What causes DRA Escalation of Powers?

  • 7015801
  • 20-Oct-2014
  • 27-Jan-2015

Environment

NetIQ Directory and Resource Administrator 8.x

Situation

When a Directory and Resource Administrator (DRA) Assistant Admin (AA) performs a move or copy action against an AD object, the AA's powers over that object in the source location are compared with the AA's powers in the target location. DRA has a built-in security check designed to prevent an AA from gaining extra powers over an AD object. If those powers do not match, DRA displays the error "Escalation of powers".

Resolution

To prevent an escalation of powers from occurring, the AA must have exactly the same permissions over the source and target locations. The permissions needed come from the AA's applicable Active Views. The permissions are not object-type specific; instead, ALL permissions must be an exact match. The DRA server queries for the exact list of ANY permission the logged-on AA has over ANY object type in the source location and then compares it to the same list for the target. The DRA server does not take into account the type of object that is the target of the operation.
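The following is an added model of the comparison described above, not DRA's own code: it computes the union of all powers an AA holds at the source and at the target location (ignoring the type of the object being moved) and reports the mismatch that would trigger the error. The Active View names, OU distinguished names and power names are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ActiveView:
    """Powers an AA holds over every object beneath an OU (scope as a DN suffix).
    Power names and DNs are illustrative, not taken from a real DRA installation."""
    name: str
    scope_dn: str
    powers: frozenset


def in_scope(scope_dn: str, location_dn: str) -> bool:
    """True when location_dn is the scope OU itself or an OU beneath it."""
    return location_dn == scope_dn or location_dn.endswith("," + scope_dn)


def effective_powers(active_views, location_dn: str) -> frozenset:
    """Union of every power, over ANY object type, the AA holds at location_dn."""
    powers = set()
    for av in active_views:
        if in_scope(av.scope_dn, location_dn):
            powers |= av.powers
    return frozenset(powers)


def check_move(active_views, source_dn: str, target_dn: str) -> dict:
    """Apply the exact-match rule from the article; the two diffs explain
    why an "Escalation of powers" error would be raised."""
    src = effective_powers(active_views, source_dn)
    dst = effective_powers(active_views, target_dn)
    return {
        "ok": src == dst,
        "only_in_source": src - dst,  # powers the AA would lose
        "only_in_target": dst - src,  # powers the AA would gain
    }


# Constructed sample: three Active Views applied to one AA.
SAMPLE_AVS = (
    ActiveView("Domain Viewers", "DC=example,DC=com",
               frozenset({"View User Properties"})),
    ActiveView("Sales Admins", "OU=Sales,DC=example,DC=com",
               frozenset({"Modify User Properties", "Move User"})),
    ActiveView("Marketing Admins", "OU=Marketing,DC=example,DC=com",
               frozenset({"Modify User Properties", "Move User",
                          "Modify Group Properties"})),
)

if __name__ == "__main__":
    # Moving a *user* from Sales to Marketing still fails: the mismatch is a group power.
    print(check_move(SAMPLE_AVS, "OU=Sales,DC=example,DC=com",
                     "OU=Marketing,DC=example,DC=com"))
```

Moving the same user into a child OU of Sales passes, because the effective power set there is identical to the source's.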

DRA can list all roles and powers applied to a specific DRA AA. This is accomplished by right-clicking the DRA AA and choosing the Show Powers option. This lists all powers and roles, together with the Active View that provides each of them, which helps in determining which AVs might be granting powers or roles to the specific DRA AA.

Cause

The escalation of powers error is raised when the powers over an object would change as its location changes. This occurs because DRA powers can be tied to a specific location in AD. If the AA does not have the exact same powers in the source and target locations, DRA displays an error.