Environment
Directory and Resource Administrator 8.x
Situation
How do I create an ActiveView that allows an Assistant Admin to be able to see the members of managed groups without having powers over those members' user accounts?
How do I allow Assistant Admins to see all the members of a group when the ActiveView does not include those members' user accounts in any rule?
How do I allow Assistant Admins to see all the members of a group when the ActiveView does not include those members' user accounts in any rule?
Resolution
If the ActiveView only has roles and powers for group management, you may safely allow the Assistant Admin to see all the members of a group.
If the ActiveView has roles or powers that allow the management of user accounts, you cannot expose the members of the groups without also allowing the Assistant Admins to manage those members' user accounts as well. In this situation, it is recommended that you create a second ActiveView for group management. Move your rules, roles, and powers for group management to the new ActiveView. In the new ActiveView, you may modify the group rule using the same instructions above to expose the membership of the groups. Do not inculed any roles or powers that allow management of user accounts beyond auditing or viewing properites as desired.
If the ActiveView has roles or powers that allow the management of user accounts, you cannot expose the members of the groups without also allowing the Assistant Admins to manage those members' user accounts as well. In this situation, it is recommended that you create a second ActiveView for group management. Move your rules, roles, and powers for group management to the new ActiveView. In the new ActiveView, you may modify the group rule using the same instructions above to expose the membership of the groups. Do not inculed any roles or powers that allow management of user accounts beyond auditing or viewing properites as desired.
Cause
There are times when a DRA Assistant Admin might need to see a user's group memberships; but not manage those memeberships.
Additional Information
Formerly known as NETIQKB54234