Absent Member.

Password Policy in iManager 2.7.3

I have granted the PASSWORD role to several OUs so the members in that OU can alter the password policy (add and delete users) and allowed a scope from the root of the tree including subcontainers.

However, when anyone in these OUs tries to add someone to a password policy they get error -672 - Client does not have rights.

I have even tried adding a user to this role, and get the same message. The only users who can assign users to a policy are myself and the initial admin account.

Without granting too much access, how can I allow certain users to use this role so I don't have to get involved in every single account creation?
Knowledge Partner

Give access to modify the nsimAssignments attribute on the actual password
policies, either manually to the users or to the role/task somehow. You
could also move the password policies to those OUs so they are local to
the users and within the scope of the iManager assignment and that would
likely help if the plugin is set up with rights properly.

The reason this happens is that not only are users modified
(nspmPasswordPolicyDN) when an assignment is given to them but the
password policy itself is also linked back to the users for administration
purposes via iManager (nsimAssignments). Your users likely lack rights in
cn=Password Policies,cn=Security as you did not set the scope there.

Good luck.

leecymj wrote:
> I have granted the PASSWORD role to several OUs so the members in that
> OU can alter the password policy (add and delete users) and allowed a
> scope from the root of the tree including subcontainers.
>
> However, when anyone in these OUs tries to add someone to a password
> policy they get error -672 - Client does not have rights.
>
> I have even tried adding a user to this role, and get the same
> message. The only users who can assign users to a policy are myself and
> the initial admin account.
>
> Without granting too much access, how can I allow certain users to use
> this role so I don't have to get involved in every single account
> creation?

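Editor's added example (not part of the thread and not Novell/NetIQ code): a simplified rights check showing why the assignment described in the reply needs write access on both the user's nspmPasswordPolicyDN and the policy's nsimAssignments. It uses eDirectory's LDAP ACL value syntax (`privileges#scope#trustee#attribute`). The tree, the `pwdadmins` trustee and the policy name are constructed, and the model ignores inherited rights filters, security equivalence and group membership.

```python
# eDirectory LDAP ACL value syntax: privileges#scope#trustee#attribute
READ, WRITE, SUPERVISOR = 2, 4, 32          # attribute-privilege bits
ALL_ATTRS = "[all attributes rights]"

def parse_acl(value):
    """Split one ACL value into (privileges, scope, trustee, attribute)."""
    privs, scope, trustee, attr = value.split("#", 3)
    return int(privs), scope.lower(), trustee.lower(), attr.lower()

def can_write(trustee, target_dn, attr, acls_by_dn):
    """True if an ACL on target_dn, or a subtree-scoped ACL on one of its
    ancestors, grants trustee write (or supervisor) on attr.
    Simplified model: DNs are split on plain commas and the keys of
    acls_by_dn are lowercase DNs without spaces after the commas."""
    rdns = [r.strip() for r in target_dn.lower().split(",")]
    for depth in range(len(rdns)):
        holder = ",".join(rdns[depth:])      # the object, then each ancestor
        for value in acls_by_dn.get(holder, []):
            privs, scope, who, protected = parse_acl(value)
            if who != trustee.lower():
                continue
            if depth > 0 and scope != "subtree":
                continue                      # entry-scoped ACLs do not flow down
            if protected in (attr.lower(), ALL_ATTRS) and privs & (WRITE | SUPERVISOR):
                return True
    return False

# Constructed sample tree: the delegation is placed on the container holding
# the users, while the policy lives under cn=Security, outside that container.
DELEGATE = "cn=pwdadmins,ou=sales,o=example"
USER = "cn=jdoe,ou=sales,o=example"
POLICY = "cn=sample policy,cn=password policies,cn=security"

BEFORE = {"o=example": ["6#subtree#" + DELEGATE + "#nspmPasswordPolicyDN"]}
# Narrow fix: read+write on the single attribute, on the single policy object.
AFTER = dict(BEFORE)
AFTER[POLICY] = ["6#entry#" + DELEGATE + "#nsimAssignments"]

def assignment_allowed(acls):
    """Both writes named in the reply must be permitted for an assignment."""
    return (can_write(DELEGATE, USER, "nspmPasswordPolicyDN", acls)
            and can_write(DELEGATE, POLICY, "nsimAssignments", acls))

if __name__ == "__main__":
    print("before:", assignment_allowed(BEFORE))   # the -672 case
    print("after: ", assignment_allowed(AFTER))
```

The entry-scoped grant on one attribute of one policy object is the least-privilege variant of the reply's first suggestion; a subtree grant on cn=Password Policies would cover every policy in that container.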