How do you set up dual key administration for deleting various objects in Directory and Resource Administrator (NETIQKB47406)

  • 7747406
  • 02-Feb-2007
  • 19-Jun-2007

Resolution

goal
How do you set up dual key administration for deleting various objects in Directory and Resource Administrator?

goal
What are the most common dual key administration methods? 

fact
Directory and Resource Administrator 6.x

fact
Directory and Resource Administrator 7.x

fix

Directory and Resource Administrator (DRA) allows you to set up dual key administration for various delete tasks. The basic pattern is the same for every object type: the first Assistant Admin (AA) is delegated only the power to move (or add) the object into a temporary location, and a second ActiveView (AV) delegates to a different Assistant Admin the power to delete objects from that temporary location. Neither administrator can delete an object from its production location on their own.

The most common example of the dual key method uses the Recycle Bin. To set up this example, delegate to the first Assistant Admin the power to delete user objects from Active Directory (which moves them to the Recycle Bin), and delegate to the second Assistant Admin the power to permanently delete objects from the Recycle Bin.

The following are some different ways to set up other dual key methods:

For OU deletion

  1. Create ActiveView 1 (move OU AV)
  • Rule: Include all OUs, but not the objects inside them, and only allow these objects to be cloned, moved, or added to groups
  • Rule: Include the Temp OU, but not the objects inside it
  • Power assigned to AA 1: Move object to OU

  2. Create ActiveView 2 (Delete OU)
  • Rule: Include the Temp OU, but only the objects in it that are OUs
  • Power assigned to AA 2: Delete OU

With ActiveViews like the above, the first AA can move OUs into the Temp OU (even if they still contain objects). The second AA can then delete an OU only if it is empty; if the OU still contains objects, the delete attempt returns an error.


For Group Deletion

  1. Create ActiveView 1 (move group AV)
  • Rule: Include all groups in any OU, but not their members, and only allow these objects to be cloned, moved, or added to groups
  • Rule: Include the Temp OU and the objects in it that are groups
  • Power assigned to AA 1: Move object to OU

  2. Create ActiveView 2 (Delete Group)
  • Rule: Include the Temp OU and the objects in it that are groups
  • Power assigned to AA 2: Delete Group

For User Deletion (besides the Recycle Bin method)

  1. Create ActiveView 1 (move user AV)
  • Rule: Include all users in the domain, but only allow these objects to be cloned, moved, or added to groups
  • Rule: Include the Temp OU and the objects in it that are users
  • Power assigned to AA 1: Move object to OU

  2. Create ActiveView 2 (Delete User)
  • Rule: Include the Temp OU and the objects in it that are users
  • Power assigned to AA 2: Delete User
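The three procedures above all stage objects in a Temp OU before the second Assistant Admin deletes them, and the OU variant only succeeds when the staged OU is empty. The following PowerShell script is an added example, not part of the original KB article or of DRA itself; it uses the RSAT ActiveDirectory module to inventory the Temp OU so the second administrator can see what is staged and which OUs will fail to delete. The distinguished name of the Temp OU is an assumption and must be adjusted to your environment.

```powershell
# Added example (not from the original KB article or from DRA): inventory the
# staging OU used by the dual-key ActiveViews so the second Assistant Admin can
# see what is deletable before attempting the delete. Requires the RSAT
# ActiveDirectory module. The Temp OU DN below is an assumption; adjust it.
Import-Module ActiveDirectory

$tempOU = 'OU=Temp,DC=example,DC=com'   # assumption: your Temp OU

# OUs staged for deletion. DRA only lets the second AA delete an OU that is
# empty, so check each staged OU for at least one child object and flag it.
$stagedOUs = Get-ADOrganizationalUnit -Filter * -SearchBase $tempOU -SearchScope OneLevel
foreach ($ou in $stagedOUs) {
    $child = Get-ADObject -Filter * -SearchBase $ou.DistinguishedName -SearchScope OneLevel -ResultSetSize 1
    if ($child) {
        Write-Output ("NOT deletable (still contains objects): {0}" -f $ou.DistinguishedName)
    } else {
        Write-Output ("Deletable (empty OU):                    {0}" -f $ou.DistinguishedName)
    }
}

# Groups staged for deletion by the group dual-key ActiveViews.
Get-ADGroup -Filter * -SearchBase $tempOU -SearchScope OneLevel |
    ForEach-Object { Write-Output ("Staged group: {0}" -f $_.DistinguishedName) }

# Users staged for deletion by the user dual-key ActiveViews. whenChanged shows
# when the object was last modified, which includes the move into the Temp OU.
Get-ADUser -Filter * -SearchBase $tempOU -SearchScope OneLevel -Properties whenChanged |
    ForEach-Object { Write-Output ("Staged user:  {0} (last changed {1})" -f $_.DistinguishedName, $_.whenChanged) }
```

Run this as the second Assistant Admin (or any account with read access to the Temp OU) before deleting. An OU reported as "NOT deletable" needs its contents moved out or deleted first, which is exactly the error the second AA would otherwise hit in DRA.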

Note: Another method that is seldom used is the Transfer method. DRA can allow an Assistant Admin to transfer a user to another ActiveView. The concept is the same as above, but instead of a temporary OU you use a temporary ActiveView, and you delegate the power to delete users in that ActiveView to the second Assistant Admin.



Additional Information

Formerly known as NETIQKB47406