Access Denied creating Resource in Custom Activity


  • This is on 2010 R2 RC

    I have a custom resource that I have given rights to FIM Admins to create. I can create the new resource by going to ‘all resources’, selecting the resource type and selecting ‘add’, So I know there is a functioning MPR that allows this user to create these resources.

    If I try to create same resource via a custom activity, I get two results.

    1. If I set the CreateResourceActivity ActorID to be the FIM service account, the resource is created.
    2. If I set the Actor ID to be the parent workflow’s ActorID (The same FIM admin person – who shows up in the request as being the person requesting the creation) – I fail with:

    Microsoft.ResourceManagement.WebServices.Exceptions.PermissionDeniedException: ManagementPolicyRule
    request, Boolean applyAuthorizationPolicy)
    workItem)\r\n\r\n**METHOD:Void ProcessRequestResponse(System.Object,

    I verified:

    The Actor is the FIM admin (I see it in the request)

    The same Actor is able to create the resource manually.

    I also noticed that when viewing the request – the ‘Applied policy’ list is blank, where I would normally see the MPR that grants rights to the FIM admins account to create this object.

    This looks like the MPR that allows you to create the custom resource through the portal UI doesn't apply to the same user creating the same custom resource in a custom activity.


    Also - there is a new Createresource boolean property called 'ApplyAuthorizationPolicy' which doesn't appear to effect the outcome - This is new in R2 apparently, since it's not in the docs.

    Frank C. Drewes III - Senior Consultant: Oxford Computer Group

    Friday, February 24, 2012 6:31 AM

All replies

  • try to fill ActorID with zeros.

                        if (this.SyncAccountEnabled == true)
                            UpdateDestination.ActorId = new System.Guid("e05d1f1b-3d5e-4014-baa6-94dee7d68c89");
                            UpdateDestination.ActorId = new System.Guid("00000000-0000-0000-0000-000000000000");
    Friday, February 24, 2012 7:32 AM
  • I really thought this would work, but it didn't.. Still get the access denied, even though the request shows it's being executed as the built-in FIM admin.

    Interestingly, there is a preceeding ReadResource activity that does just fine with it's access using the same '0's' notation or the ResourceID of the parent workflow.

    Doing something wrong or bug??

    I may just go with using the service account - except I need the identity of the person who created the original request. I could just store it in an attribute of the new resource but that's a bit of a hack. I don't have forever to play with this, so I may end up going that route..

    Thanks for the ideas

    Frank C. Drewes III - Senior Consultant: Oxford Computer Group

    Friday, February 24, 2012 9:02 PM
  • file a bug on the Connect site - chances that you'll get an aswer are very high.

    as far as I know they changed a behaviour of child activities a little bit to let you manually select which MPRs must be applied.

    so I would expect either this new feature to work or let you submit requests within an original requestor context as with RTM.

    Saturday, February 25, 2012 9:00 AM