This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA® Access Manager Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by RSA Access Manager experts.

How does the Access Manger Help Desk Admin work

Article Number

000014293

Applies To

RSA Access Manager 6.0.4
RSA Access Manager Entitlements Manager (AdminGUI)

Issue

How does the Access Manger Help Desk Admin work

Following error shows in Entitlements Manger when trying to modify the user lockout status of a user:

Not authorized (RC_NOT_AUTHORIZED): Insufficient permission for modify entity user1


Eserver debug output shows the following error message:

13:57:14:671 [*] [APIClientProxy-0] - Thread requesting stream.
sirrus.da.exception.PermissionDeniedException: Insufficient permission for modify entity user1
 at sirrus.da.admin.User.setAdminLockedout(User.java:1273)
 at sirrus.api.adaptors.objects.APIUserAdaptor.fillInUserData(APIUserAdaptor.java:432)
 at sirrus.api.command.write.SaveUserCmd.execute(SaveUserCmd.java:84)
 at sirrus.api.command.APICmdStrategy.executeCmd(APICmdStrategy.java:209)
 at sirrus.api.command.APICmdStrategy.executeOn(APICmdStrategy.java:89)
 at sirrus.util.strategy.StrategyManager.executeStrategyFor(StrategyManager.java:141)
 at sirrus.api.server.APIClientProxy.executeCmd(APIClientProxy.java:1003)
 at sirrus.api.server.APIClientProxy.run(APIClientProxy.java:742)
13:57:14:671 [*] [APIClientProxy-0] - Thread requesting stream.
Not authorized (RC_NOT_AUTHORIZED): Insufficient permission for modify entity user1
 at sirrus.api.command.APICmdStrategy.executeCmd(APICmdStrategy.java:214)
 at sirrus.api.command.APICmdStrategy.executeOn(APICmdStrategy.java:89)
 at sirrus.util.strategy.StrategyManager.executeStrategyFor(StrategyManager.java:141)
 at sirrus.api.server.APIClientProxy.executeCmd(APIClientProxy.java:1003)
 at sirrus.api.server.APIClientProxy.run(APIClientProxy.java:742)
13:57:14:671 [*] [APIClientProxy-0] - Return code is 4 msg is Not authorized (RC_NOT_AUTHORIZED): Insufficient permission for modify entity user1


Cause

The Role to edit passwords only provides rights to change the users passwords.  No other rights to the user object are provided with this role.  In order to change the users lockout status you must assign the "Edit" "Users" role as well.

Resolution

Access Manager includes a special built in administrator object specifically for managing passwords and user lockout status. This object is called "Help Desk Admin" and is available as a check-box on the user page after promoting a user to an administrator.  Administrators that are Help Desk Admins automatically get the rights to change passwords and change user lockout status regardless of any other roles.  As with any administrator you must also assign an administrative role to the user.  For help desk users it is typical to create an empty role that does not have any additional rights although you may assign additional right if you wish.

Workaround

Created an Administrative Role that only has permissions for the Administrator to "Edit" "Passwords".
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2020-12-13 04:57 AM
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.