Symantec IGA

  • 1.  ETAUTIL Error: Your account lacks MODIFY access.

    Posted May 01, 2019 10:50 AM

    Hello Guys,

     

    I'm trying to use etautil to assign a list of provisioning roles to a group of users.

     

    I am running this command:

     

    • etautil.exe -d im -u etaadmin -p ****** -f assig_prov_roles.txt >> etautil_log.txt

     

    The content of the file is the following:

     

    • update "eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects" eTGlobalUser eTGlobalUserName="prueba usuario 601" to +eTRoleDN="eTRoleName=BAS_Generico,eTRoleContainerName=Roles,eTNamespaceName=CommonObjects,dc=im,dc=eta"

     

    When I run it, I'm getting the following error:

     

    • :ETA_E_0007<MGU>, Global User 'prueba usuario 601' modification failed: You are not authorized to perform this function. Your account lacks MODIFY access to SyncUsers on one or more Provisioning Role objects.

     

    To run the command I'm using the "etaadmin" user, which is the default user for the provisioning server. This user has the "DomainAdministrator" admin profile assigned by default, and this gives control over the entire domain.

     

    I'm not sure if there's something I'm missing in the command, but the etaadmin user should be able to run this operation.

     

    Any ideas on this?

     

    Regards.



  • 2.  Re: ETAUTIL Error: Your account lacks MODIFY access.
    Best Answer

    Posted May 01, 2019 11:05 AM

    Instead of this:

     

    • update "eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects" eTGlobalUser eTGlobalUserName="prueba usuario 601" to +eTRoleDN="eTRoleName=BAS_Generico,eTRoleContainerName=Roles,eTNamespaceName=CommonObjects,dc=im,dc=eta"

     

    Use this:

     

    • update 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser eTGlobalUserName='prueba usuario 601' to +eTRoleDN='eTRoleName=BAS_Generico,eTRoleContainerName=Roles,eTNamespaceName=CommonObjects,dc=im';

     

    I removed the dc=eta suffix from the role value, which is not supposed to be there. I also changed the double quotes to single quotes, and added the semi-colon at the end of the command. Note that this command will add the role but will not try to create any accounts. If you want to trigger the account creation then you also need to include eTSyncUsers='1' in the same command such as:

     

    • update 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser eTGlobalUserName='prueba usuario 601' to +eTRoleDN='eTRoleName=BAS_Generico,eTRoleContainerName=Roles,eTNamespaceName=CommonObjects,dc=im' eTSyncUsers='1';
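
For the original goal of assigning a list of roles to a group of users, the following added example (not part of the original posts, and not vendor code) generates the command file in the syntax from the accepted answer: single quotes, role DN ending at dc=im, terminating semicolon, optional eTSyncUsers='1'. The function names are hypothetical, and rejecting names that contain quotes or semicolons is an assumption made here because the thread does not describe etautil's escaping rules.

```python
import re

USER_BASE = "eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects"
ROLE_TAIL = "eTRoleContainerName=Roles,eTNamespaceName=CommonObjects"

# Assumption: etautil's escaping rules are not given in the thread, so values
# with quotes, semicolons or control characters are rejected, not escaped.
_UNSAFE = re.compile(r"""['";\x00-\x1f]""")


def _check(value, what):
    if not value or value != value.strip() or _UNSAFE.search(value):
        raise ValueError(f"unsafe {what}: {value!r}")
    return value


def role_dn(role, domain="im"):
    """Accept a bare role name or a full DN; return the DN ending at dc=<domain>."""
    _check(role, "role")
    if "=" not in role:
        if "," in role:
            raise ValueError(f"bare role name contains a comma: {role!r}")
        return f"eTRoleName={role},{ROLE_TAIL},dc={domain}"
    # Drop the trailing dc=eta component that the answer says must not be there.
    dn = role[: -len(",dc=eta")] if role.lower().endswith(",dc=eta") else role
    if not (dn.startswith("eTRoleName=") and dn.endswith(f",dc={domain}")):
        raise ValueError(f"unexpected role DN: {role!r}")
    return dn


def build_batch(users, roles, sync=False, domain="im"):
    """One update command per (user, role) pair, terminated with a semicolon."""
    tail = " eTSyncUsers='1'" if sync else ""  # also triggers account creation
    dns = [role_dn(r, domain) for r in roles]
    return [
        f"update '{USER_BASE}' eTGlobalUser "
        f"eTGlobalUserName='{_check(u, 'user name')}' to +eTRoleDN='{dn}'{tail};"
        for u in users
        for dn in dns
    ]


if __name__ == "__main__":
    # Constructed sample input: the user and role from the thread plus one made-up user.
    users = ["prueba usuario 601", "prueba usuario 602"]
    roles = ["BAS_Generico"]
    print("\n".join(build_batch(users, roles, sync=True)))
```

Write the returned lines to the file that is passed to etautil with -f.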