Custom Directory Administrators role

Started by d_idaho, 02 Sep 2010 11:43:55 AM

d_idaho

Configuration: IBM Cognos 8.4

We wish to delegate the management of user rights and profiles to another administration team.

However, we do not want them to be able to delete or move the existing folders, groups and roles we defined in the Cognos namespace.

For that reason we can't set this team's accounts as members of the default Cognos namespace "Directory Administrators" role.

We thought of creating a "custom Directory Administrators" role.
This custom role would have the same capabilities as the default one.

But it would not have the write permission on the Cognos namespace and subfolders, only on role and group entries (to be able to add members to them).

This part works fine.

But we need these "custom Directory Administrators" to be able to create and delete user profiles from our Active Directory namespace, and to access users' My Folders content.

So we gave this custom role the read and write permissions on the AD namespace entry.

However, this does not work.

Members of our "custom Directory Administrators" role can't create profiles.

When they try to, they get the following message:

CM-REQ-4012 You do not have the appropriate permissions to update or delete the object "/Directory/ADNamespaceName/SubfolderName/UserName" or a related object.

In fact, the user profile is indeed created (as we can see with a System administrator account), but our custom administrators can't see it, and get the above error message.

And they can't remove user profiles either.

Moreover, they can't access user profile content ("My Folders" and "My Watch Items" entries).

Maybe that is due to the fact that subfolders in the AD have the "Override the access permissions acquired from the parent entry" option activated, and no entries?
I tried to change this so they acquire their permissions from the AD namespace entry, but permission changes don't work on AD subfolders.

Moreover, when I create a user profile with a system administrator account, this user entry's permissions are overridden, and the only entries which have permissions defined on it are the user account and the default Directory Administrators role.

Does anyone have an idea of how to create custom Directory Administrators roles?

Thanks for your help