Owners of Security Groups to add/delete users

  • Question

  • Hello,

    I am trying to figure out a way to let owners of a security group add and delete users. I created a Management Policy Rule; I can do it this way, right?

    Wednesday, July 8, 2015 1:58 PM

All replies

  • I believe that is default behavior. Have you tested it?

    Nosh Mernacaj, Identity Management Specialist

    • Proposed as answer by Nosh Mernacaj Wednesday, July 15, 2015 6:04 PM
    Wednesday, July 8, 2015 2:06 PM
  • I would have to test using a non-admin login, since I am an admin for my test server.
    Wednesday, July 8, 2015 2:15 PM
  • Not only that, the user has to be the owner of the group.

    Nosh Mernacaj, Identity Management Specialist

    Wednesday, July 8, 2015 3:41 PM
  • Nosh's belief is correct -- this is the default behavior for groups that are manually managed. Whether or not they require owner approval, any of the owners can modify the group membership.

    1) Users must have been imported into the Portal with their domain, accountname and objectSID attributes populated correctly.

    2) Non-admin users must have been enabled for login.

    3) The user must be one of the owners of the group.

    4) The group must not be criteria based or manager based.

    There should be no need to change or create any MPRs (aside from those for user login) unless the default MPR for this was deleted or disabled.


    David Lundell, Get your copy of FIM Best Practices Volume 1 http://blog.ilmbestpractices.com/2010/08/book-is-here-fim-best-practices-volume.html

    Thursday, July 16, 2015 9:12 PM
  • I actually tried this, and although the user can see the selection to delete or add a member, when you do it, it says access denied.
    Monday, July 20, 2015 6:13 PM
  • Please send us some screenshots of this group, so we can find out where the disconnect is.

    According to MS literature, https://technet.microsoft.com/en-us/library/ee534915(v=ws.10).aspx

    Owner and displayed owner: In FIM 2010, the owners of a group have the rights to make changes to the group; to delete it; and, if the group requires owner approval for joining, to approve requests to join the group. You can load-balance the management of distribution lists by assigning multiple owners, and, more importantly, you can ensure continuity in the management of the group if one of the owners leaves the organization or otherwise happens to no longer be an owner. However, because some external systems only support ownership of a group as single-valued, each group must have one of the owners designated as the Displayed owner so that ownership can be indicated correctly in those connected data sources that require Owner to be single-valued.


    Nosh Mernacaj, Identity Management Specialist

    Monday, July 20, 2015 6:21 PM
  • 2 things.

    1. Is the user in both the Owner and Member tabs?

    2. Click on View Details and send the details.


    Nosh Mernacaj, Identity Management Specialist

    Tuesday, July 21, 2015 1:55 PM
  • Yes, the user is both Owner and Member. This is the message I get when I click on View Details:
    Tuesday, July 21, 2015 3:39 PM
  • Have you made any changes to the Configuration, like migrated a configuration from another system?

    Have you played with the MPRs at all? Has any change been made to the MPRs from the out-of-the-box installation?

    Here are the options.

    1. You have messed with the MPRs and now access is lost

    I can't remember the names, but there are some MPRs that grant the access; look for something like "Security Group: Owner can manage their group", and make sure to enable it. Do the same for DLs.

    2. You have found a bug.


    Nosh Mernacaj, Identity Management Specialist

    Tuesday, July 21, 2015 3:48 PM
  • Amreena,

    Check on these two MPRs:

    Security group management: Owners can update and delete groups they own

    Distribution list management: Owners can update and delete groups they own

    Are they disabled? If so enable them.

    In looking at my lab I see these as disabled which I think could be the default with FIM 2010 R2.


    David Lundell, Get your copy of FIM Best Practices Volume 1 http://blog.ilmbestpractices.com/2010/08/book-is-here-fim-best-practices-volume.html

    • Marked as answer by aimtiaz Tuesday, July 21, 2015 7:10 PM
    Tuesday, July 21, 2015 4:50 PM
  • David, that was it! I had "Security group management: Owners can update and delete groups they own" disabled, so I enabled it. Now the owner is able to remove members. So by enabling this MPR I can remove and add, but the problem is I only want the Owner to be able to remove a member, not add any.
    Tuesday, July 21, 2015 5:11 PM
  • For the 2 MPRs you enabled, do this.

    1. Open to edit

    2. Click the "Requestors and Operators" tab

    3. Uncheck the box next to "Add a value to a multivalued attribute"

    4. Submit and Save


    Nosh Mernacaj, Identity Management Specialist

    • Marked as answer by aimtiaz Tuesday, July 21, 2015 7:10 PM
    Tuesday, July 21, 2015 5:35 PM
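The same two steps the thread settles on (enable the owner MPR, then clear "Add a value to a multivalued attribute" on its Requestors and Operators tab) can be audited and applied from the FIM Service PowerShell snap-in instead of the portal. The script below is an added example and is not code from the thread or from Microsoft; the MPR display names come from the replies above, and it assumes that the portal checkbox corresponds to the `Add` value of the rule's `ActionType` attribute and that `Disabled` holds `True`/`False`. `Get-FimAttributeValues`, `New-FimImportChange`, `Test-OwnerMpr` and the `-Fix` switch are my own names; `Export-FIMConfig`, `Import-FIMConfig` and the `ImportObject`/`ImportChange` types are the snap-in's.

```powershell
# Added example (not from the thread): audit the two owner MPRs the replies
# name and, with -Fix, apply the same change the thread describes: enable the
# rule and drop the "Add" action so owners can remove members but not add them.
# Assumes it runs on the FIM Service host with the FIMAutomation snap-in
# and an account permitted to read and write ManagementPolicyRule objects.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

$OwnerMprNames = @(
    "Security group management: Owners can update and delete groups they own",
    "Distribution list management: Owners can update and delete groups they own"
)

function Get-FimAttributeValues {
    # Return all values of one attribute from an object returned by Export-FIMConfig.
    param($ExportObject, [string]$AttributeName)
    $attr = $ExportObject.ResourceManagementObject.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq $AttributeName }
    if ($null -eq $attr) { return @() }
    if ($attr.IsMultiValue) { return @($attr.Values) }
    return @($attr.Value)
}

function New-FimImportChange {
    # Build one ImportChange: Replace for a single-valued attribute, Delete to
    # remove one value from a multivalued attribute.
    param([string]$AttributeName, [string]$Value, [string]$Operation)
    $change = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
    $change.Operation = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportOperation]$Operation
    $change.AttributeName = $AttributeName
    $change.AttributeValue = $Value
    $change.FullyResolved = $true
    $change.Locale = "Invariant"
    return $change
}

function Test-OwnerMpr {
    # Report whether the MPR is disabled and whether it still grants "Add";
    # with -Fix, enable it and remove "Add" (the "Add a value to a multivalued
    # attribute" checkbox in the portal).
    param([string]$DisplayName, [switch]$Fix)

    $filter = "/ManagementPolicyRule[DisplayName='$DisplayName']"
    $mpr = Export-FIMConfig -OnlyBaseResources -CustomConfig $filter | Select-Object -First 1
    if ($null -eq $mpr) {
        Write-Warning "MPR not found: $DisplayName"
        return
    }

    $disabled  = ((Get-FimAttributeValues $mpr "Disabled") -contains "True")
    $actions   = Get-FimAttributeValues $mpr "ActionType"
    $grantsAdd = ($actions -contains "Add")

    # Current state, before any change is made.
    [pscustomobject]@{
        MPR        = $DisplayName
        Disabled   = $disabled
        GrantsAdd  = $grantsAdd
        ActionType = ($actions -join ", ")
    }

    if (-not $Fix) { return }

    $changes = @()
    if ($disabled)  { $changes += New-FimImportChange "Disabled"   "False" "Replace" }
    if ($grantsAdd) { $changes += New-FimImportChange "ActionType" "Add"   "Delete" }
    if ($changes.Count -eq 0) { return }

    # Put = update the existing object identified by TargetObjectIdentifier.
    $import = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
    $import.ObjectType = "ManagementPolicyRule"
    $import.TargetObjectIdentifier = $mpr.ResourceManagementObject.ObjectIdentifier
    $import.SourceObjectIdentifier = $mpr.ResourceManagementObject.ObjectIdentifier
    $import.State = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportState]::Put
    $import.Changes = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange[]]$changes
    $import | Import-FIMConfig
}

# Read-only audit first; rerun with -Fix once the reported state looks right.
foreach ($name in $OwnerMprNames) { Test-OwnerMpr -DisplayName $name }
```

Run it without `-Fix` first: the output shows, per rule, whether it is disabled (the cause of the "access denied" in this thread) and whether it still grants `Add`. Removing only the `Add` value leaves the rule's other actions in place, which is what unchecking the single box in the portal does, and rerunning the audit afterwards confirms the change landed.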
  • That worked, now it's set up to exactly how I want it! Thank you all so much!
    Tuesday, July 21, 2015 7:10 PM
  • Awesome. 


    Nosh Mernacaj, Identity Management Specialist

    Tuesday, July 21, 2015 7:23 PM