Assistant Admins are able to change the group membership of a target account during a clone operation (NETIQKB11200)

  • 7711200
  • 02-Feb-2007
  • 19-Jun-2007

Resolution

fact
Directory and Resource Administrator 6.50

symptom

Assistant Admins are able to change the group membership of a target account during a clone operation even though they are not assigned the power to do so.



symptom
If an Assistant Admin is delegated a custom role that includes the All Properties - Clone a User Account power and the ActiveView contains an object rule to include any groups in the domain, the Assistant Admin is incorrectly granted the power to change group membership of the target account during the clone operation.

cause

This issue occurs because DRA version 6.50 incorrectly translates the All Properties - Clone a User Account power when it is included in a custom role.



fix

Hotfix 11200 improves group membership security by ensuring that the All Properties - Clone a User Account power alone does not allow an Assistant Admin to change the group membership of a target account.
 
To install this hotfix, run the DRA65000_Hotfix11200.exe file on the Administration server computer.  This hotfix modifies the EaSec.dll file on the Administration server computer.  By default, this file is located in the Program Files\NetIQ\DRA folder.



Additional Information

Formerly known as NETIQKB11200