
Zone delegation permissions

Participant II
Posts: 2
Registered: ‎05-02-2016
#1 of 3 2,128
Accepted Solution

Zone delegation permissions


Dear

 

In our setup we have granted zone permissions to users and to groups.
Now, I would like to create a report in order to list out those permissions.

 

Is there a standard way to retrieve/list out these kinds of permissions?
Does anyone have a report or a Tcl script to do so?

 

Thank you for a reply.

 

Erwin Mellaerts

Centrify Guru I
Posts: 1,814
Registered: ‎07-26-2012
#2 of 3 2,115

Re: Zone delegation permissions


Hello @KBC10976,

 

Welcome to Centrify.

 

Zone Delegation Report

The quickest answer is that you can leverage the "Zone Delegation Report" from the Access Manager report center.


PROS:  This will give you a granular report per principal and the rights they have.  You can export to pdf, excel, xml, etc.

CONS:  It will be slow in a large AD environment.  It's using LDAP.

 

Reporting by other Means

Using the recommended best practices.

This makes reporting a simple exercise on listing AD group memberships.

 

The Centrify OU structure pre-creates AD groups ready for delegations, Centrify OU > Zone Administration. The latest best practice establishes 4 groups:


 

Centrify Administrators have all rights

Authorization Managers have the rights related to rights, roles and role assignments (Add/remove/modify)

UNIX Data managers have the rights related to user/group & local user/local groups  as well as NIS maps (add/remove/modify)

Computer Managers have the rights related to computers (add/remove/modify).

 

From that point on, you can simply report on group membership.  E.g. PowerShell

Get-ADGroupMember "Centrify Administrators" | Select-Object name

name
----
John Doe
Diana Wirth

E.g. using adquery group

$ dzdo adquery group -A "Centrify Administrators"  | grep members
Demo Password: 
members:centrify.vms/Staff/IT/John Doe, centrify.vms/Staff/IT/Diana Wirth

Alternatively, you can use the attached PowerShell script to generate the report.

 

I hope this highlights the benefits of using the best practices.

 

Writing your own

I am not an adedit or TCL expert, but I'd look under the samples folder (/usr/share/centrifydc/samples/adedit) or look at the script I attached to this post.  That is the PowerShell version of the Zone Administration report included with the PowerShell samples.  If you are versed in adedit, you should be able to see the logic and translate it into it.

 

 

Also, maybe one of the PS folks will chime in on this thread.

 

R.P

Want to learn more about practical Centrify examples? Check out my blog at http://centrifying.blogspot.com
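
The Get-ADGroupMember one-liner from the reply above, extended to all four delegation groups and to nested membership, as an added example (not part of the original post and not the script attached to it). The exact AD names of the groups other than "Centrify Administrators" and the CSV file name are assumptions; the report covers only rights granted through these groups, not permissions delegated directly to individual users.

```powershell
# Added example: membership report for the four Zone Administration groups.
# Assumption: the groups exist in AD under exactly these names; adjust as needed.
Import-Module ActiveDirectory

$delegationGroups = @(
    'Centrify Administrators',
    'Authorization Managers',
    'UNIX Data Managers',
    'Computer Managers'
)

$report = foreach ($groupName in $delegationGroups) {
    try {
        # Direct members, used to tell direct membership from nested membership.
        $direct = @(Get-ADGroupMember -Identity $groupName -ErrorAction Stop)
        # -Recursive expands nested groups and returns only the leaf (non-group) members.
        $effective = @(Get-ADGroupMember -Identity $groupName -Recursive -ErrorAction Stop)
    }
    catch {
        # A missing or unreadable group is reported and skipped, not silently ignored.
        Write-Warning "Skipping '$groupName': $($_.Exception.Message)"
        continue
    }

    $directDns = $direct | ForEach-Object { $_.distinguishedName }

    foreach ($member in $effective) {
        [pscustomobject]@{
            DelegationGroup   = $groupName
            Member            = $member.name
            SamAccountName    = $member.SamAccountName
            ObjectClass       = $member.objectClass
            # 'nested group' marks principals that hold the rights indirectly.
            Via               = if ($directDns -contains $member.distinguishedName) { 'direct' } else { 'nested group' }
            DistinguishedName = $member.distinguishedName
        }
    }
}

# Console view plus a CSV copy (file name is a constructed placeholder).
$report | Sort-Object DelegationGroup, Member | Format-Table -AutoSize
$report | Export-Csv -Path .\zone-delegation-groups.csv -NoTypeInformation
```

Rows marked "nested group" are the ones a flat membership listing would miss, so they are worth reviewing first when auditing who can administer a zone.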
Participant II
Posts: 2
Registered: ‎05-02-2016
#3 of 3 2,088

Re: Zone delegation permissions

Thank you.
I'll give it a try.