Whether you need to manage a few Mac workstations or tens of thousands of UNIX and Linux servers, Centrify's patented Zone technology enables you to quickly centralize management of these resources within Active Directory while not compromising on security or manageability. Centrify Zones provide:
A Centrify Zone is a collection of attributes and security policies that define the identities, access rights and privileges shared by a group of users. A small organization might need only a single Zone to manage their Mac users and desktops. A large organization may need a hierarchy of Zones to manage users who need access to thousands or tens of thousands of UNIX, Linux and Mac systems that are used as everything from end-user workstations to web application servers.
Zones provide a flexible means of managing a set of users and computers that all need to share a common set of policies and delegated rights. For example, you could create a Zone for Mac users and their computers, regardless of where they are located geographically or what department they work for. You could create a Zone for an engineering department whose users must all share access to a set of UNIX development systems, whether located in a data center or in the cloud. Or you could create a Zone for a branch office that has its own set of administrators tasked with managing all the UNIX, Linux and Mac systems in their location. A user can be in multiple Zones, enabling you to create identity management, access control, privilege management and delegation solutions that are as simple or as sophisticated as you need them to be for your particular environment.
At minimum, a Zone contains:
Although some organizations will have Zones that contain only users (in particular, a Global Zone, described later), most Zones also contain:
This approach enables you to manage your non-Windows environment by tying the rights a user has on a UNIX, Linux or Mac computer with a single, definitive identity centrally stored and managed in Active Directory. In so doing, you enjoy a variety of both efficiency and security benefits. Need to give a new employee rights to administer web servers scattered across your enterprise? Assign them to an Active Directory group for web developers. Need to ensure a reassigned system administrator can no longer access any system within his previous department? Remove him from the Active Directory group for that department's admins. Managing your non-Windows environment in Active Directory means you can use Centrify DirectManage or other reporting tools to easily generate reports for auditors, assessors, and internal staff that illustrate specifically who has access to which systems, along with who granted the access privileges.
While small organizations can efficiently manage a single Centrify Zone that contains all their non-Windows users and computers, most organizations will benefit by first setting up a Zone hierarchy that starts with a top-level Global Zone. As a best practice, a Global Zone contains all of the Active Directory users who will need access to a non-Windows computer or device. Each user has a UNIX profile that defines their unique user ID (UID) and other attributes. The Zone can be configured to define how new users and computers are assigned UIDs, home directories, and so on, ensuring a consistent, rational UNIX namespace across your enterprise as you grow.
Under the Global Zone, you can then create any number of Child Zones. A Child Zone can inherit the users and their UNIX profiles from the Global Zone. But often you will need to override one or more properties on a Zone-by-Zone basis to fit the requirements of that particular Zone. Child Zones can be nested to achieve the level of management granularity you need.
As your management and security needs become more sophisticated, you will set up computer roles, user roles, and role assignments to more granularly control access to systems and the privileges users have on those systems. Centrify's unique hierarchical Zones enable you to define roles and role assignments at any level within your Zone hierarchy, and specify whether those properties are inherited or overridden at any individual level. This powerful inheritance model is not only an efficient way to manage users of non-Windows systems, but also has a variety of security benefits:
Centrify's hierarchical Zone technology provides the industry's only solution for quickly and easily migrating UNIX identities from multiple sources into Active Directory. Organizations often have multiple identity stores across which a single user has different UIDs. Other solutions force you to reassign users a consistent UID across all of the computers they need to access as a prerequisite for managing the user's UNIX profile in Active Directory.
Instead, Centrify enables you to import each identity store as it currently exists into a Centrify Child Zone and map a user in that Child Zone to the correct user in the Global Zone. Your Zone hierarchy can contain a mix of Child Zones in which the same user's UID may be inherited from the Global Zone or may be overridden with the UID he has among the computers in a particular Child Zone. A Centrify Zone can also contain NIS maps that associate a user's identity in a NIS domain to their Active Directory account. In cases where computers were locally managed one by one, you can even create a Computer Zone where the user has a unique UID.
Centrify provides migration tools to automate the consolidation of UNIX identity stores into Active Directory.
Without Centrify Zones, organizations can't even begin the process of integrating non-Windows systems with Active Directory until they complete the arduous task of rationalizing their UNIX namespace so that each user has a single, consistent UID across all systems - a process that could take weeks or months, or may not even be practical at all. With Centrify Zones, the process literally takes days.
Another unique and powerful Centrify feature is the Computer Role, which enables a computer to effectively be a member of multiple Zones, one of the most commonly requested capabilities from our customers. A Computer Role is a collection of computers that share a common set of management and security requirements. For example, you might create a Computer Role for web servers and a user role for web developers. The web developer role grants access to the web server Computer Role and defines a limited set of privileges. Membership in the web developer role could then be controlled using an Active Directory group. Giving a web developer consistent access rights and privileges to web servers throughout your enterprise is then as simple as adding them to the Active Directory group. They do not get privileges to other computers in the Zones where the web servers are located.
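As an added illustration (not Centrify's code or data model), the following Python sketch models the two behaviours described above: the inherit-or-override lookup that resolves a user's UID down a Zone hierarchy, and the Computer Role check that lets a web developer onto web servers without granting anything on other computers in the same Zone. Zone, host, user and group names are constructed sample values, and "user role" is simplified to an Active Directory group mapped to a Computer Role.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

@dataclass
class Zone:
    """One Zone in the hierarchy (hypothetical model, not Centrify's schema)."""
    name: str
    parent: Optional["Zone"] = None
    uids: Dict[str, int] = field(default_factory=dict)               # UNIX profiles defined or overridden here
    computer_roles: Dict[str, Set[str]] = field(default_factory=dict)  # Computer Role -> hostnames
    grants: Dict[str, str] = field(default_factory=dict)              # AD group (user role) -> Computer Role

def effective_uid(zone: Zone, user: str) -> Optional[int]:
    """Nearest Zone that defines the user's profile wins; None means no UNIX profile, hence no login."""
    z = zone
    while z is not None:
        if user in z.uids:
            return z.uids[user]
        z = z.parent
    return None

def can_access(zone: Zone, host: str, ad_groups: Set[str]) -> bool:
    """True only if one of the user's AD groups is assigned a role whose Computer Role contains
    host, at this Zone or an ancestor. Every other computer in the Zone stays closed to them."""
    z = zone
    while z is not None:
        for group in ad_groups:
            role = z.grants.get(group)
            if role is not None and host in z.computer_roles.get(role, set()):
                return True
        z = z.parent
    return False

def sample_hierarchy() -> Dict[str, Zone]:
    """Constructed sample: a Global Zone, a Child Zone imported from a legacy store, and one that inherits."""
    glob = Zone("Global", uids={"alice": 10001, "bob": 10002},
                computer_roles={"webservers": {"web01", "web02"}},
                grants={"WebDevs": "webservers"})
    eng = Zone("Engineering", parent=glob, uids={"alice": 501})  # legacy UID kept by override
    branch = Zone("BranchOffice", parent=glob)                    # inherits everything from Global
    return {"Global": glob, "Engineering": eng, "BranchOffice": branch}

if __name__ == "__main__":
    zones = sample_hierarchy()
    print(effective_uid(zones["Engineering"], "alice"))            # 501
    print(effective_uid(zones["BranchOffice"], "alice"))           # 10001
    print(can_access(zones["Engineering"], "web01", {"WebDevs"}))  # True
    print(can_access(zones["Engineering"], "db01", {"WebDevs"}))   # False
```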