KB-3376: How to limit a user to access to only one particular machine in Classic Zone

Centrify DirectControl

12 April,16 at 11:45 AM

Applies to: All versions of Centrify DirectControl on All Platforms
 
Question:
 
In a Classic Zone, once a new user is added to the Zone, that user can access every server inside the Classic Zone.
(No role assignment is required.)
 
For example:
 
[root@redhat Desktop]# dzinfo str
Zone Status: DirectAuthorize is enabled
User: str
Forced into restricted environment: No
 
  Role Name        Avail Restricted Env 
  ---------------  ----- -------------- 
  (str has no roles assigned)
 
 
  PAM Application  Avail Source Roles         
  ---------------  ----- -------------------- 
  (str can use any pam application)
 
 
Privileged commands:
  Name             Avail Command               Source Roles         
  ---------------  ----- --------------------  -------------------- 
  (str has no privileged command rights)
 
 
[root@redhat Desktop]# ssh str@localhost
str@localhost's password: 
Last login: Thu Aug  8 00:28:44 2013 from 192.168.0.111
[str@redhat ~]$ 
 
 
 
Can the user be limited to only one particular machine in Classic Zone?
 
Answer:
 
To achieve this, add the target AD user to the target Classic Zone and then follow the procedure below:
 
Open up Centrify DirectManage Access Manager console:
  1. In the target Classic Zone, create a new role (called "Restricted to Login" in the example below).
     
  2. Right-click the newly created role > Properties and add a redundant PAM access right to this role, i.e. one that grants no usable login (in the example below it is also called "Restricted to Login").
     
  3. Right-click the newly created role > Assign Users and Groups and assign the target AD user (Fred Thomas in the example below) to the new role "Restricted to Login". See the screen capture below.

    At this stage, AD user Fred Thomas has no access right on any computer in the target Classic Zone.

    [Screen capture: "Restricted to Login" role assigned to AD user Fred Thomas]

    "dzinfo <user name>" output after running "adflush -f" on the target computer:

    [root@redhat Desktop]# dzinfo fred.thomas
    Zone Status: DirectAuthorize is enabled
    User: fred.thomas
    Forced into restricted environment: No

      Role Name        Avail Restricted Env 
      ---------------  ----- -------------- 
      Restricted to    Yes   None           
      Login                                 

        Effective rights:


      PAM Application  Avail Source Roles         
      ---------------  ----- -------------------- 
      Restricted to    Yes   Restricted to Login  
      Login                                       


    Privileged commands:
      Name             Avail Command               Source Roles         
      ---------------  ----- --------------------  -------------------- 
      (fred.thomas has no privileged command rights)

    [root@redhat Desktop]# ssh fred.thomas@localhost
    fred.thomas@localhost's password: 
    Account cannot be accessed at this time.
    Please contact your system administrator.
    Connection closed by ::1
    [root@redhat Desktop]# 


     
  4. On the target computer that the target AD user will be allowed to access, right-click a role that grants the login right (called "Login Role" in the example below) > "Assign Users and Groups" and assign the target AD user to "Login Role".

    See the screen capture below.

    [Screen capture: "Login Role" assigned to AD user Fred Thomas on the target computer]

    Note: Make sure the "Login Role" assigned to target user has the appropriate login right(s).

    See the screen capture below for the PAM access right of the "Login Role".

    [Screen capture: PAM access right of the "Login Role"]

    At this stage, AD user Fred Thomas has no access right on any computer in the target Zone except for the target computer above.
     
  5. As local admin or root, run "adflush -f" on the target machine to make the role assignment changes effective. The target user will then be able to log in to the target machine only.
     
    [root@redhat Desktop]# dzinfo fred.thomas
    Zone Status: DirectAuthorize is enabled
    User: fred.thomas
    Forced into restricted environment: No
     
      Role Name        Avail Restricted Env 
      ---------------  ----- -------------- 
      Restricted to    Yes   None           
      Login                                 
      Login Role       Yes   None           
     
        Effective rights:
     
     
      PAM Application  Avail Source Roles         
      ---------------  ----- -------------------- 
      !*               Yes   Login Role           
      ssh*             Yes   Login Role           
      Restricted to    Yes   Restricted to Login  
      Login                                       
     
     
    Privileged commands:
      Name             Avail Command               Source Roles         
      ---------------  ----- --------------------  -------------------- 
      (fred.thomas has no privileged command rights)
     
    [root@redhat Desktop]# ssh fred.thomas@localhost
    fred.thomas@localhost's password: 
    Last login: Thu Aug  8 01:00:53 2013 from localhost
    [fred.thomas@redhat ~]$ 
 
Whenever another user needs the same arrangement (i.e. the user is barred from every machine in the Classic Zone apart from one), the logic is:
  1. Add the user to the Zone.
  2. Assign the user the "Restricted to Login" role under Zone > Roles.
  3. Assign the user the "Login Role" under Zone > Computers > <target computer> > Role Assignments.
  4. Run "adflush -f" to make the changes effective.
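After step 4 it is worth confirming on every computer in the Zone, not just the target, that the user really holds an ssh-capable PAM right on only one of them. The following script is an added example (not Centrify's code) that parses "dzinfo <user>" output and reports whether any available PAM access right pattern matches the sshd PAM service name (assumed to be "sshd"); the two sample outputs are constructed to mirror the before/after states shown above.

```shell
#!/bin/sh
# Added example, not from the Centrify KB: parse "dzinfo <user>" output and
# report whether an available PAM access right would admit an ssh login.
# Both samples below are constructed to mirror the article's dzinfo output.

# Constructed: after step 2/3, only the redundant "Restricted to Login" right.
DZINFO_RESTRICTED='User: fred.thomas
  PAM Application  Avail Source Roles
  ---------------  ----- --------------------
  Restricted to    Yes   Restricted to Login
  Login

Privileged commands:
  (fred.thomas has no privileged command rights)'

# Constructed: after step 3/4 on the target machine, "Login Role" added.
DZINFO_TARGET='User: fred.thomas
  PAM Application  Avail Source Roles
  ---------------  ----- --------------------
  !*               Yes   Login Role
  ssh*             Yes   Login Role
  Restricted to    Yes   Restricted to Login
  Login

Privileged commands:
  (fred.thomas has no privileged command rights)'

# pam_apps <dzinfo-output>: print the application pattern of every row in the
# "PAM Application" table whose Avail column is "Yes" (wrapped name lines skip).
pam_apps() {
  printf '%s\n' "$1" | awk '
    /^ *PAM Application +Avail/ { in_pam = 1; next }
    /^ *Privileged commands:/   { in_pam = 0 }
    in_pam && match($0, /  Yes  /) {
      name = substr($0, 1, RSTART - 1)
      sub(/^ +/, "", name); sub(/ +$/, "", name); print name
    }'
}

# can_ssh <dzinfo-output>: "yes" if an available pattern (used as a shell
# glob) matches the assumed sshd PAM service name "sshd", otherwise "no".
can_ssh() {
  hit=$(pam_apps "$1" | while IFS= read -r pat; do
    case sshd in $pat) echo yes; break ;; esac
  done)
  [ "$hit" = yes ] && echo yes || echo no
}

can_ssh "$DZINFO_RESTRICTED"   # no
can_ssh "$DZINFO_TARGET"       # yes
```

On a real host replace the constructed samples with `dzinfo <user>` output captured after `adflush -f`; every non-target computer should report "no".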
 
Centrify DirectControl version 5 and above offers a better solution for this kind of scenario: Hierarchical Zones.
See the following link or contact Centrify if further information is needed:
http://www.centrify.com/directcontrol/zones.asp
 
