FIM 2010 R2: Security group management by non-administrators

  • Question

  • Hi All,

    We have a small set of users (belonging to a particular department) who should be able to log in to the portal and manage a select set of groups - the users should be able to add and remove members from these said groups. In most of the cases, the groups already exist in Active Directory and we bring them into FIM Portal.

    I have done the following so far:

    a) Created a set of users based on their departments - works fine

    b) Created a set of groups that the users in (a) should be managing - works fine

    c) Created 3 MPRs (resembling the MPRs that already exist for Group Management by administrators). 1 of these MPRs allows the set of users to read the attributes of the groups in the set in (b). The second allows the set of users to create and delete groups in the set. The third allows the set of users to "add a value to a multi-valued attribute", "remove a value from a multi-valued attribute", and "modify a single-valued attribute". In the list of attributes, I have included most of the attributes including "Manually-managed membership". All these 3 MPRs have the grant permission box checked.

    I (as a member of the set of users in (a)) can log in to the portal, view the groups in set (b), modify the description, add an owner, remove an owner etc. When I try to add or remove a member from a group where I am one of the owners, everything is fine. BUT, when I try to add or remove a member from a group where I am not listed as an owner, it gives me an "Access denied" error with these details: "The request included members which the requestor is not authorized to add and/or remove from this group"

    I am a member of the set in (a) and can remove/add members from the groups that I am the owner of. My questions are:

    A) What else do I need to do to add/remove members from a group that I am not the owner of but which still belongs to the set (b)?

    B) Why does the Portal force me to add an owner to every group of set (b) that I click to view/edit? Isn't there a way around that, i.e. not having to put any owner and still be able to add/remove members? For all the groups in set (b), the Join Instruction is set to "None" (i.e. any user can become a member of the group).

    I hope someone can shed some light on this. I have seen similar questions on the forum from a few years ago but they hadn't been answered (completely).


    Wednesday, October 8, 2014 10:25 AM

All replies

  • Hello,

    this is because there are two MPRs which trigger a Group Validation Workflow (Requestor Validation).

    These 2 MPRs are responsible:

    - Group management workflow: Validate requestor on add member to open group
    - Group management workflow: Validate requestor on remove member

    The MPRs trigger this workflow for "All Non-Administrators".

    So you should edit the "All Non-Administrators" Set and add the following to it:

    ResourceID not in (your set in a).

    So the Requestor Validation workflow will no longer be triggered for your users in Set (A).


    Peter Stapf - ExpertCircle GmbH - My blog:

    Wednesday, October 8, 2014 11:00 AM
  • Hi Peter,

    That's great. I did that and it works - amazing!! You certainly saved me some grief :)

    Do you reckon there is a way to do this without changing an already existing set definition, i.e. if I can achieve this only by defining my own sets, MPRs, workflows - whatever it takes?

    Secondly, do you know if there is a way such that we don't have to go and define owner(s) for each group in our set?

    Thanks a lot once again!

    Wednesday, October 8, 2014 12:59 PM
  • Hi,

    normally I also try to avoid changing the predefined MPRs, Workflows and Sets.
    But in this case I see no other way; I changed this even in my implementations for some customers.

    Regarding your second question:

    The above solution works exactly as you need: for all users in the Non-Administrator set, no owner validation is needed, so just give the users rights to change the member attribute.

    I have a customer who also has no group owners defined, and I implemented the management of those groups for the helpdesk just with permission MPRs.


    Peter Stapf - ExpertCircle GmbH - My blog:

    Wednesday, October 8, 2014 1:40 PM
  • Hi Peter,

    Thanks for the quick reply.

    Well in my case if I open a Group and let's say remove a member and click "submit", it takes me to the owners tab if no owner has been defined. Then if I just put in anybody as an owner, it goes on to actually submit the request.

    I don't think this is about owner approval per se but just that FIM is not allowing me to make a change to a group that does not have an owner defined. Is there a flag somewhere which says whether a group should have an owner or not?

    Wednesday, October 8, 2014 1:51 PM
  • Hi,

    yes, I remember this; it's some time ago that I implemented that.
    In this case I set the owner to the Built-in SyncService account with an MPR on group creation or on groups with empty owners.


    Peter Stapf - ExpertCircle GmbH - My blog:

    Wednesday, October 8, 2014 2:08 PM
  • Hi.

    Excuse me for replying to a very old thread, but I have similar problems (in MIM 2016). I have a number of groups that I want anyone to be able to join without any approval (i.e. open groups). The users' requests get denied and it seems to be because of the "Group management workflow: Validate requestor on add member to open group" MPR. If I understand the answer above correctly, the solution would be to remove ALL my users from the "All Non-Administrators" set. I'm not really comfortable with doing this though, as I'm not perfectly clear on which unwanted side effects this will have. Is there any way of seeing everything a specific set is used for? I think all this is kinda weird; I thought the point of open groups was that they were really open for anyone to join...

    Also I have the same problem as the OP's question B. Whenever I open a group and change anything I'm forced to choose an owner and a displayed owner in order to be able to save. The groups have been created using sync and work fine without an owner, so why is owner suddenly mandatory when I edit them in the portal? Setting the sync account as owner seems like more of a workaround than a solution.

    Tuesday, March 28, 2017 11:46 AM
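Two points in this thread lend themselves to a scripted check: Peter's suggestion to edit the "All Non-Administrators" set filter, and the last poster's question of how to see everything a given set is used for before touching it. The following PowerShell is an added example, not code from the thread or from Microsoft; it assumes the FIMAutomation snap-in, a FIM/MIM Service at localhost:5725, and set display names that are assumptions you would replace with your own. It reports every MPR that references the set as principal, current-resource or final-resource set, and prints the set's current filter so the department exclusion can be reviewed.

```powershell
# Added example (not from this thread). Assumes the FIMAutomation snap-in,
# a FIM/MIM Service on localhost:5725 and the set display names used below.
if (-not (Get-PSSnapin -Name FIMAutomation -ErrorAction SilentlyContinue)) {
    Add-PSSnapin FIMAutomation
}
$uri = 'http://localhost:5725/ResourceManagementService'

# Return the value of a single-valued attribute from an exported resource.
function Get-AttrValue($resource, [string]$name) {
    $attr = $resource.ResourceManagementObject.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq $name }
    if ($attr) { return $attr.Value }
}

# List every MPR that uses a given set, so the side effects of editing it
# (for example "All Non-Administrators") can be reviewed before the change.
function Get-MprsUsingSet([string]$setDisplayName) {
    $set = Export-FIMConfig -Uri $uri -OnlyBaseResources `
        -CustomConfig "/Set[DisplayName='$setDisplayName']" | Select-Object -First 1
    if (-not $set) { throw "Set '$setDisplayName' not found" }
    $setId = (Get-AttrValue $set 'ObjectID') -replace '^urn:uuid:', ''

    # The exclusion Peter describes ends up as an extra predicate in this filter, e.g.
    # /Person[not(ObjectID = /Set[ObjectID='<admins-set-id>']/ComputedMember)
    #         and not(ObjectID = /Set[ObjectID='<department-set-id>']/ComputedMember)]
    Write-Host "Current filter of '$setDisplayName':"
    Write-Host (Get-AttrValue $set 'Filter')

    $xpath = "/ManagementPolicyRule[PrincipalSet='$setId' or " +
             "ResourceCurrentSet='$setId' or ResourceFinalSet='$setId']"
    Export-FIMConfig -Uri $uri -OnlyBaseResources -CustomConfig $xpath |
        ForEach-Object {
            [pscustomobject]@{
                DisplayName = Get-AttrValue $_ 'DisplayName'
                Type        = Get-AttrValue $_ 'ManagementPolicyRuleType'
                Disabled    = Get-AttrValue $_ 'Disabled'
                UsedAs      = @(
                    if ("$(Get-AttrValue $_ 'PrincipalSet')" -match $setId) { 'PrincipalSet' }
                    if ("$(Get-AttrValue $_ 'ResourceCurrentSet')" -match $setId) { 'ResourceCurrentSet' }
                    if ("$(Get-AttrValue $_ 'ResourceFinalSet')" -match $setId) { 'ResourceFinalSet' }
                ) -join ','
            }
        }
}

# Review the set before excluding the department set from it.
Get-MprsUsingSet 'All Non-Administrators' | Format-Table -AutoSize
```

The two "Validate requestor" MPRs from Peter's answer should appear in the output with UsedAs = PrincipalSet; any other MPR listed is a side effect to weigh before the users are removed from the set.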