In part three of this blog, I continued the discussion of using the mkComputerRoles.tcl script with a ComputerRoles.csv definition file to add AD accounts to the User Groups. I showed how to add the AD account to the User Groups from the passwd files, as listed in the ComputerRoles.csv file. As an alternative, I also showed how to add the AD accounts to the User Groups as explicitly defined in a “map file”.
In this final blog of the series, I will show how to implement an enhanced separation of duties model with the mkComputerRoles.tcl script.
Active Directory OU Structure for an Enhanced Separation of Duties Model
The Centrify best practices OU structure is designed to implement a basic separation of (administrative) duties model (this was discussed in part 1). In some cases, however, the need exists to implement a more granular separation of (administrative) duties model. One method of achieving this granularity of separation of (administrative) duties is to store the UNIX computer objects, User Groups and Computer Groups in OUs based on the required separation of duties. Then, create distinct AD security groups and delegate to them the required AD rights to manage objects in those OUs.
For example, suppose there is a need to separate the administration of UNIX computers based on their usage, that is, production versus development. Then the Centrify best practice OU structure discussed in part 1 of this blog could be manually augmented. For example, an OU called Prod and one called Dev could be created under each of the Computer Roles, User Roles and Computers OUs. Also, AD security groups such as cfyA_ProdAdmins and cfyA_DevAdmins could be created in the Centrify Administration OU. These security groups can then be delegated the appropriate AD rights on the relevant OUs (see the table below).
An example of the enhanced OU structure and new security groups is:
The minimum AD rights that are delegated to the security groups are:
| OU | Group | Delegated Permissions |
|---|---|---|
| OU=Dev,OU=Computer Roles | cfyA_DevAdmins | Using DSA.MSC (ADUC): Create, delete and manage groups; Modify the membership of a group |
| OU=Prod,OU=Computer Roles | cfyA_ProdAdmins | Using DSA.MSC (ADUC): Create, delete and manage groups; Modify the membership of a group |
| OU=Dev,OU=User Roles | cfyA_DevAdmins | Using DSA.MSC (ADUC): Create, delete and manage groups; Modify the membership of a group |
| OU=Prod,OU=User Roles | cfyA_ProdAdmins | Using DSA.MSC (ADUC): Create, delete and manage groups; Modify the membership of a group |
| OU=Dev,OU=Computers | cfyA_DevAdmins | Using ADSIEDIT.MSC (ADSIEDIT). On the Object tab: Create/Delete Computer Objects (This Object and All Child Objects); Reset password (Descendent Computer Objects); Change password (Descendent Computer Objects); All Extended Rights (Descendent Computer Objects); Validated write to DNS host name (Descendent Computer Objects); Validated write to service principal name (Descendent Computer Objects). On the Properties tab: Write userAccountControl; Write operatingSystem; Write operatingSystemVersion; Write operatingSystemHotfix; Write operatingSystemServicePack; Write Description; Write displayName; Write name; Write Name; Write ComputerName (pre-Windows 2000); Write dNSHostName |
| OU=Prod,OU=Computers | cfyA_ProdAdmins | Using ADSIEDIT.MSC (ADSIEDIT). On the Object tab: Create/Delete Computer Objects (This Object and All Child Objects); Reset password (Descendent Computer Objects); Change password (Descendent Computer Objects); All Extended Rights (Descendent Computer Objects); Validated write to DNS host name (Descendent Computer Objects); Validated write to service principal name (Descendent Computer Objects). On the Properties tab: Write userAccountControl; Write operatingSystem; Write operatingSystemVersion; Write operatingSystemHotfix; Write operatingSystemServicePack; Write Description; Write displayName; Write name; Write Name; Write ComputerName (pre-Windows 2000); Write dNSHostName |
The UNIX administrators of the development computers would be added to the group cfyA_DevAdmins and the UNIX administrators of the production computers would be added to the cfyA_ProdAdmins group.
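The rights in the Computers rows of the table can be granted with a script instead of clicking through ADSIEDIT, which also makes the delegation reviewable and repeatable. The following PowerShell is an added example and is not part of the original post or of Centrify's tooling; it assumes the ActiveDirectory module, that the Dev/Prod OUs and the cfyA_* groups already exist under OU=Centrify, and it resolves the class, attribute and right GUIDs from the schema rather than hard-coding them.

```powershell
# Added example, not from the original post. Delegates the per-environment
# rights listed in the table to the matching cfyA_* group on its Computers OU.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$rootDse  = Get-ADRootDSE

# Look up GUIDs in the schema / Extended-Rights container instead of hard-coding.
function Get-SchemaGuid([string]$ldapDisplayName) {
    $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    return [System.Guid]$o.schemaIDGUID
}
function Get-RightGuid([string]$displayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$displayName)" -Properties rightsGuid
    return [System.Guid]$o.rightsGuid
}

function Grant-ComputerOuRights([string]$ouDN, [string]$groupName) {
    $sid      = (Get-ADGroup $groupName).SID
    $computer = Get-SchemaGuid 'computer'
    $R        = [System.DirectoryServices.ActiveDirectoryRights]
    $I        = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
    $acl      = Get-Acl -Path "AD:\$ouDN"

    # Object tab: Create/Delete Computer Objects (this object and all child objects)
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, ($R::CreateChild -bor $R::DeleteChild), 'Allow', $computer, $I::All)))
    # Object tab: All Extended Rights on descendant computers (covers Reset/Change password)
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $R::ExtendedRight, 'Allow', [System.Guid]::Empty, $I::Descendents, $computer)))
    # Object tab: validated writes (these are "Self" rights, not extended rights)
    foreach ($vw in 'Validated write to DNS host name', 'Validated write to service principal name') {
        $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, $R::Self, 'Allow', (Get-RightGuid $vw), $I::Descendents, $computer)))
    }
    # Properties tab: write the listed attributes on descendant computers
    # (sAMAccountName is the "Computer name (pre-Windows 2000)" attribute)
    foreach ($attr in 'userAccountControl', 'operatingSystem', 'operatingSystemVersion',
                      'operatingSystemHotfix', 'operatingSystemServicePack', 'description',
                      'displayName', 'name', 'sAMAccountName', 'dNSHostName') {
        $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, $R::WriteProperty, 'Allow', (Get-SchemaGuid $attr), $I::Descendents, $computer)))
    }
    Set-Acl -Path "AD:\$ouDN" -AclObject $acl
}

Grant-ComputerOuRights "OU=Dev,OU=Computers,OU=Centrify,$domainDN"  'cfyA_DevAdmins'
Grant-ComputerOuRights "OU=Prod,OU=Computers,OU=Centrify,$domainDN" 'cfyA_ProdAdmins'
```

After running it, `(Get-Acl "AD:\OU=Dev,OU=Computers,OU=Centrify,$domainDN").Access | Where-Object IdentityReference -like '*cfyA_DevAdmins'` shows the resulting ACEs, which is the same view used to audit that cfyA_DevAdmins has no rights on the Prod OU.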
The Centrify Zone Structure for the Enhanced Separation of Duties Model
Corresponding to the enhanced OU structure, a zone structure is created. It consists of a single parent zone named Global and two child zones named Dev and Prod. For example:
Using Centrify Access Manager, the cfyA_DevAdmins and cfyA_ProdAdmins groups are delegated full (All) control of the Dev and Prod zones, respectively. For example:
and:
Execute the mkComputerRoles.tcl script
The ComputerRoles.csv file looks like this:
In this file, the engcen6 computer is to be joined to the Dev zone and added to the computer role DevServers.
The mkComputerRoles.tcl command to use is:
mkComputerRoles.tcl -d centrifyimage.vms -f ComputerRoles.csv -j ad,scp -a -o "ou=dev,ou=computers,ou=Centrify" -c "ou=dev,ou=computer roles,ou=Centrify" -r "ou=dev,ou=user roles,ou=Centrify" -u tetsu
Note: The mkComputerRoles.tcl script should be executed by a user who is a member of the cfyA_CentrifyAdministrators group, which has been delegated AD rights to create objects under the Centrify OU.
Results of executing mkComputerRoles.tcl script
After executing the mkComputerRoles.tcl script the following objects are created in AD:
- The Computer Role DevServers is created in the child zone Dev. The Description field is written, and an AD group named cfyC_DevServers, called a Computer Group (or Computer Role Group), is created for the Computer Role. For example, as seen in Access Manager:
- The Computer Group is created in OU=Dev,OU=Computers. For example, as seen in ADUC:
- The computer object is created in OU=Dev,OU=Computers. For example, as seen in ADUC:
- The computer object is added to the Computer Group, cfyC_DevServers. For example, as seen in ADUC:
- A Service Connection Point (SCP) object for the computer is created. For example, as seen in Access Manager:
and as seen in ADUC:
- The User Group, cfyUC_UNIX Login_DevServers, is created in OU=Dev,OU=User Roles. For example, as seen in ADUC:
- The UNIX Login role is assigned to the computer role DevServers using the group cfyUC_UNIX Login_DevServers. For example, as seen in Access Manager:
Summary
I showed that the mkComputerRoles.tcl script can be used to create AD objects in OUs specified on the command line. Consequently, it can be used to implement a granular separation of (administrative) duties model.