KB-2721: Insufficient access rights given when creating computer roles, though all rights granted in "delegate zone control" wizard.
Applies to: Centrify DirectControl Console version 5.0.x on Windows
Problem: An insufficient access rights error is shown when creating a computer role even though the account has been granted all rights in the "delegate zone control" wizard.
Cause: This is intended behaviour and the reason is similar to why "delegate zone control" cannot delegate the permissions to create zones.
If a user is granted the "create msDS-AzScopeName" permission, that account becomes the owner of any msDS-AzScopeName object it creates. As owner, it can then grant itself permission to "create container" under that msDS-AzScopeName, regardless of any deny permissions set on the ancestor containers.
If the user then creates a container under msDS-AzScopeName, they can grant themselves permission to "create AD user". Creating users in AD is a significant privilege and should not be easily granted to anybody. This is why DirectControl Console allows neither delegation of zone creation nor delegation of computer role creation.
Resolution:
- Precreate the computer role with a Domain Admin account.
Or:
** If there is no concern about the security issue described under Cause **
1. Grant the User/Group the "create msDS-AzScope objects" right on the msDS-AzApplication object ONLY, under the corresponding zone's authorization container.
2. Grant the User/Group the "create msDS-AzRole objects" right on the msDS-AzScope object under the corresponding zone's authorization container.
3. Grant the User/Group the PROPERTIES permission "write msDS-TasksForAzRole" on the msDS-AzRole object under the corresponding zone's authorization container.
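The three grants above, as an added PowerShell example (not Centrify's own code or tooling) using the ActiveDirectory module and System.DirectoryServices; the group name and the DN of the zone's msDS-AzApplication object are placeholders, and steps 2 and 3 are applied as inherited ACEs on that application object so they cover only msDS-AzScope and msDS-AzRole objects created beneath it, which is one reading of the steps.

```powershell
# Added example, not from the KB: grant the three Resolution rights to one group,
# scoped as narrowly as the KB describes, then list what the group now holds.
Import-Module ActiveDirectory

$GroupSam = 'ZoneRoleAdmins'                                                   # placeholder
$AppDN    = 'CN=<azApplication>,CN=Authorization,<zone DN>,DC=example,DC=com'  # placeholder

# Resolve the group SID and the schema GUIDs of the two classes and one attribute.
$sid      = (Get-ADGroup -Identity $GroupSam).SID
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $o) { throw "schema object '$LdapDisplayName' not found" }
    [guid]$o.schemaIDGUID
}
$azScope  = Get-SchemaGuid 'msDS-AzScope'
$azRole   = Get-SchemaGuid 'msDS-AzRole'
$tasksFor = Get-SchemaGuid 'msDS-TasksForAzRole'

$Allow  = [System.Security.AccessControl.AccessControlType]::Allow
$Rights = [System.DirectoryServices.ActiveDirectoryRights]
$Inh    = [System.DirectoryServices.ActiveDirectorySecurityInheritance]

$acl = Get-Acl -Path "AD:\$AppDN"

# Step 1: create msDS-AzScope children on this msDS-AzApplication object ONLY (no inheritance).
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $Rights::CreateChild, $Allow, $azScope, $Inh::None)))

# Step 2: create msDS-AzRole children, applied only to descendant msDS-AzScope objects.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $Rights::CreateChild, $Allow, $azRole, $Inh::Descendents, $azScope)))

# Step 3: write the msDS-TasksForAzRole property, applied only to descendant msDS-AzRole objects.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $Rights::WriteProperty, $Allow, $tasksFor, $Inh::Descendents, $azRole)))

Set-Acl -Path "AD:\$AppDN" -AclObject $acl

# Check: show exactly which ACEs the group now holds on the application object,
# so nothing broader than the three intended rights was granted.
(Get-Acl -Path "AD:\$AppDN").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$GroupSam" } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType -AutoSize
```

Run it as a Domain Admin; the final table should list three entries and no generic rights such as GenericAll.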