000017010 - 'Insufficient permissions' when running a report as a delegated administrator

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support on Sep 5, 2019
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000017010
Applies ToAuthentication Manager 7.1X and APP 3.0X

All OS
Issueerror:  "Insufficient permissions" when running a report as a delegated administrator
Users with admin role cannot run reports in RSA Authentication Manager 7.1

Error : "insufficient permissions" when trying to run reports as a delegated administrator

Note: Reports created prior to creating a new admin role should be deleted. The new Admin role should be configured first, as described in the article below, and then create the reports needed by the new admin role. Delete any old reports created before the Admin role was created.


Reports created by a user with an admin role can be run by the user that created them. To add the ability to run reports for an existing Admin role which were not created by the user trying to run them in AM 7.1 please follow these directions.


Perform these steps in the security console:
Navigate to Administration->Administrative Roles-> Manage Existing and locate the administrative role to which you wish to grant report rights.
Pull down on the carat next to the admin role name and select "edit." There will be a series of tabs across the top of the page, "Scope", "General Permissions", "Authentication Manager Permissions" etc. The two tabs that require modification to grant report rights to the Administrator Role are the Scope and General Permissions tabs.
Open the "Scope" tab, and scroll down the page to the "Administrative Scope" section. Check the boxes for the Security Domain(s) and Identity Source(s) to which this Administrative role will have rights for running reports.
Click "Save" (NOT save and finish)

Open the second tab, "General Permissions", and in the "Manage Delegated Administration" section on the Security Domains line check the "View" box.
Scroll further down the page to the "Manage Reports" section.  In this section check the permissions you wish to assign this role regarding reports. On the "Reports" line select a minimum of at least "Add" and "View" (alternately, click "all".) On the "Run Reports" line select the "May run and schedule report jobs" item.
NOW select "Save and Finish" at the bottom of the screen to complete the modification to allow this Administrative role to access reports.

To test the settings, log out of the Security Console as the superadmin and back in as a user assigned the Administrative Role that has been modified. 
You should be able to run reports.

Note: If 7.1/APP 3.0 was upgraded to SP2 from base AM 7.1 then you must also enable the following items under the "General Permissions" tab of the Administrative role. In the Realm Administrator section select the ?May manage all administrators' private report jobs? item on the Report Job Manager line. In the Manage Reports section select the ?May run and manage any of the activity reports? item on the Audit Report Manager line. It has been observed that on systems installed with the AM 7.1 SP2 or SP4 full kit  the Report Job Manager and the Audit Report Manager items are not required.


 NOTE: Audit report manager is only available as a menu option if the scope of the role includes 'system domain'. If the admin role is locked down to a subdomain, you will not be able to add 'audit report manager'. Instead, create a new admin role, with a system domain scope, and choose only audit report manager as the option. Then, add this single-use role to the administrator (so they now have multiple roles assigned) and they will retain their original restrictions and options, but also be able to run reports.

Legacy Article IDa50752