Delegated Administration

In many organizations, Unix and Linux systems in particular are being used heavily for enterprise applications rather than as workstation platforms. As the number of users of these applications grows, day-to-day administration becomes a primary concern. Day-to-day administration also becomes a concern in high-turnover scenarios - for example, in college and university settings with Mac computer labs where student accounts are constantly being added and removed from the user group authorized for lab access.

Ideally, the central IT department wants to be in charge of creating and managing user accounts and of setting companywide security policies for both users and computers. But it is more efficient for local administrators within various departments to be granted administrative privileges to perform daily tasks - for example, to use Active Directory management tools to add or remove entries from the user group authorized to access an application or to log in to a lab computer, or to add or remove a computer from the group of computers in a server farm or lab.

Background: Before DirectControl, a Lose-Lose Situation

Before Centrify DirectControl, organizations that integrated Unix, Linux and Mac systems with Active Directory could do so only by adding all computers into Active Directory as a single group. For example, all Solaris computers in a QA Lab had to be part of the same group with the HR department's Red Hat server hosting an employee benefits application. The inevitable result was that you could give someone day-to-day administrative control only on the entire set of computers. Thus, organizations were faced with a lose-lose scenario: Take away the privileges of current administrators, or live with the fact that the updates made by local administrators affect all Unix, Linux and Mac systems being managed through Active Directory.

Taking away an administrator's privileges can encounter heavy resistance from departments that, rightfully, believe they know best how to manage their own systems and applications. It also saddles your central IT department with added workload, since it becomes responsible for the day-to-day tasks formerly performed by local administrators. But granting administrative privileges on all systems as a single group is even worse: it is an obvious security risk in general, and in particular runs afoul of many government regulations (such as Sarbanes-Oxley) mandating that sensitive systems be administered only by those whose job functions require it. For many organizations, this lack of granularity in controlling who can administer which systems and group memberships is a showstopper.

Unique Benefits of DirectControl's Zone-Based Delegated Administration

Centrify DirectControl's unique Zone technology provides the foundation for the industry's only truly enterprise-class solution for securely and efficiently enabling local administration of Unix, Linux and Mac systems and applications through Active Directory. (See Centrify's Unique Zone Technology for a detailed explanation of Zones and their benefits.) Zone-based delegated administration not only enables you to extend administrative duties on a Zone by Zone basis, but also enables you to specify what administrators can do within a Zone.

Each Centrify Zone can have its own set of administrators. An employee in your Engineering department can be an administrator of the Solaris computers in your QA Lab Zone, and changes they make have no effect on computers in other Zones.

Each administrator's privileges can be fine-tuned to fit their job function. As Figure 1 shows, for each administrator you can specify whether he or she can:

Read or Modify Zone Properties. Zone properties specify where home directories are created, how user IDs are generated, and other Zone details. You can prevent administrators from viewing Zone properties, permit them to view but not change Zone properties, or permit them to modify Zone properties.

Read or Modify Zone Membership. Zone membership controls two key properties: which Active Directory user accounts are included in the user groups that can access specific Unix, Linux or Mac systems and applications, and which computers are members of the Zone. You can prevent administrators from viewing Zone membership, permit them to view but not change Zone membership, or permit them to add or remove users and computers from the Zone.

Delete a Zone. You can also permit administrators to delete their Zone.
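The permission model described above (per administrator, per Zone: none/read/modify on Zone properties, none/read/modify on Zone membership, and a separate right to delete the Zone) can be expressed as a deny-by-default policy check. The following is an added illustration written for this page, not Centrify's code or API; the administrator names, Zone names and grants are constructed. It shows the property the text emphasizes: a grant in one Zone confers nothing in any other Zone.

```python
"""Constructed model of Zone-scoped delegated administration.

Not Centrify's API: an illustration of the permission semantics the text
describes. Absence of a grant means no rights (deny by default).
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    NONE = 0    # administrator cannot view the resource
    READ = 1    # view only
    MODIFY = 2  # view and change


@dataclass
class ZoneGrant:
    properties: Level = Level.NONE   # Zone properties (home dirs, UID generation, ...)
    membership: Level = Level.NONE   # users in access groups, computers in the Zone
    can_delete: bool = False         # right to delete the Zone itself


ACTIONS = {
    "read_properties": ("properties", Level.READ),
    "modify_properties": ("properties", Level.MODIFY),
    "read_membership": ("membership", Level.READ),
    "modify_membership": ("membership", Level.MODIFY),
}


@dataclass
class DelegationPolicy:
    # grants[admin][zone] -> ZoneGrant
    grants: dict = field(default_factory=dict)

    def grant(self, admin: str, zone: str, **rights) -> None:
        """Record what `admin` may do inside `zone` (and nowhere else)."""
        self.grants.setdefault(admin, {})[zone] = ZoneGrant(**rights)

    def allows(self, admin: str, zone: str, action: str) -> bool:
        """Deny unless a grant for exactly this Zone covers the action."""
        grant = self.grants.get(admin, {}).get(zone)
        if grant is None:
            return False
        if action == "delete_zone":
            return grant.can_delete
        if action not in ACTIONS:
            raise ValueError(f"unknown action: {action}")
        resource, needed = ACTIONS[action]
        return getattr(grant, resource) >= needed


def example_policy() -> DelegationPolicy:
    """Constructed sample: a local lab admin and a central IT admin."""
    policy = DelegationPolicy()
    # Engineering employee administering the QA Lab Zone: may add/remove
    # users and computers, may only view Zone properties, cannot delete.
    policy.grant("alice", "QA Lab", properties=Level.READ,
                 membership=Level.MODIFY, can_delete=False)
    # Central IT holds full rights in every Zone it creates.
    for zone in ("QA Lab", "HR Benefits"):
        policy.grant("bob", zone, properties=Level.MODIFY,
                     membership=Level.MODIFY, can_delete=True)
    return policy


def decisions(policy: DelegationPolicy, requests) -> list:
    """Evaluate (admin, zone, action) requests; returns allow/deny per request."""
    return [policy.allows(a, z, act) for a, z, act in requests]


if __name__ == "__main__":
    p = example_policy()
    for req in [("alice", "QA Lab", "modify_membership"),
                ("alice", "QA Lab", "modify_properties"),
                ("alice", "HR Benefits", "read_membership"),
                ("bob", "HR Benefits", "delete_zone")]:
        print(req, "->", "allow" if p.allows(*req) else "deny")
```

Because the lookup is keyed on the exact Zone, alice's membership rights in "QA Lab" yield a deny for every action in "HR Benefits", which is the containment the text contrasts with the single-group model.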