FIM Portal Permissions to View Manager

    Question

  • Hi All,

    I've got this requirement that, when I first heard it, I thought would be quite simple, but it's turned out not so easy. I'm trying to set up configuration so that a user in the FIM Portal, when viewing their own details, can click on the hyperlink in the Manager attribute and see their Manager's details. This is simple if you just allow all users to read all attributes of all users, but the requirement states that users should not be able to read all others, just themselves and their Manager. The problem is that there is no way to target relative to the requestor.

    I've thought about adding a new attribute on user called something like "Manages" that would contain the users the user manages, and using a WF to populate this attribute from Managed By, effectively reversing the reference; then it's possible to use a relative requestor MPR that points at the new Manages attribute. But this seems like waaay too much overhead for something that seems so simple. Are there any other approaches I could take here?

    Sunday, March 24, 2013 08:51

All replies

  • I've thought about adding a new attribute on user called something like "Manages" that would contain the users the user manages, and using a WF to populate this attribute from Managed By, effectively reversing the reference; then it's possible to use a relative requestor MPR that points at the new Manages attribute. But this seems like waaay too much overhead for something that seems so simple. Are there any other approaches I could take here?

    I agree that this seems like too much overhead, but that's probably how I'd do it, to be honest.

    Just to add some extra overhead, keep in mind that if you have a WF which populates the attribute, you'll also have to have one which de-populates it as well. I generally tie this into a single workflow.

    Having a quick think about it, this is probably the most straightforward way of doing it. Perhaps someone else can come up with something.

    - Ross Currie

    FIMSpecialist.com | MCTS: FIM 2010 | Now Offering ECMA1->ECMA2 Upgrade Services

    Monday, March 25, 2013 02:24

  • I concur with Ross - if you want to use the relative-to-resource MPR idea, then you have no option but to have the ManagerOf property set - and I have done this myself in two ways:

    1. using a custom workflow which picks up changes to Person.Manager and completely recalculates the Person.ManagerOf property of the manager - the downside of this approach is that workflows can and usually do fail every now and then (even if it's less than 0.01% of the time), and when they do you will need some sort of housekeeping process to keep tabs on the integrity;
    2. using the sync engine with some other authoritative source of the Person.Manager inverse - I used a variation on the Replay MA to construct Person.ManagerOf and then flow this back into the FIM Portal via the standard FIM MA. The benefit of this is that there are no workflows that can fail, and the sync engine ensures consistency for you. The downside is the extra sync cycles required (and the delay this can cause).

    You will have to choose which one suits you best.

    Bob Bradley (FIMBob @ TheFIMTeam.com) ... now using Event Broker 3.0 for just-in-time delivery of FIM 2010 policy via the sync engine, and continuous compliance for FIM

    Wednesday, March 27, 2013 02:50
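The reverse-reference approach from both replies, as an added Python model that is not FIM code and not either poster's own: it recomputes ManagerOf from Person.Manager, shows the populate/de-populate pair Ross mentions for a single Manager change, and the integrity check Bob suggests for catching workflow failures. The attribute name ManagerOf, the PEOPLE sample directory and the function names are constructed for the example.

```python
"""Added illustration (not FIM code): maintain ManagerOf, the inverse of
Person.Manager, so a relative-to-resource MPR can grant a user read access to
their own manager's record without opening every user to everyone."""
from collections import defaultdict

# Constructed sample data: ObjectID -> Manager ObjectID (None = no manager).
PEOPLE = {"alice": None, "bob": "alice", "carol": "alice", "dave": "bob"}


def compute_manager_of(people):
    """Recompute the full inverse from scratch: manager -> set of direct reports."""
    inverse = defaultdict(set)
    for person, manager in people.items():
        if manager is not None and manager != person:  # ignore self-references
            inverse[manager].add(person)
    return dict(inverse)


def apply_manager_change(manager_of, person, old_manager, new_manager):
    """Workflow step for one Person.Manager change: de-populate the old
    manager's ManagerOf and populate the new manager's. Returns the mapping."""
    if old_manager is not None and old_manager in manager_of:
        manager_of[old_manager].discard(person)
        if not manager_of[old_manager]:
            del manager_of[old_manager]  # drop empty sets so comparisons stay clean
    if new_manager is not None and new_manager != person:
        manager_of.setdefault(new_manager, set()).add(person)
    return manager_of


def find_drift(stored, people):
    """Housekeeping check for failed workflows: compare stored ManagerOf values
    against a fresh recomputation. Returns {manager: (missing, stale)} for
    every manager whose stored set differs from what Person.Manager implies."""
    expected = compute_manager_of(people)
    drift = {}
    for manager in set(stored) | set(expected):
        want = expected.get(manager, set())
        have = stored.get(manager, set())
        if want != have:
            drift[manager] = (want - have, have - want)
    return drift


if __name__ == "__main__":
    current = compute_manager_of(PEOPLE)
    # dave moves from bob to carol; the workflow fixes both sides of the reference
    apply_manager_change(current, "dave", "bob", "carol")
    print(current, find_drift(current, dict(PEOPLE, dave="carol")))
```

In a real deployment the stored values would come from the FIM Service and the drift report would drive a repair run; here everything is in memory.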