How to organise FIM with multiple Helpdesk to maintance different sets of users RRS feed

  • Question

  • We want to setup a FIM environment

    Our customer has mulitple Helpdesk desks for different sets of users.

    The helpdesk persons A, may not see all information of User Set B

    The Helpdesk Persons A, may only perform actions on User Set A

    The biggest helpdesk has 200 persons, and manages 150000 users.

    When we use "relative to resources", this will mean - all 200 persons need to be added as reference to the 150000

    In order to prevent these large references, we want to think of a different design.

    We also do not was to copy MPR/WFW etc. for each e.g. read action per helpdesk

    Does anyone has a good idea how to proceed?

    Thursday, March 21, 2013 3:28 PM

All replies

  • You're going to need one or more MPRs for each helpdesk.

    You would not want relative to resource, though. You would create a set of users that each helpdesk services and a set of helpdesk users for that helpdesk. Based on those two sets, you can construct MPRs to grant each set of permissions.

    My Book - Active Directory, 4th Edition
    My Blog -

    Thursday, March 21, 2013 8:24 PM
  • To expand on Brian's Post.

    4 Sets:

    Helpdesk A staff
    Helpdesk B staff
    User Set B
    User Set A

    4 MPRs:
    Helpdesk A can read and perform actions on Set A
    Helpdesk B can read and perform actions on Set B
    Helpdesk A can see limited attributes on Set A
    Helpdesk B can see limited attributes on Set B

    When configuring each MPR, on the "Requestors and Operations" tab, instead of choosing "relative to resources", you select "Specific Set of Requestors".

    So for the first MPR, (Helpdesk A can read/perform actions on Set A), you might have:

    Specific Set of Requestors: Helpdesk A staff
    Operation: Read/Add multivalue/remove multivalue/modify single-value

    Then on the Target Resources tab:

    Target Before: User Set A
    Target After: User Set A
    Resources Attributes: <whichever attributes you want them to be able to see/modify>

    For the next 3, you'd just change those settings appropriately.

    - Ross Currie | MCTS: FIM 2010 | Now Offering ECMA1->ECMA2 Upgrade Services

    Friday, March 22, 2013 3:18 PM