28 August,17 at 02:28 PM
Question:
In Access Manager, why does "Show Effective Windows User Rights" show results when no Windows Rights have been assigned?
For example, I create a zone named Global and assign the "Unix Login" role to the user tetsu (fig1). When I right-click on the Global zone and select "Show Effective Windows User Rights" (fig2), it shows tetsu as having the "UNIX Login" role (fig3) even though I have not assigned him Windows Rights.
Answer:
Show effective Unix user requires a check of both a Unix profile (identity) and a role assignment (access control). If a user is missing either requirement, no result is shown because the setup is not complete.
For show effective Windows user, however, the Windows user identity already exists in AD, and the Unix login role and the Windows login role are actually the same Azman object, differing only in which attributes are set (in the GUI, the Windows authorization configuration also exists in the Unix login role). Therefore, the Unix role assignment shows up.
A role can contain any combination of Windows rights, UNIX rights and system rights.
Besides, roles have audit / rescue / MFA flags that affect both UNIX and Windows.
You can also say all roles are always both Windows and UNIX.
For example, even the UNIX login role has "Audit if possible", which also affects Windows.