When using System Center 2012 Operations Manager (OpsMgr) to manage System Center 2012 Data Protection Manager (DPM) servers and leveraging the role-based access control, it is possible that a restricted user can attempt certain actions that they don't have permission to and get a message indicating it was successful.
Checking the jobs view in DPM for the given protection group will show that the job is not actually initiated in DPM. Restrictions for the user will be followed.
This is most likely to happen only when dealing with a protection group. When the same action is attempted at the data source level, users will be presented with the expected message indicating the action is not allowed.
This is caused by unexpected return values from the agent task in OpsMgr.
The DPM team is aware of the condition and is working on a resolution that will be targeted for the next DPM QFE.
It is important to note that the action is not actually being performed. There is no unexpected elevation of privileges. The roles as defined in OpsMgr are being honored at all times.
Following are examples of the expected behavior and the erroneous message.
If a restricted user attempts to launch a consistency check for a data source from the OpsMgr console, initially a message will be displayed indicating the job is being sent.
Run Consistency Check on data source Status: Run Consistency check on data source
This will then be followed by an error indicating the user does not have permission.
Failed to start <task type> on data source You do not have permissions to perform this action. Your DPM administrator must give you permissions to any one of the following tasks - Run <task type> (ID: 33238)
If the same user attempts to initiate the consistency check, but this time at the protection group level, the experience changes and an erroneous message is displayed. First, an indication that job is being sent will be displayed.
Run Consistency Check on Protection Group Status: Run Consistency Check on Protection Group
At this point, OpsMgr reports that the job was successfully started.
Run Consistency Check on Protection Group Status: Successfully started consistency check on Protection Group
The above message is the erroneous message as the job will not be started on the DPM server.
DPM DPM2012 RBAC role based access control DPM 2012