Centrify DirectManage Access Manager Suite 2017.1 or earlier
The AD user from a trusted domain is a member of a domain local group (in the trusting domain).
Permissions ‘Allow – Create/Delete classStore objects’ and ‘Allow – Full Control on descending classStore objects’ are granted to the domain local group on the target zone container.
The AD user is still not able to change the default zone container in Access Manager and receives the error message "You do not have permission to create the zone container at domain.com/Centrify/Zones".

Cause:
The current Access Manager performs an extra check for the create-container permission on the given default zone container. This check is irrelevant because no new container needs to be created.
In addition, changing the default zone container also deletes the old default zone container identifier, so permission to delete the zone container identifier is also required.
The zone container identifier is a classStore object stored in the zone container, for example $CentrifyZoneContainer.
The zone container identifier is an AD object created as:
- Type = classStore;
- Name = $CentrifyZoneContainer;
- DisplayName = $CimsZoneContainerVersion2

Workarounds:
This problem can be addressed by two workarounds that manually place the identifier in the proper location.
1. Create a new zone container identifier in the target zone container with the following PowerShell command, and remove the old zone container identifier.
New-ADObject -Name `$CentrifyZoneContainer -DisplayName `$CimsZoneContainerVersion2 -Type classStore -Path "OU=targetcontainer,DC=domain,DC=com"
* Please replace the above path "OU=targetcontainer,DC=domain,DC=com" with the real path.
2. Move the old zone container identifier to the target container.
i) Right-click the old zone container identifier and go to 'Move';
ii) Select the target zone container from the prompted list;
iii) Click 'OK' to save the change.
Then the current zone container will be shown as the target one in the launched Setup wizard.

Resolution:
This issue has been fixed in Suite 2017.2.
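
For workaround 1 on Suite 2017.1 or earlier, the create and remove steps can be scripted so that the old identifier is deleted only after the new one is confirmed in the target container. This is an added example, not Centrify's own code; the `$OldContainer` path and the helper name `Get-ZoneContainerIdentifier` are hypothetical, and both distinguished names are placeholders to replace with the real paths.

```powershell
Import-Module ActiveDirectory

# Placeholders: replace both with the real distinguished names.
$TargetContainer = 'OU=targetcontainer,DC=domain,DC=com'
$OldContainer    = 'OU=oldcontainer,DC=domain,DC=com'   # hypothetical current default zone container

# Single quotes keep the leading '$' literal, so no backtick escaping is needed.
$IdName    = '$CentrifyZoneContainer'
$IdDisplay = '$CimsZoneContainerVersion2'

if ($OldContainer -eq $TargetContainer) {
    throw 'Old and target containers are the same; nothing to relocate.'
}

# Hypothetical helper: returns the classStore identifier directly under a container.
function Get-ZoneContainerIdentifier {
    param([Parameter(Mandatory)][string]$Container)
    Get-ADObject -SearchBase $Container -SearchScope OneLevel `
        -LDAPFilter "(&(objectClass=classStore)(name=$IdName))" `
        -Properties displayName
}

# 1. Create the identifier in the target container unless one is already there.
if (-not (Get-ZoneContainerIdentifier -Container $TargetContainer)) {
    New-ADObject -Name $IdName -DisplayName $IdDisplay -Type classStore -Path $TargetContainer
}

# 2. Confirm the new identifier exists before touching the old one.
$new = Get-ZoneContainerIdentifier -Container $TargetContainer
if (-not $new -or $new.displayName -ne $IdDisplay) {
    throw "Identifier missing or unexpected in $TargetContainer; old identifier left in place."
}

# 3. Remove the old identifier; -Confirm prompts before the delete.
$old = Get-ZoneContainerIdentifier -Container $OldContainer
if ($old) {
    $old | Remove-ADObject -Confirm
} else {
    Write-Warning "No identifier found in $OldContainer."
}
```

The account running this needs the create and delete classStore permissions described above on both containers.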