Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

mkComputerRoles.tcl: A Script for Enabling Centrify Deployment (part 4)

11 April,19 at 11:51 AM

In part three of this blog, I continued the discussion of using the mkComputerRoles.tcl script with a ComputerRoles.csv definition file to add AD accounts to the User Groups. I showed how to add the AD account to the User Groups from the passwd files, as listed in the ComputerRoles.csv file. As an alternative, I also showed how to add the AD accounts to the User Groups as explicitly defined in a “map file”.

 

In this final blog of the series, I will show how to implement an enhanced separation of duties model with the mkComputerRoles.tcl script.

 

Active Directory OU Structure for an Enhanced Separation of Duties Model

The Centrify best practices OU structure is designed to implement a basic separation of (administrative) duties model (this was discussed in part 1). In some cases, however, the need exists to implement a more granular separation of (administrative) duties model. One method of achieving this granularity of separation of (administrative) duties is to store the UNIX computer objects, User Groups and Computer Groups in OUs based on the required separation of duties. Then, create distinct AD security groups and delegate to them the required AD rights to manage objects in those OUs.

 

For example, suppose there is a need to separate the administration of UNIX computers based on their usage; that is production versus development. Then, the Centrify best practice OU structure as discussed in part 1 of this blog, could be manually augmented. For example, an OU called Prod and one called Dev could be created in the Computer Roles, User Roles and Computers OUs. Also, AD security groups such as cfyA_ProdAdmins and cfyA_DevAdmins could be created in the Centrify Administration OUs. These security groups can then be delegated the appropriate AD rights on the relevant OUs (see table below).

 

An example of the enhanced OU structure and new security groups is:

 

 Screen Shot 2016-09-29 at 12.25.53 PM.png

 

The minimum AD rights that are delegated to the security groups are:

OU

Group

Delegated Permissions

OU=Dev,OU=Computer Roles

cfyA_DevAdmins

Using DSA.MSC (ADUC):

·      Create, delete and manage groups

·      Modify the membership of a group

OU=Prod,OU=Computer Roles

cfyA_ProdAdmins

Using DSA.MSC (ADUC):

·      Create, delete and manage groups

·      Modify the membership of a group

OU=Dev,OU=User Roles

cfyA_DevAdmins

Using DSA.MSC (ADUC):

·      Create, delete and manage groups

·      Modify the membership of a group

OU=Prod,OU=User Roles

cfyA_ProdAdmins

Using DSA.MSC (ADUC):

·      Create, delete and manage groups

·      Modify the membership of a group

OU=Dev,OU=Computers

cfyA_DevAdmins

Using ADSIEDIT.MSC (ADSIEDIT):

On the Object Tab:

·      Create/Delete Computer Objects (This Object and All Child Objects)

·      Reset password (Descendent Computer Objects)

·      Change password (Descendent Computer Objects)

·      All Extended Rights (Descendent Computer Objects)

·      Validated write to DNS host name (Descendent Computer Objects)

·      Validated write to service principal name (Descendent Computer Objects)

On the Properties Tab

·      Write userAccountControl

·      Write operatingSystem

·      Write operatingSystemVersion

·      Write operatingSystemHotfix

·      Write operatingSystemServicePack

·      Write Description

·      Write displayName

·      Write name

·      Write Name

·      Write ComputerName (pre-Windows 2000)

·      Write dNSHostName

OU=Prod,OU=Computers

cfyA_ProdAdmins

Using ADSIEDIT.MSC (ADSIEDIT):

On the Object Tab:

·      Create/Delete Computer Objects (This Object and All Child Objects)

·      Reset password (Descendent Computer Objects)

·      Change password (Descendent Computer Objects)

·      All Extended Rights (Descendent Computer Objects)

·      Validated write to DNS host name (Descendent Computer Objects)

·      Validated write to service principal name (Descendent Computer Objects)

On the Properties Tab

·      Write userAccountControl

·      Write operatingSystem

·      Write operatingSystemVersion

·      Write operatingSystemHotfix

·      Write operatingSystemServicePack

·      Write Description

·      Write displayName

·      Write name

·      Write Name

·      Write ComputerName (pre-Windows 2000)

·      Write dNSHostName

 

The UNIX administrators of the development computers would be added to the group cfyA_DevAdmins and the UNIX administrators of the production computers would be added to the cfyA_ProdAdmins group.

 

The Centrify Zone Structure for the Enhanced Separation of Duties Model

Corresponding to the enhanced OU structure, a zone structure is created. It consists of a single parent zone named Global and two child zones named Dev and Prod. For example:

Screen Shot 2016-09-29 at 12.29.51 PM.png

 

Using Centrify Access Manager, the cfyA_DevAdmins and cfyA_ProdAdmins groups are delegated full (All) control of the Dev and Prod zones, respectively. For example:

Screen Shot 2016-09-29 at 4.06.03 AM.png

and:

Screen Shot 2016-09-29 at 4.02.36 AM.png

 

Execute the mkComputerRoles.tcl script

The ComputerRoles.csv file looks like this:

Screen Shot 2016-09-29 at 4.18.33 AM.png

Where the engcen6 computer will be joined to the Dev zone and added to the computer role DevServers.

 

The mkComputerRoles.tcl command to use is:

mkComputerRoles.tcl -d centrifyimage.vms -f ComputerRoles.csv -j ad,scp -a –o ou=dev,ou=computers,ou=centrify –c “ou=dev,ou=computer roles,ou=Centrify” -r “ou=dev,ou=user roles,ou=Centrify” -u tetsu

 

Note: The mkComputerRoles.tcl script should be executed by a user who is a member of the cfyA_CentrifyAdministrators group, which has been delegated AD rights to create objects under the Centrify OU.

 

Results of executing mkComputerRoles.tcl script

After executing the mkComputerRoles.tcl script the following objects are created in AD:

 

  • The Computer Role DevServers is created in the child zone Dev. The Description field is written and an AD group, called a Computer Group (or Computer Role Group) cfyC_DevServers, is created for the Computer Role. For example, as seen in Access Manager:

 Screen Shot 2016-09-29 at 5.12.19 AM.png

 

  • The Computer Group is created in OU=Dev,OU=Computers. For example, as seen in ADUC:

Screen Shot 2016-09-29 at 6.13.36 AM.png

 

  • The computer object is created in OU=Dev,OU=Computers. For example, as seen in ADUC:

Screen Shot 2016-09-29 at 6.18.30 AM.png

  • The computer object is added to the Computer Group, cfyC_DevServers. For example, as seen in ADUC:

Screen Shot 2016-09-29 at 6.21.46 AM.png

 

  • A Service Connection Point (SCP) object for the computer is created. For example, as seen in Access Manager:

Screen Shot 2016-09-29 at 6.22.49 AM.png

 

and as seen in ADUC:

Screen Shot 2016-09-29 at 6.41.37 AM.png

 

  • The User Group, cfyUC_UNIX Login_DevServers, is created in OU=Dev,OU=User Roles. For example, as seen in ADUC:

Screen Shot 2016-09-29 at 6.25.04 AM.png

 

  • The UNIX Login role is assigned to the computer role, DevServers using the group cfyUC_UNIX Login_DevServers. For example, as seen in Access Manager:

Screen Shot 2016-09-29 at 6.29.08 AM.png

 

Summary

I showed that the mkComputerRoles.tcl script can be used to create AD objects in OUs specified on the command line. Consequently, it can be used to implement a granular separation of (administrative) duties model.

 

 

 

Attachments:

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.