none
"Unable to process your request" when returning to the General tab on an Approval RRS feed

  • Question

  • Having a very weird issue here on build 4.1.3441.0

    A user opens one of the approvals waiting in their "Approve Requests" page. They see the General tab just fine. They click through to the Details tab - no problem. They click through to the Applied Policy tab - still fine. They click the General tab again and they get the nasty "Unable to process your request" error.

    This happens to all end users. It does not happen to Administrators. If I put an end user in the Administrators set the problem goes away, and comes back again as soon as I remove them.

    So - permissions, right? Wish I could figure out what. The only way I can make it reliably go away is to give All People read rights to all attributes of All Objects.

    The following have NOT worked:

    - Giving All People read to all attributes of All Requests and All Approval Related Objects

    - Giving All People read to ObjectID,ObjectType and DisplayName of All Objects

    I'm really stuck now - what on earth does it want? And why can the user see the General tab on opening, but not on navigating back from the Applied policy tab? What is it doing there?

    I've also tried turning on the verbose logging but there were no errors relating to this.


    http://www.wapshere.com/missmiis

    Thursday, August 15, 2013 10:19 PM

Answers

  • Carol,

    Please specify what the 'target attributes' tab for the following MPR shows;

    Request Management: Request participants can read their request resource

    I had a customer who had this exact scenario before and the above MPR was at first thought be responsible for this; it is meant to allow the proper permissions for a user being able to read a request meant for them.  I ultimately found out that in this situation there was a MPR that was not OOB that had the 'All Attributes' radio button selected for the 'target attributes' tab. Disabling the non-OOB MPR fixed the issue in my case but verify that the above MPR does not show 'Management Policy Rule' for one of the target attributes. This attribute, which has system name of 'ManagementPolicy', is a reference attribute for what policies applied to a request.

    This is how the 'Applied Policy' tab works for admins. In my customer's case, this attribute was allowed to be viewed by 'normal' (not FIM admin) users but of course there was not an MPR to actually allow them to see the MPRs themselves, hence the error. Normal users can't see the 'Applied Policy' tab in default FIM install, so if yours can, I would think having a MPR that is too permissive is the issue.

    You can also view what MPRs allow access specifically to this specific attribute using the following query in SQL:

    Select [ObjectKey],[ActionParameterKey] FROM [FIMService].[fim].[ManagementPolicyRuleReadInternalAttribute] Where ActionParameterKey = 118

    Friday, August 16, 2013 3:58 AM

All replies

  • Carol,

    Please specify what the 'target attributes' tab for the following MPR shows;

    Request Management: Request participants can read their request resource

    I had a customer who had this exact scenario before and the above MPR was at first thought be responsible for this; it is meant to allow the proper permissions for a user being able to read a request meant for them.  I ultimately found out that in this situation there was a MPR that was not OOB that had the 'All Attributes' radio button selected for the 'target attributes' tab. Disabling the non-OOB MPR fixed the issue in my case but verify that the above MPR does not show 'Management Policy Rule' for one of the target attributes. This attribute, which has system name of 'ManagementPolicy', is a reference attribute for what policies applied to a request.

    This is how the 'Applied Policy' tab works for admins. In my customer's case, this attribute was allowed to be viewed by 'normal' (not FIM admin) users but of course there was not an MPR to actually allow them to see the MPRs themselves, hence the error. Normal users can't see the 'Applied Policy' tab in default FIM install, so if yours can, I would think having a MPR that is too permissive is the issue.

    You can also view what MPRs allow access specifically to this specific attribute using the following query in SQL:

    Select [ObjectKey],[ActionParameterKey] FROM [FIMService].[fim].[ManagementPolicyRuleReadInternalAttribute] Where ActionParameterKey = 118

    Friday, August 16, 2013 3:58 AM
  • Thank you Glenn you got it in one! I had not changed the OOB MPR (I never do) but had added an extra MPR for a set of Portal administrators who are not full administrators. They do all the day to day support and need to be able to see all requests. I'd given their MPR "all attributes". I've now copied the attribute list from that MPR you mention and the Applied Policy tab has disappeared.


    http://www.wapshere.com/missmiis

    Friday, August 16, 2013 4:20 AM