Zone delegation permissions
05-02-2016 04:26 AM
In our setup we have granted zone permissions to users and to groups.
Now, I would like to create a report in order to list out those permissions.
Is there a standard way to retrieve/list out this kind of permissions?
Does anyone have a report or a TCL script to do so?
Thank you for a reply.
05-02-2016 08:03 AM
Welcome to Centrify.
Zone Delegation Report
The quickest answer is that you can leverage the "Zone Delegation Report" from the Access Manager report center.
PROS: This will give you a granular report per principal and the rights they have. You can export to pdf, excel, xml, etc.
CONS: It will be slow in a large AD environment. It's using LDAP.
Reporting by other Means
Using the recommended best practices.
This makes reporting a simple exercise on listing AD group memberships.
The Centrify OU structure pre-creates AD groups ready for delegations, Centrify OU > Zone Administration. The latest best practice establishes 4 groups:
Centrify Administrators have all rights
Authorization Managers have the rights related to rights, roles and role assignments (Add/remove/modify)
UNIX Data Managers have the rights related to user/group & local user/local groups as well as NIS maps (add/remove/modify)
Computer Managers have the rights related to computers (add/remove/modify).
From that point on, you can simply report on group membership. E.g. PowerShell:

    Get-ADGroupMember "Centrify Administrators" | Select-Object name

    name
    ----
    John Doe
    Diana Wirth

E.g. using adquery group:

    $ dzdo adquery group -A "Centrify Administrators" | grep members
    Demo Password:
    members:centrify.vms/Staff/IT/John Doe, centrify.vms/Staff/IT/Diana Wirth
Alternatively, you can use the attached PowerShell script to generate the report.
I hope this highlights the benefits of using the best practices.
Writing your own
I am not an adedit or TCL expert, but I'd look under the samples folder (/usr/share/centrifydc/samples/adedit) or look at the script I attached to this post. That is the PowerShell version of the Zone Administration report included with the PowerShell samples. If you are versed in adedit, you should be able to see the logic and translate it into it.
Also, maybe one of the PS folks will chime in to this thread.
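The "report on group membership" approach from the answer above, turned into a small script. This is an added example, not the script attached to the post and not Centrify's own code. It assumes the four best-practice group names listed in the answer exist in AD and that `adquery group -A <group>` prints a `members:` line in the comma-separated canonical-name form shown in the answer; the sample output embedded in the parser comment is constructed. Run it as `sh zone-delegation-report.sh run` on a Centrify-joined host (prefix with dzdo if your agent requires elevation for adquery); without the `run` argument it only defines the functions.

```shell
#!/bin/sh
# Added example (not from the original post). Produces a CSV of
# "group","member" rows for the four Zone Administration groups named
# in the answer, by parsing `adquery group -A` output.
set -eu

# Best-practice delegation groups from the answer (assumed to exist in AD).
ZONE_GROUPS="Centrify Administrators
Authorization Managers
UNIX Data Managers
Computer Managers"

# parse_members: read `adquery group -A` output on stdin and print one
# member per line. Assumed input shape (constructed from the answer):
#   members:centrify.vms/Staff/IT/John Doe, centrify.vms/Staff/IT/Diana Wirth
# Member names contain spaces, so only the comma is treated as a separator.
parse_members() {
    sed -n 's/^members://p' \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | sed '/^$/d'
}

# report_group GROUP: read adquery output on stdin, emit CSV rows
# "GROUP","member" with embedded double quotes doubled per RFC 4180.
report_group() {
    group=$1
    parse_members | while IFS= read -r member; do
        safe_member=$(printf '%s' "$member" | sed 's/"/""/g')
        printf '"%s","%s"\n' "$group" "$safe_member"
    done
}

# report_all: query each delegation group with adquery and print the CSV.
# Requires the Centrify agent; groups with no members produce no rows.
report_all() {
    printf '"group","member"\n'
    printf '%s\n' "$ZONE_GROUPS" | while IFS= read -r g; do
        adquery group -A "$g" | report_group "$g"
    done
}

# Only query AD when explicitly asked, so the file can be sourced for its
# functions (and unit-tested on sample output) without a Centrify agent.
if [ "${1:-}" = "run" ]; then
    report_all
fi
```

Because the parser reads stdin, the same functions work on saved adquery output (for example captured from several hosts and reviewed centrally), and the CSV can be loaded straight into a spreadsheet for the audit report the question asks for.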