Published: 2003-03-26
Applies to: Content Studio ver. 3.2 and 3.3 running i an Active directory domain
Type: Information
Symptoms
A user that is member of a group that is a member of another group does not get permissions in Content Studio even though that the main group has been given permissions in Content Studio.
Cause
The current version of the Content Studio security model is fully backward compatible with the Windows NT 4 domains. In Active Directory groups can be members of other groups something that is not supported in the old domain model used by Windows NT 4. The underlying system procedures that Content Studio uses to discover a user's group membership does not detect a user's membership in nestled groups. So if you in CS set permissions for a group that has other groups as members Content Studio will not be able to use permission for the members of the subgroups. Thus users must be a direct member of that group in order to detect the membership.
However Content Studio does detect domain groups that are members in a group local to the web server.
Ex. the local alias (group) "Users" normally contains the domain group "Domain Admins" and this type of groups in groups was supported under Windows NT 4 and is supported by Content Studio.
However Content Studio does detect domain groups that are members in a group local to the web server.
Ex. the local alias (group) "Users" normally contains the domain group "Domain Admins" and this type of groups in groups was supported under Windows NT 4 and is supported by Content Studio.
Resolution
Make the users in question a direct member of the group or upgrade to version 3.5.
Status
This limitation has been fixed in Content Studio version 3.5.