Roles and Rights Issues

  • There is no 'Require multi-factor authentication' system right for the

    predefined 'Windows Login' role. To define this system right for MFA, use

    the pre-defined Require MFA for logon role, or create a new custom role.

    (Ref: CS-40888)

  • Windows Network Access rights do not take effect on a Linux or UNIX

    machines. If you select a role to start a program or create a desktop that

    contains a Network Access right, you can only use that role to access

    Windows computers. The Windows computers you access over the network must be

    joined to a zone that honors the selected role. The selected role cannot be

    used to access any Linux or UNIX server computers on the network. (Ref:

    32980a)

  • Network Access rights are not supported on the Windows 2008 R2 Terminal

    Server if “RDC Client Single Sign-On for Remote Desktop Services” is enabled

    on the client side. (Ref: 34368b)

  • To elevate privileges to the “Run as” account specified in a Windows right,

    the “run as” account must have local logon rights. If you have explicitly

    disallowed this right, you may receive an error such as “the user has not

    been granted the requested logon type at this computer” when attempting to

    use the right. (Ref: 34266a)

  • If your computer network is spread out geographically, there may be failures

    in NETBIOS name translation. If a NETBIOS name is used, Active Directory

    attempts to resolve the NETBIOS name based on the domain controller that the

    user belongs to, which in a multi-segment network might fail. Therefore,

    Network Access rights might not work as expected if the remote server is

    located using NETBIOS name. You may need to consult your network

    administrator to work around this issue. (Ref: 39087a)

  • File hash matching criteria in the Application right is not supported for a

    file larger than 500MB. This is to make sure DirectAuthorize does not spend

    too much CPU and memory resources to calculate the file hash. User trying to

    import a file with the size larger than 500MB will see an empty value for

    the file hash field. (Ref: 56778a)

  • For a small set of application, enabled matching criterion - “Product Name”,

    “Product version”, “Company”, “File Version” or “File Description” of a

    Windows Application Right may fail to match after upgrading agent under the

    following conditions: - Any value for the enabled matching criteria is

    defined by either import from a process or file - The matching criteria is

    defined by 5.1.3 or 5.2.0 DirectManage Access Manager since the number of

    affected application is expected to be relatively low, proactively updating

    the defined matching criteria of Windows Application Right is not necessary.

    (Ref: 60053a)