OVERVIEW / PURPOSE

The purpose of this article is to explain the problem, cause and resolution for the Access Denied error that a Group Administrator can receive when attempting to add or remove a member of a group they do not own.

PROBLEM STATEMENT 

You are attempting to set up the FIM Portal so that Group Administrators have the ability to add or remove members of a group that they do not own. When testing the process you receive an Access Denied error.
You click [Details] to see more information about the error. The Request Workflow Remarks field gives a more detailed message:
Request Workflow Remarks: The request included members which the requestor is not authorized to add and/or remove from this group.

CAUSE

This happens because the request triggers an Authorization Workflow that is controlled by one or both of the following Management Policy Rules (MPRs), depending on whether the request adds or removes a member:
  • Group management workflow: Validate requestor on add member to open group
  • Group management workflow: Validate requestor on remove member

If you inspect these MPRs you will see that the Requestor is the All Non-Administrators set. The All Non-Administrators set contains every FIM user who is not a FIM Administrator, so it also includes Group Administrators. Their add and remove requests therefore match these MPRs, the validation workflow runs against them, and it rejects the request because the requestor does not own the group.


RESOLUTION

To resolve the issue, you will need to update the All Non-Administrators set. You can find the steps to do this here.

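As an added example, not part of this article or of the FIM product documentation, the following script uses the FIM Automation snap-in cmdlets to read the current filter of the All Non-Administrators set and replace it with one that also excludes the members of a customer-defined set named "Group Administrators". The service URI and that set name are assumptions; because the All Non-Administrators set is referenced by other default MPRs, review those before applying the change.

```powershell
# Added example (not from the original article): narrow the All Non-Administrators
# set filter so that members of an assumed customer-defined "Group Administrators"
# set are excluded, using the FIM Automation snap-in cmdlets.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

$uri = "http://localhost:5725/ResourceManagementService"   # assumed FIM Service URI

# 1. Export the set and show its current filter.
$setExport = Export-FIMConfig -Uri $uri -OnlyBaseResources `
    -CustomConfig "/Set[DisplayName='All Non-Administrators']"
if (-not $setExport) { throw "Set 'All Non-Administrators' not found." }
$setObject = $setExport.ResourceManagementObject
$currentFilter = ($setObject.ResourceManagementAttributes |
    Where-Object { $_.AttributeName -eq "Filter" }).Value
Write-Host "Current filter:`n$currentFilter"

# 2. Build the new filter. The XPath keeps the exclusion of the Administrators set
#    and adds an exclusion for the assumed "Group Administrators" set.
#    Both set display names are assumptions; adjust them to your environment.
$xpath = "/Person[not(ObjectID = /Set[DisplayName='Administrators']/ComputedMember) " +
         "and not(ObjectID = /Set[DisplayName='Group Administrators']/ComputedMember)]"
$newFilter = '<Filter xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ' +
             'xmlns:xsd="http://www.w3.org/2001/XMLSchema" ' +
             'Dialect="http://schemas.microsoft.com/2006/11/XPathFilterDialect" ' +
             'xmlns="http://schemas.microsoft.com/2006/11/ResourceManagement">' +
             $xpath + '</Filter>'

# 3. Submit a Put request that replaces the single-valued Filter attribute.
$importObject = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
$importObject.ObjectType             = "Set"
$importObject.TargetObjectIdentifier = $setObject.ObjectIdentifier
$importObject.SourceObjectIdentifier = $setObject.ObjectIdentifier
$importObject.State                  = "Put"

$change = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
$change.Operation      = "Replace"
$change.AttributeName  = "Filter"
$change.AttributeValue = $newFilter
$change.FullyResolved  = $true      # literal value, not a reference to resolve
$change.Locale         = "Invariant"
$importObject.Changes  = @($change)

$importObject | Import-FIMConfig -Uri $uri
Write-Host "Filter updated; the FIM Service recomputes the set membership."
```

The same edit can be made interactively in the FIM Portal on the set's Criteria-based Members tab.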

SEE ALSO