The purpose of this article is to explain the problem, cause, and resolution for the Access Denied error that can occur when a Group Administrator attempts to add or remove a member of a group they do not own.


You are attempting to set up the FIM Portal so that Group Administrators have the ability to add or remove members of a group that they do not own. When testing the process, you receive an Access Denied error.

You click [Details] to explore more information about the error. You notice that the Request Workflow Remarks field contains a more detailed message:

Request Workflow Remarks: The request included members which the requestor is not authorized to add and/or remove from this group.


This happens because the request fires an Authorization Workflow that is controlled by 1 or 2 Management Policy Rules (MPRs):

  • Group management workflow: Validate requestor on add member to open group
  • Group management workflow: Validate requestor on remove member

If you investigate these MPRs, you will see that the Requestor is the All Non-Administrators Set. The All Non-Administrators Set contains all FIM users who are not FIM Administrators, which includes Group Administrators.


To resolve the issue, you will need to update the All Non-Administrators Set so that it no longer matches Group Administrators. You can find the steps to do this here.