Why do I STILL see "Permission Denied" on my extended attributes??

  • Question

  • I have added several AD attributes e.g. roomNumber and url that we use into the MetaVerse and FIM Portal schemas. I did this on the Portal by Administration/Schema Management... as Administrator.

    I created the Attribute. I then bound it to Resource Type "User"

    I then amended the MPR Administrators can read and update users and added these newly created/bound attributes to the list of managed attributes.

    I go to Users and select a victim. I can EDIT a User on the Portal and I see in Extended Attributes all these new attributes, and I can fill values into the boxes and save the User OK. ON THE PORTAL.

    Now, when I go to the Sync Engine, I open the FIM MA and refresh the schema. That is OK.

    I see in the Attribute Flow dialog these new attributes available and I map roomNumber <--- roomNumber for Export allowing nulls.

    On an Export run it just hangs, giving a Permission Denied error seen in Event Viewer. Sample message:

    Requestor: urn:uuid:fb89aefa-5ea1-47f1-8890-abe7797d6497
    Correlation Identifier: d58ec690-f5ff-41ee-a0a9-b5dacb14f9f9
    Microsoft.ResourceManagement.Service: Microsoft.ResourceManagement.WebServices.Exceptions.PermissionDeniedException: ManagementPolicyRule ---> System.Data.SqlClient.SqlException: Reraised Error 50000, Level 16, State 1, Procedure DoEvaluateRequestInner, Line 1317, Message: Permission denied: <ai><Name>roomNumber</Name></ai>
       at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection)
       at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj)
       at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)
       at System.Data.SqlClient.SqlDataReader.ConsumeMetaData()
       at System.Data.SqlClient.SqlDataReader.get_MetaData()
       at System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString)
       at System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async)
       at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, DbAsyncResult result)
       at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method)
       at System.Data.SqlClient.SqlCommand.ExecuteReader(CommandBehavior behavior, String method)
       at System.Data.SqlClient.SqlCommand.ExecuteReader()
       at Microsoft.ResourceManagement.Data.DataAccess.DoRequestCreation(RequestType request, Guid cause, Guid requestMarker, Boolean doEvaluation, Int16 serviceId, Int16 servicePartitionId)
       --- End of inner exception stack trace ---
       at Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(UniqueIdentifier requestor, UniqueIdentifier targetIdentifier, OperationType operation, String businessJustification, List`1 requestParameters, CultureInfo locale, Boolean isChildRequest, Guid cause, Boolean doEvaluation, Nullable`1 serviceId, Nullable`1 servicePartitionId, UniqueId messageIdentifier, UniqueIdentifier requestContextIdentifier, Boolean maintenanceMode)
       at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Put(Message request)

    I have restarted all services and run iisreset with no effect.

    I just don't understand this FIM. Why can I modify that attribute on the Form (in Extended Attributes view) but the Synchronization Engine hasn't the rights? What have I missed permissions-wise?

    *HH

    Monday, May 7, 2012 6:55 AM

Answers

  • You have to grant rights to the Synchronization account the same way you did for the Administrators.

    Search MPR:
    Synchronization: Synchronization account controls users it synchronizes
    Monday, May 7, 2012 7:45 AM

All replies

  • Hello,

    Have you also modified the MPR Synchronization account controls users it synchronizes?

    This MPR is used to give the Built-in Synchronization account the permission to modify the users in the portal.

    By default, this account is not a member of the Administrators Set, which can explain why you can modify the information when you are connected as an Administrator but not via the FIM MA, since it uses the Built-in Synchronization account.

    Monday, May 7, 2012 7:43 AM
  • Thank you all very much for pointing me in the right direction.

    I needed to add these additional attributes in the Target Resource set of the Sync Account controls users it synchronizes. I did it for the Administrator but not for this sync account MPR. I simply enabled it.

    *HH

    Tuesday, May 8, 2012 6:13 AM
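The fix described in the accepted answer and in HH's final reply (adding the new attributes to the Synchronization account's MPR and making sure that MPR is enabled) can be verified and applied from PowerShell instead of clicking through the Portal. This is an added example, not code from the thread; it assumes the FIMAutomation snap-in is installed on the FIM Service box, that the script runs as an account allowed to read and modify MPRs, and it uses the attribute names roomNumber and url from the question.

```powershell
# Added example (not from the thread): check whether the Built-in Synchronization
# account's MPR already lists the new attributes, warn if the MPR is disabled,
# and add any attribute names that are missing. Assumes the FIMAutomation
# snap-in and sufficient rights on the FIM Service; attribute names are the
# ones from the question.
Add-PSSnapin FIMAutomation -ErrorAction Stop

$mprName = 'Synchronization: Synchronization account controls users it synchronizes'
$needed  = @('roomNumber', 'url')

# Export just this one MPR using an XPath filter on its DisplayName.
$xpath = "/ManagementPolicyRule[DisplayName='$mprName']"
$mpr   = Export-FIMConfig -OnlyBaseResources -CustomConfig $xpath
if (-not $mpr) { throw "MPR '$mprName' not found" }

$attrs = $mpr.ResourceManagementObject.ResourceManagementAttributes

# An MPR that is disabled grants nothing, whatever its attribute list says.
$disabled = ($attrs | Where-Object { $_.AttributeName -eq 'Disabled' }).Value
if ($disabled -eq 'True') { Write-Warning "'$mprName' is disabled; enable it as well" }

# ActionParameter is the multi-valued list of attributes the MPR grants.
$current = ($attrs | Where-Object { $_.AttributeName -eq 'ActionParameter' }).Values
$missing = $needed | Where-Object { $current -notcontains $_ }

if (-not $missing) {
    Write-Host "Already granted on '$mprName': $($needed -join ', ')"
    return
}
Write-Host "Missing from ActionParameter: $($missing -join ', ')"

# Build a Put request that adds each missing name to ActionParameter.
$import = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
$import.ObjectType             = 'ManagementPolicyRule'
$import.TargetObjectIdentifier = $mpr.ResourceManagementObject.ObjectIdentifier
$import.SourceObjectIdentifier = $mpr.ResourceManagementObject.ObjectIdentifier
$import.State = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportState]::Put

$import.Changes = @(foreach ($name in $missing) {
    $c = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
    $c.Operation      = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportOperation]::Add
    $c.AttributeName  = 'ActionParameter'
    $c.AttributeValue = $name
    $c.FullyResolved  = $true
    $c.Locale         = 'Invariant'
    $c
})

# Import-FIMConfig submits the Put; re-run the FIM MA export afterwards.
$import | Import-FIMConfig
```

Running the script a second time should report every attribute as already granted, which is the quick check that the MPR change actually went through before re-running the export.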