When a delegated Assistant Admin attempts to perform certain functions such as adding/removing an object (NETIQKB28904)

  • 7728904
  • 02-Feb-2007
  • 19-Jun-2007

Resolution

fact
Directory and Resource Administrator 6.x

fact
Directory and Resource Administrator 7.x

symptom

When a delegated Assistant Admin attempts to perform certain functions, such as adding an object to or removing it from a group, or moving an object between Organizational Units, an error message is received.



symptom
Error: 'Authorization failed, power escalation has occurred. An Attempt was made to add a power / role that the user does not have, or the operation would have resulted in the user having more powers over the object.'

cause

The error is returned when the attempted operation would leave the Assistant Admin with more powers over the object than they held before it.  Directory and Resource Administrator compares the Assistant Admin's effective powers over the object before and after the operation; if the operation would grant any power the Assistant Admin does not already hold over that object, the operation is refused.



fix

For example:

An Assistant Admin is assigned to two separate ActiveViews configured as follows:

  • AV1: ActiveView called AV1 includes all users and groups in the domain.  The Assistant Admin's only power over the objects in AV1 is to modify group membership.
  • AV2: ActiveView called AV2 includes all users that are members of a group called Contractors.  The Assistant Admin has the power to modify all user account properties and to delete the user accounts included in AV2.

If the Assistant Admin attempts to add a user called "User1" to the group called "Contractors", they will receive the above error message, because the result of the operation would grant the Assistant Admin more powers over "User1".  Once "User1" is a member of "Contractors", "User1" falls within AV2, and the Assistant Admin could then modify the properties of the user account and/or delete it, which is an Escalation of Power.

To prevent an Escalation of Power of this kind, Directory and Resource Administrator does not allow an Assistant Admin to perform any operation that could result in the Assistant Admin having more powers over an object.  The Assistant Admin's powers over the object before the operation must be equal to or greater than their powers after it, or the attempted task fails.
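The check described in the cause and fix sections above can be modelled as: compute the Assistant Admin's effective powers over every object, simulate the requested operation on a copy of the directory, recompute the powers, and refuse the operation if any object would end up with powers the Assistant Admin did not already hold.  The following is an added illustrative model of that rule, not Directory and Resource Administrator's own code or API; the ActiveView rules, power names ("modify_group_membership", "modify_user_properties", "delete_user"), the sample objects and the function names are all assumptions made for the example.

```python
"""Model of the DRA power-escalation check (illustrative only, not DRA code).

Assumptions: an ActiveView is a predicate over directory objects plus the set
of powers it delegates; an Assistant Admin's effective powers over an object
are the union of the powers of every ActiveView whose rule matches it.
"""
import copy
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class DirObject:
    name: str
    kind: str                                 # "user" or "group"
    member_of: set = field(default_factory=set)


@dataclass
class ActiveView:
    name: str
    rule: Callable[[DirObject], bool]         # which objects the view includes
    powers: frozenset                         # powers delegated over those objects


class PowerEscalationError(PermissionError):
    """Raised when an operation would grant the Assistant Admin new powers."""


def effective_powers(views, obj):
    """Union of the powers of every ActiveView that includes obj."""
    powers = set()
    for av in views:
        if av.rule(obj):
            powers |= av.powers
    return powers


def escalated_powers(views, directory, op, *args):
    """Return {object name: powers gained} if op ran; an empty dict means safe.

    The operation is applied to a deep copy so the real directory is untouched.
    """
    before = {n: effective_powers(views, o) for n, o in directory.items()}
    trial = copy.deepcopy(directory)
    op(trial, *args)
    gained = {}
    for name, obj in trial.items():
        extra = effective_powers(views, obj) - before.get(name, set())
        if extra:
            gained[name] = extra
    return gained


def apply_checked(views, directory, op, *args):
    """Apply op for real only if it grants no new power over any object."""
    gained = escalated_powers(views, directory, op, *args)
    if gained:
        detail = ", ".join(f"{n}: {sorted(p)}" for n, p in gained.items())
        raise PowerEscalationError(
            "Authorization failed, power escalation has occurred (" + detail + ")")
    op(directory, *args)
    return True


# Two operations the Assistant Admin might request.
def add_to_group(directory, user, group):
    directory[user].member_of.add(group)


def remove_from_group(directory, user, group):
    directory[user].member_of.discard(group)


def sample_setup():
    """Constructed sample directory and the AV1/AV2 views from the text."""
    directory = {
        "User1": DirObject("User1", "user"),
        "User2": DirObject("User2", "user", {"Contractors"}),
        "Contractors": DirObject("Contractors", "group"),
    }
    views = [
        # AV1: all users and groups; only group membership may be modified.
        ActiveView("AV1", lambda o: o.kind in ("user", "group"),
                   frozenset({"modify_group_membership"})),
        # AV2: users in Contractors; properties may be modified and accounts deleted.
        ActiveView("AV2",
                   lambda o: o.kind == "user" and "Contractors" in o.member_of,
                   frozenset({"modify_user_properties", "delete_user"})),
    ]
    return directory, views


if __name__ == "__main__":
    directory, views = sample_setup()
    print("Adding User1 to Contractors would gain:",
          escalated_powers(views, directory, add_to_group, "User1", "Contractors"))
    apply_checked(views, directory, remove_from_group, "User2", "Contractors")
    print("Removing User2 from Contractors was allowed (powers only shrink).")
```

Adding "User1" to "Contractors" is reported as an escalation because "User1" would move into AV2 and pick up "modify_user_properties" and "delete_user"; removing "User2" from "Contractors" is allowed because the Assistant Admin's powers over "User2" only shrink, which is exactly the "equal or more powers before than after" rule stated above.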



note
The behaviour described above is by design: it closes a security hole that would otherwise allow Assistant Admins to grant themselves more powers over an object than they have been delegated, thereby causing an Escalation of Power.

Additional Information

Formerly known as NETIQKB28904