Pseudo Member - Driver object has insufficient rights

Hi All,

Good day. We have IDM 4.7 running on Linux server.

we have a requirement of read the users from a dynamic group and then adds them to its respective static group.

We have written the logic in a Loopback driver, but we are getting message "Driver object has insufficient rights to read the source DN object"

Performing operation query for \MyTree\ORG\Meta\Applications\A0000123\Groups\Dyna-External App.
--JCLNT-- \MyTree\ORG\System\DriverSet\DYNAtoSTATIC-GROUPS : Duplicating : context = 300024251, tempContext = 300024111
Driver object has insufficient rights to read \MyTree\ORG\Meta\Applications\A0000123\Groups\Dyna-External App#[pseudo].Member.
--JCLNT-- \MyTree\ORG\System\DriverSet\DYNAtoSTATIC-GROUPS : Calling free on tempContext = 300024111
Query from policy result

I have already added trustee (Driver object) to Applications container, also added Member, Group Membership, groupsMember with Read and Inherit rights.

But still getting this error.

Not sure what is missing. Request your assistance and comment to fix this.

Thanks in advance





  • Could you paste some more trace?  I was wondering if this perhaps was a Write Managed attribute issue.  But I was checking schema, and I see that the user side attributes Group Membership and Security Equals are flagged as Write Managed, but not the Group side.  (This means that you need permissions to the user to write these values, but also to the target, that is the group you are making them a member of. It is a security thing, and I think you need S permissions to the target object not just W).

  • Have you set the Security Equivalence options for the driver itself? That is where the driver would normally get the rights to the objects in the Tree. You should not have to add the driver object as a Trustee to the Applications container.

    If that has been setup correctly on the driver, then I would guess that there is either an Inherited Rights Filter (IRF) on the containers below your Applications container [ou=A0000123 or ou=Groups] , or an explicit rights assignment, that blocks your permissions flowing down to be able to read the 'Dyna-External App' object.

    Since I have been doing a bunch of work with [pseudo].Member lately I grabbed a quick trace of what I believe is a similar request and get the following example.

    [05/25/20 19:32:57.896]:autogrp ST: Query from policy
    [05/25/20 19:32:57.896]:autogrp ST:
    <nds dtdversion="4.0" ndsversion="8.x">
    <product edition="Standard" version="">DirXML</product>
    <contact>NetIQ Corporation</contact>
    <query class-name="dynamicGroup" dest-dn="\LAB1-VAULT2\Vault\AutoGroups\zDG-TestTwo-BP" dest-entry-id="78836" scope="entry">
    <read-attr attr-name="[pseudo].Member"/>
    [05/25/20 19:32:57.898]:autogrp ST: Pumping XDS to eDirectory.
    [05/25/20 19:32:57.899]:autogrp ST: Performing operation query for \LAB1-VAULT2\Vault\AutoGroups\zDG-TestTwo-BP.
    [05/25/20 19:32:57.899]:autogrp ST: --JCLNT-- \LAB1-VAULT2\services\DriverSet\AutoGroups : Duplicating : context = 1362428149, tempContext = 1362428208
    [05/25/20 19:32:57.908]:autogrp ST: --JCLNT-- \LAB1-VAULT2\services\DriverSet\AutoGroups : Calling free on tempContext = 1362428208
    [05/25/20 19:32:57.909]:autogrp ST: Query from policy result
    [05/25/20 19:32:57.909]:autogrp ST:
    <nds dtdversion="4.0" ndsversion="8.x">
    <product edition="Standard" version="">DirXML</product>
    <contact>NetIQ Corporation</contact>
    <instance class-name="dynamicGroup" qualified-src-dn="O=Vault\OU=AutoGroups\CN=zDG-TestTwo-BP" src-dn="\LAB1-VAULT2\Vault\AutoGroups\zDG-TestTwo-BP" src-entry-id="78836">
    <association state="associated">ozWjJroGgEKnhKM1oya6Bg==</association>
    <attr attr-name="[pseudo].Member">
    <value timestamp="0#0" type="dn">\LAB1-VAULT2\Vault\Users\Staff\user1</value>
    <value timestamp="0#0" type="dn">\LAB1-VAULT2\Vault\Users\Staff\USER2</value>
    <status level="success"></status>

    I have no specific trustee assignments setup in the tree for the Driver object, just the Security Equivalence configured so the driver is equivalent to a specified admin service account that has full rights in the tree.

    Check your permissions for IRF's or explicit assignments below the Applications container, if the Security has been configured on the driver.