn on the msDs-AzTask object. Write name on the msDs-AzTask object. Write description on the msDs-AzTask object. Write msDs-OperationsForAzTask on the msDs-AzTask object. List contents on the AzOperation container and all child objects. Read all properties on the AzOperation container and all child objects. Create msDS-AzOperation objects Delete msDS-AzOperation objects Write msDs-AzApplicationData on the msDs-AzOperation object. Write cn on the msDs-AzOperation object. Write name on the msDs-AzOperation object. Write description on the msDs-AzOperation object. List contents on the msDS-AzAdminManager object. Read all properties on msDS-AzAdminManager object. Write msDs-AzApplicationData on msDS-AzAdminManager object.
Manage role assignments List contents on the msDS-AzAdminManager object and all child objects. Read all properties on the msDS-AzAdminManager object and all child objects. Create msDS-AzRole objects. Delete msDS-AzRole objects. Write msDS-AzApplicationData on the msDS-AzRole object. Write msDS-TasksForAzRole on the msDS-AzRole object. Write msDS-MembersForAzRole on the msDS-AzRole object. Write displayName on the msDS-AzRole object. Write msDS-AzApplicationData on the msDS-AzAdminManager object.
Modify computer roles List contents on the ZoneName object and all child objects. Read all properties on the ZoneName object and all child objects. Write msDS-AzApplicationData Write msDS-AzScopeName Write description
Add or remove NIS map entries List contents on the ZoneName/NISMaps object container. Read all properties on the ZoneName/NISMaps object container. Create classStore Objects on the ZoneName/NISMaps object container. Write name on the ZoneName/NISMaps object container. Write Name on the ZoneName/NISMaps object container.
Modify NIS map entries List contents on the ZoneName/NISMaps object container. Read all properties on the ZoneName/NISMaps object container. Write adminDescription on the classStore object. Write Description on the classStore object. Write wWWHomePage on the classStore object.
Remove NIS maps List contents on the ZoneName/NISMaps object container. Read all properties on the ZoneName/NISMaps object container. Allow Delete on the MapName object. Allow Delete Subtree on the MapName object.

In some cases, the permissions granted through the Zone Delegation Wizard are a subset of the complete permissions required to perform some tasks. For information about the complete permissions required to perform a specific task, see the section that describes the permissions for performing that task. For example, for information about setting permissions for NIS maps, see Setting permissions for NIS maps.

Setting permissions for zones

The user who creates a zone has full control over zone properties and administrative tasks. Only the zone owner can delegate administrative tasks to other users and groups through the Zone Delegation Wizard. In most cases, the users who are allowed to create zones have domain administrator privileges and sufficient permissions to perform all administrative tasks and to delegate administrative tasks to other users.

If you manually set permissions to allow domain users to create zones, however, you should also manually set the permissions to allow those users to manage rights and roles or notify zone administrators that they should run the Zone Delegation Wizard and assign those tasks to their own account or to appropriate users and groups. At least one administrator must have permission to add an authorization store, define rights and roles, and manage role assignments in each zone. All users must have at least one valid role assignment to access a zone.

Creating a Zone

To create new zones, your user account must be set with the following permissions:

Select this target object To apply these permissions
Parent container for new zones you created or selected in the Setup Wizard. For example: domain/UNIX/Zones On the Object tab, select Allow to apply the following permission to this object and all child objects: Create Container Objects Create Organizational Unit Objects Note Both permissions are required if you want to allow zones to be created as either container objects or organizational unit objects.
Parent container for Computers in the zone On the Object tab, select Allow to apply the following permission to this object only: Create group objects Click the Properties tab and select Allow to apply the following properties to this object only: Write Description property These permissions are only needed if you are supporting “agentless” authentication in the new zone.

Opening Zones

To open an existing zone, your user account must be set with the following permissions:

Select this target object To apply these permissions
Parent container for new zones For example: domain/UNIX/Zones On the Object tab, select Allow to apply the following permission to this object: List contents
Container for the individual zone For example, a ZoneName container object, such as: domain/UNIX/Zones/arcade Click the Properties tab and select Allow to apply the following properties to this object only: Read allowedAttributes Read allowedAttributesEffective Read canonicalName Read Description Read displayName Read name Read objectClass
Parent container for Users in the zone Click the Properties tab and select Allow to apply the following properties to this object only: Read objectClass
Parent container for Groups in the zone Click the Properties tab and select Allow to apply the following properties to this object only: Read objectClass

Modifying Zone Properties

To modify zone properties for a zone, your user account must be set with the following permissions:

Select this target object To apply these permissions
Container for an individual zone For example, a ZoneName container object: domain/UNIX/Zones/arcade Click the Properties tab and select Allow to apply the following properties to this object only: Read Name Read name Read Description Read displayName Write Description Note You can grant these permission to specific users or groups by selecting the Change zone properties task in the Zone Delegation Wizard. These permissions also enable you to change the parent zone for a selected zone object.

Renaming a Zone

To rename a zone, your user account must be set with the following permissions:

Select this target object To apply these permissions
Container for an individual zone For example, a ZoneName container object, such as: domain/UNIX/Zones/arcade Click the Properties tab and select Allow to apply the following properties to this object only: Write name property Write Name property Note You can grant this permission to specific users or groups by selecting the Change zone properties task in the Zone Delegation Wizard.

Deleting a Zone

To delete a zone from Active Directory, your user account must be set with the following permissions:

Select this target object To apply these permissions
Container for an individual zone For example, a ZoneName container object, such as: domain/UNIX/Zones/arcade On the Object tab, select Allow to apply the following properties to this object only: Delete Delete Subtree Click the Properties tab and select Allow to apply the following properties to this object only: Read Name Read name Read displayName Note You can grant this permission to specific users or groups by selecting the Delete zone task in the Zone Delegation Wizard.

Managing Roles and Rights in a Zone

To manage rights and roles in a zone, including creating and deleting role definitions and updating time constraints, your user account must be set with the following permissions:

Select this target object To apply these permissions
Container for the authorization store For example: domain/UNIX/Zones/arcade/Authorization On the Object tab, select Allow to apply the following properties to this object and all child objects: List contents Read all properties Click the Properties tab and select Allow to apply the following properties to the msDS-AzAdminManager object: Write msDS-AzApplicationData
AzTaskObjectContainer On the Object tab, select Allow to apply the following properties to this object and all child objects: List contents Read all properties Create msDS-AzTask objects Delete msDS-AzTask objects Click the Properties tab and select Allow to apply the following properties to msDS-AzTask objects: Write msDS-AzApplicationData Write cn Write name Write description Write msDs-OperationsForAzTask
AzOpObjectContainer On the Object tab, select Allow to apply the following properties to this object and all child objects: List contents Read all properties Create msDS-AzOperation objects Delete msDS-AzOperation objects Click the Properties tab and select Allow to apply the following properties to msDS-AzOperation objects: Write msDS-AzApplicationData Write cn Write name Write description

Managing Role Assignments in a Zone

To manage role assignments in a zone, your user account must be set with the following permissions:

Select this target object To apply these permissions
Container for the authorization store For example: domain/UNIX/Zones/arcade/Authorization On the Object tab, select Allow to apply the following properties to this object only: List contents Read all properties Create all child objects Delete all child objects Click the Properties tab and select Allow to apply the following properties to this object only: Write msDS-AzApplicationData Click the Properties tab and select Allow to apply the following properties to msDS-AzRole objects: Write displayName Write msDS-AzApplicationData Write msDS-TasksForAzRole Write msDS-MembersForAzRole
Computers container in the zone On the Object tab, select Allow to apply the following properties to this object only: Create Container Right This permission is required to allow a delegated user to make the first role assignment after a computer is joined to Active Directory.
AzRoleObjectContainer On the Object tab, select Allow to apply the following properties to the msDS-AzApplication object and all child objects: List contents Read all properties Create msDS-AzRole objects Delete msDS-AzRole objects Click the Properties tab and select Allow to apply the following properties to msDS-AzRole objects: Write displayName Write msDS-AzApplicationData Write msDS-TasksForAzRole Write msDS-MembersForAzRole Click the Properties tab and select Allow to apply the following properties to msDS-AzAdminManager objects: Write msDS-AzApplicationData
AzOpObjectContainer On the Object tab, select Allow to apply the following properties to this object only: Read all properties Create msDS-AzOperation objects Delete msDS-AzOperation objects Create msDS-AzRole objects Delete msDS-AzRole objects Click the Properties tab and select Allow to apply the following properties to msDS-AzRole objects: Write displayName Write msDS-AzApplicationData Write msDS-TasksForAzRole Write msDS-MembersForAzRole Click the Properties tab and select Allow to apply the following properties to msDS-AzOperation objects: Read name Read Name Write msDS-AzApplicationData Write name Write description

Changing Computer Role Properties in a Zone

To manage computer role properties in a zone, your user account must be set with the following permissions:

Select this target object To apply these permissions
Container for the authorization store For example: domain/UNIX/Zones/arcade/Authorization/guid The guid object is a globally unique identifier (GUID) for the Authorization object. For example: CN=cab186af-61a0-4d54-a0dd... On the Object tab, select Allow to apply the following properties to this object only: Read all properties Click the Properties tab and select Allow to apply the following properties to msDS-AzScope objects: Read name Read Name Write msDS-AzApplicationData Write msDS-AzScopeName Write description

Setting Permissions to Join or Leave the Domain

To join a UNIX computer to an Active Directory domain without predefining a computer account, your Active Directory user account must be set with the following permissions:

Select this target object To apply these permissions
Parent container object for computer accounts For example: domain/UNIX/Servers On the Object tab, select Allow to apply the following permission to this object only: Create serviceConnectionPoint Objects Note You can grant this permission to specific users or groups by selecting the Join computers task in the Zone Delegation Wizard.

To join a UNIX computer to an Active Directory domain and place the computer account in a specific organizational unit (OU), the Active Directory account used to join the domain must be set with the following permissions:

Select this target object To apply these permissions
Parent container object for the computer accounts On the Object tab, select Allow to apply the following permission to this object only: Create serviceConnectionPoint Objects Create Computer Objects

To join a UNIX computer to an Active Directory domain when you are using a predefined computer account, your Active Directory user account must be set with the following permissions:

Select this target object To apply these permissions
Parent container object for the computer account On the Object tab, select Allow to apply the following permission to this object only: Create serviceConnectionPoint Objects
Computer account object in Active Directory For example, if the computer account is AJAX in the default Active Directory Computers container: domain/Computers/AJAX On the Object tab, select Allow to apply the following permission to this object only: Full Control This permission is required for enabling or disabling a computer account.

To remove a UNIX computer from an Active Directory domain, your Active Directory user account must be set with the following permissions:

Select this target object To apply these permissions
Parent container object for the computer account On the Object tab, select Allow to apply the following permission to this object only: Delete serviceConnectionPoint Objects If you are deleting a computer account, you also need the Delete Computer Objects permission.

This setting only gives the user or group permission to leave an Active Directory domain. If you want to grant permission for a user or group to delete a computer account, you also need the Delete Computer Objects permission.

Setting Permissions for Zone Computers

Although joining or leaving a domain is the primary task for working with computer accounts in Active Directory, there are also specific permissions required to list computers or modify computer properties. The objects and permissions can also vary depending on the type of zone the computer account is associated with and the task to be performed. In most cases, you can grant the required permissions to specific users or groups by selecting the appropriate task in the Zone Delegation Wizard.

In most cases, you can grant the required permissions to specific users or groups by selecting the appropriate task in the Zone Delegation Wizard instead of assigning the permissions manually.

Joining a Computer to a Zone

To join a computer to a zone, your user account must have the following permission:

Select this target object To apply these permissions
Parent container object for the computer account in the zone For example, in a classic zone, the ZoneName/Computers container object: domain/UNIX/Zones/acme/Computers Click the Object tab and select Allow to apply the following permission to this object only: Create serviceConnectionPoint Objects
Computer account object in Active Directory For example, if the computer account name is AJAX: domain/UNIX/Servers/AJAX Click the Object tab and select Allow for the Full Control permission for the user with permission to join the domain. The adjoin command grants the computer’s SELF account the following permissions: Write operatingSystem Write operatingSystemVersion Write operatingSystemHotfix Write operatingSystemServicePack Write servicePrincipalName Write userAccountControl Write dnsHostName

Listing Computer Accounts

To list computers, your user account must have the following permission:

Select this target object To apply these permissions
Parent container object for the computer account in Active Directory For example: domain/UNIX/Servers On the Object tab, select Allow to apply the following permission to this object for each of the computers to be included in the list: List contents
Parent container object for the computer account in the zone For example, in a classic zone, the ZoneName/Computers container object: domain/UNIX/Zones/acme/Computers Click the Properties tab and select Allow to apply the following properties to this object only: Read objectClass
The serviceConnectionPoint object for the computer account For example, if the computer account name is AJAX, select: domain/UNIX/Servers/AJAX then select: serviceConnectionPoint objects Click the Properties tab and select Allow to apply the following properties to this object for each of the computers to be included in the list: Read displayName Read keywords Read managedBy Read Name Read objectClass
Computer account object in Active Directory For example, if the computer account name is AJAX: domain/UNIX/Servers/AJAX Click the Properties tab and select Allow to apply the following properties to this object for each of the computers to be included in the list: Read objectClass Read Operating System Read Operating System Version Read userAccountControl

Modifying Computer Properties

To modify any computer account properties for a UNIX computer, your user account must have the following permission:

Select this target object To apply these permissions
Parent container object for the computer account in Active Directory For example: domain/UNIX/Servers On the Object tab, select Allow to apply the following permission to this object only: List contents
The serviceConnectionPoint object for the computer account For example, if the computer account name is AJAX, select: domain/UNIX/Servers/AJAX then select: serviceConnectionPoint objects Click the Properties tab and select Allow to apply the following properties to this object only: Read allowedAttributes Read allowedAttributesEffective Read displayName Read keywords Read managedBy Read Name Read objectClass Write keywords
Computer account object in Active Directory For example, if the computer account is AJAX in the default Active Directory Computers container: domain/UNIX/Servers/AJAX Click the Properties tab and select Allow to apply the following properties to this object only: Read objectGUID Read objectSid Read objectClass Read Operating System Read Operating System Version Read userAccountControl

Responding to NIS Requests

If you are supporting “agentless” authentication or want to allow a computer to service NIS client requests in a zone, the computer must be a member of the zone_nis_servers group in the zone. Setting or unsetting the Allow this computer to respond to NIS client requests property requires the following permissions:

Select this target object To apply these permissions
The zone_nis_servers group object For example, select: domain/UNIX/Zones/acme/Computers/zone_nis_servers Click the Properties tab and select Allow to apply the following properties to this object only: List contents Read all properties Write member property If the zone_nis_servers group does not already exist in the current zone, setting the Allow this computer to respond to NIS client requests property also requires the following permission on the ZoneName/Computers object: Create group objects

Changing the Computer Zone

If you need to change the zone for a computer account, your user account must have the following additional permissions:

Select this target object To apply these permissions
All parent container objects for the original and new zones Click the Properties tab and select Allow to apply the following properties to this object only: Read name Read Name
The serviceConnectionPoint object for the computer account Click the Properties tab and select Allow to apply the following properties to this object only: Write name Write Name Note The Name property is the common name (cn) of the serviceConnectionPoint object.
Original parent container for the computer account in the current zone For example, if you are moving a computer from the Finance zone to the Corporate zone, the target object would be: domain/UNIX/Zones/Finance/Computers On the Object tab, select Allow to apply the following permission to this object only: Delete serviceConnectionPoint Objects Click the Properties tab and select Allow to apply the following properties to this object only: Read objectGUID
New parent container for the computer account in the new zone For example, if you are moving a computer from the Finance zone to the Corporate zone, and you use the default Computers container, the target object would be: domain/UNIX/Zones/Corporate/Computers On the Object tab, select Allow to apply the following permission to this object only: Create serviceConnectionPoint Objects Click the Properties tab and select Allow to apply the following properties to this object only: Read objectGUID

You can set the permissions for modifying computer accounts by clicking the Security tab when you are viewing a computer’s properties.

Preparing a Computer Object

To prepare a computer account in a zone before joining, the following permissions apply to the user or group you want to designate as the trustee for joining the domain.

Select this target object To apply these permissions
The serviceConnectionPoint object for the computer account Click the Object tab and select Allow to apply the following permission to this object only: Read all properties Write keywords property Write displayName property
Computer account object in Active Directory For example, if the computer account name is AJAX: domain/Computers/AJAX Click the Object tab and select Allow to apply the following permission to this object only: Read Permission Reset Password Write userAccountControl Validated write to DNS host name Validated write to service principal name Write to service principal name Write msDS-SupportedEncryptionTypes Write Account Restrictions Write Description Write displayName Write computer name (Pre-Windows 2000) Delete Delete Subtree All Extended Rights

The adjoin command resets the computer account and grants the computer’s SELF account the following permissions:

  • Write operatingSystem
  • Write operatingSystemVersion
  • Write operatingSystemHotfix
  • Write operatingSystemServicePack
  • Write altSecurityIdentities

Creating The Computer Object Manually

If you use Active Directory Users and Computers to prepare the computer object instead of the Prepare Computer wizard, the following permissions must be granted on the computer for the trustee:

Select this target object To apply these permissions
The serviceConnectionPoint object for the computer account Click the Object tab and select Allow to apply the following permission to this object only: Read all properties Write keywords property Write displayName property
Computer account object in Active Directory For example, if the computer account name is AJAX: domain/Computers/AJAX Click the Object tab and select Allow to apply the following permission to this object only: Read Permission Reset Password Write userAccountControl Validated write to DNS Host Name Validated write to service principal name Write Account Restrictions Write Description Write displayName Write computer name (Pre-Windows 2000) Write operatingSystem Write operatingSystemVersion Write operatingSystemHotfix Write operatingSystemServicePack Write altSecurityIdentities Write msDS-SupportedEncryptionTypes Delete Delete Subtree All Extended Rights

Modifying Computer Roles

If you use computer role assignments to control access to a computer, the following permissions are required to modify computer roles:

Select this target object To apply these permissions
msDS-AzScope This object is listed under a globally unique identifier (GUID) for the Authorization object. For example: CN=cab186af-61a0-4d54-a0dd... Click the Properties tab and select Allow to apply the following properties to this object only: Read description Read msDS-AzScopeName Read msDS-AzApplicationData Write description Write msDS-AzScopeName Write msDS-AzApplicationData

Deleting Computer Roles

If you use computer role assignments to control access to a computer, the following permissions are required to delete computer roles:

Select this target object To apply these permissions
msDS-AzScope This object is listed under a globally unique identifier (GUID) for the Authorization object. Click the Properties tab and select Allow to apply the following properties to this object only: Read Name Read name Read displayName Allow Delete Allow Delete Tree

Setting Permissions For Zone Users

The specific objects and permissions required to work with user accounts depend on the type of zone the user account is associated with and the task to be performed.

In most cases, you can grant the required permissions to specific users or groups by selecting the appropriate task in the Zone Delegation Wizard instead of assigning the permissions manually.

Adding Users To Standard Zones

In a standard Centrify zone when the functional level of the forest is Windows Server 2003 or later, adding a user account with an Active Directory security group as the primary group to a zone requires the following permissions:

Select this target object To apply these permissions
Parent container object for the user profile For example, if you use classic zones, the default Users container in the Finance zone: domain/UNIX/Zones/Finance/Users On the Object tab, select Allow to apply the following permission to this object only: Create serviceConnectionPoint Objects This permission is required for both standard zones and RFC 2307compliant zones. For standard zones, you need to apply additional permissions. Click the Properties tab and select serviceConnectionPoint objects from the object list, then select Allow to apply the following properties to this object: Read Name Read name Read displayName
User account object in Active Directory For example: domain/Users/user_name Click the Properties tab and select Allow to apply the following properties to this object only: Read objectCategory Read objectClass Read objectGUID Read objectSid Read userAccountControl
Parent container object for the individual zone For example, if you are adding a user to the Finance zone: domain/UNIX/Zones/Finance Click the Properties tab and select Allow to apply the following properties to this object only: Read objectGUID Write Description

Modifying Users In Standard Zones

In a standard zone, modifying user account properties for a user with a standard Active Directory security group as the primary group requires the following permissions:

Select this target object To apply these permissions
The serviceConnectionPoint object for the user account For example, if you are using classic zones and the UNIX user name is chris: domain/UNIX/Zones/Finance/Users/chris then select serviceConnectionPoint objects Click the Properties tab and select Allow to apply the following properties to this object only: Read allowedAttributesEffective Read objectGUID Write keywords If you are changing the UNIX user name for the user, you need the following additional permissions applied to this object: Read name Write name Write Name property Note The Name property is the common name (cn) of the serviceConnectionPoint object.

You can set the permissions for modifying user accounts by clicking Permissions when you are viewing the Centrify Profile for a user.

Modifying Users In Rfc 2307-compliant Zones

In a standard RFC 2307-compliant zone, modifying user account properties for a user with an Active Directory security group as the primary group requires the following permissions:

Select this target object To apply these permissions
The serviceConnectionPoint object for the user account For example, if you are using classic zones and the UNIX user name is chris: domain/UNIX/Zones/Finance/Users/chris then select serviceConnectionPoint objects Click the Properties tab and select Allow to apply the following properties to this object only: Read allowedAttributesEffective Write keywords Write uid Write uidNumber Write gidNumber Write loginShell Write unixHomeDirectory If you don’t see some of these attributes listed for serviceConnectionPoint objects, change the object selected to posixAccount objects, then click Allow for the additional properties. The GECOS field in a user’s UNIX profile is derived from the displayName attribute or the Name property (cn).

You can grant the required permissions to specific users or groups for any zone by selecting the Modify users task in the Zone Delegation Wizard.

Listing Users In Standard Zones

In a standard zone, listing user account information requires the following permissions:

Select this target object To apply these permissions
The serviceConnectionPoint object for the user account Click the Properties tab and select Allow to apply the following properties to this object for each user included in the list: Read displayName Read managedBy Read objectClass Read Name to display the UNIX name Read keywords to display the other UNIX attributes

Listing Users in RFC 2307-Compliant Zones

In a standard RFC 2307-compliant zone, listing user account information requires the following permissions:

Select this target object To apply these permissions
The serviceConnectionPoint object for the user account Click the Properties tab and select Allow to apply the following properties to this object for each user included in the list: Read displayName Read keywords Read managedBy Read objectClass Read uid to display the UNIX name Read uidNumber to display the UNIX UID Read gidNumber to display the GID of the user’s primary group Read logonShell to display the default shell for the user Read unixHomeDirectory to display the user’s home directory Read Public Information to display the userPrincipalName for the user

Removing Users from Zones

Removing a user account from a standard zone or RFC 2307-compliant zone requires the following permission:

Select this target object To apply these permissions
The serviceConnectionPoint object for the user account On the Object tab, select Allow to apply the following permission to this object only: Delete

Setting Permissions for Zone Groups

The specific objects and permissions required to work with group accounts can vary depending on the type of zone the group is associated with and the task to be performed.

In most cases, you can grant the required permissions to specific users or groups by selecting the appropriate task in the Zone Delegation Wizard instead of assigning the permissions manually.

Adding Security Groups to Zones

Adding an Active Directory group to a zone requires the following permissions:

Select this target object To apply these permissions
Parent container object for the group For example, if you are using classic zones, the ZoneName/Groups container: domain/UNIX/Zones/acme/Groups On the Object tab, select Allow to apply the following permission to this object only: Create serviceConnectionPoint objects Click the Properties tab and select Allow to apply the following properties to this object only: Read objectClass Note You can grant the required permissions to specific users or groups by selecting the Add or remove groups task in the Zone Delegation Wizard.
Group account object in Active Directory For example: domain/UNIX/UNIX groups/group_name Click the Properties tab and select Allow to apply the following properties to this object only: Read groupType Read objectCategory Read objectClass Read objectGUID Read objectSid
Parent container object for the individual zone For example, if you are adding a group to the Finance zone: domain/UNIX/Zones/Finance Click the Properties tab and select Allow to apply the following properties to this object only: Read objectGUID Write Description

Modifying Groups in Standard Zones

In a standard zone, modifying a group profile in a zone requires the following permissions:

Select this target object To apply these permissions
The serviceConnectionPoint object for the group account For example, if the UNIX group name is web-qa in the HKLab zone: domain/UNIX/Zones/HKLab/Groups/web-qa then select serviceConnectionPoint objects Click the Properties tab and select Allow to apply the following properties to this object only: Read allowedAttributesEffective Read objectGUID Read Name If you are changing the UNIX group name for a group, you need the following additional permissions applied to this object: Read name Write name Write Name Note The Name property is the common name (cn) of the serviceConnectionPoint object.

Modifying Groups in RFC 2307-Compliant Zones

In a standard RFC 2307-compliant zone, modifying a UNIX-enabled group in a zone requires the following permissions:

Select this target object To apply these permissions
The serviceConnectionPoint object for the group account Click the Properties tab and select Allow to apply the following properties to this object only: Read allowedAttributesEffective Read objectGUID Read Name If you are changing the UNIX group identifier for a group, you need the following additional permissions applied to this object: Read gidNumber Write gidNumber Note If you don’t see this attribute listed for the serviceConnectionPoint object, change the object selected to posixGroup objects. If you are changing the UNIX name for a group, you need the following additional permissions applied to this object: Read name Write name Write Name Note The Name property is the common name (cn) of the serviceConnectionPoint object.

Listing Groups in Zones

In a standard zone, listing group account information requires the following permissions:

Select this target object To apply these permissions
The serviceConnectionPoint object for the group account Click the Properties tab and select Allow to apply the following properties to this object for each group included in the list: Read displayName Read managedBy Read objectClass Read Name to display the UNIX group name Read keywords to display the UNIX GID

Listing Groups in RFC 2307-Compliant Zones

In a standard RFC 2307-compliant zone, listing group account information requires the following permissions:

Select this target object To apply these permissions
The serviceConnectionPoint object for the user account Click the Properties tab and select Allow to apply the following properties to this object for each user included in the list: Read displayName Read keywords Read managedBy Read objectClass Read objectGUID Read Name to display the group name Read gidNumber to display the group GID

Removing Groups from Zones

Removing an Active Directory group from a standard zone or RFC 2307-compliant zone requires the following permission:

Select this target object To apply these permissions
The serviceConnectionPoint object for the group account On the Object tab, select Allow to apply the following permission to this object only: Delete

Setting Permissions for License Keys

Starting Access Manager requires the following permissions on the container object for licenses:

Select this target object To apply these permissions
The domain root object For example, if the root domain of the forest is arcade.com: DC=arcade,DC=com Click the Properties tab and select Allow to apply the following properties to this object only: Read objectClass
Parent container for the Licenses container object For example: domain/Centrify UNIX On the Object tab, select Allow to apply the following permission to this object only: List contents
Parent container for license keys For example, the Licenses container object you created or selected in the Setup Wizard: domain/Centrify UNIX/Licenses On the Object tab, select Allow to apply the following permission to this object only: List contents

To add and remove license keys, your user account must have the following permissions:

For this target object You need these permissions
Parent container for license keys For example, the Licenses container object you created or selected in the Setup Wizard: domain/Centrify UNIX/Licenses Click the Properties tab and select Allow to apply the following properties to this object and all child objects: Write Description

Setting Permissions for NIS Maps

You can delegate administrative permissions for all NIS maps in a zone or for any specific NIS map within a zone by selecting either the NIS Maps parent container object or the specific NIS map object you want to work with. If you select the NIS Maps parent container object, the permissions you set apply to all NIS maps you add to the zone. If you select the individual NIS map object, the permissions you set only apply to that individual NIS map.

To set permissions on NIS maps or NIS map entries

  1. Open the ADSI Edit MMC snap-in and connect to the Active Directory domain.

    For NIS maps, you must use the Zone Delegation Wizard or ADSI Edit to set Active Directory permissions.

  2. In the console tree, navigate to the zone folder.

    For example, if you deployed using the recommended organizational structure, expand the domain, Centrify, Zones, and select a specific zone name.

  3. Select CN=NisMaps to set permissions for all NIS maps in a zone, right-click, then select Properties.

    If setting permissions for an individual map, expand CN=NisMaps, then select the map object—such as CN=auto_master—right-click and select Properties.

  4. Click the Security tab, then click Advanced.

  5. Click Add to search for the user or group to which you want to give administrative privileges, select the user or group in the results, then click OK.

  6. Scroll to locate the appropriate permissions for the object and its properties to allow the selected user or group to perform the administrative task, click Allow, then click OK.

In most cases, you can grant the required permissions to specific users or groups by selecting the appropriate task in the Zone Delegation Wizard instead of assigning the permissions manually.

Adding NIS Maps to a Zone

To add NIS maps to the NIS Maps parent container in a zone, the user account must have the following permissions:

Select this target object To apply these permissions
Parent container for NIS Maps For example, if you are using classic zones: domain/UNIX/Zones/ZoneName/NISMaps On the Object tab, select Allow to apply the following permissions to this object and all child objects: Create Container Objects

Deleting NIS Maps from a Zone

To delete NIS maps in a zone, the user account must have the following permissions:

Select this target object To apply these permissions
Parent container for NIS Maps On the Object tab, select Allow to apply the following permissions: Delete Container Objects applied to this object and all child objects. On the Object tab, set Apply onto to Container objects, then select Allow to apply the following permissions: Delete Subtree Note This permission is required if the map contains any entries.

Adding Map Entries to NIS Maps

To add entries to any NIS map in a zone, the user account must have the following permissions:

Select this target object To apply these permissions
Parent container for NIS Maps On the Object tab, set Apply onto to Container objects, then select Allow to apply the following permissions: Create classStore Objects

Modifying Map Entries in NIS Maps

To modify entries in any NIS map in a zone, the user account must have the following permissions:

Select this target object To apply these permissions
Parent container for NIS Maps Click the Properties tab, set Apply onto to classStore objects, then select Allow for the following properties: Write adminDescription Write Description Write wWWHomePage

Changing the Map Type for NIS Maps

To change the map type for any NIS map in a zone, the user account must have the following permissions:

Select this target object To apply these permissions
Parent container for NIS Maps Click the Properties tab, set Apply onto to This object and all child objects, then select Allow for the following properties: Write Description

Deleting Map Entries from NIS Maps

To delete entries from any NIS map in a zone, the user account must have the following permissions:

Select this target object To apply these permissions
Parent container for NIS Maps Click the Properties tab, set Apply onto to classStore objects, then select Allow for the following properties: Write name Write Name

Adding Entries to a Specific NIS Map

To add entries to a specific NIS map in a zone, the user account must have the following permissions:

Select this target object To apply these permissions
Individual NIS map On the Object tab, select Allow to apply the following permissions to this object and all child objects: Create classStore Objects

Modifying Entries in a specific NIS Map

To modify the entries in a specific NIS map in a zone, the user account must have the following permissions:

Select this target object To apply these permissions
Individual NIS map Click the Properties tab, set Apply onto to classStore objects, then select Allow for the following properties: Write adminDescription Write Description Write wWWHomePage

Changing the Map Type for a Specific NIS Map

To change the map type for a specific NIS map in a zone, the user account must have the following permissions:

Select this target object To apply these permissions
Individual NIS map Click the Properties tab, set the Apply onto to This object and all child objects, then select Allow for the following properties: Write Description

Deleting Map Entries from a Specific NIS Map

To delete entries from a specific NIS map in a zone, the user account must have the following permissions:

Select this target object To apply these permissions
Individual NIS map Click the Properties tab, set Apply onto to classStore objects, then select Allow for the following properties: Write name Write Name

Setting Permissions for Password Synchronization

If you want to use the Network Information Service, adnisd, and the Centrify Password Filter to support “agentless” authentication of NIS client requests, the computer that will service the requests must be a member of the zone_nis_servers group in the zone and must be able to access the Active Directory attribute that stores the password hash. The specific permissions required depend on the attribute being used to store the password hash.

Centrify Password Synchronization Service

If you are using the Centrify Password Filter synchronization service, the zone_nis_servers group requires the following permissions:

If this attribute is used These permissions are required
altSecurityIndentities Read altSecurityIndentities
msSFU30Password Read msSFU30Password
unixUserPassword Read unixUserPassword All Extended Rights

Microsoft Password Synchronization Service

If you are using the Microsoft password synchronization service and the Centrify Network Information Service, adnisd, to authenticate NIS client requests, you must set the following permissions at the domain level, on the Users container object, or on another container that applies to all users.

Select this target object To apply these permissions
Users container or a container that applies to all users Click the Object tab, set the Apply onto to User objects and select Allow to apply the following permission: All Extended Rights You can apply this permission to Domain Computers or to a specific group of computers that contains the computer where the adnisd service is running.

For information about installing and configuring a Microsoft password synchronization service, see the Microsoft documentation for that service or refer to documentation on the Microsoft Web site.

Setting Permissions for Rights and Roles

If you define specific rights and establish role-based access controls on a zone-by-zone or computer-by-computer basis, you might want to manually assign permissions for users who can configure rights and roles.

In most cases, you can grant the required permissions to specific users or groups by selecting the appropriate task in the Zone Delegation Wizard instead of assigning the permissions manually.

Creating the Authorization Store

All of the information about rights, roles, and role assignments is held in an authorization store for each zone in Active Directory. The name of authorization store object is CN=Authorization under the zone object’s DN. For example, the authorization store for the zone named EMEA_Territories in the Arcade.Net forest is:

cn=Authorization, cn=EMEA_Territories, cn=Zones, cn=UNIX, dc=Arcade, dc=Net

To create the authorization store for a zone, users must have the following permissions:

Select this target object To apply these permissions
Parent container for an individual zone For example, a ZoneName container object, such as: domain/Centrify/Zones/arcade On the Object tab, select Allow to apply the following permissions to this object and all child objects: List contents Read all properties Read Permissions Select Allow to apply the following permissions to this object only: Create msDS-AzAdminManager objects

Defining Rights And Roles in the Authorization Store

To configure rights, roles, and role assignments, users must have the following permissions for the authorization store:

Select this target object To apply these permissions
Authorization On the Object tab, select Allow to apply the following permissions to this object and all child objects: List contents Read all properties Write all properties
msDS-AzApplication This object is listed under a globally unique identifier (GUID) for the Authorization object. For example: CN=cab186af-61a0-4d54-a0dd... On the Object tab, select Allow to apply the following permissions to this object (listed as CN=GUID under the Authorization object) and all child objects: Create and delete msDS-AzOperation objects Create and delete msDS-AzTask objects Create and delete msDS-AzRole objects Create msDS-AzScope objects Note You must grant these permissions on the CN=GUID object if you are granting permissions manually with ADSI Edit. The proper permissions are set automatically for the users when you delegate administrative tasks for a zone.

Configuring Authorization In Classic Zones

Unlike hierarchical zones, authorization is an optional feature in classic zones. You must be an administrator or the user who created a classic zone to initialize the authorization store in Active Directory, identify the users who should be allowed to configure rights, roles, and role assignments, and enable or disable the enforcement of the rights and role assignments you have configured.

To update the list of users and groups who are allowed to configure DirectAuthorize rights and roles, you must have the Modify permissions right on the Authorization container under the classic zone container applied to this object and all child objects. If you have this permission, you can click Add to add Windows users and groups to the list of users and groups who can configure rights and roles. If you have the Modify permissions right, you can also select a user or group in the list and click Remove a user or group from the list.

Adding Roles

To add roles for users or groups, users must have the following permissions:

Select this target object To apply these permissions
Authorization Click the Properties tab, then select Allow for the following properties: Write msDS-AzApplicationData
msDS-AzTaskObjectContainer This object is listed under a globally unique identifier (GUID) for the Authorization object. On the Object tab, select Allow to apply the following permissions to this object: Create msDS-AzTask objects Click the Properties tab, then select Allow for the following properties: Read objectClass

Modifying Roles

To modify roles for users or groups, users must have the following permissions:

Select this target object To apply these permissions
Authorization Click the Properties tab, then select Allow for the following properties: Write msDS-AzApplicationData
msDS-AzTaskObjectContainer/CN=roleName This object is listed under a globally unique identifier (GUID) for the Authorization object and a specific role name. Click the Properties tab, then select Allow for the following properties: Read Name Read name Read description Read msDS-AzApplicationData Write Name Write name Write description Write msDS-AzApplicationData

Deleting Roles

To delete roles for users or groups, users must have the following permissions:

Select this target object To apply these permissions
Authorization Click the Properties tab, then select Allow for the following properties: Write msDS-AzApplicationData
msDS-AzTaskObjectContainer/CN=roleName This object is listed under a globally unique identifier (GUID) for the Authorization object and a specific role name. Click the Properties tab, then select Allow for the following properties: Read Name Read name Allow Delete

Adding Rights

To add the definition for a right in a zone, users must have the following permissions:

Select this target object To apply these permissions
Authorization Click the Properties tab, then select Allow for the following properties: Write msDS-AzApplicationData
msDS-OpObjectContainer This object is listed under a globally unique identifier (GUID) for the Authorization object. On the Object tab, select Allow to apply the following permissions to this object: Create msDS-AzOperation objects Click the Properties tab, then select Allow for the following properties: Read objectClass

Modifying Rights

To modify right definitions in a zone, users must have the following permissions:

Select this target object To apply these permissions
Authorization Click the Properties tab, then select Allow for the following properties: Write msDS-AzApplicationData
msDS-AzTaskObjectContainer/CN=roleName This object is listed under a globally unique identifier (GUID) for the Authorization object and a specific role name. Click the Properties tab, then select Allow for the following properties: Read Name Read name Read description Read msDS-AzApplicationData Write Name Write name Write description Write msDS-AzApplicationData

Deleting Rights

To delete right definitions in a zone, users must have the following permissions:

Select this target object To apply these permissions
Authorization Click the Properties tab, then select Allow for the following properties: Write msDS-AzApplicationData
msDS-AzOpObjectContainer/CN=pamrightName or msDS-AzOpObjectContainer/CN=pcrightName This object is listed under a globally unique identifier (GUID) for the Authorization object and a specific PAM access right name or privileged command name. Click the Properties tab, then select Allow for the following properties: Read Name Read name Allow Delete

Adding or Removing Rights from Roles

To add or remove rights from a role in a zone, users must have the following permissions:

Select this target object To apply these permissions
Authorization Click the Properties tab, then select Allow for the following properties: Write msDS-AzApplicationData
msDS-AzTaskObjectContainer/CN=roleName This object is listed under a globally unique identifier (GUID) for the Authorization object and a specific role name. Click the Properties tab, then select Allow for the following properties: Read Name Read name Read msDS-OperationsForAzTask Write msDS-OperationsForAzTask

Adding Role Assignments

To add a role assignment, users must have the following permissions:

Select this target object To apply these permissions
Authorization Click the Properties tab, then select Allow for the following properties: Write msDS-AzApplicationData
msDS-AzRoleObjectContainer This object is listed under a globally unique identifier (GUID) for the Authorization object. On the Object tab, select Allow to apply the following permissions to this object: Create msDS-AzRole objects

Modifying Role Assignments

To modify role assignments, users must have the following permissions:

Select this target object To apply these permissions
Authorization Click the Properties tab, then select Allow for the following properties: Write msDS-AzApplicationData
msDS-AzRoleObjectContainer This object is listed under a globally unique identifier (GUID) for the Authorization object. On the Object tab, select Allow to apply the following permissions to this object: Create msDS-AzRole objects
msDS-AzRoleObjectContainer/CN=CRA_guid This object is listed under a globally unique identifier (GUID) for the Authorization object and a unique identifier for the role assignment. Click the Properties tab, then select Allow for the following properties to allow changes to the assigned user or groups: Read Name Read name Allow Delete Click the Properties tab, then select Allow for the following properties to allow changes to the available time for a role assignment: Read Name Read name Read msDS-AzApplicationData Write msDS-AzApplicationData

Deleting Role Assignments

To modify role assignments, users must have the following permissions:

Select this target object To apply these permissions
Authorization Click the Properties tab, then select Allow for the following properties: Write msDS-AzApplicationData
msDS-AzRoleObjectContainer/CN=CRA_guid This object is listed under a globally unique identifier (GUID) for the Authorization object and a unique identifier for the role assignment. Click the Properties tab, then select Allow for the following properties: Read Name Read name Allow Delete

Setting Permissions for Zone Provisioning

The Zone Provisioning Agent requires permission to create UNIX profiles, that is, the service connection points in each zone where it needs to perform provisioning operations. The service account that runs the Zone Provisioning Agent requires the Log on as a service right set as a local computer security policy, or in the default domain policy.