gtejo1 Absent Member.

IDM - Rights error on eDirectory with admin

Hello everyone, I committed a really bad mistake. This time, to get the attribute value from the resources in the UA, I modified the trustees of the ResourceDefs object (DN:cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=User Application Driver,cn=DriverSet,ou=IDM,ou=services,o=Supervielle). The mistake here was that I didn't double check the permissions I was assigning at the time, so when I hit OK, the object remained with the following rights:



So that's the problem, the admin no longer has the right to write the object, so I can modify the trustees. If the admin can't write in the OU, then it can't create any resource or make any change (read as: can't assign any user) in any object inside the OU. So I tried to modify the trustees, but since I can't modify the OU, then I can't modify the trustees.
So I searched the object in the tree, and saw that the ACL attributes need to be deleted in order to be the same as the other objects in the OU. But I can't delete the ACL attributes of the entry, because they are read only.
Can anyone give me a hand? This is a very critical error, I need to resolve it ASAP.
Knowledge Partner

Re: IDM - Rights error on eDirectory with admin

On 4/1/2019 4:34 PM, gtejo wrote:
>
> Hello everyone, I committed a really bad mistake. This time, to get the
> attribute value from the resources in the UA, I modified the trustees of
> the ResourceDefs object
> (DN:cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=User Application
> Driver,cn=DriverSet,ou=IDM,ou=services,o=Supervielle). The mistake here
> was that I didn't double check the permissions I was assigning at the
> time, so when I hit OK, the object remained with the following
> rights:
>
> [image: https://i.ibb.co/x8kfr2B/imagen.png]
>
> So that's the problem, the admin no longer has the right to write the
> object, so I can modify the trustees. If the admin can't write in the OU,
> then it can't create any resource or make any change (read as: can't assign
> any user) in any object inside the OU. So I tried to modify the
> trustees, but since I can't modify the OU, then I can't modify the
> trustees.
> So I searched the object in the tree, and saw that the ACL attributes need
> to be deleted in order to be the same as the other objects in the OU.
> But I can't delete the ACL attributes of the entry, because they are read
> only.
> Can anyone give me a hand? This is a very critical error, I need to
> resolve it ASAP.


So you have an account that has Supervisor rights, but since you
explicitly granted it rights to a container, it seems like it has fewer
permissions now.

Was this admin granted explicit permissions to be an admin, or was it
made security equals to the admin.acme object?

If not, do you have any admin equivalent users?

(ACL is NOT read-only. You can modify it via LDAP or iManager at will,
IF you have permissions to the attribute).

So find a user that has the permissions and then remove the ACL entries
(Use iManager, since it 'decodes' the raw attributes in play).




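The reply notes that iManager decodes the raw ACL values. As an added Python example (not part of the thread, and not Micro Focus code), this decodes ACL values read over LDAP and lists a trustee's explicit attribute assignments that grant neither Write nor Supervisor. The `privileges#scope#trustee#attribute` layout and the bit values are assumptions to confirm against the eDirectory documentation; the DNs are constructed.

```python
# Added example: decode raw eDirectory ACL values as seen over LDAP.
# Assumed layout: privileges#scope#trustee#protected-attribute
# Assumed bit meanings; confirm against your eDirectory documentation.
ENTRY_BITS = {1: "Browse", 2: "Add", 4: "Delete", 8: "Rename", 16: "Supervisor"}
ATTR_BITS = {1: "Compare", 2: "Read", 4: "Write", 8: "Self", 32: "Supervisor"}

def parse_acl(value):
    """Split one ACL value and name the rights in its bitmask."""
    privileges, scope, rest = value.strip().split("#", 2)
    trustee, target = rest.rsplit("#", 1)      # a DN may itself contain '#'
    mask = int(privileges)
    table = ENTRY_BITS if target == "[Entry Rights]" else ATTR_BITS
    rights = [name for bit, name in table.items() if mask & bit]
    unknown = mask & ~sum(table)               # bits this table does not name
    if unknown:
        rights.append("unknown:0x%x" % unknown)
    return {"trustee": trustee, "scope": scope, "target": target, "rights": rights}

def explicit_without_write(values, trustee):
    """Explicit attribute assignments for `trustee` that grant neither
    Write nor Supervisor: candidates to review before removing anything."""
    hits = []
    for value in values:
        acl = parse_acl(value)
        if acl["trustee"].lower() != trustee.lower():
            continue
        if acl["target"] == "[Entry Rights]":
            continue
        if not {"Write", "Supervisor"} & set(acl["rights"]):
            hits.append(acl)
    return hits

# Constructed sample values (not taken from the thread).
SAMPLE = [
    "1#subtree#[Root]#[Entry Rights]",
    "3#subtree#cn=admin,o=example#[All Attributes Rights]",
    "1#subtree#cn=admin,o=example#[Entry Rights]",
    "6#entry#cn=uaadmin,o=example#ACL",
]

if __name__ == "__main__":
    for v in SAMPLE:
        print(parse_acl(v))
    print(explicit_without_write(SAMPLE, "cn=admin,o=example"))
```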
gtejo1 Absent Member.

Re: IDM - Rights error on eDirectory with admin

That's the solution! Thx geoffc!!