How do I get a security group view for a manager
-
Wednesday, December 02, 2009 1:03 PM
Hi All,
I am trying to get a manager to own a dynamically created security group and also be able to administrate this group from his own portal login/view.
So far I have:
- Created the security group (used the manager choice) and assigned the manager as the owner.
- Logged in as the manager to the portal
- Played around a bit with the security group MPRs.
The problem I have is that I can't even see the security group when I log on as the manager.
Any suggestions would be welcome, and if this is a simple and already solved problem I would appreciate a link to the solution.
Thanks
//Patrik
All Replies
-
Wednesday, December 02, 2009 2:15 PM
Hi Patrik!
To solve this you'll have to...
1. Add your Manager to a set, let's call it the ManagerSet.
2. Add the group to a set, let's call it the GroupSet.
3. Create an MPR with the following settings:
Display Name: Grant manager right to security group
Grants permission: True
Requestors: ManagerSet (Requestors = the ones that are granted rights here)
Operation: This depends on what you want your manager to be able to do to the group, but let's say he/she should only be able to add or remove members to groups in the GroupSet; then select Add and Remove values to multi-valued attributes on the group.
Target Resource Definition Before: GroupSet (This is the set before any operations are made on the group)
Target Resource Definition After: GroupSet (This is the set after any operations are made on the group - the same set)
Resource attributes: If you only want him to be able to add/remove members then select the "Manually-managed membership" (Explicit member) attribute here.
If you want the manager to be able to edit single-valued attributes, add modify as operation and select all or any of the attributes available on groups as Resource attributes.
Edit: There is a possibility to simply enable the MPR called: Security group management: "Owners can update and delete groups they own"
//Henrik
Henrik Nilsson Blog: http://www.idmcrisis.com Company: Cortego (http://www.cortego.se) -
Wednesday, December 02, 2009 2:26 PM
Henrik,
Just curious, can you set a criteria such that anyone who is an owner of a security group may edit the group in FIM?
Thanks.
Anu -
Wednesday, December 02, 2009 2:33 PM
Anu,
Check out the "Owners can update and delete groups they own" MPR and you'll see how...
It's pretty simple, just use the Owner attribute as a relative to resource requestor.
Henrik Nilsson Blog: http://www.idmcrisis.com Company: Cortego (http://www.cortego.se) -
Wednesday, December 02, 2009 3:06 PM
Hi Henrik,
Thank you for your quick reply. I have tried:
"Edit: There is a possibility to simply enable the MPR called: Security group management: "Owners can update and delete groups they own""
before and I am sure it gives the manager some administrative capabilities but it is hard to use them since there seems to be no link on his portal page to any group management, only the usual distribution lists. I will try your suggestion but I'm not convinced that it will give me the gui possibility I need.
I am using an altered scenario with an AD and a HR file as in the getting started section on TechNet.
And I am after the same thing as Anu mentioned, basically reflecting the organization's authorization capabilities into the IT resources. So it would seem like that MPR would be a perfect fit.
//Patrik -
Wednesday, December 02, 2009 3:10 PM
Ok... So there's no "My SG's" in the navigation bar either?
Henrik Nilsson Blog: http://www.idmcrisis.com Company: Cortego (http://www.cortego.se) -
Wednesday, December 02, 2009 3:15 PM
I suddenly remember that non-admin users might need the value "BasicUI" as usage keyword in the navbar item and homepage resource item in order for them to be visible; this could solve your problem if the links are not available on the portal.
//Henrik
Henrik Nilsson Blog: http://www.idmcrisis.com Company: Cortego (http://www.cortego.se) -
Wednesday, December 02, 2009 3:18 PM
Yes, that is correct, no SG's are visible when I log on as the manager
-
Wednesday, December 02, 2009 3:20 PM
From that I gather that I need to do some research into what the navbar and homepage resource items are and try that out.
-
Wednesday, December 02, 2009 3:24 PM
It's not that advanced... Navbar items are the links found on the left side of the portal home page and homepage resources the links in the main frame of the portal... You can find them directly under Administration (when logged in as admin).
All you need to do is to add the word BasicUI to the usage keyword multi-value textbox for the "link".
//Henrik
Henrik Nilsson Blog: http://www.idmcrisis.com Company: Cortego (http://www.cortego.se)
Marked As Answer by pac123 Thursday, December 03, 2009 5:19 PM
-
Wednesday, December 02, 2009 5:06 PM
Ok, I have now tried to apply all links with BasicUI and that yielded views of security groups, but they were empty and had no possibility of searching; ergo I can still not find my manager's group when logged on as him.
I have also tried your suggested MPR and applied an MPR that lets users see other users. The result is still pretty much the same: I have a (manager based) security group SG1 which can be administrated by the administrator but not by the owner.
//Patrik -
Wednesday, December 02, 2009 5:15 PM
I forgot about the Search scope... http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/4efaeac9-af3c-4694-9a6e-e2644892a80d/
1) Navigate to "Administration" page
2) Click "Search Scopes" and add BasicUI in the usage keyword list for following search scopes - All Security Groups, My Security Groups, My SG Memberships
Edit: Since I found the link I recommend you to use that and skip the MPR I suggested...
Henrik Nilsson Blog: http://www.idmcrisis.com Company: Cortego (http://www.cortego.se)
Marked As Answer by pac123 Thursday, December 03, 2009 5:19 PM
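The search-scope step from the answer above, scripted as an added example (not part of the original thread and not the poster's code): it reports the usage keywords on the three named search scopes and adds BasicUI only where it is missing, and only when run with `-Apply`. It assumes the FIMAutomation PowerShell snap-in is installed and that the FIM Service listens on its default URI; the `-Apply` switch and the variable names are hypothetical.

```powershell
# Added example (not from the thread). Assumes the FIMAutomation snap-in on the
# FIM Service host and the default service URI; adjust -Uri for your deployment.
param(
    [string]$Uri = 'http://localhost:5725/ResourceManagementService',  # assumed default
    [switch]$Apply   # hypothetical switch: without it the script only reports
)
Add-PSSnapin FIMAutomation -ErrorAction Stop

$keyword = 'BasicUI'
$scopes  = 'All Security Groups', 'My Security Groups', 'My SG Memberships'

foreach ($name in $scopes) {
    $found = @(Export-FIMConfig -Uri $Uri -OnlyBaseResources `
                 -CustomConfig "/SearchScopeConfiguration[DisplayName='$name']")
    if ($found.Count -ne 1) {
        Write-Warning "Expected one search scope named '$name', found $($found.Count); skipping."
        continue
    }
    $rmo  = $found[0].ResourceManagementObject
    $attr = $rmo.ResourceManagementAttributes |
            Where-Object { $_.AttributeName -eq 'UsageKeyword' }
    $current = @($attr.Values)
    Write-Output ("{0}: UsageKeyword = {1}" -f $name, ($current -join ', '))

    if ($current -contains $keyword) { continue }   # already shown to non-admin users
    if (-not $Apply) {
        Write-Output "  would add '$keyword' (re-run with -Apply)"
        continue
    }

    # Add one value to the multi-valued UsageKeyword attribute; existing values stay.
    $change = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
    $change.Operation      = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportOperation]::Add
    $change.AttributeName  = 'UsageKeyword'
    $change.AttributeValue = $keyword
    $change.FullyResolved  = $true
    $change.Locale         = 'Invariant'

    $import = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
    $import.ObjectType             = 'SearchScopeConfiguration'
    $import.TargetObjectIdentifier = $rmo.ObjectIdentifier
    $import.SourceObjectIdentifier = $rmo.ObjectIdentifier
    $import.State   = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportState]::Put
    $import.Changes = @($change)
    $import | Import-FIMConfig -Uri $Uri
    Write-Output "  added '$keyword'"
}
```

Run it first without `-Apply` to see which scopes are already exposed to non-admin users before changing anything.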
-
Wednesday, December 02, 2009 5:46 PM
Thank you, that did it.
Too bad that the group is dynamic so removing/adding members won't work, but the result I wanted was to have a report of sorts of which resources a manager is responsible for in an IT environment so he/she/it can compare it to "reality". So I am pleased so far, ty again Henrik.

