This forum has migrated to Microsoft Q&A. Visit Microsoft Q&A to post new questions.

Remove From My Forums

Auto approving security group membership changes

Question
0

Sign in to vote

Users from a specified set should be able to add / remove members from any existing security group. I've defined follwoing objects:

Set "FIM User Admins" containing all Users I want to allow to update security group memberships.

Management Policy Rule "FIM User Admins: Administrate Security Group Memberships" with the following settings:
Typ: Request
Disabled: False
Requestors: FIM User Admins
Operation: Add / Remove
Grants permission: true
Target Resource Definition Before Request: All Security Groups
Target Resource Definition Afther Request: All Security Groups
Resource Attributes: Manually-managed Memberships
Authorization Workflow: FIM User Admin Approval On Manage Security Group Members

Authorization Workflow: "FIM User Admin Approval On Manage Security Group Members"
Type: Authorization (Ask for Approval)
Approvers: fim-user-admins (security group with the same users as in the set)
Approve Threshold: 1 Approvers
Duration: 3 Days
Escalated Approvers: fim-user-admins
Mail templates: Default

The sepcific users are able to add other users to every security group but the request has to be approved by an administrator (Pending approval). If I try to remove a user, I get an "access denied" message.

I need the posibility for thouse users in the "FIM User Admins" set to add and remove users to and from every security group with auto approval.
How can I do that?

Friday, August 27, 2010 12:02 PM

Answers

0

Sign in to vote
The sepcific users are able to add other users to every security group but the request has to be approved by an administrator (Pending approval).

Do you have other defined policies that could be applied and ask for approval from an administrator.

Go to search requests and open one of those joins requests. Check the applied policy tab and see if there is more than one policy that ask for approval.
- Marked as answer by TobyU Monday, August 30, 2010 9:00 AM
Friday, August 27, 2010 3:13 PM

All replies

0

Sign in to vote
The sepcific users are able to add other users to every security group but the request has to be approved by an administrator (Pending approval).

Do you have other defined policies that could be applied and ask for approval from an administrator.

Go to search requests and open one of those joins requests. Check the applied policy tab and see if there is more than one policy that ask for approval.
- Marked as answer by TobyU Monday, August 30, 2010 9:00 AM
Friday, August 27, 2010 3:13 PM
0

Sign in to vote

> Do you have other defined policies that could be applied and ask for approval from an administrator.

> Go to search requests and open one of those joins requests. Check the applied policy tab and see if there is more than one policy that ask for approval.

I did so and disabled the "Group management workflow: Owner approval on add member" MPR. It works fine now.

To allow removing of users as group members, I had to disable th "Group management workflow: Validate requestor on remove member" MPR.

Thanks for your help!

Monday, August 30, 2010 9:00 AM