Applies to: Centrify DirectControl 5.0.x
After adding a group of users to "Role Assignments" in the Centrify DirectManage Access Manager/DirectControl console, the users do not show up in "Show Effective Users" for Centrify servers. It is specific to one group and other groups are working fine.
An attempt was made to add users (vs group) manually with "Login Rights", but was also unsuccessful in making the users visible. The Role Assignments for the group and users were checked and confirmed to be configured correctly.
From the Unix machine, "adquery user -A username | grep zoneE*" returns the user is not Zone-enabled:
What can be done to troubleshoot this?
Check the following areas:
1) Does the user have a valid UNIX profile in the current or parent Zones?
2) Are the following attributes defined to create a complete Effective UNIX profile?:
- Login name
"Effective UNIX profile" means the union of profile attributes from current Zone up to root Zone. Centrify will still consider the "Effective UNIX profile" as complete, even if the profile in child and parent zones separately are incomplete.
- Primary group
- Home directory
The user will be shown in "Show Effective Users" when both the above conditions are satisfied, adquery will also return zoneEnabled:true once this occurs.
1. To check if the user has a UNIX profile in Centrify DirectManage Access Manager/DirectControl console:
- For Zone, check the <Zone node> -> UNIX Data -> Users.
2. To check if the profile is complete, right-click the user profile in the Users node and select Zone Profile.
- For computer, check the <computer node> -> UNIX Data -> Users.
Check to see if the members of group "nix_users_tivoli_admin" are listed in the above locations.
The user should have at least one profile in one of the Zones/computer.
If cumulatively all five of the Effective UNIX profile attributes are defined; the profile is considered complete.