Built-in Admin role assigned in any ActiveView appears to give an Assistant Administrator additional powers in other ActiveViews (NETIQKB15650)

  • 7715650
  • 02-Feb-2007
  • 20-Jun-2007

Resolution

fact
Directory and Resource Administrator 6.x

symptom
Built-in Admin role assigned in any ActiveView appears to give an Assistant Administrator additional powers in other ActiveViews.

symptom

Consider the following two ActiveViews (AV):

AV1
Include domain and all its members
Exclude user Administrator

The AA has the Built-in Admin role.

When viewing a list of users in this AV the AA does not see the Administrator user but is able to perform all functions on all other domain objects. This is as intended.

AV2
Include user Administrator

The same AA has the role to modify the Employee ID field only.

If AV2 were the only AV in the environment, the AA would only be able to modify the Employee ID field. Put AV1 in the mix and the AA seems to be able to modify all properties of the Administrator account even when selecting it from AV2. It appears that the Built-in Admin role crosses AV boundaries.

cause

This is a display issue with MMC. When the DRA server sees that the AA has the Built-in Admin role it does not query the AA's powers over a specific object to determine which fields in the property sheets to enable. All fields are displayed as enabled and editable. However, an error message is generated whenever an attempt is made to modify a property that the AA does not have any power over.

fix
This issue is addressed in the DRA 7.0 GUI changes. The options are grayed out whenever an AA cannot modify a particular property.

note

There is no security hole because:

  1. The AA cannot see values that they do not have power over.
  2. If an attempt is made to update a property that they do not have power over, an authorization error is returned.
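The following is an added illustration, not DRA's own code: a hypothetical model of the AV1/AV2 scenario above that separates the server-side power resolution (union of the AA's powers across every ActiveView containing the object) from the pre-7.0 MMC display shortcut described under "cause", and shows that the server still rejects the write the GUI appeared to allow. The object names, property names and role representation are constructed for the example.

```python
from dataclasses import dataclass

# Hypothetical model of the KB scenario: one Assistant Administrator (AA),
# two ActiveViews, server-side power resolution vs the GUI's field enabling.
ALL = "BUILT_IN_ADMIN"  # marker for the Built-in Admin role (power over every property)

@dataclass
class ActiveView:
    name: str
    include_domain: bool = False        # "Include domain and all its members"
    include: frozenset = frozenset()    # explicitly included objects
    exclude: frozenset = frozenset()    # explicitly excluded objects

    def contains(self, obj, domain):
        """Exclusions win; otherwise the object must be listed or be a domain member."""
        if obj in self.exclude:
            return False
        return obj in self.include or (self.include_domain and obj in domain)

def effective_powers(views, roles, obj, domain, properties):
    """Server-side rule: union of the AA's powers over obj across every AV that contains it."""
    powers = set()
    for av in views:
        if av.contains(obj, domain):
            role = roles[av.name]
            powers |= set(properties) if role == ALL else set(role)
    return powers

def ui_enabled_fields(views, roles, obj, domain, properties, fixed=False):
    """Fields the property sheet enables for obj.
    fixed=False (pre-7.0): Built-in Admin in *any* AV skips the per-object query,
    so every field is enabled (the display issue). fixed=True (7.0): query per object."""
    if not fixed and any(r == ALL for r in roles.values()):
        return set(properties)
    return effective_powers(views, roles, obj, domain, properties)

def is_authorized(views, roles, obj, prop, domain, properties):
    """Server-side check applied to every write, whatever the GUI showed."""
    return prop in effective_powers(views, roles, obj, domain, properties)

def modify(views, roles, obj, prop, domain, properties):
    if not is_authorized(views, roles, obj, prop, domain, properties):
        raise PermissionError(f"AA has no power over {prop} on {obj}")
    return f"{obj}.{prop} updated"

# Constructed sample data mirroring the article's AV1 / AV2
DOMAIN = frozenset({"Administrator", "alice", "bob"})
PROPERTIES = ("EmployeeID", "Description", "Password")
AV1 = ActiveView("AV1", include_domain=True, exclude=frozenset({"Administrator"}))
AV2 = ActiveView("AV2", include=frozenset({"Administrator"}))
VIEWS = (AV1, AV2)
ROLES = {"AV1": ALL, "AV2": ("EmployeeID",)}   # the AA's role in each AV
```

Running `ui_enabled_fields(VIEWS, ROLES, "Administrator", DOMAIN, PROPERTIES)` returns all three properties while the fixed variant and `effective_powers` return only `EmployeeID`, so `modify` of `Description` on Administrator raises `PermissionError`.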

Additional Information

Formerly known as NETIQKB15650