Welcome to the Centrify community.
To leverage AD groups to control access using Express:
- Over SSH, you can leverage the SSH user/group allow/deny parameters to control access.
  https://www.ostechnix.com/allow-deny-ssh-access-particular-user-group-linux/
- To also include the console, use access.conf; you can leverage adclient's PAM and NSS framework integration.
  http://linux.die.net/man/5/access.conf
- You can use the pam_succeed_if shared object with the user_ingroup or user_notingroup PAM directive.
  http://linux.die.net/man/8/pam_succeed_if
However, the best option is to use the access control capabilities provided by Centrify zones in the commercial version (Infrastructure Services), because it:
- Works out of the box once configured, with no need to touch the clients.
- Supports large numbers of objects and any type of AD trust.
- Is multi-platform across UNIX, Linux, Mac and Windows.
- Has native support for Multi-factor Authentication.
- Includes DirectAuthorize for cross-platform privilege elevation.
  https://community.centrify.com/t5/Centrify-Infrastructure-Services/FAQ-What-is-DirectAuthorize-dzdo-dzwin/td-p/21193
- Includes Report Services for attestation.
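
The three Express-compatible options listed above, as an added configuration sketch that is not part of the original reply. The group name `unix-admins` is a hypothetical AD group, assumed to resolve through NSS (check with `getent group unix-admins`); the PAM file paths are the usual Linux locations and may differ on your platform.

```conf
# --- Option 1: /etc/ssh/sshd_config (SSH logins only) ---
# Once AllowGroups is set, only members of the listed groups may log in
# over SSH. Everyone else is refused, including local accounts and root
# unless they are members too.
AllowGroups unix-admins
# Validate before reloading sshd:  sshd -t

# --- Option 2: /etc/security/access.conf (SSH and console) ---
# Format: permission : users/groups : origins. First matching line wins.
# Group names go in parentheses so they are not mistaken for user names.
+ : root : LOCAL
+ : (unix-admins) : ALL
- : ALL : ALL
# access.conf is only consulted if pam_access is in the PAM stack of each
# service to be covered, e.g. in /etc/pam.d/sshd and /etc/pam.d/login:
#   account  required  pam_access.so

# --- Option 3: pam_succeed_if, e.g. in /etc/pam.d/sshd ---
# Fails the account phase for any user who is not a member of the group.
# This also applies to local accounts that use the same PAM service.
account  required  pam_succeed_if.so user ingroup unix-admins
# Inverse form, denying members of a group instead:
#   account  required  pam_succeed_if.so user notingroup contractors
```

Keep an existing root or console session open while testing any of these, so a mistake in the group name does not lock you out.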