Resolution
Directory and Resource Administrator 6.60
Directory and Resource Administrator 7.x
Directory and Resource Administrator 8.x
symptom
Computer tasks are available to Assistant Admins that have been delegated the power to modify Groupmembership.
symptom
When delegating the power to reset passwords, the following User tasks are available:
- Display a user's Properties
- Update a user's Properties
- View a user's Vital Statistics
- Reset a user's password
Tasks are displaying in the Web console that have not been specifically delegated.
cause
This is by design of the DRA 6.6 and above versions of the Web Console.
fix
The Directory and Resource Administrator 6.6 and above version of the web console do not hide tasks like the DRA 6.5 and prior web console did. It disables and enables fields based on powers. Whereas in the DRA 6.5 web console, it was "all or nothing" (i.e. you either had all powers over a task or you could not see the task) For example, in DRA 6.6 and beyond you can just have power the over description field only and you will get "Update a user's Properties" task with only the description field enabled.
Another example is if you delegate the GroupMemberAdd power to an Assistant Admin, then the Users, Groups and Computers Account Management tasks are enabled in the web console. For example, the Computers task is enabled because one of the tasks under the Computers section is "Add a computer to groups." The web console enables this task because the Assistant Admin was delegated the GroupMemberAdd power. This may be enabled even though the ActiveView may not contain any rules to include computer objects.
From a usability perspective exposing the additional tasks is confusing for Assistant Admins. A ticket is open to development to investigate if there is a better means on enabling tasks in the web console.