NetIQ Directory and Resource Administrator 8.x
NetIQ Directory and Resource Administrator (DRA) allows DRA Administrators to create ActiveViews (AVs) over specific OUs within DRA Managed Domains. These AVs control what actions can be done and who can do them (specific DRA Assistant Admins). The DRA security model is based on explicit assignment of rights: if a specific right or power is not explicitly assigned to a specific DRA Assistant Admin (AA) for a specific object, he or she will be denied the ability to perform that action.
When creating any object in an Active Directory environment, the Assistant Admin must have a target OU included in the ActiveView granting the Create or Clone power. When the Assistant Admin creates an object of that type, the default target OU will be the one specified in the ActiveView rule. For example, consider an ActiveView structure as follows:
- Include OU domain_name/OU1 but none of its members
- Include groups but none of its members in domain domain_name
- AA1 is granted the All Properties - Create a Group power
- Include OU domain_name/OU2 but none of its members
- Include users in domain domain_name
- AA1 is granted the All Properties - Create a User Account power
If another ActiveView grants the Assistant Admin the Create power for one of these objects and includes a third OU, the Assistant Admin would then be able to select the third OU during the create operation. To find other ActiveViews the Assistant Admin may be a member of, please perform the following steps:
- Launch the DRA Delegation and Configuration or Account and Resource Management Console.
- Search for the DRA Assistant Admin in question.
- Right-click on the AD User Account, and select Show Powers.
- Expand the ActiveViews list item to obtain a list of all ActiveViews that Assistant Admin is a member of. Expanding the subsequent list items will also reveal the Assistant Admin groups and the Roles the Assistant Admin has in each ActiveView.
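The accumulation of target OUs across ActiveViews described above can be modelled for review purposes. The following is an added example, not NetIQ code or a DRA export format: the ActiveView names, the `OU3` entry, `AA2`, the shortened power labels and the data layout are constructed, and the model ignores object-type inclusion rules.

```python
from collections import defaultdict

# Constructed sample data: a simplified ActiveView listing (not DRA's own format).
# AV-Groups and AV-Users mirror the example structure; AV-Extra is the "other"
# ActiveView that includes a third OU.
ACTIVE_VIEWS = [
    {"name": "AV-Groups", "ous": ["domain_name/OU1"],
     "grants": {"AA1": ["Create a Group"]}},
    {"name": "AV-Users", "ous": ["domain_name/OU2"],
     "grants": {"AA1": ["Create a User Account"]}},
    {"name": "AV-Extra", "ous": ["domain_name/OU3"],
     "grants": {"AA1": ["Create a User Account"], "AA2": ["Create a Group"]}},
]

def create_targets(active_views, admin, power):
    """Map each OU the admin may select for `power` to the ActiveViews allowing it."""
    targets = defaultdict(list)
    for av in active_views:
        # A power counts only where it is explicitly granted to this admin.
        if power in av["grants"].get(admin, []):
            for ou in av["ous"]:
                targets[ou].append(av["name"])
    return dict(targets)

def can_create(active_views, admin, power, ou):
    """Explicit-assignment check: no matching grant means the action is denied."""
    return ou in create_targets(active_views, admin, power)

def report(active_views):
    """List, per (admin, power), the selectable OUs and the granting ActiveViews."""
    pairs = sorted({(admin, power) for av in active_views
                    for admin, powers in av["grants"].items() for power in powers})
    lines = []
    for admin, power in pairs:
        found = create_targets(active_views, admin, power)
        for ou, sources in sorted(found.items()):
            lines.append(f"{admin} | {power} | {ou} | via {', '.join(sources)}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(ACTIVE_VIEWS)))
```

In the report, any admin and power pair that lists more OUs than intended points to the additional ActiveView that should be reviewed with Show Powers.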