Security Groups Issue

  • Question

  • Hi,

    Different type of users can log in FIM Portal 2010. I have configured many Security Groups and I want to make visible to a specified set of users only a specified set of Security Groups. This users are non admin users. I want to make visible this set of Security Groups only to these users and to the owner of these SGs. I have tried to modify the default management policy rules for Security Groups ("Security Group Management: Users can add or remove any member of groups subject to owner Approval", "Security Group management: Users can read selected attributes of group resources"), by making as Target Resource Set, the Set of the Security Groups I want to make accessible to non admin users and the owner, but I get an error. Also I have tried to disable the default MPRs and I have created new MPRs identical with the defaults but as Target Resource Set is the Set that contains only the desired Security Groups. But this also generates an error. The "Security Group Users" set contains only the authorized users and the owner of these SGs.

    What else can I try?

    Thanks,

    Griselda

    Monday, December 3, 2012 12:44 PM

All replies

  • You will need new sets and MPRs:

    • A set containing the users you want to see the groups
    • A set of the groups
    • A request MPR that grants the set of users (requestors) the ability to read and modify multi-value attributes of the groups set

    You may need more than one MPR if the users can read more attributes than they can edit. Eg one MPR to read attributes and one MPR to modify certain attributes. 

    Tuesday, December 4, 2012 12:11 AM
  • Thank you for the answer, Cameron.

    I have a few questions. I have tried before to create new sets and MPRs as you have described, but I get an error when trying to access the SGs. I have disabled the two MPRs: "Security Group Management: Users can add or remove any member of groups subject to owner Approval", "Security Group Management: Users can read selected attributes of group resource", and the two newly created MPRs are enabled. Should the two default MPRs be enabled while the newly created MPRs are also enabled? And should I remove the users that want to see the groups from the "Security Group Users" set and leave them only in the newly created set that is the requestor set of the new MPRs?

    Thanks,

    Griselda 

    Tuesday, December 4, 2012 2:50 PM
  • The new MPRs should provide enough permission to be able to edit users' group memberships. Also, the users that can see the groups can remain in the "Security Group Users" set.

    Could you post your MPR configuration and the error you're getting?

    Edit:

    Can the group administrators read user information? If not, you'll need to create an MPR for that as well.

    Tuesday, December 4, 2012 11:57 PM
  • The two MPRs I have created are:

    1. MPR1, where the Specific Set of Requestors is the set of users that I want to see the Security Groups, the Operation is "Add a value to a multivalued attribute", Grant Permissions is checked, the Target Resource Definition before and after the operation is the set of Security Groups that the users should see, and the Resource Attribute is Manually-managed Membership.

    2. MPR2, where the Specific Set of Requestors is the set of users that I want to see the Security Groups, the Operation is "Read Resource", Grant Permission is checked, the Target Resource Definition before the Request is the set of Security Groups that the users should see, and specific attributes are selected.

    If I disable the "Security Group Management: Users can add or remove any member of groups subject to owner Approval" and "Security Group Management: Users can read selected attributes of group resource" MPRs, and enable the new MPR1 and MPR2, when a user from the set that is allowed to see the specified SGs opens SGs in the Portal, a general error message is displayed that says to contact the administrator.

    The Security Groups that I want the users to see don't have users as members, but resources of a custom type.

    The group owners can read the resources of the custom type that are members of the SGs.

    Thanks,

    Griselda 

    Wednesday, December 5, 2012 9:41 AM
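  • The two MPRs described above (the read MPR and the membership-modify MPR, as Cameron's reply laid them out) can be created from PowerShell instead of the Portal. This is an added example, not code from the thread or from Microsoft; it assumes the FIMAutomation snap-in is present on the FIM Service host, that the two Sets already exist under the placeholder display names used below, and that `ExplicitMember` is the schema name of "Manually-managed Membership":

    ```powershell
    # Added example (not from the thread): build the read MPR and the membership-modify
    # MPR with the FIMAutomation object model and import them via Import-FIMConfig.
    Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

    $requestorSetName = 'Security Group Viewers'     # placeholder: set of non-admin users
    $groupSetName     = 'Restricted Security Groups' # placeholder: set of the SGs to expose
    $ns = 'Microsoft.ResourceManagement.Automation.ObjectModel'

    # Resolve a Set's 'urn:uuid:<guid>' identifier, which reference attributes require.
    function Get-SetReference([string]$DisplayName) {
        $export = Export-FIMConfig -OnlyBaseResources -CustomConfig "/Set[DisplayName='$DisplayName']"
        if (-not $export) { throw "Set '$DisplayName' not found" }
        return $export.ResourceManagementObject.ObjectIdentifier
    }

    # Build a Create-state ImportObject; array values become multivalued attributes.
    function New-CreateImportObject([string]$ObjectType, [hashtable]$Attributes) {
        $obj = New-Object "$ns.ImportObject"
        $obj.ObjectType = $ObjectType
        $obj.SourceObjectIdentifier = [Guid]::NewGuid().ToString()
        $obj.TargetObjectIdentifier = $obj.SourceObjectIdentifier
        $obj.State = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportState]::Create
        $obj.Changes = @(foreach ($name in $Attributes.Keys) {
            foreach ($value in @($Attributes[$name])) {
                $c = New-Object "$ns.ImportChange"
                $c.Operation = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportOperation]::Add
                $c.AttributeName = $name; $c.AttributeValue = [string]$value
                $c.FullyResolved = 1;     $c.Locale = 'Invariant'
                $c
            }
        })
        return $obj
    }

    $users  = Get-SetReference $requestorSetName
    $groups = Get-SetReference $groupSetName
    $common = @{ ManagementPolicyRuleType = 'Request'; GrantRight = 'True'; Disabled = 'False'
                 PrincipalSet = $users; ResourceCurrentSet = $groups }

    # MPR2 in the thread: requestors may read selected attributes of the target groups.
    $readMpr = New-CreateImportObject 'ManagementPolicyRule' ($common + @{
        DisplayName     = 'SG Viewers: read selected group attributes'
        ActionType      = 'Read'
        ActionParameter = @('DisplayName', 'Description', 'Owner', 'ExplicitMember') })

    # MPR1 in the thread: requestors may add/remove manually-managed members;
    # a modify MPR also needs the "after operation" set (ResourceFinalSet).
    $modifyMpr = New-CreateImportObject 'ManagementPolicyRule' ($common + @{
        DisplayName      = 'SG Viewers: modify manually-managed membership'
        ActionType       = @('Add', 'Remove')
        ActionParameter  = 'ExplicitMember'
        ResourceFinalSet = $groups })

    $readMpr, $modifyMpr | Import-FIMConfig
    ```

    Keeping both MPRs narrow (one read, one modify, each scoped to the group set) matches the least-privilege split Cameron suggested, and the read MPR must cover every attribute the Portal page renders or the user still gets a generic error.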
  • Take a look at your non-administrator Filter permission and try adding the set of SGs to the allowed membership reference. You should be able to turn back on those MPRs you disabled if you check there.
    Wednesday, December 5, 2012 2:35 PM
  • Please, can you explain in detail what I should do?

    Thanks in advance,

    Griselda

    Thursday, December 6, 2012 10:34 AM