Role for Group Administration only works if user/role has too many eDir rights

L.S.,

Been searching for a TID that describes what rights are needed for a
user/role to administer group membership. Finally found TID 10064960. We use
groups there where rights go beyond context level (not a whole context or
users from several contexts). Step 1 in this describes what we want. Step 2
gives too many rights, because we have to give it at almost the top level.

Now our config:

eDirectory 8.7.3.1 (planning to update to 8.7.3.2 very shortly) running on
NetWare 5.1SP7 and 6.5SP1 platform.

With only TID step 1 rights granted the following happens.
After adding a user to a group:
Group properties tab 'members' and 'security equal to me' show the added
user.
User properties tab 'memberships' subtab 'security equal to' shows the group.
Subtab 'Group Membership' shows the group if it is the first group where the
user is a member of. If this is not the case the group isn't added within
the user properties. Inconsistency in eDirectory.

Giving a group administrator also the rights mentioned in step 2 of the TID,
this user can also delete other groups from the user properties. However the
user isn't removed from the group. Does this mean an inconsistency in eDirectory
or is this working as designed?

Tried to configure it with iManager. But this doesn't solve this issue.

Any other possible solution? Is there a way to check users and groups
concerning membership/security equal?

Thanks.

Johan Brinkman


0
J
8/26/2004 3:14:34 PM
novell.edirectory.netware
Johan,
If you're open to third party utilities, our eControl product allows you to
assign non-technical people the ability to carry out user management tasks
(like Group Management) from a web browser without any eDirectory, GroupWise
or File System Rights.  You can check it out live by following the links to
eControl at www.omni-ts.com.

Regards,


Aldo Zanoni
Director of Customer Service
Omni Technology Solutions
aldo@omni-ts.com
www.omni-ts.com





0
Aldo
8/28/2004 6:31:25 PM
On Thu, 26 Aug 2004 15:14:34 GMT, "J. Brinkman"
<J.brinkman_no@mail.erasmusmc.nl> wrote:

>Been searching for a TID that describes what rights are needed for a
>user/role to administer group membership. Finally found TID 10064960.

http://straylight.cso.niu.edu/edir/10064960.html

There's also a CoolSolutions document on this.

>We use
>groups there where rights go beyond context level (not a whole context or
>users from several contexts). Step 1 in this describes what we want.

I spent quite a lot of time getting this to work correctly. It's a long story.
The short version is that it DOES work, with only rights to the Group object,
with two restrictions:

1) Using Console1, you MUST use a version newer than 1.3.6. I have a 1.3.6a that
has a bug fix in it that makes this work. All previous versions are broken. They
(wrongly) attempt to check the rights to the User object, then silently fail to
make the necessary changes.

2) You will have to make changes via the Group object. You can go to
Group->Members->Add, but you cannot go to User->Groups->Add.

We use this extensively here as well, for the same reason you are looking at it.


>With only TID step 1 rights granted the following happens.
>After adding a user to a group:
>Group properties tab 'members' and 'security equal to me' show the added
>user.
>User properties tab 'memberships' subtab 'security equal to' shows the group.
>Subtab 'Group Membership' shows the group if it is the first group where the
>user is a member of. If this is not the case the group isn't added within
>the user properties. Inconsistency in eDirectory.

I'd be willing to bet money that you're using Console1 1.3.6 or earlier. That's
exactly what I found. It took me over a year to get that fixed.

I don't know if there was a Console1 1.3.6b, but I'm pretty sure that there was
and that it just wasn't publicly released. I know 1.3.6a wasn't publicly
released. There is now a 1.3.6c available that is public, and at least in theory
should include my fix from 1.3.6a. I guess I should probably go verify that to
be sure, but try it yourself and let me know (via followup post here) how it
turns out.


>Tried to configure it with iManager. But this doesn't solve this issue.

I have not yet tested iManager (for this). In theory, it should work correctly,
but I haven't tried it. Which version of iManager are you using?



---------------------------------------------------------------------------
 David Gersic                                            dgersic_@_niu.edu

 I'm tired of receiving rubbish in my mailbox, so the E-mail address is
 munged to foil the junkmail bots. Humans will figure it out on their own.
0
dgersic_
8/30/2004 2:24:33 PM
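
On the original question of how to check users and groups for membership/security-equal consistency: the sketch below is an added example, not code from any poster in this thread or from Novell. It audits an LDIF export offline, assuming the eDirectory LDAP attribute names `member`, `equivalentToMe`, `groupMembership` and `securityEquals`, a plain unfolded export, and constructed sample entries under `o=example`.

```python
# Added example: audit the four linked membership attributes in an LDIF export.
# Assumes plain, unfolded LDIF (no base64 "::" values, no wrapped lines).
SAMPLE_LDIF = """\
dn: cn=staff,ou=groups,o=example
member: cn=jdoe,ou=users,o=example
member: cn=asmith,ou=users,o=example
equivalentToMe: cn=jdoe,ou=users,o=example
equivalentToMe: cn=asmith,ou=users,o=example

dn: cn=lab,ou=groups,o=example
member: cn=jdoe,ou=users,o=example
equivalentToMe: cn=jdoe,ou=users,o=example

dn: cn=jdoe,ou=users,o=example
groupMembership: cn=staff,ou=groups,o=example
securityEquals: cn=staff,ou=groups,o=example
securityEquals: cn=lab,ou=groups,o=example

dn: cn=asmith,ou=users,o=example
groupMembership: cn=staff,ou=groups,o=example
groupMembership: cn=lab,ou=groups,o=example
securityEquals: cn=staff,ou=groups,o=example
"""  # constructed sample, not real directory data

# Each group-side attribute must be mirrored by a user-side attribute.
LINKS = [("member", "groupMembership"), ("equivalentToMe", "securityEquals")]

def parse_ldif(text):
    """Return {dn: {attr: set(values)}}, with names and values lower-cased."""
    entries, cur = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            cur = None if not line.strip() else cur
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip().lower()
        if attr == "dn":
            cur = entries.setdefault(value, {})
        elif cur is not None:
            cur.setdefault(attr, set()).add(value)
    return entries

def audit(entries):
    """Return sorted (group_dn, user_dn, problem) for every one-sided link."""
    found = set()
    for dn, attrs in entries.items():
        for g_attr, u_attr in LINKS:
            g, u = g_attr.lower(), u_attr.lower()
            for user in attrs.get(g, ()):    # group points at user
                if user in entries and dn not in entries[user].get(u, ()):
                    found.add((dn, user, f"user lacks {u_attr}"))
            for group in attrs.get(u, ()):   # user points at group
                if group in entries and dn not in entries[group].get(g, ()):
                    found.add((group, dn, f"group lacks {g_attr}"))
    return sorted(found)

if __name__ == "__main__":
    for finding in audit(parse_ldif(SAMPLE_LDIF)):
        print(" | ".join(finding))
```

Objects referenced but missing from the export are skipped rather than reported, so a partial export does not produce false findings.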