000014293 - How does the Access Manager Help Desk Admin work

Document created by RSA Customer Support Employee on Jun 16, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000014293
Applies To: RSA Access Manager 6.0.4
RSA Access Manager Entitlements Manager (AdminGUI)
Issue: How does the Access Manager Help Desk Admin work

The following error is shown in Entitlements Manager when trying to modify the lockout status of a user:

Not authorized (RC_NOT_AUTHORIZED): Insufficient permission for modify entity user1


Eserver debug output shows the following error message:

13:57:14:671 [*] [APIClientProxy-0] - Thread requesting stream.
sirrus.da.exception.PermissionDeniedException: Insufficient permission for modify entity user1
 at sirrus.da.admin.User.setAdminLockedout(User.java:1273)
 at sirrus.api.adaptors.objects.APIUserAdaptor.fillInUserData(APIUserAdaptor.java:432)
 at sirrus.api.command.write.SaveUserCmd.execute(SaveUserCmd.java:84)
 at sirrus.api.command.APICmdStrategy.executeCmd(APICmdStrategy.java:209)
 at sirrus.api.command.APICmdStrategy.executeOn(APICmdStrategy.java:89)
 at sirrus.util.strategy.StrategyManager.executeStrategyFor(StrategyManager.java:141)
 at sirrus.api.server.APIClientProxy.executeCmd(APIClientProxy.java:1003)
 at sirrus.api.server.APIClientProxy.run(APIClientProxy.java:742)
13:57:14:671 [*] [APIClientProxy-0] - Thread requesting stream.
Not authorized (RC_NOT_AUTHORIZED): Insufficient permission for modify entity user1
 at sirrus.api.command.APICmdStrategy.executeCmd(APICmdStrategy.java:214)
 at sirrus.api.command.APICmdStrategy.executeOn(APICmdStrategy.java:89)
 at sirrus.util.strategy.StrategyManager.executeStrategyFor(StrategyManager.java:141)
 at sirrus.api.server.APIClientProxy.executeCmd(APIClientProxy.java:1003)
 at sirrus.api.server.APIClientProxy.run(APIClientProxy.java:742)
13:57:14:671 [*] [APIClientProxy-0] - Return code is 4 msg is Not authorized (RC_NOT_AUTHORIZED): Insufficient permission for modify entity user1

Cause: The role to edit passwords only provides rights to change users' passwords. No other rights to the user object are provided with this role. In order to change a user's lockout status you must assign the "Edit" "Users" role as well.
Resolution: Access Manager includes a special built-in administrator object specifically for managing passwords and user lockout status. This object is called "Help Desk Admin" and is available as a check-box on the user page after promoting a user to an administrator. Administrators that are Help Desk Admins automatically get the rights to change passwords and change user lockout status regardless of any other roles. As with any administrator, you must also assign an administrative role to the user. For help desk users it is typical to create an empty role that does not have any additional rights, although you may assign additional rights if you wish.
Workaround: Created an Administrative Role that only has permissions for the Administrator to "Edit" "Passwords".
Legacy Article ID: a45643
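
As an added example (not RSA's code and not part of the original article), the following Python script scans eserver debug output in the format quoted above for PermissionDeniedException entries and reports which operation was denied for which entity. The function name and the hint table are assumptions of this example; only the setAdminLockedout case documented in this article is mapped.

```python
import re

# Excerpt of the eserver debug output quoted in this article.
SAMPLE = """\
13:57:14:671 [*] [APIClientProxy-0] - Thread requesting stream.
sirrus.da.exception.PermissionDeniedException: Insufficient permission for modify entity user1
 at sirrus.da.admin.User.setAdminLockedout(User.java:1273)
 at sirrus.api.adaptors.objects.APIUserAdaptor.fillInUserData(APIUserAdaptor.java:432)
 at sirrus.api.command.write.SaveUserCmd.execute(SaveUserCmd.java:84)
13:57:14:671 [*] [APIClientProxy-0] - Return code is 4 msg is Not authorized (RC_NOT_AUTHORIZED): Insufficient permission for modify entity user1
"""

DENIED = re.compile(r"PermissionDeniedException: Insufficient permission for (\w+) entity (\S+)")
FRAME = re.compile(r"^\s*at ([\w.$]+)\.(\w+)\(")
STAMP = re.compile(r"^(\d{2}:\d{2}:\d{2}:\d{3}) \[")

# Hypothetical hint table keyed on the first stack frame.
# Only the case this article documents is mapped.
HINTS = {
    "sirrus.da.admin.User.setAdminLockedout":
        'lockout change denied: needs "Edit" "Users" role or Help Desk Admin',
}

def find_denials(text):
    """Return one dict per PermissionDeniedException in eserver debug output."""
    events, last_stamp, pending = [], None, None
    for line in text.splitlines():
        stamp = STAMP.match(line)
        if stamp:
            # A timestamped line starts a new log entry and ends any open trace.
            last_stamp, pending = stamp.group(1), None
            continue
        denied = DENIED.search(line)
        if denied:
            pending = {"time": last_stamp, "action": denied.group(1),
                       "entity": denied.group(2), "denied_in": None, "hint": None}
            events.append(pending)
            continue
        frame = FRAME.match(line)
        if frame and pending is not None and pending["denied_in"] is None:
            # The first frame after the exception line is where the check failed.
            pending["denied_in"] = f"{frame.group(1)}.{frame.group(2)}"
            pending["hint"] = HINTS.get(pending["denied_in"], "unmapped operation")
    return events

if __name__ == "__main__":
    for event in find_denials(SAMPLE):
        print(event)
```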
