How Can I Manage Access Rules for Computers in Different Zones?
You can use computer roles—groups of computers with a common purpose—to simplify assigning access roles. A computer role is simply an Active Directory group of computers. You create this group because a specific set of computers have something in common. For example, you can create a security group for all Oracle database servers in your organization, or all Oracle servers in a specific location, or all Oracle servers owned by a certain team of administrators. The same computers might be in multiple Active Directory groups, but each group defines a specific purpose. The computers might also be in the same zone or different zones.
A computer role enables you to associate an Active Directory group of computers with a specific set of access rules that apply to just that set of computers.
To create a computer role that defines access rules for a group of computers
- Create Active Directory groups for the sets of users who have specific access rights.
  For example, you might create a group for OracleUsers and a group for OracleAdmins in the IBM Security UNIX Groups organizational unit.
- In Access Manager, expand Zones and the parent and child zones to find the zone for the computer that requires a computer role.
- Expand Authorization, right-click Computer Roles, then select Create Computer Role.
- Type the name and description, then select Create group to create the Active Directory security group for the computers that share a common purpose.
  For example, create a new global group named Oracle Servers.
- In Access Manager, create or identify the access rights and role definitions that apply specifically to this set of computers.
  For example, define the access rights appropriate for the Oracle users and for the Oracle administrators.
  Add role definitions for the Oracle users (OracleLoginRights) and administrators (OracleAdminRights), then add the appropriate rights to each role.
- Assign the role definitions to the appropriate Active Directory groups.
  For example, assign the OracleLoginRights role to the OracleUsers group and the OracleAdminRights role to the OracleAdmins group.
- Add the computers to the computer role group.
  For example, expand Computer Roles and Oracle Servers, right-click Members, then select Add Computer to add each Oracle server to the Members node.
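The Active Directory side of this procedure (the user groups from the first step, the computer role group from the fourth, and its computer members from the last) can be scripted with the ActiveDirectory RSAT module. This is an added example, not code from the original page or from the product; the OU path and the server names are placeholders, and the role definitions and assignments still have to be made in Access Manager.

```powershell
# Added example (not from the original page or the product documentation).
# Assumes the ActiveDirectory RSAT module; the OU path and host names are placeholders.
Import-Module ActiveDirectory

$groupOu     = "OU=IBM Security UNIX Groups,DC=example,DC=com"   # placeholder OU
$oracleHosts = @("oradb01", "oradb02")                            # placeholder computer names

function Ensure-GlobalSecurityGroup {
    param([string]$Name, [string]$Path)
    # Create the group only if it does not already exist in the target OU.
    if (-not (Get-ADGroup -Filter "Name -eq '$Name'" -SearchBase $Path)) {
        New-ADGroup -Name $Name -GroupScope Global -GroupCategory Security -Path $Path
    }
}

# Step 1: user groups that will later be assigned the role definitions.
Ensure-GlobalSecurityGroup -Name "OracleUsers"  -Path $groupOu
Ensure-GlobalSecurityGroup -Name "OracleAdmins" -Path $groupOu

# Step 4: the computer role's own group, a global security group of computers.
Ensure-GlobalSecurityGroup -Name "Oracle Servers" -Path $groupOu

# Last step: add each Oracle server's computer object to the computer role group.
$computers = foreach ($h in $oracleHosts) {
    Get-ADComputer -Filter "Name -eq '$h'"
}
Add-ADGroupMember -Identity "Oracle Servers" -Members $computers

# Check: a computer role group should hold only computer objects. A user or a
# nested group added here by mistake widens the scope of the role's access rules.
$unexpected = Get-ADGroupMember -Identity "Oracle Servers" |
    Where-Object { $_.objectClass -ne "computer" }
if ($unexpected) {
    Write-Warning ("Non-computer members in 'Oracle Servers': " + ($unexpected.Name -join ", "))
}
```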