User Permissions in MIM Portal

  • Question

  • We have base functionality in our Proof of Concept MIM portal.  Users can access the portal from other machines in the test domain.  But, right now, it seems to be a flat permission.  ALL account names can create requests for new users.  We are (essentially) a retail operation.  So I want managers of the retail locations to submit the requests.  Since we have no Exchange or SMTP server in our PoC domain, we're fine with the request generating a new user that immediately provisions.

    So I think the base idea is to create a user Set that defines our "store" managers.  Then I use that set to establish authorization to create new users.

    Would I be better off editing the existing workflows and MPRs to assign the rights, or should I set new ones for these users, then disable either the MPR or the workflows that provide "systemwide" access now?

    I'm presuming this is somewhere in an administrator's guide, but have not (yet) located it.  I will keep searching as well.

    Friday, January 12, 2018 6:17 PM

Answers

  • Disable the broader MPR. Create an MPR to grant required permissions for the Set of managers.

    I usually go with a "Deny all, Grant what you need" approach.

    • Proposed as answer by Ian Bassi Friday, January 12, 2018 11:34 PM
    • Marked as answer by Rob J Vargas Monday, January 15, 2018 10:56 PM
    Friday, January 12, 2018 10:12 PM

All replies

  • Implicit deny is my preferred model as well.  I thought I'd ask in case there was a "gotcha" I hadn't considered so far.
    Monday, January 15, 2018 8:34 PM