Resolution
fact
Directory and Resource Administrator 6.50
symptom
symptom
In this situation, if an Built-in Admin selects AV1 from the list in the lower right section of the ActiveView management | Collections | Assistant Admin groups snap-in node and clicks the Roles button, a list window will appear displaying both Role1 and Role2. Selecting Role2 and clicking on the Remove Roles button generates the above error message.
symptom
An Assistant Admin is assigned to two separate ActiveViews (AV1 and AV2) and is delegated the roles Role1 and Role2 respectively. In addition to individually assigned powers, Role1 also includes Role2 as a nested role.
cause
To list the roles when viewing them in the Assistant Admin groups snapin node, Directory and Resource Administrator (DRA) uses the ContainerEnum operation. This operation lists all containers (in this case the roles each contain individual powers) assicated with the Assistant Admin for the selected ActiveView. Because Role2 is part of Role1, DRA displays it. The operation to remove the nested role, however, checks only the role to be removed for association with the Assistant Admin. It does not check the parent role.
fix
To resolve this issue you will need to upgrade to Directory and Resource Administrator 7.0.
Directory and Resource Administrator 6.50
symptom
Error: 'The Role_Name role could not be removed from the AA_Group_Name Assistant Admin' The Specified objects are not associated. When Removing a Nested Role
symptom
In this situation, if an Built-in Admin selects AV1 from the list in the lower right section of the ActiveView management | Collections | Assistant Admin groups snap-in node and clicks the Roles button, a list window will appear displaying both Role1 and Role2. Selecting Role2 and clicking on the Remove Roles button generates the above error message.
symptom
An Assistant Admin is assigned to two separate ActiveViews (AV1 and AV2) and is delegated the roles Role1 and Role2 respectively. In addition to individually assigned powers, Role1 also includes Role2 as a nested role.
cause
To list the roles when viewing them in the Assistant Admin groups snapin node, Directory and Resource Administrator (DRA) uses the ContainerEnum operation. This operation lists all containers (in this case the roles each contain individual powers) assicated with the Assistant Admin for the selected ActiveView. Because Role2 is part of Role1, DRA displays it. The operation to remove the nested role, however, checks only the role to be removed for association with the Assistant Admin. It does not check the parent role.
fix
To resolve this issue you will need to upgrade to Directory and Resource Administrator 7.0.
Additional Information
Formerly known as NETIQKB11479