Defect ID 440163 was resolved in Active Roles 8.2.
This defect existed in 7.x, 8.0.x, and 8.1.x versions of Active Roles, where permissions precedence was not calculated correctly for Move operations.
In previous versions of Active Roles, if an Allow Move permission and a related Deny permission were both delegated at the same level, the Allow permission incorrectly took effect instead of the Deny permission.
Active Roles is intended to mimic Active Directory functionality wherever possible. The following Active Directory permission precedence should be honored, listed from highest precedence to lowest:
- Explicit Deny
- Explicit Allow
- Inherited Deny
- Inherited Allow
NOTE: At a low level, a Move operation in Active Directory involves a copy and a delete. Because of this, permissions that deny Delete or Delete Child will block a Move operation.
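The following is an added example, not code from Active Roles or One Identity: a simplified model of the precedence order and the NOTE above that can be used to reason about which entry decides a Move. The `Ace` type, the right names, and the sample entries are assumptions made for illustration.

```python
from dataclasses import dataclass

# Precedence tiers from the article, highest first: (kind, inherited).
PRECEDENCE = [("deny", False), ("allow", False), ("deny", True), ("allow", True)]

# Per the article's NOTE, denying Delete or Delete Child also blocks a Move.
DENY_BLOCKS_MOVE = {"Move", "Delete", "Delete Child"}


@dataclass(frozen=True)
class Ace:
    kind: str        # "allow" or "deny"
    right: str       # e.g. "Move", "Delete", "Delete Child"
    inherited: bool  # False = explicit on the object, True = inherited


def resolve_move(aces):
    """Return (decision, deciding_ace) for a Move request (simplified model)."""
    for kind, inherited in PRECEDENCE:
        for ace in aces:
            if (ace.kind, ace.inherited) != (kind, inherited):
                continue
            if kind == "deny" and ace.right in DENY_BLOCKS_MOVE:
                return "deny", ace
            if kind == "allow" and ace.right == "Move":
                return "allow", ace
    return "deny", None  # nothing grants Move, so it is not permitted


# Constructed sample entries, not taken from a real directory.
CASES = {
    "same level, Allow Move + Deny Delete": [
        Ace("allow", "Move", False), Ace("deny", "Delete", False)],
    "explicit Allow Move + inherited Deny Delete Child": [
        Ace("allow", "Move", False), Ace("deny", "Delete Child", True)],
    "inherited Allow Move + inherited Deny Move": [
        Ace("allow", "Move", True), Ace("deny", "Move", True)],
    "no matching entries": [Ace("allow", "Read", False)],
}

if __name__ == "__main__":
    for name, aces in CASES.items():
        decision, ace = resolve_move(aces)
        print(f"{name}: {decision} (decided by {ace})")
```

The first case is the one the defect affected: with both entries at the same level, the Deny is the deciding entry.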