none
Simple user can see items not supposed to (BasicUI has been removed) RRS feed

  • Question

  • I have MIM 2016 SP1. I have removed keyword from things like Administration and yet a simple user can still see them.
    I had it working fine, I am pretty sure and now somehow it is not working. 

    Any idea? maybe I am doing something real stupid?


    Nosh Mernacaj, Identity Management Specialist

    Thursday, June 8, 2017 12:21 AM

Answers

All replies

  • Missing IISRESET?
    Friday, June 9, 2017 7:46 AM
  • Thanks but thats not it.  Did it many tines. Even reboot.

    Nosh Mernacaj, Identity Management Specialist

    Friday, June 9, 2017 11:05 AM
  • Hi Nosh,

    in generell users don't see the "Administration" link, so I think you are trying to revert some changes.

    I would bet that there maybe a mistake in some permission MPR granting Access to navigation bar objects.
    After removing the Keywords that is the only Option that came to my mind.

    Maybe all or unwanted navigation bar elements are member of a set used by an MPR.

    /Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    Friday, June 9, 2017 5:01 PM
  • Thanks Peter,

    Did not think about that, administration is not available to them anyways. 

    Just cant think of what and where.  Looked for obvious sets of admins and those, but Maybe It will come out eventually


    Nosh Mernacaj, Identity Management Specialist


    Friday, June 9, 2017 5:04 PM
  • Are you really sure that your modifications (remove keyword) has been saved? I have faced some times that modifications has not been saved. Also are you really sure that the user is not Administrator?

    Like Peter said Administration is not supposed to be visible for normal users. Also, are there any other keywords defined?

    Tuesday, June 13, 2017 7:20 AM
  • @2xTsei,

    Thanks for your effoerts,

    I am REALLY SURE I removed BasicUI (But as peter mentioned, simple user should not see Administration Links anyways). Saved, rebooted, and rechecked. 

    I am not really sure it is not an admin, but I checked the Administrators Set and its not a member.

    I don't really know what else gives this permission.  I cant think of what did happen.

    I have not spend enough time lately on it, but I will be sure to let everyone know what I find.


    Nosh Mernacaj, Identity Management Specialist

    Tuesday, June 13, 2017 2:52 PM
  • You can use the MPR Explorer to find the MPR that might give the permission to read that objects:

    https://blogs.msdn.microsoft.com/connector_space/2015/06/01/understanding-the-mpr-explorer/

    A tool most guys don't thnik about or sometimes even know ;-)

    Maybe that helps if you find some time.

    /Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    • Marked as answer by Nosh Mernacaj Wednesday, June 14, 2017 7:02 PM
    Tuesday, June 13, 2017 3:33 PM
  • Thanks Peter,

    I actually do use the tool a lot and thought about it, but I stopped short of seeing how it will help me. I always used it in the context of Workflows and Sets.

    I missed the part that it does allow to see requestor as well.

    I will let you see how it goes.


    Nosh Mernacaj, Identity Management Specialist

    Tuesday, June 13, 2017 3:40 PM
  • First of all, many thanks to all of you who took the time to help me.

    I think Peter came closer to getting me on the right path, so I gave him the cudos.

    Issues was that I have an MPR that grants access to all users to create a new object (Custom Object)

    I had picked "All Objects" as the set "before request"  and the relevant set for after.

    When I looked for MPRs that applies to a simple user, as per Peter's suggestion, I was able to immediately spot the issue.

    Another fun day with a stupid mistake. 


    Nosh Mernacaj, Identity Management Specialist

    Wednesday, June 14, 2017 7:07 PM