Hi,

I've been giving a user (let's call him userA) the Role Manager role,
without creating any container to which this userA is a trustee.

This userA has access to the Assign Roles, and can therefore browse the
users to assign roles to.

When i choose a userB in using this browsing method, i can see which
roles he has access to, and moreover i can delete them, even if my userA
hasn't any Trustee right on the role to be deleted (or its container).
Any idea why ? I would like to avoid this behavior, which is not secure
to my mind.

Any idea what i'm doing wrong ? Or what i could do to avoid that ?

Thanks in advance


--
adminnovel
------------------------------------------------------------------------
adminnovel's Profile: http://forums.novell.com/member.php?userid=33631
View this thread: http://forums.novell.com/showthread.php?t=363426