How do I lock down the delegation of powers in the 'SPA Users from All Managed and Trusted Domains' (NETIQKB43423)

  • 7743423
  • 02-Feb-2007
  • 19-Jun-2007

Resolution

goal
How do I lock down the delegation of powers in the 'SPA Users from All Managed and Trusted Domains' ActiveView?

fact
Directory and Resource Administrator 7.x

fact
Secure Password Administrator 1.0

fix

By default, this ActiveView and its built-in role are delegated to All Users. Furthermore, the default Rule and Assignments cannot be edited or removed.

It is possible to limit or even lock down the default delegation of All Users to this ActiveView.  It can also be configured to allow certain users or certain groups to have access.  To do so, an additional ActiveView will need to be created and then added as an exclusion rule.

Note: You will need to determine ahead of time if you want to limit delegation to individual users or to a certain group or groups. For the example below, a specific group will be used.

Step 1: Create the new ActiveView

To create the new ActiveView:

  1. Launch the Delegation and Configuration Console.
  2. Under Delegation Management, select ActiveViews.
  3. Click New ActiveView from the toolbar and click Next.
  4. Click Add and select Objects that match a rule....
  5. Select Users and then click OK.
  6. Click Add again and select Objects that match a rule....
  7. Select Groups and click on any group.
  8. Select Specific Group... and type in the name of the specific group of users you want to add (see Note above).
  9. Click OK and OK again.
  10. Right-click the group rule you just created and select Exclude Objects.
  11. Click Next and give this ActiveView a name.
  12. Click Next again and then click Finish.

Note: This rule can be adjusted to exclude users instead of the specific group.  You can also add additional groups to exclude by repeating steps 6 - 9.

Step 2: Add the newly created ActiveView to the existing SPA ActiveView

To do this:

  1. Under Delegation Management, select ActiveViews.
  2. From the list of ActiveViews on the right, select and double-click the SPA Users from All Managed and Trusted Domains ActiveView.
  3. Select Rules and click Add.
  4. Select ActiveViews... and type in the name of the ActiveView created in Step 1.
  5. Click Add and then OK.
  6. Right-click the newly-added ActiveView rule and select Exclude Objects.
  7. You will notice you are now excluding all objects managed by the newly-created ActiveView from Step 1.  Click OK to save and exit.

The logic behind this customization is this:  Directory and Resource Administrator (DRA) handles include and exclude rules of nested ActiveViews differently when it processes objects it manages within an ActiveView.  See the chart below:

AV1: Include Object + AV2: Include Object Managed by AV1 = Include Object

AV1: Include Object + AV2: Include Object AND Exclude Object Managed by AV1 = Exclude Object

AV1: Exclude Object + AV2: Exclude Object Managed by AV2 = Include Object

AV1: Exclude Object + AV2: Include Object Managed by AV1 = Exclude Object

Both ActiveViews contain a rule to include all user objects. If left as-is, all users would still have delegation of powers. Since the objects being managed by the new ActiveView are being excluded in the original ActiveView, they effectively cancel out. All users are locked out from delegation of powers. However, the new ActiveView also contains the group rule that excludes a specific group. Because the objects being managed by the new ActiveView are being excluded in the original ActiveView, the result is that the specific group is included for delegation of powers. See below:

If AV1 is the original SPA ActiveView and AV2 is the ActiveView created in Step 1 above:

AV1: Include All Users | Exclude objects in AV2 (AV2: Include All Users | Exclude Specific Group) = Exclude All Users | Include Specific Group

Only the members of the specific group included in the ActiveView from Step 1 are delegated the powers in the SPA Users from All Managed and Trusted Domains ActiveView and all other users are locked out.
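The include/exclude arithmetic above can be checked before touching the console. The following is an added example, not DRA code and not a NetIQ API: it models each ActiveView as a list of include/exclude rules (literal object sets or a reference to a nested ActiveView) and resolves them the way the chart describes, with an exclude always winning over an include. The user names, the group name and the name of the Step 1 ActiveView are constructed for the example.

```python
"""Toy model of how nested ActiveView include/exclude rules resolve.

Added example: this is not Directory and Resource Administrator code and it
calls no NetIQ API. It reproduces the include/exclude logic described in the
article with constructed sample users and a hypothetical group name.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One ActiveView rule: a literal set of object names, or a reference to
    another ActiveView by name, plus whether the rule excludes its objects."""
    objects: frozenset = frozenset()
    nested_view: Optional[str] = None
    exclude: bool = False


@dataclass
class ActiveView:
    name: str
    rules: list = field(default_factory=list)


def resolve(view_name: str, views: dict, _stack: tuple = ()) -> frozenset:
    """Return the set of objects an ActiveView manages.

    Include rules add objects and exclude rules remove them; an exclude wins
    over an include for the same object (the chart's
    'Include + Exclude = Exclude' row). A nested ActiveView rule contributes
    whatever that view resolves to, so excluding a nested view removes exactly
    the objects the nested view manages.
    """
    if view_name in _stack:
        raise ValueError("ActiveView rules form a cycle: %r" % (_stack + (view_name,),))
    included, excluded = set(), set()
    for rule in views[view_name].rules:
        if rule.nested_view is not None:
            members = resolve(rule.nested_view, views, _stack + (view_name,))
        else:
            members = rule.objects
        (excluded if rule.exclude else included).update(members)
    return frozenset(included - excluded)


# Constructed sample directory: four users, two of whom belong to the group
# that should keep the SPA delegation (group membership is made up).
ALL_USERS = frozenset({"alice", "bob", "carol", "dave"})
SPA_OPERATORS = frozenset({"carol", "dave"})

STEP1_VIEW = "SPA Delegation Exclusions"  # hypothetical name for the Step 1 ActiveView
SPA_VIEW = "SPA Users from All Managed and Trusted Domains"

VIEWS = {
    # Step 1: include all users, then exclude the specific group.
    STEP1_VIEW: ActiveView(STEP1_VIEW, [
        Rule(objects=ALL_USERS),
        Rule(objects=SPA_OPERATORS, exclude=True),
    ]),
    # Step 2: the built-in view keeps its non-removable 'all users' rule and
    # gains an exclusion rule pointing at the Step 1 ActiveView.
    SPA_VIEW: ActiveView(SPA_VIEW, [
        Rule(objects=ALL_USERS),
        Rule(nested_view=STEP1_VIEW, exclude=True),
    ]),
}


def default_only_views() -> dict:
    """The out-of-the-box state: the SPA view with only its default rule."""
    return {SPA_VIEW: ActiveView(SPA_VIEW, [Rule(objects=ALL_USERS)])}


def delegated_users(views=VIEWS) -> frozenset:
    """Users who end up with the SPA role under the given ActiveView rules."""
    return resolve(SPA_VIEW, views)


def lockdown_is_effective(views=VIEWS, allowed=SPA_OPERATORS) -> bool:
    """True when exactly the intended group keeps delegation and nobody else does."""
    return delegated_users(views) == allowed


if __name__ == "__main__":
    print("Before customization:", sorted(delegated_users(default_only_views())))
    print("Step 1 view manages:", sorted(resolve(STEP1_VIEW, VIEWS)))
    print("SPA view delegates to:", sorted(delegated_users()))
    print("Lockdown effective:", lockdown_is_effective())
```

Running the script shows the before/after difference the article describes: with only the default rule every user is delegated; after Step 2 the SPA view resolves to just the members of the specific group, because the Step 1 view manages "everyone except the group" and excluding that set from "everyone" leaves the group. The cycle check is there because a nested-view exclusion that refers back to the original view would never resolve.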



Additional Information

Formerly known as NETIQKB43423