Can an Assistant Admin be granted the powers to clone and create a user account in the same ActiveVi (NETIQKB1897)

goal
Can an Assistant Admin be granted the powers to clone and create a user account in the same ActiveView?

fact
Directory and Resource Administrator 6.x

fact
Directory and Resource Administrator 7.x

fix
No.  Due to the $UCPowerConflictPolicy built-in policy, the Clone and Create a User Account powers cannot be granted to an Assistant Admin in the same ActiveView. With this policy in effect, Assistant Admins can either create user accounts or clone them but not both. If this policy is not in effect, the potential exists for escalation of powers by an Assistant Admin. For more information, please refer to the Directory and Resource Administrator (DRA) User Guide pages 157 and 160

If, for some reason, an Assistant Admin needs both the Create and Clone powers, the $UCPowerConflictPolicy may be deleted by performing the following steps:

1. Launch the MMC interface (DRA 6.x)/Delegation Configuration Console (DRA 7.x) while logged on as an Assistant Admin with, at minimum, the Built-in Policy Role.
2. Expand Policy and Automation Management.
3. Select Policy.
4. Highlight the $UCPowerConflictPolicy policy and click Disable.

Once this policy has been disabled Assistant Admins can be granted the power to create and clone a user account in the same ActiveView.  Otherwise, the only other workaround to this issue is to create two ActiveViews - one with the ability to create users and one with the ability to clone users and assign the Assistant Admin(s) to both.

Formerly known as NETIQKB1897