The 'Do not allow these objects to be cloned, moved or added to groups' restriction does not prevent (NETIQKB37237)

  • 7737237
  • 02-Feb-2007
  • 19-Jun-2007

Resolution

fact
Directory and Resource Administrator 7.x

symptom
The 'Do not allow these objects to be cloned, moved or added to groups' restriction does not prevent Assistant Admins from cloning or adding the object to groups.

symptom
Assistant Admins are able to clone user accounts, and add them to a group, even though the ActiveView rule has the 'Do not allow these objects to be cloned, moved or added to groups' restriction.

cause
The ActiveView is working as designed.  If the ActiveView has two rules that include the same objects, and only one of the rules has the restriction, the Assistant Admin will be able to manage the objects without the restriction being enforced, because the objects are also included by the rule that does not have any restrictions.

fix

The product is working as designed. 

For example, consider a single ActiveView that has two rules configured as follows:

  • Include all users in domain XYZ.
  • Include all users with name matching A* in domain XYZ, but Do not allow these objects to be cloned, moved or added to groups.

If the ActiveView has been configured with the above two rules, and the Assistant Admins have been delegated the power to clone user accounts in this ActiveView, the Assistant Admins will be able to clone any user account in the XYZ domain, even though the second rule has the restriction that does not allow users beginning with 'A' to be cloned.  This is because the users beginning with 'A' have been included in the ActiveView by the first rule, which does not have the restriction.

In order to prevent the Assistant Admin from cloning user accounts beginning with 'A', create a rule in the ActiveView to Exclude all users with name matching 'A' in domain XYZ.  This will prevent the Assistant Admins from cloning any users that begin with 'A'.
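
The following is an added example, not code from the product or from this article: a simplified Python model of the rule behavior described above, used to audit an ActiveView definition for restricted rules that an unrestricted rule overrides. The Rule class, the function names, the case-insensitive wildcard matching, the A* pattern on the Exclude rule and the sample users are assumptions made for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class Rule:
    """Hypothetical model of one ActiveView rule (not a product API)."""
    action: str               # "include" or "exclude"
    domain: str
    name_pattern: str         # wildcard pattern, e.g. "A*"
    restricted: bool = False  # 'Do not allow these objects to be cloned, moved or added to groups'

    def matches(self, domain, name):
        # Assumption: domain and name comparisons are case-insensitive.
        return (domain.lower() == self.domain.lower()
                and fnmatchcase(name.lower(), self.name_pattern.lower()))

def can_clone(rules, domain, name):
    """True if an Assistant Admin holding the clone power could clone this user."""
    hits = [r for r in rules if r.matches(domain, name)]
    if any(r.action == "exclude" for r in hits):
        return False          # Exclude removes the object from the ActiveView
    includes = [r for r in hits if r.action == "include"]
    # The restriction holds only when every rule including the object carries it.
    return any(not r.restricted for r in includes)

def bypassed_restrictions(rules, users):
    """Users matched by a restricted rule who can still be cloned."""
    findings = []
    for domain, name in users:
        restricted_hit = any(r.action == "include" and r.restricted
                             and r.matches(domain, name) for r in rules)
        if restricted_hit and can_clone(rules, domain, name):
            findings.append((domain, name))
    return findings

# Constructed sample data, following the two rules in the article.
USERS = [("XYZ", "Alice"), ("XYZ", "adam"), ("XYZ", "Bob"), ("OTHER", "Anna")]
AS_DESCRIBED = [
    Rule("include", "XYZ", "*"),
    Rule("include", "XYZ", "A*", restricted=True),
]
WITH_EXCLUDE = AS_DESCRIBED + [Rule("exclude", "XYZ", "A*")]

if __name__ == "__main__":
    print("bypassed as described:", bypassed_restrictions(AS_DESCRIBED, USERS))
    print("bypassed after Exclude:", bypassed_restrictions(WITH_EXCLUDE, USERS))
```

An empty result from bypassed_restrictions means that, in this model, every restricted rule is effective for the users checked.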



Additional Information

Formerly known as NETIQKB37237