FIM Administrators Set


  • Hi

    I'm having an issue logging in to the FIM portal: though I'm a member of the 'Administration' set in the portal, it doesn't allow me to log in to it. Does anyone have an idea which MPRs, WFs etc. this 'Administration' set is connected to, or is there a way to create a new 'Administration' set which will grant access to the portal as 'Administrator'?


    Tuesday, October 29, 2013 7:38 PM

All replies

  • What happens when you try to login?

    Thanks, Brian

    Tuesday, October 29, 2013 9:12 PM
  • It says invalid credentials. A workaround which I found is that I added my account as a secondary site collection administrator in SharePoint Central Administration, which allowed me to log in to the FIM Portal, but how do I give admin access to other users in the FIM Portal?


    Tuesday, November 05, 2013 10:32 AM
  • If you are a member of the default Administrators set then the default "Administrators can ..." MPRs will grant you privileges to basically every activity accessible through the FIM Portal.  By default the account with which FIM was installed is a member of this set - this grants the corresponding permissions to the associated user logged onto the FIM Portal - something they can't do unless they are members of the appropriate role on the SharePoint site hosting FIM.

    One option would be to grant SharePoint READER rights to the Domain Users group for each domain linked to users listed in the FIM Portal.  You may choose to be more selective, but this is the easiest option.  Your secondary farm administrator will automatically be granted rights to the FIM Portal, but you won't be able to get them to log into the FIM Portal unless you do BOTH of the following:

    1. Add them to a set of users associated with MPRs which grant access rights - the Administrators set is one such set, albeit with full privileges which may not be what you want to give; and
    2. Update the Domain, AccountName and ObjectSID properties on the FIM user record from the account in the corresponding domain.  Using FIM Sync to do this is the most common way, but there are others that you may want to use, for example in script using the FIM PowerShell libraries.

    I think that's all you need, but if you still can't log in, search for several other articles on this forum which go into more depth on this subject.

    Bob Bradley (FIMBob @ ... now using FIM Event Broker for just-in-time delivery of FIM 2010 policy via the sync engine, and continuous compliance for FIM

    • Proposed as answer by UNIFYBobMVP Thursday, August 13, 2015 11:57 AM
    Thursday, November 07, 2013 3:37 PM
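
The two steps from the reply above, sketched as a script using the FIMAutomation snap-in (an added example, not code posted by anyone in this thread). The service URI, domain, account name and both XPath filters are placeholder assumptions; it assumes the Person record already exists in the portal and that the script runs under an account that already has rights in the FIM Service. It targets a narrower, hypothetical set rather than the full-privilege Administrators set.

```powershell
# Added example, not from the thread. All values marked "placeholder" are assumptions.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue
$Uri          = 'http://localhost:5725/ResourceManagementService'  # assumed FIM Service endpoint
$Domain       = 'CONTOSO'                           # placeholder NetBIOS domain
$AccountName  = 'jdoe'                              # placeholder sAMAccountName
$PersonFilter = "/Person[DisplayName='Jane Doe']"   # placeholder XPath to the portal user record
$SetFilter    = "/Set[DisplayName='Example Portal Operators']"  # placeholder set used by your MPRs
$Ns = 'Microsoft.ResourceManagement.Automation.ObjectModel'

function New-Change([string]$Operation, [string]$Name, [string]$Value) {
    $c = New-Object "$Ns.ImportChange"
    $c.Operation = $Operation; $c.AttributeName = $Name; $c.AttributeValue = $Value
    $c.FullyResolved = $true; $c.Locale = 'Invariant'
    $c
}

function Get-SingleResource([string]$XPath) {
    # Refuse to continue on zero or multiple matches so the wrong record is never modified.
    $found = @(Export-FIMConfig -Uri $Uri -OnlyBaseResources -CustomConfig $XPath)
    if ($found.Count -ne 1) { throw "Expected 1 match for $XPath, found $($found.Count)" }
    $found[0].ResourceManagementObject
}

function Submit-Changes($Resource, $Changes) {
    $o = New-Object "$Ns.ImportObject"
    $o.ObjectType = $Resource.ObjectType
    $o.SourceObjectIdentifier = $Resource.ObjectIdentifier
    $o.TargetObjectIdentifier = $Resource.ObjectIdentifier
    $o.State = 'Put'
    $o.Changes = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange[]]$Changes
    $o | Import-FIMConfig -Uri $Uri
}

# Resolve the SID from the domain; FIM stores ObjectSID as binary, sent here base64-encoded.
$nt  = New-Object System.Security.Principal.NTAccount($Domain, $AccountName)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier])
$sidBytes = New-Object byte[] $sid.BinaryLength
$sid.GetBinaryForm($sidBytes, 0)

# Step 2 of the answer: stamp Domain, AccountName and ObjectSID on the Person record.
$person = Get-SingleResource $PersonFilter
Submit-Changes $person @(
    (New-Change 'Replace' 'Domain'      $Domain),
    (New-Change 'Replace' 'AccountName' $AccountName),
    (New-Change 'Replace' 'ObjectSID'   ([Convert]::ToBase64String($sidBytes))))

# Step 1 of the answer: add the person to a set that MPRs grant rights to.
$set = Get-SingleResource $SetFilter
Submit-Changes $set @(New-Change 'Add' 'ExplicitMember' $person.ObjectIdentifier)
```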