How can we limit an "Administrator" to manage just the Users part of the Portal.

  • Question

  • We want a user, not the main FIM Administrator, just an ordinary Joe, to be able to maintain Users on the Portal.

    If I add him to the User Administrators set, he can't access the Portal... unless I do something that I don't know.

    If I add him to the Administrators set, he can do everything, such as play with Sets, MPRs, Sync Rules and so on. This is what we don't want!

    What we would like to know (and where to look for it in the documentation) is how to grant this user the ability to add/modify/delete User objects and add/modify/delete any of the attributes of a User object.

    In other words, when he logs on to the Portal he only sees Users on the left-hand side panel.

    Which of the hundreds of MPRs etc. do we have to hack?

    I find no such how-tos anywhere on TechNet and this seems such a basic function. FIM really is frustrating.

    Tuesday, January 29, 2013 12:47 PM

Answers

  • Yup that's about right

    You need a SET and an MPR.

    Create a SET named 'Portal Administrator', manually manage the membership, and add your user to that SET.

    Create an MPR named 'Portal Administrator: Portal Administrators can Manage users'.

    It would be a request MPR; in the Requestors box, type in 'Portal Administrators' and select all the check boxes, including the 'Grant Permission' check box.

    Next, type in 'All People' in both boxes on the next screen, select 'All Attributes', and hit Finish and Submit.

    You are good to go.

    • Marked as answer by HaroldHare Wednesday, January 30, 2013 7:14 AM
    Tuesday, January 29, 2013 6:08 PM
  • You need to create a new set for your user moderators; you can then create MPRs to allow that set to read and modify the users they should have access to.

    In a recent FIM set-up I wanted to allow the HR department to modify Staff accounts but not Student accounts or any other FIM settings. I created a set called "HR" and added my HR users to this set. I distinguished which accounts HR could view/edit by creating another set called "Staff" and then creating two MPRs, one "HR: HR can read and modify staff attributes" and one "HR: HR can read staff attributes" - I'm not sure how necessary the second one was given they already had the first, but I haven't tried it without yet. I based these two MPRs on the existing MPRs "Administration: Administrators can read all resources" and "Administration: Administrators can read and update Users", adjusting selected sets, objects and permissions as I considered necessary.

    The result was a portal where HR staff could log in and only have access to specific user accounts and no FIM portal settings. The navigation bar to the left when logged in as a user in the HR set looked like this:

    [Screenshot: Portal navigation bar as seen by a member of the HR set]

    • Edited by FIM-EN Tuesday, January 29, 2013 4:34 PM
    • Proposed as answer by Furqan Asghar Tuesday, January 29, 2013 6:02 PM
    • Marked as answer by HaroldHare Wednesday, January 30, 2013 7:14 AM
    Tuesday, January 29, 2013 4:07 PM

All replies

  • Thank you.

    This seems to work fine for a non-customised FIM.

    What we have done is to change the Banner and Title text of a FIM installation.

    Members of the Administrators set see all parts of the form: the center panel and the left-hand side panel. But our non-admin user who has been granted these special rights does not see the whole form when he logs on. All he sees is "Welcome Harry Salo" and a blank screen.

    If I add him to the Administrators set then he sees ALL parts of the form: Users, MPRs, Sets and Administration on the left-hand side, and the center panel.

    Most odd. Of course, the RCDC stuff used for customization was made by a local administrative account. Are there any file permission problems?

    This is most strange.

    Wednesday, January 30, 2013 9:36 AM
  • Sorry. My bad.

    It seems that the customised FIM had the MPR

    General: Users can read non-administrative configuration resources

    Disabled.

    When this was enabled all worked AOK.

    Wednesday, January 30, 2013 10:45 AM
  • You need to use a permissions-based request MPR. To achieve that you need:
    * A so-called requestor SET. In other words, a SET that contains all the users (statically or dynamically) allowed to do what you want them to do
    * A so-called target SET. In other words, a SET that contains all the users (statically or dynamically) allowed to be managed by the people in the requestor SET. If the operation is DELETION, you need a Target Before SET. If the operation is CREATION, you need a Target After SET. If the operation is MODIFY/UPDATE, you need a Target Before SET and you need a Target After SET. The Target Before SET and the Target After SET can be the though
    * An MPR that has the following configured:
        * Requestor SET
        * Operations (Create and/or Delete and/or Read and/or Add Value and/or Remove Value and/or Modify)
        * Target Before SET and/or a Target After SET
        * Specify All Attributes and/or define specific attributes
        * Specify the MPR is used for permission granting

    Cheers,


    (HOPEFULLY THIS INFORMATION HELPS YOU!)
    Jorge de Almeida Pinto | MVP Identity & Access - Directory Services

    Jorge de Almeida Pinto [MVP-DS] | Principal Consultant | BLOG: http://jorgequestforknowledge.wordpress.com/
    Thursday, February 7, 2013 3:11 PM
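To make the request-MPR rules in the last reply concrete, here is a small Python model added to this thread (it is not FIM code and not from any of the posters): a Set is modelled as a membership predicate over a resource dictionary, and `is_allowed` applies the Target Before / Target After rules to the constructed HR and Staff sets and the "HR can read and modify staff attributes" MPR from the thread. Account names and attribute values are made up for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional
# Constructed model (not FIM code) of how a permission-granting request MPR is
# evaluated, as described in the thread: Create is checked against Target After,
# Delete and Read against Target Before, Modify/Add Value/Remove Value against both.
Resource = Dict[str, str]
SetDef = Callable[[Resource], bool]  # a Set is a membership predicate over a resource

@dataclass(frozen=True)
class Mpr:
    name: str
    requestor_set: str
    operations: FrozenSet[str]
    target_before: Optional[str]          # None = no Target Before set configured
    target_after: Optional[str]           # None = no Target After set configured
    attributes: Optional[FrozenSet[str]]  # None = "All Attributes"
    grants_permission: bool = True        # the "Grant Permission" check box

REQUIRED_TARGETS = {"Create": ("after",), "Delete": ("before",), "Read": ("before",),
                    "Modify": ("before", "after"), "Add Value": ("before", "after"),
                    "Remove Value": ("before", "after")}

def is_allowed(mprs, sets: Dict[str, SetDef], requestor: Resource, operation: str,
               before: Optional[Resource], after: Optional[Resource],
               attribute: Optional[str] = None):
    """Return (allowed, name of the first MPR granting it, or None)."""
    for m in mprs:
        if not m.grants_permission or operation not in m.operations:
            continue
        if not sets[m.requestor_set](requestor):   # requestor must be in the Requestor Set
            continue
        if m.attributes is not None and attribute not in m.attributes:
            continue
        targets = {"before": (m.target_before, before), "after": (m.target_after, after)}
        # every target set the operation requires must be configured and must match
        if all(name is not None and res is not None and sets[name](res)
               for name, res in (targets[p] for p in REQUIRED_TARGETS[operation])):
            return True, m.name
    return False, None

# Constructed sets and MPR mirroring the HR / Staff example in the thread.
SETS: Dict[str, SetDef] = {
    "HR": lambda r: r.get("AccountName") in {"hr.alice"},   # manually managed membership
    "Staff": lambda r: r.get("ObjectType") == "Person" and r.get("EmployeeType") == "Staff",
}
MPRS = [Mpr("HR: HR can read and modify staff attributes", "HR",
            frozenset({"Read", "Modify"}), "Staff", "Staff", None)]
HR_USER = {"ObjectType": "Person", "AccountName": "hr.alice"}
STAFF = {"ObjectType": "Person", "AccountName": "bob", "EmployeeType": "Staff"}
STUDENT = {"ObjectType": "Person", "AccountName": "carol", "EmployeeType": "Student"}
```

Because Modify is checked against both target sets, an HR member can change a staff member's attributes but is denied an update that would move the account out of the Staff set (for example changing EmployeeType to Student), and has no rights at all over students or over Create/Delete.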