[title]: # (Classic Zones (2.x,3.x,4.x)) [tags]: # (windows api) [priority]: # (1)
Classic IBM Security Zones (2.x, 3.x, 4.x)
In classic IBM Security zones, each zone is a separate tree stored in the directory. The root of the zone tree is an Active Directory container with the same name as the zone. The zone attributes described in the logical data model are stored in the attributes of this container object. Within the zone container, there are sub-containers for the Users, Groups, and Computers in the zone.
The following figure illustrates the basic structure used for classic zones.
Within each of the sub-containers, there are serviceConnectionPoint (SCP) objects. The SCP objects contain the IBM Security attributes for each user, group, or computer defined for the zone. Each user, group, or computer serviceConnectionPoint object also has a link back to its parent object (shown as dotted lines in the figure above).
The zone tree structure separates IBM Security and UNIX-specific attributes for each zone from every other zone and from the base Active Directory objects for the users and groups. This structure has the following important benefits:
- It enables a single Active Directory user to have many different UNIX profiles.
- It enables you to delegate administrative tasks to users and groups on a zone-by-zone basis.
The following figure illustrates how the zone tree structure enables a single Active Directory user to have many different UNIX profiles.
In a classic zone, the IBM Security and UNIX-specific attributes are separate from all of the other zones and from the base Active Directory objects for the users and groups. This enables delegated management of UNIX-related tasks, such as adding or removing UNIX profiles, within each zone.
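The following Python script is an added illustration of the zone tree described above, not code or schema from the product: it parses a constructed LDIF export of SCP objects from two classic zones, derives each SCP's zone from its position in the tree, lists the UNIX profiles one Active Directory user holds across zones, and reports SCPs whose back-link no longer resolves to a base AD object. The container name CN=Zones and the attribute names parentLink and unixName are assumptions made for the example.

```python
from collections import defaultdict

# Constructed LDIF-style dump of SCP objects from two classic zones. The
# attribute names parentLink and unixName are assumptions for this example.
SAMPLE_LDIF = """\
dn: CN=alice-scp,CN=Users,CN=Engineering,CN=Zones,DC=example,DC=com
objectClass: serviceConnectionPoint
parentLink: CN=alice,CN=Users,DC=example,DC=com
unixName: alice

dn: CN=alice-scp,CN=Users,CN=Finance,CN=Zones,DC=example,DC=com
objectClass: serviceConnectionPoint
parentLink: CN=alice,CN=Users,DC=example,DC=com
unixName: asmith

dn: CN=bob-scp,CN=Users,CN=Engineering,CN=Zones,DC=example,DC=com
objectClass: serviceConnectionPoint
parentLink: CN=bob,CN=Users,DC=example,DC=com
unixName: bob
"""

# Base AD user objects that still exist (constructed): bob's account was deleted.
EXISTING_AD_OBJECTS = {"CN=alice,CN=Users,DC=example,DC=com"}

def parse_ldif(text):
    """One dict per blank-line-separated entry (single-valued attributes only)."""
    return [dict(line.partition(": ")[::2] for line in block.splitlines())
            for block in text.strip().split("\n\n")]

def zone_of(dn):
    """The zone is the container directly below CN=Zones in the SCP's DN."""
    parts = dn.split(",")
    return parts[parts.index("CN=Zones") - 1][len("CN="):]

def profiles_per_user(entries):
    """Map each base AD user DN to its UNIX profiles across zones: [(zone, unixName)]."""
    result = defaultdict(list)
    for e in entries:
        if e.get("objectClass") == "serviceConnectionPoint":
            result[e["parentLink"]].append((zone_of(e["dn"]), e["unixName"]))
    return dict(result)

def orphaned_scps(entries, existing=EXISTING_AD_OBJECTS):
    """SCPs whose back-link no longer resolves to a base AD object (audit finding)."""
    return [e["dn"] for e in entries
            if e.get("objectClass") == "serviceConnectionPoint"
            and e["parentLink"] not in existing]
```

An orphaned SCP still carries UNIX attributes for an account that no longer exists, so a zone audit should list them alongside the per-zone delegation it reviews.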