Hi
In the Helpdesk site I have created a custom form with access to the description attribute and linked this to the directory object type of a Managed Unit. I have also created a user account with limited permissions in ARS but enough to allow changes to the Description attribute on the managed unit as far as I can see. The link to this custom form is visible to the user when in the web interface but when I open up the form the description attribute is visible but greyed out.
At first I thought there were some issues with the web interface, but to narrow things down I opened up a PowerShell command prompt running as this user and tried to change the description attribute from there like this:
$conn = Connect-QADService -Proxy
$strMU = "CN=Managed Units,CN=Configuration"
$mu = Get-QADObject -SearchRoot $strMU -Connection $conn -Type edsManagedUnit | where {$_.Name -eq "MyManagedUnit"}
$mu | Set-QADObject -Description "NewDescription" -Proxy
Set-QADObject : Administrative Policy returned an error.
Attempted to perform an unauthorized operation.
At line:1 char:8
+ $mu | Set-QADObject -Description "NewDescription" -Proxy
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (CN=MyManagedUnit,...N=Configuration:String) [Set-QADObject], ObjectAlreadyExistsException
+ FullyQualifiedErrorId : ActiveRoles.ManagementShell.Powershell.Cmdlets.SetObjectCmdlet
I have tried to give this user more or less full access permission to "CN=Managed Units,CN=Configuration" but I still don't succeed with this operation unless I use my ARS Admin account. I also see three events in the "Active Roles Admin Service" event log that confirm that the update operation is unsuccessful:
EventID 2002 (Information)
Operation on an object failed due to the 'Access is denied' error.
Object: CN=MyManagedUnit,CN=Test,CN=Managed Units,CN=Configuration
Object type: edsManagedUnit
Action: SetInfo
Attributes involved in the operation: description
EventID 2001 (Information)
Pre-processing operation on object caused a policy violation
Policy: AccessCheck
Object: CN=MyManagedUnit,CN=Test,CN=Managed Units,CN=Configuration
Details: Administrative Policy returned an error. Attempted to perform an unauthorized operation.
EventID 2693 (Error)
Operation failed
Operation ID:
Operation GUID: 00000000-0000-0000-0000-000000000000
Details:
Administrative Policy returned an error.
Attempted to perform an unauthorized operation.
Additional information on my environment:
The version of ARS I'm using is 7.3.1.47
Everything works as expected with my ARS Admin account
What type of permission am I missing here? Has anyone seen this behaviour before?
Regards
Staffan