Users from a specified set should be able to add / remove members from any existing security group. I've defined the following objects:
Set "FIM User Admins" containing all Users I want to allow to update security group memberships.
Management Policy Rule "FIM User Admins: Administrate Security Group Memberships"
with the following settings:
Type: Request
Disabled: False
Requestors: FIM User Admins
Operation: Add / Remove
Grants permission: true
Target Resource Definition Before Request: All Security Groups
Target Resource Definition After Request: All Security Groups
Resource Attributes: Manually-managed Memberships
Authorization Workflow: FIM User Admin Approval On Manage Security Group Members
Authorization Workflow: "FIM User Admin Approval On Manage Security Group Members"
Type: Authorization (Ask for Approval)
Approvers: fim-user-admins (security group with the same users as in the set)
Approve Threshold: 1 Approvers
Duration: 3 Days
Escalated Approvers: fim-user-admins
Mail templates: Default
The specific users are able to add other users to every security group, but the request has to be approved by an administrator (Pending approval). If I try to remove a user, I get an "access denied" message.
I need the possibility for those users in the "FIM User Admins" set to add and remove users to and from every security group with auto approval.
How can I do that?