Update description field on a managed unit fail

Hi

In the Helpdesk site I have created custom form with access to the description attribute and linked this to the directory object type of a Managed Unit. I have also created a user account with limited permissions in ARS but enough to allow changes to the Description attribute on the managed unit as far as I can see. The link to this custom form is visible to the user when in the web interface but when I open up the form the description attribute  is visible but greyed out.

At first I thought there was some issues with the web interface but narrow things down I opened up a Powershell command prompt running as this user and tried to change the description attribute from there like this:

$conn = Connect-QADService -Proxy

$strMU = "CN=Managed Units,CN=Configuration"

$mu = Get-QADObject -SearchRoot $strMU -Connection $conn -Type edsManagedUnit | where {$_.Name -eq "MyManagedUnit"}

$mu | Set-QADObject -Description "NewDescription" -Proxy

Set-QADObject : Administrative Policy returned an error.
Attempted to perform an unauthorized operation.
At line:1 char:8
+ $mu | Set-QADObject -Description "NewDescription" -Proxy
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (CN=MyManagedUnit,...N=Configuration:String) [Set-QADObject], ObjectAlreadyExistsException
+ FullyQualifiedErrorId : ActiveRoles.ManagementShell.Powershell.Cmdlets.SetObjectCmdlet

I have tried to give this user more or less full access permission to "CN=Managed Units,CN=Configuration" but I still don't succed with this operation unless I use my ARS Admin account. I also find see three events in the "Active Roles Admin Service" eventog that confirms that the update operation is unsuccessful:

EventID 2002 (Information)

Operation on an object failed due to the 'Access is denied' error.
Object: CN=MyManagedUnit,CN=Test,CN=Managed Units,CN=Configuration
Object type: edsManagedUnit
Action: SetInfo
Attributes involved in the operation: description 

EventID 2001 (Information)

Pre-processing operation on object caused a policy violation
Policy: AccessCheck
Object: CN=MyManagedUnit,CN=Test,CN=Managed Units,CN=Configuration
Details: Administrative Policy returned an error. Attempted to perform an unauthorized operation.

EventID 2693 (Error)

Operation failed
Operation ID:
Operation GUID: 00000000-0000-0000-0000-000000000000
Details:
Administrative Policy returned an error.
Attempted to perform an unauthorized operation.

Additional information on my environment:

The version of ARS I'm using is 7.3.1.47

Everything works as expected with my ARS Admin account

What type of permission am I missing here? Has anyone seen this behaviour before?

Regards

Staffan

Parents
  • I did some experimentation on this.

    I went so far as to create a virtual attribute - edsvaTempMUDescription and delegate access to it via an Access Template.  My "regular" delegated user could not update this either.

    It certainly appears that the properties of MUs cannot be delegated to non AR Admins out of the box.

Reply
  • I did some experimentation on this.

    I went so far as to create a virtual attribute - edsvaTempMUDescription and delegate access to it via an Access Template.  My "regular" delegated user could not update this either.

    It certainly appears that the properties of MUs cannot be delegated to non AR Admins out of the box.

Children