Symptoms
We need to use a separate service user to create groups in a special OU in our AD. In the K2 help files it says the account to create groups needs to have system operator permissions. Unfortunately I will not get these permissions because they are quite high level and for instance will grant this user the permission to log on locally to the domain server and shut it down.
We granted the permissions to create modify and delete groups in the respective OU using the "Delegation of Control Wizard". Currently I can create groups using the service instance when this service instance is set to static (unfavourable due to security problems) and the SmartObject Service Tester. When I use the same SmartObject in the process it actually creates the group, but then the process goes into error because some permission is missing. Unfortunately it is not clear which permission is missing. We don't have the possibility to see what is happening in the code of this method which would most likely show us what it tries to do. The error message I get is too high level to identify the missing permission:
Message: The user does not have the sufficient permissions to perform this operation. Please ensure you have Account Operator or Administrator permissions. ServiceName: Account Management Service ServiceGuid: cd3804d6-973d-4de4-bf78-8427f6761011 InnerExceptionMessage:
Diagnoses
I tried to reproduce this using the following steps on a Denallix VM:
1) Create a new user, I called it AMU@denallilx.com (for Account Management User)
2) Leave this user's group as is (part of Domain Users group by default).
3) When you now edit the Account Management Service Instance and set it to Static and use this new user's credentials, create a SMO from it then try to create a new User/Group, it works.
This behaviour is very weird, because it shouldn't work. You need Account Operator permissions according to the KB article -
https://help.k2.com/onlinehelp/k2blackpearl/userguide/4.6.10/webframe.html_npd01.html
We also tried to reproduce using K2 Studio:
Steps:
Created a workflow with a DataField to use as the Group Name.
Added a SmartObject Event for the "ADM User" SMO to create a group, using the DataField as the "Name" input mapping.
Open the SmartObject Event again (right-click>properties) and on the Event General Properties change the "Run as" to denallixadm
Deploy the workflow
Start the workflow using WorkSpace and specify a group name in DataField.
The group should be successfully created in AD.
To test, change the "Run As" user to something else e.g denallixob and deploy.
When running the workflow it will give error message "The user does not have the sufficient permissions to perform this operation"
Note: There is a bug in Designer that does not allow you to Configure Credentials on an event. You will have to use K2 Studio or K2 for Visual Studio.
---
The biggest difference between our environment and your environment is that you are using Kerberos.
Resolution
So eventually we sent the ticket to the developers to ask what exactly the Account Management Smart Broker does when creating/getting details from Active Directory, and this is their response:
The Account Management Service Type makes use of System.DirectoryServices.AccountManagement component of the .Net framework for all AD related changes. We simply pass parameters (i.e. Group name, OU to use, Username, etc.) to this API to execute the task. The exact way the API does this is unknown.
To assist in the investigation you may need to enable AD auditing as per https://technet.microsoft.com/en-us/library/cc731607(v=ws.10).aspx
I believe after enabling the auditing as per above, the customer was able to resolve this issue internally.
