none
Customized Set RRS feed

  • Question

  • Hi,

    Is it possible to create two sets, one for requestors and the other for targets, related to a MPR that return in Users search scope only users that are in the target Set

    Thank you

    Sunday, March 11, 2018 1:58 PM

Answers

  • This is definitely doable. You'll need three MPRs and three users sets:

    - MPR 1

     - Set 1 "All Finance Users"

     - Grant Helpdesk1 Read, Modify all attributes for All Finance Users

    - MPR 2

     - Set 2 "All HR Users"

     - Grant Helpdesk2 Read, Modify all attributes for All HR Users

    - MPR 3

     - Set 3 "All Users"

     - Grant Helpdesk3 Read, Modify all attributes for All Users

    If you want to have different buckets of attributes that are readable vs writeable, you just need to duplicate the MPRs (you can reuse the sets) and break out those two permissions.


    Thanks,
    Brian

    Consulting | Blog | AD Book

    Tuesday, March 13, 2018 3:02 PM
    Moderator
  • Just to expand on Brian's answer:

    You will need 6 sets.

    1 for each of the help desk users: Finance Helpdesk, HR Helpdesk, All users Helpdesk (these will probably be static or manually managed rather than criteria based) and then 1 set for each of the targets Finance, HR and All users (there will be criteria based).


    David Lundell, Get your copy of FIM Best Practices Volume 1 http://blog.ilmbestpractices.com/2010/08/book-is-here-fim-best-practices-volume.html

    • Marked as answer by MIM User Thursday, March 15, 2018 9:13 AM
    Tuesday, March 13, 2018 8:12 PM

All replies

  • Can you provide some more context/detail? I don't understand what you're trying to achieve.

    Thanks,
    Brian

    Consulting | Blog | AD Book

    Monday, March 12, 2018 11:43 PM
    Moderator
  • Sure

    The goal is the allow two kind of help desks to see and modify different users based on an attribute value

    ex.

    The Set of helpdesk1 can see and modify (under "All Users") only users with department = finance

    The Set of helpdesk2 can see and modify only users with department = hr

    The Set of helpdesk3 can see and modify all users

    Thank you

    Tuesday, March 13, 2018 4:51 AM
  • This is definitely doable. You'll need three MPRs and three users sets:

    - MPR 1

     - Set 1 "All Finance Users"

     - Grant Helpdesk1 Read, Modify all attributes for All Finance Users

    - MPR 2

     - Set 2 "All HR Users"

     - Grant Helpdesk2 Read, Modify all attributes for All HR Users

    - MPR 3

     - Set 3 "All Users"

     - Grant Helpdesk3 Read, Modify all attributes for All Users

    If you want to have different buckets of attributes that are readable vs writeable, you just need to duplicate the MPRs (you can reuse the sets) and break out those two permissions.


    Thanks,
    Brian

    Consulting | Blog | AD Book

    Tuesday, March 13, 2018 3:02 PM
    Moderator
  • Just to expand on Brian's answer:

    You will need 6 sets.

    1 for each of the help desk users: Finance Helpdesk, HR Helpdesk, All users Helpdesk (these will probably be static or manually managed rather than criteria based) and then 1 set for each of the targets Finance, HR and All users (there will be criteria based).


    David Lundell, Get your copy of FIM Best Practices Volume 1 http://blog.ilmbestpractices.com/2010/08/book-is-here-fim-best-practices-volume.html

    • Marked as answer by MIM User Thursday, March 15, 2018 9:13 AM
    Tuesday, March 13, 2018 8:12 PM
  • Hi

    I actually have done it (2 Sets for each help desk) but it doesn't worked

    After a little research I saw that the default MPR: "User management: Users can read selected attributes of other users" was enabled, so I disabled the MPR as its worked as expected

    Thank you Brian and David

    Thursday, March 15, 2018 9:12 AM