Custom resource/attribute not visible in FIM portal for non-admins

  • Question

  • Hi all,

    I have a problem I am not able to solve and hope somebody can help. We have created a custom Resource in the FIM portal called Customer. It is a User Resource Type and attribute type customer, data type=reference.

    We have made this attribute visible in the Users Properties by editing the RCDC for Configuration for User Creation, Configuration for User Editing and Configuration for User Viewing. It is now visible for all users in the FIM Portal.

    But when a non-admin searches for an attribute in that field, nothing shows up... only members of the administrator set are able to display the results.

    I have added the Resource to Filter permission - Administrator Filter permission + non-administrator filter permission.

    I have added the Resource to MPR - General: Users can read non-administrative configuration resources?

    Can anyone help?

    Best regards Andre


    Andre

    Friday, October 24, 2014 1:43 PM

Answers

  • Try to create a new MPR; the search scope shows results within the context of your super FIM administrator

    • Type: Request
    • Requestor set: All people
    • Grants permission for read
    • Target set : "All Customer object" (maybe you need to create it)
    • Select all attributes


    Sylvain

    • Marked as answer by froand Friday, October 31, 2014 7:59 AM
    Thursday, October 30, 2014 2:51 PM
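
One way to script the MPR this answer describes, as an added example that is not part of the original thread. It uses the FIMAutomation snap-in that ships with the FIM Service; the service URI, the resource type system name `Customer`, the set name "All Customer objects", the MPR display name and the helper function names are assumptions to adjust for your environment.

```powershell
# Added example: run on the FIM Service server as a FIM administrator.
Add-PSSnapin FIMAutomation -ErrorAction Stop
$uri  = 'http://localhost:5725/ResourceManagementService'  # assumed: default local endpoint
$type = 'Customer'                                         # assumed: system name of the custom resource type
$om   = 'Microsoft.ResourceManagement.Automation.ObjectModel'

# Hypothetical helper: one attribute change (Replace for single-valued, Add for multi-valued).
function New-Change($name, $value, $op = 'Replace') {
    $c = New-Object "$om.ImportChange"
    $c.Operation = $op; $c.AttributeName = $name; $c.AttributeValue = $value
    $c.FullyResolved = $true; $c.Locale = 'Invariant'
    $c
}

# Hypothetical helper: create a resource of the given type from a list of changes.
function New-Resource($objectType, $changes) {
    $o = New-Object "$om.ImportObject"
    $o.ObjectType = $objectType; $o.State = 'Create'
    $o.SourceObjectIdentifier = [guid]::NewGuid().ToString()
    $o.Changes = $changes
    $o | Import-FIMConfig -Uri $uri
}

# Hypothetical helper: resolve a set's ObjectID by display name, failing loudly if it is missing.
function Get-SetId($displayName) {
    $r = Export-FIMConfig -Uri $uri -OnlyBaseResources -CustomConfig "/Set[DisplayName='$displayName']"
    if (-not $r) { throw "Set '$displayName' not found" }
    @($r)[0].ResourceManagementObject.ObjectIdentifier
}

# Target set: every resource of the custom type.
$filter = '<Filter xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ' +
          'xmlns:xsd="http://www.w3.org/2001/XMLSchema" ' +
          'Dialect="http://schemas.microsoft.com/2006/11/XPathFilterDialect" ' +
          'xmlns="http://schemas.xmlsoap.org/ws/2004/09/enumeration">/' + $type + '</Filter>'
New-Resource 'Set' @(
    (New-Change 'DisplayName' 'All Customer objects'),
    (New-Change 'Filter' $filter))

# Request MPR: All People may read all attributes of resources in the target set.
New-Resource 'ManagementPolicyRule' @(
    (New-Change 'DisplayName' 'Customer: all people can read Customer resources'),
    (New-Change 'ManagementPolicyRuleType' 'Request'),
    (New-Change 'GrantRight' $true),
    (New-Change 'Disabled' $false),
    (New-Change 'PrincipalSet' (Get-SetId 'All People')),
    (New-Change 'ResourceCurrentSet' (Get-SetId 'All Customer objects')),
    (New-Change 'ActionType' 'Read' 'Add'),
    (New-Change 'ActionParameter' '*' 'Add'))
```

The `*` action parameter corresponds to "Select all attributes" in the portal; replace it with one `Add` change per attribute name to grant read on a narrower list.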

All replies

  • Hi,

    you must give users permission to the attribute/resource itself.

    So for additional attributes on the object type Person (the reference attribute you created) modify:

    User Management: users can read .... (there are two MPRs)

    or, which I find is better practice, create your own MPR for permissions to that attribute.
    In order to give read access to your custom resource you "must" create your own MPR to give permission.

    (I try to avoid modifying the default MPRs and Sets wherever I can, and create my own ones.)

    The "filter permission" resources are for using those attributes as criteria for sets or dynamic groups.

    Keep in mind, permission to objects in the Portal mostly needs 2 permissions:

    1. permission to view the UI elements
    2. permission to read the objects themselves

    Regards
    Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    Friday, October 24, 2014 1:57 PM
  • Hi and thanks for the quick answer.

    I forgot to say, I have added the new Resource (customers) in the MPR:

    User management: Users can read attributes of their own

    User management: Users can read selected attributes of other users

    I created a new MPR like you said with the same config as the above MPR, but with only the new Resource (customers) under Select specific attributes.

    Still does not show, do I have to restart IIS?


    Andre

    Friday, October 24, 2014 2:27 PM
  • Hello Andre,

    I often run into the same problem, and after checking all permissions the "iisreset" was the solution.

    So I think you should give it a try.

    Regards
    Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    Friday, October 24, 2014 2:30 PM
  • Hmm, sorry, did not affect the result :(

    Andre

    Friday, October 24, 2014 2:38 PM
  • Hi Andre,

    Hmm, so my last guess is you need a search scope for the custom resource, and to give users permissions to use this search scope, in order to make them able to find the custom resource objects on the reference attribute on the user.

    Create a search scope, and give it the following Usage Keywords:

    customized
    BasicUI
    Global
    Person

    With the BasicUI keyword, all users are given permissions to use this search scope.

    After an iisreset, the new search scope should appear when users select a customer they search for.

    It's just a guess, it's hard to guess exactly from remote what's wrong on your site.

    Regards
    Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    Friday, October 24, 2014 2:56 PM
  • I can't seem to get this working either. There has to be something I am doing wrong..


    Andre

    Thursday, October 30, 2014 12:38 PM
  • Hi,

    To be clear,

    • You have created one new resource type 'Customer' and one attribute 'Customer' (Reference, bound to Person object)
    • Update RCDC for Person (create/edit/view) to add a picker attribute with those parameters
    UsageKeywords: This is an optional string property. You can define a list of search scopes to be used in the Resource Picker by providing a list of the usage keywords that are supported by the SearchScopeConfiguration structure, where each keyword is separated by a (‘).
    
    ResultObjectType: This is an optional string property. The resource type is used to render resources in the pop-up dialog-box list. This is used with the Filter to help the Identity Picker identify what resource type is returned by the Filter, and render the data accordingly. This property is mutually exclusive with the UsageKeywords property (see above). When the search scope is applied, this has no effect. The string that is accepted for this property is any single, valid, resource-type name, for example, Person. When the filter is expected to return multiple resource types, Resource is used. 

    • Modify MPR "User management: Users can read attributes of their own" and "User management: Users can read selected attributes of other users" to add this new attribute
    • Create a new MPR to give the right of all users to view new resource 'Customer' on all attributes

    Is that right?

    Regards,


    Sylvain


    • Edited by Sylvain.c Thursday, October 30, 2014 1:18 PM
    Thursday, October 30, 2014 1:18 PM
  • Hi Sylvain

    Here are my answers:

    • You have created one new resource type '_Customer' and one attribute 'Customer' (Reference, bound to Person object)
      • yes
    • Update RCDC for Person (create/edit/view) to add a picker attribute with those parameters
      • yes
    • Modify MPR "User management: Users can read attributes of their own" and "User management: Users can read selected attributes of other users" to add this new attribute
      • yes
    • Create a new attribute to give the right of all users to view new resource 'Customer' on all attributes
      • Hmm, I don’t know if I did this part.

    I did get results from my new search scope: customers. But this search scope did not show up anywhere..


    Andre

    Thursday, October 30, 2014 1:52 PM
  • Hi,

    If I look at your first image, the attribute _Customers looks a bit strange to me.

    Is that an attribute of the customer resource attribute type ?

    I would assume to use DisplayName or something like that, as this is the attribute users will search in when using the scope.

    Regards
    Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    Thursday, October 30, 2014 4:25 PM
  • Try to create a new MPR; the search scope shows results within the context of your super FIM administrator

    • Type: Request
    • Requestor set: All people
    • Grants permission for read
    • Target set : "All Customer object" (maybe you need to create it)
    • Select all attributes


    Sylvain

    That did it, it works :)

    Thank you so much for the help, I have been struggling with this issue for weeks.

    Best regards Andre


    Andre

    Friday, October 31, 2014 8:01 AM
  • Yes, _Customer is the Resource attribute.

    You are right, it's much better to have displayname as search attribute.

    Thanks for all the help.

    Best regards Andre


    Andre

    Friday, October 31, 2014 8:03 AM