Unable to create a Managed Unit in a Managed Unit Container

Hello everybody,

My experience with Active Roles is still limited but learning every day.

I ran into a problem and it's driving me crazy...

An employee needs a Managed Unit Container (using the MMC Console) where she can create her own Managed Units / queries.

I created a Managed Unit Container and tried creating a Managed Unit inside that container, but no matter what type of rights I give this person, she's unable to create one. (When she right-clicks inside the Managed Unit Container she can create a new container inside this container but not a Managed Unit.)

So the Managed Unit Container is visible when she logs in but she's unable to create a Managed Unit inside this container. I tried giving her full rights on the container and I also tried creating an Access Template (with full control permissions for this Managed Unit).

With full access on this Managed Unit Container I expect her to have 2 options available when right-clicking in this Container (create a new Container or a Managed Unit like in the screenshot above) but no luck...

I think I am missing something very simple but I just don't see it at the moment.

Any help is appreciated!

Thanks.

  • FWIW, there is some wisdom in not allowing delegating creation of Managed Units and their cousins, Dynamic Groups.

    Both of these object classes have the potential to generate a lot of processing load on the Admin Service, especially if the membership rules generate large result sets (most impactful in large-scale environments of thousands of users).

    Even if it's desirable to allow creation of Managed Units, you would want to be very vigilant about making sure that the delegated permissions on that newly created Managed Unit (i.e. Access Templates linked to the new Managed Unit) cannot be managed by non-AR Admins. Why? Because there is a risk that someone could scope objects into the Managed Unit that they might not otherwise have permissions to and effectively elevate their permissions on those objects.
