A Management Agent Generates an Error While It Modifies the ZcExecutionInfo Attribute (310500)
The information in this article applies to:
- Microsoft Metadirectory Services 2.2 SP1
This article was previously published under Q310500
SYMPTOMS
When you attempt to run a management agent (MA), the following error message may be displayed:
An error occurred processing your request
The server reported [Modification error 14049 attribute: [zcExecutionInfo]]
No information is written to the Genlogs or Zscript log file.
CAUSE
This problem can occur if the account under which the MA operates does not have sufficient access rights.
RESOLUTION
To operate successfully, the MA must be able to modify itself. In particular, it must be able to record its state in the zcExecutionInfo attribute to track its progress. The MA operates under the security settings for the user who starts the MA. These settings must include the ability to create, modify and delete the MA object so that the zcExecutionInfo attribute can be set appropriately.
For a description of how to set security sub-entries in the MMS folder, read the "Controlling Access Permissions for an Area" topic in the online MMS System Administration Manual.
You can use any of the following methods to verify the security settings for a particular MA:
- Verify the security settings for the individual MA object.
- Verify the security settings for the area that is local to the MA in the MMS folder tree.
- Place the applicable active security subentry "higher" in the folder tree and verify its security settings.
You set security settings in Microsoft Metadirectory Services (MMS) by using subEntry objects, and you activate the security settings at Admin points. MMS security is very detailed: you can set the security on individual objects, or you can configure the security for a subfolder.
To configure the appropriate security settings for an MA:
1. Identify the MMS account that you want to use to run the MA.
2. Using Compass, log on to MMS by using an account that already has sufficient access rights to make security changes throughout the directory. By default, the MMS Administrator account has this ability in a new MMS installation.
3. Using the Bookmarks action in the left pane, click Management Agents.
4. In the right pane, click the target MA.
5. Using the Actions section in the left pane, click Access Control. This gives you the finest degree of control so that you can configure access to just this MA.
6. In the This Entry's Permissions dialog box, add or delete the distinguished names of the objects and lists to which you want to grant or deny permission. Note that if no entries are listed in the dialog box, the permissions that control access to this MA are set in the next higher security subentry. One tab affects the visibility of the object and its attributes. The other tab affects the ability to create, modify, or delete the object and its attributes.
7. Click OK or Cancel to close the dialog box.
8. By default, a security subentry named Connector Space Security is created when you install MMS. Click this object, and then click Properties. The This Administration Area's Security Policy dialog box opens. Note that this object controls the subtree in which it exists. You configure access control for the object itself in the Access Control action. This is not the action that is required for this example.
9. On the two tabs (Admin Area's Read and Browse Permissions and Admin Area's Create, Modify and Delete Permissions), add or delete the distinguished names of the objects and lists to which you want to grant or deny permission. Note that if no entries are listed in the dialog box, you set the permissions that control access to this MA in the next higher security subentry.
10. Until you are able to identify and configure the appropriate access permissions for the specific user or group that you identified in step 1, continue to move up the directory structure, verifying or configuring the security subentries as defined in steps 8 and 9. Note that the names of the individual security subentries are not "Connector Space Security." This name applies only to the security subentry that controls the root of the connector space. However, each security subentry is displayed with a spherical, blue icon and has the zcSubEntryName distinguishing attribute.
11. After you identify the controlling security subentry and configure its permissions to allow the specific account to have sufficient access rights, click OK.
12. Click the Operate MA action.
13. Click Run the Management Agent.
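The walk-up rule in the procedure above (a level with no entries listed defers to the next higher security subentry) can be modelled as follows. This is an added example, not code from the original article or from MMS. The DNs, the account names and the dictionary layout are constructed for illustration, the model takes the article's rule literally, and deny entries and list membership are not modelled.

```python
# Added example: a simplified model of the walk-up rule described above.
# All DNs and grant lists are constructed; MMS stores these in security
# subentries that you edit in Compass, not in a Python dict.

# DN -> accounts listed on the create/modify/delete tab at that level.
# An empty list means "no entries listed", so control passes one level up.
SAMPLE_GRANTS = {
    "cn=HR Feed MA,ou=Management Agents,o=Example": [],
    "ou=Management Agents,o=Example": [],
    "o=Example": ["cn=MMS Administrator,o=Example"],
}


def parent_dn(dn):
    """Return the DN one level up, or None at the root.

    Assumes no escaped commas inside RDN values (true for the sample data).
    """
    _, sep, rest = dn.partition(",")
    return rest if sep else None


def controlling_level(ma_dn, grants):
    """Walk up from the MA to the first level that lists any entries."""
    dn = ma_dn
    while dn is not None:
        if grants.get(dn):
            return dn
        dn = parent_dn(dn)
    return None


def audit(account, ma_dn, grants):
    """Report which level controls the MA and whether the account is listed there."""
    level = controlling_level(ma_dn, grants)
    listed = level is not None and account in grants[level]
    return {"controlling_level": level, "sufficient": listed}


if __name__ == "__main__":
    ma = "cn=HR Feed MA,ou=Management Agents,o=Example"
    svc = "cn=svc-ma,o=Example"
    print(audit(svc, ma, SAMPLE_GRANTS))  # controlled at the root; account not listed
    fixed = {**SAMPLE_GRANTS, "ou=Management Agents,o=Example": [svc]}
    print(audit(svc, ma, fixed))  # now controlled by the Management Agents area
```

An account that is reported as not sufficient at the controlling level corresponds to the condition described under CAUSE.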
Modification Type: Major
Last Reviewed: 10/2/2003
Keywords: kbenv kberrmsg kbprb KB310500