failed-modification-via-web-services

  • Question

  • Recently we made some modifications to our environment.  We added a new attribute on FIM that will be used to populate a new database.  We set up an MPR, sync rule and workflow for this. We set up our MPR as a Transition In but am wondering if this is the correct way to go.  What we are trying to do is provision and deprovision based on this new attribute.  All users that do not have a value for this new attribute are able to be provisioned into FIM.  All accounts that will be utilizing the attribute are the ones getting the error below. Any idea as to what may be causing this?  Like I said, it only affects the users associated with this set.

    I ran the "test FIM management agent account" script and get the following error: "Registry configuration and FIM MA configuration for MA account don't match."  I don't get it: why would it work on 150,000 accounts and only fail on 1300?  Any idea?

    thanks, 

    "There is an error executing a web service object modification request. Type: Microsoft.ResourceManagement.WebServices.Client.PermissionDeniedException Message: Fault Reason: Policy prohibits the request from completing. Fault Details: <requestfailures xmlns="http://schemas.microsoft.com/2006/11/ResourceManagement" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><requestadministratordetails><failuremessage>No policy grants the Requestor permission to complete all changes. Exception: ManagementPolicyRule Stack Trace: Microsoft.ResourceManagement.WebServices.Exceptions.PermissionDeniedException: ManagementPolicyRule ---> System.Data.SqlClient.SqlException: Reraised Error 50000, Level 16, State 1, Procedure DoEvaluateRequestInner, Line 462, Message: Permission denied. at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection) at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj) at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj) at System.Data.SqlClient.SqlDataReader.ConsumeMetaData() at System.Data.SqlClient.SqlDataReader.get_MetaData() at System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString) at System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async) at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, DbAsyncResult result) at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method) at System.Data.SqlClient.SqlCommand.ExecuteReader(CommandBehavior behavior, String method) at 
System.Data.SqlClient.SqlCommand.ExecuteReader() at Microsoft.ResourceManagement.Data.DataAccess.DoRequestCreation(RequestType request, Guid cause, Guid requestMarker, Boolean doEvaluation, Int16 serviceId, Int16 servicePartitionId) --- End of inner exception stack trace --- at Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(CreateRequestDispatchParameter dispatchParameter) at Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(UniqueIdentifier requestor, UniqueIdentifier targetIdentifier, OperationType operation, String businessJustification, List`1 requestParameters, CultureInfo locale, Boolean isChildRequest, Guid cause, Boolean doEvaluation, Nullable`1 serviceId, Nullable`1 servicePartitionId) at Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(UniqueIdentifier requestor, UniqueIdentifier targetIdentifier, OperationType operation, String businessJustification, List`1 requestParameters, CultureInfo locale, Boolean isChildRequest, Guid cause, Boolean doEvaluation) at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Put(Message request)</failuremessage><requestfailuresource>ManagementPolicyRule</requestfailuresource></requestadministratordetails></requestfailures> Stack Trace: at Microsoft.ResourceManagement.WebServices.ResourceClient.Put(Message request) at Microsoft.ResourceManagement.WebServices.ResourceClient.Put(UniqueIdentifier objectId, CultureInfo locale, Put putBody) at Microsoft.ResourceManagement.WebServices.Client.UninitializedResource.PerformUpdate() Inner Exception: Policy prohibits the request from completing."


    Monday, July 9, 2012 2:18 PM

Answers

  • Hi,

    Have you added your new attribute(s) in the following locations:

    • FIM Portal / Administration / Filter Permission / Administrator Filter Permission
    • FIM Portal / Management Policy Rules / Synchronization: Synchronization account controls users it synchronizes

    regards

    Tuesday, July 10, 2012 4:06 AM
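
A read-only way to check both places named in the answer above, as an added example that is not part of the original thread. It assumes the FIMAutomation snap-in on the FIM Service server; the endpoint URI and the attribute name `newDbAttribute` are placeholders.

```powershell
# Added example, not from the thread. It only queries the FIM Service; it changes nothing.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

$uri           = 'http://localhost:5725/ResourceManagementService'  # assumed endpoint
$attributeName = 'newDbAttribute'                                   # placeholder system name
$mprName       = 'Synchronization: Synchronization account controls users it synchronizes'
$filterName    = 'Administrator Filter Permission'

function Get-FimResource([string]$XPath) {
    # Export-FIMConfig returns one export object per resource matching the XPath.
    Export-FIMConfig -Uri $uri -OnlyBaseResources -CustomConfig $XPath
}

function Get-FimValues($Resource, [string]$Name) {
    # Return every value of one attribute as an array (nothing if the attribute is absent).
    $attr = $Resource.ResourceManagementObject.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq $Name }
    if (-not $attr) { return @() }
    if ($attr.IsMultiValue) { return @($attr.Values) }
    return @($attr.Value)
}

# Resolve the attribute's schema object; the filter permission refers to it by ID.
$attrType = Get-FimResource "/AttributeTypeDescription[Name='$attributeName']"
if (-not $attrType) { throw "Attribute '$attributeName' is not in the FIM schema." }
$attrId = $attrType.ResourceManagementObject.ObjectIdentifier

# 1. The sync MPR lists attributes by system name ('*' means all attributes).
$mpr = Get-FimResource "/ManagementPolicyRule[DisplayName='$mprName']"
if (-not $mpr) { throw "MPR '$mprName' not found." }
$params   = Get-FimValues $mpr 'ActionParameter'
$mprOk    = ($params -contains '*') -or ($params -contains $attributeName)
$disabled = (Get-FimValues $mpr 'Disabled') -contains 'True'

# 2. The filter permission lists attributes by reference to their schema object.
$scope = Get-FimResource "/FilterScope[DisplayName='$filterName']"
if (-not $scope) { throw "Filter permission '$filterName' not found." }
$filterOk = (Get-FimValues $scope 'AllowedAttributes') -contains $attrId

New-Object PSObject -Property @{
    Attribute            = $attributeName
    SyncMprGrantsIt      = $mprOk
    SyncMprDisabled      = $disabled
    FilterPermissionHas  = $filterOk
}
```

A `False` in `SyncMprGrantsIt` matches the "No policy grants the Requestor permission to complete all changes" fault in the question: the synchronization account's export touches an attribute that its MPR does not cover.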

All replies

  • (...) No policy grants the Requestor permission to complete all changes. (...) - check the MPR configuration. Investigate failed requests and see what was modified (check pending exports). Use the Explore tool from the portal (Management Policy Rules -> Explore) to check what the effective MPRs are for this request.
    Monday, July 9, 2012 3:03 PM
  • Sorry, I logged in with my other user name.  Didn't notice that I was logged in with a separate account.

    I go to explore under MPR.

    Chose the following settings:

    Find -> a requestor or a target resource

    criteria -> Requestor: "built-in Admin account"; Target Resource: "Employee Set"

    and then show results.

    I notice that the MPR chosen is "General workflow: filter attribute validation for non-administrators", which the built-in Admin account is not part of.  Should it be part of that requestors group or should I have defined something else when creating the new attribute? All the users, which in this case are all employees, are not even getting created in FIM, just the metaverse. I can export them to all the other locations, just not into the portal.


    • Edited by Joet-Tech Monday, July 9, 2012 3:36 PM
    Monday, July 9, 2012 3:35 PM
  • Thanks guys.  Looks like I was missing the last entry there as far as the sync rights go.
    • Edited by Joet-Tech Friday, July 13, 2012 3:18 AM
    Wednesday, July 11, 2012 8:19 PM
  • I faced the same issue when we tried to add a new attribute; this answer helped me to resolve the issue.
    Wednesday, May 31, 2017 9:04 PM