Templates and Sample Forms

This section provides templates and samples that you can customize and use in the deployment process. These templates represent documents that are commonly used, such as change control requests and email notifications of software changes. Your organization may require you to use organization-specific versions of these documents.

Simplified Environment Analysis and Zone Design Template

This template provides a framework for the information that the deployment team should collect, analyze, and document in evaluating the existing network infrastructure and how it will change after deployment. Depending on your environment and requirements, you might need to collect additional information, but this template describes the most common elements with examples that you can adapt to your organization.

  1. Introduction

    Use this section to provide a brief overview of the deployment plan. For example, document the features you plan to deploy, any primary goals that might affect design decisions, and any dependencies or special considerations, such as activities that require change control approval or enhanced permissions.

  2. Network architecture

    Use this section to capture details about your existing network configuration and Active Directory architecture. For example, you might want to record information about the Active Directory site, forest, and domain controllers, including trust relationships and domain and forest functional levels, if applicable.

    You might also include details about your DNS configuration, including whether you have more than one DNS namespace and any port requirements, firewall restrictions, and any network connectivity issues. For details about the default ports used, see Default ports for network traffic and communication.

  3. Verify Privilege Server Suite-managed computers

    Use this section to provide details about the existing UNIX, Linux, and Mac OS X computers on which you plan to deploy the Verify Privilege Server Suite Agent.

  4. Provisioning process

    Use this section to describe the process for provisioning computers, groups, and users.

  5. Rights, roles, and role assignments

    Use this section to describe the rights, roles, role assignments, and configuration policies you require. For example, if you use the sudo program and the sudoers file, use this section to document how rights and roles are defined in the sudoers file and whether the sudoers file is managed locally on each computer or in a central location.

  6. Zone architecture

    Use this section to identify the Active Directory schema you are using and where Verify Privilege Server Suite-related objects are located in the Active Directory forest.

  7. Deployment preparation in Active Directory

    Use this section to summarize the deployment of Verify Privilege Server Suite components into the existing Active Directory forest and domain.

  8. Windows installation

    Use this section to describe how zones will be created and configured.

  9. UNIX deployment

    Use this section to describe the deployment of Verify Privilege Server Suite Agents on UNIX computers.

  10. Group Policies

    Use this section to describe the group policies that will be deployed for UNIX computers.

Change Control Request Form

Most larger organizations require a formal change request to be submitted for any changes to Active Directory. The purpose of this template is to illustrate a request for creating new Active Directory organizational units, groups, and users. If the deployment team is not allowed to add UNIX groups and group members to Active Directory after the organizational structure is created, it is likely the project will experience delays.

Computer:

Change Requested:

Approved By:

Test Case Matrix Sample

To validate the pilot deployment, most organizations execute at least some formal testing of features and functionality. The purpose of this template is to suggest a basic set of test cases to execute that apply to most environments. These test activities apply to setting up your environment, installing the software, and performing common administrative tasks. You can skip any activities that don’t apply to your organization.

Testing Matrix

  Columns: Activity, Remarks, Date (leave Date blank and fill it in as each activity is completed)

  Active Directory setup activities
    Create the OU structure with a script or manually
    Create the OU permissions with a script or manually
    Create security groups with a script or manually
    Create distribution groups with a script or manually
    Create the Zones container with the Setup Wizard, a script, or manually
    Create the Licenses container with the Setup Wizard, a script, or manually
    Create the service account for the Zone Provisioning Agent
    Update the local or domain policy to grant the Zone Provisioning Agent service account the Log on as a service right
    Deploy the agent on computers

  Access Manager console activities
    Create a zone with a script or the Access Manager console
    Delegate zone control with a script or the Delegate Zone Control Wizard
    Pre-create computer accounts
    Import UNIX groups from group files or group NIS maps
    Resolve mapping issues
    Import UNIX users from passwd files or passwd NIS maps

  Authorization activities
    Assign interactive users to the UNIX Login role
    Assign users who need a profile but not login access to the listed role
    Join computers to the domain using adjoin (Remarks: prepare for migration and create one or more initial zones before you join the domain)
    Configure root-equivalent rights
    Configure a root-equivalent replacement role
    Add an Active Directory group for the role
    Test role access
    Test role privilege controls

  UID consolidation activities
    Identify the current management process (manual or automated)
    Document the new management process
    Define the business rule for assigning UIDs (for example, SID)
    Identify active users to preserve, migrate, and keep
    Run adfixid to change file ownership

  GID consolidation activities
    Identify the current management process (manual or automated)
    Document the new management process
    Define the business rule for assigning the primary GID values (for example, GID)
    Identify the Active Directory groups for primary GID assignments (Remarks: Domain Users)

  User login activities
    Validate Active Directory logon credentials
    Validate successful access to UNIX, Linux, and Mac OS X computers
    Validate successful application usage
    Validate the password complexity policy
    Validate the account lockout policy
    Validate role enforcement
    Validate single sign-on
    Validate password reset

  Clean up activities
    Test period users validated
    Test period groups validated
    Test period roles validated
    Run adrmlocal to remove local accounts

Preliminary Software Delivery Notification Email Template

The purpose of this template is to notify users that they are scheduled to receive new software that will be delivered to their computers. This email notice should include a specific delivery date or a time frame estimate, if possible. Although you can delete this information from the email message you send out in your organization, this notice is most effective if users know specifically when the change is scheduled to occur. You can also customize the specific requirements or objectives that Verify Privilege Server Suite is helping your organization achieve.

Colleagues:

The [Department Testing Verify Privilege Server Suite] has successfully completed testing of the Verify Privilege Server Suite software and is ready to begin the deployment portion of the project. The target date for deployment is [Scheduled time].

Deployment of this software will greatly enhance our ability to comply with multiple industry requirements to include [List objectives, such as: PCI, Sarbanes-Oxley compliance, Internal/External Security Audit, specific organization initiatives]. These requirements are in alignment with prioritized corporate business objectives.

The Verify Privilege Server Suite software enables the streamlining of authentication, access controls and privileges, and auditing for all corporate IT systems. For the most part, deployment and the streamlined authentication and authorization services occur “behind the scenes” with minimal, if any, user disruption. You should not notice any operational changes when the software is deployed to your computer.

Thank you for your cooperation,

[IT Department Signature]

Department-specific Announcement and Instructions Email Template

The purpose of this template is to notify users in a specific department that they are scheduled to transition to using Verify Privilege Server Suite for authentication and authorization. This email notification indicates that you plan to join the computers in the department to an Active Directory domain during down time. Depending on your organization’s policies, this email may suggest users log on with their Active Directory credentials or explicitly state that they can continue to log on with their existing credentials.

Colleagues:

The [Specific department you are deploying to, such as: Accounting Department] is scheduled to begin the transition to Verify Privilege Server Suite next week. In order to ensure a smooth transition, we simply ask that you log off of all systems before leaving for the weekend. When you return to work the following week, you should [be able to log on with your current user name and password].

If you experience any difficulties logging on, or with application connectivity, please submit a ticket or contact the support desk immediately. Several members of each department helped the IT team perform successful testing and validation of this new solution, and we anticipate a smooth transition.

Thank you for your cooperation,

[IT Department Signature]

General Announcement and Deployment Schedule Email Template

The purpose of this template is to notify a broader user community of the deployment schedule for multiple departments across the company. This sample also illustrates the type of notes you can incorporate into the email message to keep other groups informed of their status. The general announcement may also include portions of the other two email templates. For example, you may want to include the objectives the transition to Verify Privilege Server Suite helps the company achieve or the instructions to use current or Active Directory credentials after migration.

Colleagues:

At the completion of the week, the [Verify Privilege Server Suite Deployment Project Team] will allocate first response resources to the next department scheduled for deployment.

This is the schedule coordinated with the Department Heads throughout the company:

  Date          Department               Remarks
  9 May 2017    Information Technology
  16 May 2017   Accounting
  23 May 2017   Marketing                Pending EOQ Reports
  30 May 2017   Security
  6 Jun 2017    Sales
  13 Jun 2017   Executive
  20 Jun 2017   PMO
  27 Jun 2017   Data Warehouse           Pending EOQ Reports
  3 Jul 2017    Training
  10 Jul 2017   Business Development
  17 Jul 2017   Audit

The IT Department would like to thank everyone for their work on this project to date, and looks forward to a successful deployment. If you have any questions, please submit them to the [Server Suite_project] distribution list and include your contact information. We will respond with answers or contact you directly for more information.

Sincerely,

[IT Department | Verify Privilege Server Suite Deployment Project Team]

Deployment Team Task Checklist

Before you install the pilot deployment, you should prepare a deployment checklist to ensure you have the information you need to successfully complete the deployment. For example, you should review port requirements, verify DNS resolution, and create one or more spreadsheets that describe the user and group accounts to be imported and any special relationships, such as membership in specific groups that need to be preserved or any special configuration you want to implement.

Creating a deployment checklist is optional, but can help you to collect detailed information about each of the computers targeted for deployment.

The following example illustrates information you can collect and record in a deployment team task checklist.

Preparing computers for deployment
  Operating system, version, and patch level for target computers
  Host name and IP address for target computers
  Current disk space for target computers
  Review the details of the current DNS configuration. For example:
    Is the address resolved through a UNIX DNS server, a Windows DNS server, or settings in the /etc/hosts and /etc/resolv.conf files?
    Is the computer using a DNS server that has SRV records for the Active Directory domain controllers?
    Are UNIX subnets registered and associated with sites in Active Directory?
    Are you using a disjoint DNS namespace, where a UNIX computer name may be server.company.com but the Active Directory domain name is server.windows.company.com?
    Are you using DNS aliases, and do they resolve correctly?
    Are multiple network interfaces (NICs) in use?
  Current network time source (NTP). For example, does the computer use a different time server than the Active Directory domain controller?
  Current firewall configuration. For example, are any firewalls blocking required ports between the UNIX computer and the Active Directory domain controllers for the registered sites?
  Current applications and services. For example, do you have Perl, Samba, or OpenSSH deployed? Are the versions you have compatible with the Verify Privilege Server Suite Agent, or, if a Verify Privilege Server Suite version is available, are they to be replaced by the versions provided by Verify Privilege Server Suite? Do you have existing authentication providers deployed? Are existing applications and services Kerberos-enabled or PAM-enabled? Are there other applications that require local users or groups?
  Current source of user and group information. For example, are the /etc/passwd and /etc/group files the only source of user information for the users who access this computer, or are other identity stores, such as existing LDAP servers or NIS domains, used? Are there any specific users or groups that should remain locally defined?
  Current NSS configuration. For example, have you reviewed the contents of the nsswitch.conf file to check for other sources of user and group information?
  Connectivity between this computer and the domain controller. For example, is there a reply from the domain controller when you run the ping command?
  User names and UIDs checked for conflicts across the target group
  Zone requirements analyzed for the target group
  Zone identified for this computer
  Verify Privilege Server Suite Agent installed and the computer joined to the domain
  Groups allowed or denied access identified for this computer
  Existing users and groups for this computer imported into Active Directory
  Imported user and group profiles mapped to Active Directory accounts
  Allowed or denied groups configured using parameter values or group policy
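For the "User names and UIDs checked for conflicts across the target group" item in this checklist and the UID consolidation activities in the test case matrix, the following is an added Python example, not part of this guide or of the product, that compares /etc/passwd data collected from several target computers and reports the conflicts the deployment team has to resolve before profiles are imported. The host names, the sample accounts and the system-UID threshold are constructed assumptions.

```python
"""Pre-migration check: user-name and UID conflicts across a target group of hosts."""
from collections import defaultdict

# Constructed /etc/passwd excerpts for three hypothetical target computers (not real data).
SAMPLE_PASSWD = {
    "aspen": ("root:x:0:0:root:/root:/bin/sh\n"
              "jsmith:x:1001:100:J Smith:/home/jsmith:/bin/bash\n"
              "dbadmin:x:1002:100:DB Admin:/home/dbadmin:/bin/bash\n"
              "mlee:x:1003:100:M Lee:/home/mlee:/bin/bash\n"),
    "birch": ("root:x:0:0:root:/root:/bin/sh\n"
              "jsmith:x:1005:100:J Smith:/home/jsmith:/bin/bash\n"
              "backup:x:1002:100:Backup:/home/backup:/bin/bash\n"),
    "cedar": ("root:x:0:0:root:/root:/bin/sh\n"
              "jsmith:x:1001:100:J Smith:/home/jsmith:/bin/bash\n"
              "dbadmin:x:1002:100:DB Admin:/home/dbadmin:/bin/bash\n"),
}
SYSTEM_UID_MAX = 999  # assumption: accounts at or below this UID stay locally defined

def parse_passwd(text):
    """Return {user: uid} from passwd-format text, ignoring blank, comment and short lines."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if not line.strip() or line.startswith("#") or len(fields) < 3:
            continue
        users[fields[0]] = int(fields[2])
    return users

def find_conflicts(passwd_by_host, system_uid_max=SYSTEM_UID_MAX):
    """Return (name_conflicts, uid_conflicts, consistent) for the target group.

    name_conflicts: user -> {host: uid}   one name carries different UIDs on different hosts
    uid_conflicts:  uid  -> {host: user}  one UID names different users on different hosts
    consistent:     user -> uid           names that need no remapping before import
    """
    uids_by_name = defaultdict(dict)
    names_by_uid = defaultdict(dict)
    for host, text in passwd_by_host.items():
        for user, uid in parse_passwd(text).items():
            if uid <= system_uid_max:
                continue  # system account: left local, out of scope for consolidation
            uids_by_name[user][host] = uid
            names_by_uid[uid][host] = user
    name_conflicts = {u: h for u, h in uids_by_name.items() if len(set(h.values())) > 1}
    uid_conflicts = {i: h for i, h in names_by_uid.items() if len(set(h.values())) > 1}
    consistent = {u: next(iter(h.values())) for u, h in uids_by_name.items()
                  if u not in name_conflicts and next(iter(h.values())) not in uid_conflicts}
    return name_conflicts, uid_conflicts, consistent
```

On the sample data, jsmith is flagged because the name has two UIDs, UID 1002 is flagged because it belongs to dbadmin on two hosts and to backup on a third, and only mlee is ready to import unchanged.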

If you use a deployment checklist, you can also include additional notes and details about the activities performed. For example, a partially completed checklist might look something like this:

Preparing computers for deployment
  Operating system: Sun Solaris 10 with all patches applied (17-April-2017)
  Host name and IP address: aspen, 177.29.10.10
  Current DNS configuration: Resolved through the enterprise DNS server, spider.ajax.org
  Current time source: NTP server, ntpd on solstice.ajax.org. Change for deployment: Use SNTP on the Active Directory domain controller
  Current firewall configuration: No port issues
  Current applications and services: Existing OpenSSH version to be replaced, no other issues found
  Current source of user and group information: /etc/passwd, /etc/group, and NIS domain nwest03 have users who access aspen
  Connectivity with the domain controller: Verified by JR (2-May-2011)
  User names and UIDs checked for conflicts across the target group: Analyzed by JR and DC (4-May-2017)
  Zone requirements analyzed for the target group: Zones required for the target group are nwest01, swest02, corp-main, and nwest03 (9 May 2017). SF to recommend new extended zone descriptions for approval
  Zone identified for this computer: nwest03
  Verify Privilege Server Suite Agent installed and the computer joined to the Active Directory domain: dc3colorado.ajax.org, OU: US-UNIX-Computers
  Groups allowed or denied access identified for this computer: Allowed access groups: all_employees, oracle_sys. Denied access groups: consultants, temps
  Existing users and groups for this computer imported into Active Directory: Completed by DC (20-May-2017)
  Imported user and group profiles mapped to Active Directory accounts: Work complete for users and groups that already had matching Active Directory candidates. Work in progress for the remaining profiles without any matching Active Directory candidate. Target date for completion: 31-May-2017
  Allowed or denied groups configured using parameter values or group policy: TBD