Access denied creating ExpectedRuleEntry
I want to allow users in a "helpdesk" set to enable accounts. I added to the MV and ILM schemas a boolean value called "Disabled", which I populate by reading userAccountControl from AD.

I created an outbound synchronization rule that flows a constant value to userAccountControl: "512 => userAccountControl" (512 means normal account, and the account-disabled bit here is set to 0).

Then I created an Action workflow with a synchronization rule activity:
- Synchronization Rule -> the rule above
- Action Selection -> Add

Finally, I created a management policy rule with:
- Grants permission -> checked
- Requestors -> the people in the set
- Operation -> Read resource, Modify resource attributes
- Target resource definition before request -> Specific set of objects -> "Disabled Accounts" (set of all persons with Disabled=true)
- Target resource definition after request -> Specific set of objects -> "Enabled Accounts" (set of all persons with Disabled=false)
- Resource attributes -> Select specific attributes -> Disabled
- Policy workflows -> the above workflow

The problem is that when I log in as a member of the "helpdesk" set and uncheck the disabled flag, the account is updated, but the outbound synchronization rule is not applied. Looking at the server logs, I see an exception stack trace that says "Access to the requested resource(s) is denied", but I can't determine what, specifically, caused the error.

Thanks, Paolo
May 25th, 2009 6:47pm
Hi Paolo,
- your outbound sync rule flows a constant value (512) to MV and AD (userAccountControl)
- your MPR manages the sets "Disabled accounts" and "Enabled accounts"
How can your MV attribute switch from Disabled to Enabled, when your outbound sync rule flows only the constant 512 to the MV? Or did I miss something? At which point do you change the MV attribute?
/Matthias
May 26th, 2009 9:23am
Hi Matthias, sorry, I didn't express myself clearly. These are the attributes:
AD:userAccountControl, integer
MV:disabled, boolean
ILM:Disabled, boolean
The ILM agent has an import and an export flow for the Disabled attribute, mapped directly to the disabled attribute in the MV. The MV attribute is changed by this direct mapping, and in fact after I change the value in ILM it's synchronized to the MV correctly; it's just the rule that is not created. The AD agent has an inbound rule that sets disabled in the MV according to the value of userAccountControl: Eq(BitAnd(userAccountControl,2),2). The outbound rule sets a value in userAccountControl that does not have the ACCOUNT_DISABLED bit set; the value of ACCOUNT_DISABLED is 2. Hope this is clearer... Thanks, Paolo
May 26th, 2009 10:43am
Hi Paolo,
So your ILM Portal application works correctly, your MV is okay, but the export to AD is incorrect?
What does your export attribute flow from the MV to the AD MA look like? It must be an advanced attribute flow, since you have to transform a boolean attribute (MV "Disabled") to an integer (AD MA "userAccountControl").
/Matthias
May 26th, 2009 11:24am
Hi Matthias, since the users of the set only have the right to set Disabled to false when it is initially true, I created an outbound rule that flows a constant value to userAccountControl, and I want that rule to be created whenever the workflow is triggered (which can happen only in the transition true->false); there is no advanced flow at all. Cheers, Paolo
May 26th, 2009 12:11pm
I managed to solve my problem, and I'm posting the solution here in case it might be useful for someone else. I had to grant users in the set the permissions to create Expected Rule Entry objects and some permissions on the Expected Rules List attribute of users. Here are the details:
Create a set "All Expected Rule Entries", allow dynamic membership, criteria = all EREs.
Create an MPR "Helpdesk can create Expected Rule Entries":
Grants permission: checked
Requestors: specific set => the-helpdesk-set
Operation: Create resource
Resource Definition After Request: Specific set => All Expected Rule Entries
Resource Attributes: All Attributes
Create an MPR "Helpdesk can create, read, add and modify ERLs":
Grants permission: checked
Requestors: specific set => the-helpdesk-set
Operation: Create, read, add parameters, modify resource
Resource Definition Before Request: Specific set => All People
Resource Definition After Request: Specific set => All People
Resource Attributes: Specific Attributes => Expected Rules List
May 27th, 2009 5:36pm