none
Create Set with Access Denied with filter permissons correct RRS feed

  • Question

  • I am standing up a FIM lab and need to create a set. I'm logged in as an administrator and the attribute I want to use in the SET's filter is "HR Effective Status." I give the set a name, create the filter with the HR Effective Status attribute and view the members with no problems. However, when I click the submit button, I get an access denied error (see screen shot). Prior to creating the set, I had added this HR Effective Status attribute to both the Filter permission objects (Administration-->All Resources-->Filter Permission), but this does not seem to be the problem. Both MPRs that are kicked off seem to be set properly too. Any ideas on what the problem might be?

    Thank you in advance for any help!

     

     

     

    Friday, May 9, 2014 3:48 PM

All replies

  • After troubleshooting this further, it seems that I only get an "Access Denied" message when I attempt to create the set using criteria-based membership. If I uncheck the "Enable criteria-based membership..." checkbox and add manual members, the set is created as expected - no errors. However, any type of criteria-based membership gives me access denied. This is true whether I select a specific user attribute, the user resource itself, or any other of the many other resources available in the dropdown.

    Friday, May 9, 2014 7:03 PM
  • Have you tried creating a "God" MPR for administrator - giving all rights over all objects - just to check it isn't a permissions error? Are all MPRs that might be needed enabled?
    Tuesday, May 13, 2014 8:21 AM
  • Have you verified the "Default" MPRs? Are those MPR's enabled? There can be an MPR as "God" MPR by which we can grant permission to Admin users to make changes as required.

    Regards,

    Manuj Khurana

    Tuesday, May 13, 2014 1:08 PM
  • Thanks for the feedback.

    All the default MPRs seem to be enabled - see screen shot for the MPRs that are not enabled. How do I create a "God" MPR to rule out permissions? Like what should the MPR be configured as?


    • Edited by barocky82 Tuesday, May 13, 2014 3:32 PM
    Tuesday, May 13, 2014 3:32 PM
  • Create an MPR called "Admin can do anything" (or whatever):

    - Requestors: administrators set

    - Operations: tick everything

    - Permissions: grants permissions

    - Target Resources: all objects

    - Resource Attributes: all attributes

    Dave

    Wednesday, May 14, 2014 10:24 AM
  • Barocky82,

    Have you by chance modified the Administration:Administrators control set resources MPR and removed Filter from the Resource Attributes? Can you create other sets with criteria-based membership?

    If you've added the new attribute to the filter permission it should work without any further changes.  If you do decide to create an MPR allowing admins to do anything, please make sure you remove this configuration after the issue is identified.


    Wednesday, May 14, 2014 7:59 PM
  • @Dave: Thank you for responding. I have created an MPR as you mentioned above and I still get the same exact error that I posted originally at the top. I'm wondering if I should just export the FIM config from my production environment and import it into my lab. I'm obviously missing something. Any other ideas before I attempt that?

    @Andrew: Thank you, Andrew. I have confirmed that the Administration: Administrators control set resources MPR is configured to have "Filter" in the selected Resource Attributes. Any other ideas?

    Thanks to both of you!

    Friday, May 16, 2014 1:19 PM
  • Just checking some things that people sometimes forget:

    • since you created your new attribute/binding, have you restarted the FIMService and performed an IISRESET on the FIM web server?
    • have you checked the FIM event log (Event Viewer/Applications and Services Logs) for a more detailed error when you get the general "Denied" exception when saving your query-based set?
    • if the FIM database has been used for a while, chances are you will need to reindex some things - you may just be getting timeouts.

    Bob Bradley (FIMBob @ TheFIMTeam.com) ... now using FIM Event Broker for just-in-time delivery of FIM 2010 policy via the sync engine, and continuous compliance for FIM

    • Proposed as answer by UNIFYBobMVP Thursday, August 13, 2015 11:28 AM
    Friday, May 16, 2014 2:15 PM
  • While creating the Criteria based set, after you get permission deny error. Go to "Search Request" and open the request which was generated as denied, in this request you can find the error details about why this is happening. Still if you are not able to find anything in the request, you can also check the Event Viewer for more details that why arer you getting access denied while creating the Criteria based set.

    Regards,
    Manuj Khurana

    Wednesday, July 16, 2014 8:51 AM