Auto approving security group membership changes

  • Question

  • Users from a specified set should be able to add / remove members from any existing security group. I've defined the following objects:

    Set "FIM User Admins" containing all Users I want to allow to update security group memberships.

    Management Policy Rule "FIM User Admins: Administrate Security Group Memberships" with the following settings:
    Type: Request
    Disabled: False
    Requestors: FIM User Admins
    Operation: Add / Remove
    Grants permission: true
    Target Resource Definition Before Request: All Security Groups
    Target Resource Definition After Request: All Security Groups
    Resource Attributes: Manually-managed Memberships
    Authorization Workflow: FIM User Admin Approval On Manage Security Group Members

    Authorization Workflow: "FIM User Admin Approval On Manage Security Group Members"
    Type: Authorization (Ask for Approval)
    Approvers: fim-user-admins (security group with the same users as in the set)
    Approve Threshold: 1 Approvers
    Duration: 3 Days
    Escalated Approvers: fim-user-admins
    Mail templates: Default

    The specific users are able to add other users to every security group, but the request has to be approved by an administrator (Pending approval). If I try to remove a user, I get an "access denied" message.

    I need the possibility for those users in the "FIM User Admins" set to add and remove users to and from every security group with auto approval.
    How can I do that?

    Friday, August 27, 2010 12:02 PM

Answers

  • > The specific users are able to add other users to every security group, but the request has to be approved by an administrator (Pending approval).

    Do you have other defined policies that could be applied and ask for approval from an administrator?

    Go to search requests and open one of those join requests. Check the applied policy tab and see if there is more than one policy that asks for approval.

    • Marked as answer by TobyU Monday, August 30, 2010 9:00 AM
    Friday, August 27, 2010 3:13 PM

All replies

  • > Do you have other defined policies that could be applied and ask for approval from an administrator?

    > Go to search requests and open one of those join requests. Check the applied policy tab and see if there is more than one policy that asks for approval.

    I did so and disabled the "Group management workflow: Owner approval on add member" MPR. It works fine now.

    To allow removing of users as group members, I had to disable the "Group management workflow: Validate requestor on remove member" MPR.

    Thanks for your help!

    Monday, August 30, 2010 9:00 AM
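
The per-request check described in the answer can also be run across all rules at once. The following PowerShell is an added example, not code from the thread: it uses the FIMAutomation snap-in to list every enabled MPR that attaches an authorization workflow to Add/Remove operations on manually-managed membership (system name `ExplicitMember`). The service URI is an assumption.

```powershell
# Added example, not from the thread. Run on a machine with the FIM snap-in.
Add-PSSnapin FIMAutomation -ErrorAction Stop
$uri = 'http://localhost:5725/ResourceManagementService'   # assumption: local FIM Service, default port

# Flatten an exported resource into a hashtable keyed by attribute system name.
function ConvertTo-AttributeTable($exported) {
    $table = @{}
    foreach ($a in $exported.ResourceManagementObject.ResourceManagementAttributes) {
        if ($a.IsMultiValue) { $table[$a.AttributeName] = @($a.Values) }
        else                 { $table[$a.AttributeName] = $a.Value }
    }
    return $table
}

# Workflow ObjectID -> DisplayName, so the report shows names instead of references.
$workflowName = @{}
Export-FIMConfig -Uri $uri -OnlyBaseResources -CustomConfig '/WorkflowDefinition' |
    ForEach-Object {
        $wf = ConvertTo-AttributeTable $_
        $workflowName[$wf['ObjectID']] = $wf['DisplayName']
    }

# Enabled MPRs that run an authorization workflow when ExplicitMember
# (manually-managed membership) is added to or removed from.
Export-FIMConfig -Uri $uri -OnlyBaseResources -CustomConfig '/ManagementPolicyRule' |
    ForEach-Object { ConvertTo-AttributeTable $_ } |
    Where-Object {
        $_['Disabled'] -ne 'True' -and
        $_['AuthorizationWorkflowDefinition'] -and
        (@($_['ActionType'])      -match '^(Add|Remove)$') -and
        (@($_['ActionParameter']) -match '^(ExplicitMember|\*)$')
    } |
    ForEach-Object {
        New-Object PSObject -Property @{
            MPR        = $_['DisplayName']
            Operations = (@($_['ActionType']) -join ', ')
            Workflows  = (@($_['AuthorizationWorkflowDefinition'] | ForEach-Object { $workflowName[$_] }) -join '; ')
        }
    } |
    Sort-Object MPR | Format-Table MPR, Operations, Workflows -AutoSize -Wrap
```

The list does not evaluate requestor or target sets, so it shows candidates only; the Applied Policy tab of an actual request remains the authority on which rules matched.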