Resolution
goal
How do I grant an Assitant Admin all powers over all domain object but prevent access to the Configuration node?
fact
Directory and Resource Administrator 6.x
fix
note
If a power has the words All Properties in it, it is not necessary to grant the more specific individual powers of the same type. An example of this is the All Properties - Modify a User Account power, which encompasses all the displayed attributes of a user object. By using it, other, more granular powers like Dial-in Properties - Modify a User Account and Address Properties - Modify a User Account, are not needed.
How do I grant an Assitant Admin all powers over all domain object but prevent access to the Configuration node?
fact
Directory and Resource Administrator 6.x
fix
You cannot grant the Assistant Administrator (AA) the Built-In Admin role. While that would grant the AA powers over all objects, that would also grant the AA power to make changes in the Configuration node. To allow an Assistant Administrator to make any change to any domain object while preventing access to the DRA configuration options, a custom role must be created. This role should include all powers in the following power categories:
- Computers
- Connected Users
- Contacts
- Devices
- Event Logs
- Exchange Mailboxes
- Groups
- Open Files
- Organizational Units
- Print Jobs
- Print Queues
- Services
- Shares
- User Accounts
- Web Console
note
If a power has the words All Properties in it, it is not necessary to grant the more specific individual powers of the same type. An example of this is the All Properties - Modify a User Account power, which encompasses all the displayed attributes of a user object. By using it, other, more granular powers like Dial-in Properties - Modify a User Account and Address Properties - Modify a User Account, are not needed.
Additional Information
Formerly known as NETIQKB15403