Assistant Admins cannot add members to groups even though they have been granted the Built-In Group (NETIQKB2804)

  • 7702804
  • 02-Feb-2007
  • 22-Jun-2007

Resolution

fact
Directory and Resource Administrator 6.x

symptom
Create a new ActiveView defined with the following steps:
  • Launch the MMC and select ActiveView Management, then ActiveViews.
  • Click New and create an ActiveView, give it a name and description, then click Finish.
  • Click Include OU and click Next.
  • Define the domain as needed and click Next.
  • Define the OU as needed and click Next.
  • Select the Users and Groups checkboxes (clear those for Contacts, Computers, and OUs) for the member objects to be managed and click Next.
  • Select the Only allow the OU or its members to be added to groups or moved to OUs checkbox and click Next.
  • Enter a name and description for this rule and click Finish.
  • Assign this ActiveView to an Assistant Admin and grant the Built-In Group Role.

Log on as an Assistant Admin assigned to this ActiveView and try to add a member to a group in the defined OU. You will receive an error stating that the Assistant Admin does not have enough power to perform the requested operation. You could also see an error indicating that Power Escalation can occur.

symptom
Assistant Admins cannot add members to groups even though they have been granted the Built-In Group Role.

cause

The process to add a member to a group involves two objects. The group that is being added to is one object and the member being added is the other. We use the word target to refer to the group and source to refer to the object that is being added to the group. Rules in DRA can be either Source rules, Target rules, or Source/Target rules. The exception selected in the ActiveView created above makes this rule a Source rule: the OU and its members can only be added to groups, so the groups in the OU are never valid targets. If the exception had not been selected, the rule would be a Source/Target rule, and groups in the OU could then be added to other groups in that same OU.

We also have an exception that allows you to restrict groups to being only targets (a Target rule). In this case, you can add members to them but the group itself can't be added to other groups. The idea behind source and target is that you can restrict the ways that the groups in the ActiveView can be used.
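The following is an added worked example, not DRA's own code: a small Python model of the two-object evaluation described above. It treats an ActiveView as a set of OU rules, each marked Source, Target, or Source/Target, and checks an add-member operation by asking whether the member is covered as a source and the group as a target. The OU and object names are constructed for the illustration, and the check reproduces the symptom (Source rule denies the add), the fix (Source/Target rule allows it), and the Target-rule case (members can be added, but the group cannot itself be added elsewhere).

```python
"""Hypothetical model of DRA-style Source/Target rule evaluation (not DRA code)."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple


class RuleKind(Enum):
    # "Only allow the OU or its members to be added to groups or moved to OUs"
    SOURCE = "Source"
    # Groups in the OU may receive members but may not be added to other groups
    TARGET = "Target"
    # Neither exception selected: objects may act as either side of the operation
    SOURCE_TARGET = "Source/Target"


@dataclass
class Rule:
    ou_dn: str           # the OU the rule includes (members of this OU are in scope)
    kind: RuleKind


@dataclass
class ActiveView:
    name: str
    rules: List[Rule]


def in_ou(obj_dn: str, ou_dn: str) -> bool:
    """True if obj_dn sits directly or indirectly under ou_dn (case-insensitive DN suffix)."""
    return obj_dn.lower().endswith("," + ou_dn.lower())


def covered_as(view: ActiveView, obj_dn: str, role: str) -> bool:
    """Is obj_dn in scope of some rule that permits it to play `role` ('source' or 'target')?"""
    allowed = {
        "source": (RuleKind.SOURCE, RuleKind.SOURCE_TARGET),
        "target": (RuleKind.TARGET, RuleKind.SOURCE_TARGET),
    }[role]
    return any(in_ou(obj_dn, r.ou_dn) and r.kind in allowed for r in view.rules)


def check_add_member(view: ActiveView, member_dn: str, group_dn: str) -> Tuple[bool, str]:
    """Evaluate 'add member_dn to group_dn' against the view; both objects must be covered."""
    if not covered_as(view, member_dn, "source"):
        return False, "member is not covered as a source"
    if not covered_as(view, group_dn, "target"):
        return False, "group is not covered as a target (rule is Source-only)"
    return True, "allowed"


# Constructed sample objects, all inside one OU managed by the ActiveView.
OU = "OU=Sales,DC=example,DC=test"
USER = "CN=jdoe," + OU
GROUP = "CN=Sales-Staff," + OU
PARENT_GROUP = "CN=All-Staff," + OU


def kb_scenario() -> dict:
    """Return the outcome of the same add-member attempt under each rule kind."""
    results = {}
    for kind in RuleKind:
        view = ActiveView("Sales ActiveView", [Rule(OU, kind)])
        results[kind.value] = {
            "add user to group": check_add_member(view, USER, GROUP),
            "add group to parent group": check_add_member(view, GROUP, PARENT_GROUP),
        }
    return results


if __name__ == "__main__":
    for kind, ops in kb_scenario().items():
        for op, (ok, why) in ops.items():
            print(f"{kind:14} {op:26} -> {'OK ' if ok else 'DENIED'} ({why})")
```

Running the model shows the Source rule denying both operations' target side, which is the error the Assistant Admin sees; switching the rule to Source/Target (the fix) permits both, while a Target rule permits adding users to the group but refuses to use the group as a source.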
fix
Clear the Only allow the OU or its members to be added to groups or moved to OUs exception from the rule definition for the ActiveView. This changes the rule from a Source rule to a Source/Target rule, so the groups in the OU become valid targets and the Assistant Admin can add a member.

note
This behavior is by design.

Additional Information

Formerly known as NETIQKB2804