Assistant Admins can enable user accounts via the Web console when they are only delegated the power (NETIQKB37812)

  • 7737812
  • 02-Feb-2007
  • 19-Jun-2007

Resolution

fact
Directory and Resource Administrator 6.60

symptom
Assistant Admins can enable user accounts via the Web console when they are only delegated the power to disable user accounts.

symptom
In the 6.6 Web Console, a disabled user account can be enabled when only the power "Disable Account - Modify a User Account" has been granted. The MMC grays out this option and works correctly, but the Web Console allows full control over both disabling and enabling the account.

cause

This issue is due to a bug in both the Web Console and the server:

1) The server code that authorizes enabling and disabling a user does not verify the correct powers.
2) The Web Console does not check for the custom attributes that are needed to enable or disable a user.
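
The failure class described in the two causes above, as an added example that is not DRA code: a server-side check that accepts any power over the disabled flag, beside one keyed on the direction of the change. Only the "Disable Account - Modify a User Account" name comes from this article; the enable power name, the function names and the sample accounts are assumptions constructed for illustration.

```python
# Added illustration, not DRA code. Only DISABLE_POWER is a name taken from the
# article; ENABLE_POWER and all function names are hypothetical.
DISABLE_POWER = "Disable Account - Modify a User Account"
ENABLE_POWER = "EXAMPLE-ONLY: Enable Account"  # placeholder name


class NotAuthorized(Exception):
    pass


def required_power(currently_disabled, want_disabled):
    """Return the one power that covers this state transition, or None if no change."""
    if currently_disabled == want_disabled:
        return None
    return DISABLE_POWER if want_disabled else ENABLE_POWER


def set_disabled_flawed(powers, account, want_disabled):
    """Flawed: any power that touches the flag authorizes both directions."""
    if not {DISABLE_POWER, ENABLE_POWER} & set(powers):
        raise NotAuthorized("no power over the account-disabled flag")
    account["disabled"] = want_disabled
    return account


def set_disabled_checked(powers, account, want_disabled):
    """Server-side check keyed on the direction of the change, whatever the UI showed."""
    need = required_power(account["disabled"], want_disabled)
    if need is not None and need not in powers:
        raise NotAuthorized("missing power: " + need)
    account["disabled"] = want_disabled
    return account


def demo():
    powers = {DISABLE_POWER}  # constructed delegation: disable only
    out = {}
    # Flawed check lets the disable-only assistant re-enable a disabled account.
    out["flawed_enable"] = set_disabled_flawed(powers, {"disabled": True}, False)["disabled"]
    try:
        set_disabled_checked(powers, {"disabled": True}, False)
        out["checked_enable"] = "allowed"
    except NotAuthorized:
        out["checked_enable"] = "denied"
    # The delegated direction still works.
    out["checked_disable"] = set_disabled_checked(powers, {"disabled": False}, True)["disabled"]
    return out


if __name__ == "__main__":
    print(demo())
```

Because the check runs on the server, it holds even when a client, like the Web Console here, fails to hide the option.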



fix
This issue is corrected with the release of Directory and Resource Administrator (DRA) 7.0.  Install the latest version of DRA to resolve this issue.

Additional Information

Formerly known as NETIQKB37812