I'm trying to find out what the minimum necessary edir rights are for a user to associate an app object with a user or OU. Something has apparently changed inadvertently in our rights configuration.

App object and the OU to be associated (containing the users) are different OUs. I'm sure it's eDir rights because if I grant the assigning user supervisor rights (entry and attribute) to both the user and object OU it works.

Thanks...