
TO-BE Architecture of ST

ST.COM

Domain MWS.ST.COM

Windows account belonging to the MWS domain:
cn=gurpreet singh,ou=users,dc=mws,dc=com
objectSid = abcxyz

Domain CAD.ST.COM (two-way trust with MWS.ST.COM)

Equivalent SCP, used by the Centrify Agent tool (contains the unix resource login information). The Windows account and its equivalent SCP are associated through the SID:
cn=gurpreet@st.com
keywords (multi-valued attribute) = parentlink: abcxyz
                                  = login: singhg
                                  = unix uid: 1001
                                  = gid: 2001
                                  = shell: /home/rand.pm

Note: This is a mere example. In the actual implementation, attribute names may differ.

Information about the previous slide

As you can see, there is a normal Windows AD account, cn=gurpreet singh, with objectClass = person/user. It has the SID abcxyz. This account resides in the MWS domain.
There is another domain, CAD.ST.COM, where the Centrify Agent tool will be installed to give users access to CAD/Unix resources.
For an AD object in the MWS domain to have access to CAD/Unix resources, Centrify will create a separate CAD/Unix identity in the CAD domain. These identities are called service connection points (SCPs).
That SCP is linked to the AD object on the basis of the SID of that AD object. So, in the previous slide, Centrify created an SCP cn=gurpreet@st.com. This SCP has a multi-valued attribute called keywords, which contains key/value pairs. One of those key/value pairs is parentlink: abcxyz, which holds the SID of the AD object (cn=gurpreet singh) in the MWS domain.
The keywords attribute also contains another key/value pair, login: singhg, which is the login name to be used for access to CAD/Unix resources. We can also call this the unix login name.

GroupID Requirements

While adding members to a security group, the owner shall be able to search on the basis of unix login name (singhg), which resides under the keywords attribute in an SCP in the CAD domain, but the member added to the group should be the associated Windows user in the MWS domain.

What the user sees in the GroupID Self Service Portal (search this, in CAD.ST.COM):
cn=test-group,dc=mws,dc=com
members: cn=singhg (the SCP in the CAD domain, which actually points to a Windows user in the MWS domain)

What it actually is in Active Directory (but add this, in MWS.ST.COM):
cn=test-group,dc=mws,dc=com
members: cn=gurpreet singh,ou=users,dc=mws,dc=com (the actual AD object in the MWS domain)

Please note that the above requirement is a separate requirement and has no impact on the current working of GroupID. It may be met through a separate portal or a separate instance of GroupID.

GroupID Requirements

Similarly, while deleting a member from a security group, the owner shall be able to search on the basis of unix login name (singhg), but when he/she clicks the delete button, the actual Windows user in the MWS domain should be removed from the group.

What the user sees in the GroupID Self Service Portal (search this, in CAD.ST.COM): the SCP cn=singhg in the CAD domain.
What is actually removed from the group in Active Directory (but delete this, in MWS.ST.COM): the Windows user in the MWS domain that the SCP points to.
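The two requirements above (add by unix login name, remove by unix login name) and the SID link explained on the previous slide come down to the same resolution: search the SCP in the CAD domain by its login keyword, follow parentlink to the SID, look that SID up in the MWS domain, and change membership on the Windows user rather than on the SCP. The following PowerShell script is an added example written for this page; it is not code from the deck, from GroupID or from Centrify. It assumes the domains cad.st.com and mws.st.com, that the SCP keeps "login: <name>" and "parentlink: <SID string>" in the multi-valued keywords attribute exactly as the example slide shows (the deck notes that real attribute names may differ), and that parentlink holds a real S-1-5-21-... SID rather than the placeholder abcxyz.

```powershell
<#
Added example (not from the original deck, nor Centrify's or GroupID's own code).
Resolves a unix login name to the Windows user linked through the SCP, then adds or
removes that Windows user, never the SCP, in a group in the MWS domain.
Assumptions (adjust to the real schema): domains cad.st.com and mws.st.com; the SCP
stores "login: <name>" and "parentlink: <SID string>" in the multi-valued keywords
attribute; parentlink is a real SID (the deck's "abcxyz" is a placeholder).
#>
param(
    [Parameter(Mandatory)] [string] $UnixLogin,   # e.g. singhg
    [Parameter(Mandatory)] [string] $GroupDN,     # e.g. CN=test-group,DC=mws,DC=com
    [ValidateSet('Add', 'Remove')] [string] $Action = 'Add',
    [string] $CadDomain = 'cad.st.com',
    [string] $MwsDomain = 'mws.st.com'
)
Import-Module ActiveDirectory -ErrorAction Stop

# Escape a value for use inside an LDAP filter (RFC 4515) so that an owner typing
# "*" or ")" into the search box cannot widen the search to other SCPs.
function ConvertTo-LdapFilterValue {
    param([string] $Value)
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        switch ([string]$ch) {
            '\'     { [void]$sb.Append('\5c') }
            '*'     { [void]$sb.Append('\2a') }
            '('     { [void]$sb.Append('\28') }
            ')'     { [void]$sb.Append('\29') }
            default { [void]$sb.Append($ch) }
        }
    }
    return $sb.ToString()
}

# Turn the multi-valued keywords attribute ("key: value" strings) into a hashtable.
function ConvertFrom-ScpKeywords {
    param([string[]] $Keywords)
    $map = @{}
    foreach ($kv in $Keywords) {
        $parts = $kv -split ':', 2
        if ($parts.Count -eq 2) { $map[$parts[0].Trim().ToLower()] = $parts[1].Trim() }
    }
    return $map
}

# 1. Search the CAD domain for the SCP whose keywords carry this unix login name.
#    Exactly one SCP is expected; zero or several means the data is wrong, so stop.
$filter = "(&(objectClass=serviceConnectionPoint)(keywords=login: $(ConvertTo-LdapFilterValue $UnixLogin)))"
$scps = @(Get-ADObject -Server $CadDomain -LDAPFilter $filter -Properties keywords)
if ($scps.Count -ne 1) {
    throw "Expected exactly one SCP for unix login '$UnixLogin' in $CadDomain, found $($scps.Count)"
}
$kw = ConvertFrom-ScpKeywords -Keywords $scps[0].keywords
if (-not $kw.ContainsKey('parentlink')) {
    throw "SCP $($scps[0].DistinguishedName) has no parentlink keyword"
}

# 2. Follow parentlink to the Windows account. The SecurityIdentifier constructor
#    rejects a malformed SID, and Get-ADUser -Server confines the lookup to the MWS
#    domain, so a parentlink pointing anywhere else fails instead of silently matching.
$sid  = New-Object System.Security.Principal.SecurityIdentifier($kw['parentlink'])
$user = Get-ADUser -Server $MwsDomain -Identity $sid.Value -ErrorAction Stop

# 3. Change membership on the Windows user in the MWS domain, never on the SCP.
if ($Action -eq 'Add') {
    Add-ADGroupMember -Server $MwsDomain -Identity $GroupDN -Members $user -ErrorAction Stop
} else {
    Remove-ADGroupMember -Server $MwsDomain -Identity $GroupDN -Members $user -Confirm:$false -ErrorAction Stop
}
Write-Output "${Action}: $($user.DistinguishedName) in $GroupDN (resolved from unix login '$UnixLogin' via $($scps[0].DistinguishedName))"
```

Saved under a name of your choosing (for instance Resolve-UnixLoginMember.ps1, a hypothetical file name), it is run as `.\Resolve-UnixLoginMember.ps1 -UnixLogin singhg -GroupDN 'CN=test-group,DC=mws,DC=com' -Action Add`, and with `-Action Remove` for the delete requirement. The filter matches the keyword value as a whole string, so if the real SCP writes the pair without the space after the colon, or under a different attribute name, the filter and ConvertFrom-ScpKeywords have to be adjusted together. The two-way trust in the diagram is what lets the same caller query cad.st.com and then write to mws.st.com; the caller still needs write permission on the group's member attribute in the MWS domain.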
