After upgrading to Active Roles 8.2.x, delegated Active Roles users encounter an error when attempting to move objects into or out of containers where, in previous versions, the delegated permissions were sufficient.
The operations will start failing with one of the following errors:
OR
Defect ID 440163 was resolved in Active Roles 8.2.
This defect existed in 7.x, 8.0.x, and 8.1.x versions of Active Roles, where permissions precedence was not calculated correctly for Move operations.
In previous versions of Active Roles, if an Allow Move permission and a related Deny permission were both delegated at the same level, the Allow permission would incorrectly take effect instead of the Deny.
Active Roles is always intended to mimic Active Directory functionality wherever possible. The following Active Directory permission precedence should be honored, listed from highest precedence to lowest:
Explicit Deny
Explicit Allow
Inherited Deny
Inherited Allow
NOTE: At a low level, a Move operation in Active Directory involves a copy and a delete. Because of this, permissions that deny Delete or Delete Child will block a Move operation.
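The precedence order and the NOTE above, as an added example that is not One Identity's code: a simplified Python model that resolves a Move request under the documented order and under a model of the pre-8.2 defect, then lists the trustees whose result changes after the upgrade. The `Entry` structure, the trustee names, the treatment of "same level" as the explicit or inherited tier, and the legacy ordering are assumptions made for illustration.

```python
from dataclasses import dataclass

# Rights whose Deny blocks a Move, per the NOTE above (a Move involves a delete).
MOVE_BLOCKING_RIGHTS = {"Move", "Delete", "Delete Child"}

@dataclass(frozen=True)
class Entry:
    """One delegated permission entry (hypothetical structure for this example)."""
    trustee: str
    right: str        # e.g. "Move", "Delete", "Delete Child"
    allow: bool       # True = Allow, False = Deny
    inherited: bool   # False = explicit on the container

# Precedence tiers as (allow, inherited), highest first.
FIXED_ORDER = [(False, False), (True, False), (False, True), (True, True)]
# Assumed model of the pre-8.2 defect: Allow resolved ahead of Deny at the same level.
LEGACY_ORDER = [(True, False), (False, False), (True, True), (False, True)]

def can_move(entries, trustee, order=FIXED_ORDER):
    """Decide on the first tier that holds a relevant entry for the trustee."""
    for allow, inherited in order:
        tier = [e for e in entries
                if e.trustee == trustee and e.allow == allow and e.inherited == inherited]
        if allow and any(e.right == "Move" for e in tier):
            return True
        if not allow and any(e.right in MOVE_BLOCKING_RIGHTS for e in tier):
            return False
    return False  # no matching Allow: access is not granted

def changed_after_upgrade(entries):
    """Trustees whose Move succeeded under the legacy model but is now denied."""
    trustees = sorted({e.trustee for e in entries})
    return [t for t in trustees
            if can_move(entries, t, LEGACY_ORDER) and not can_move(entries, t)]

# Constructed sample delegation on one container (not real data).
SAMPLE = [
    Entry("HelpDesk", "Move", allow=True, inherited=False),
    Entry("HelpDesk", "Delete Child", allow=False, inherited=False),
    Entry("OUAdmins", "Move", allow=True, inherited=False),
    Entry("OUAdmins", "Delete", allow=False, inherited=True),
    Entry("Auditors", "Move", allow=True, inherited=True),
    Entry("Auditors", "Delete", allow=False, inherited=True),
]

if __name__ == "__main__":
    for t in ("HelpDesk", "OUAdmins", "Auditors"):
        print(t, "legacy:", can_move(SAMPLE, t, LEGACY_ORDER), "8.2:", can_move(SAMPLE, t))
    print("Review after upgrade:", changed_after_upgrade(SAMPLE))
```

In the sample, `OUAdmins` keeps Move access because an explicit Allow outranks an inherited Deny, while `HelpDesk` and `Auditors` are the delegations to review.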
© 2025 One Identity LLC. ALL RIGHTS RESERVED.