One of the most frequent questions on the FIM forum is ‘How to disable / remove New and Delete icons (buttons) from Users page?’

This question can be expanded to cover the Distribution and Security groups’ pages and even your own custom objects like Roles or Applications. Obviously, many FIM implementers want to prevent users who are not allowed to submit such requests from clicking the buttons, so that they do not have to explain to them why their requests were denied.

I was thinking: ‘No, you can’t do this out of the box’ and ‘Buttons are not permissions dependent’ until I found this thread: http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/bd43cbae-95bf-43a2-ba5c-9f430a6f7c65 - Bingo!

Digging deeper, I realized that the FIM portal has two universal pages: CustomizedObjects.aspx and GlobalSearchResult.aspx.

The first one (CustomizedObjects) will display a page with ‘New’, ‘Delete’ and ‘Details’ icons for any objects selected in the URL, e.g. https://portal-fim/IdentityManagement/aspx/customized/CustomizedObjects.aspx?type=Application&display=Application&searchtype=e2ec8a98-4e6a-4ee8-a84b-031a4d9cb781 or https://portal-fim/IdentityManagement/aspx/customized/CustomizedObjects.aspx?type=Role&display=Role&searchtype=9acf43b8-9ed3-46a7-b53f-46acb6dbe300



The only differences in the URL, as you can see, are ‘type’ (either the custom Application or Role object) and ‘searchtype’ (which is the objectID of a search scope – one for ‘All Applications’ and another for ‘All Roles’).



Sure, you can insert type=Group (or Type=Person) in that URL, and you will not see the ‘Join’ or ‘Leave’ buttons within a list of groups. You also need to add the ‘customized’ usage keyword to the search scope definition, e.g. for the ‘All Roles’ search scope I have the ‘customized, Role and basicUI’ keywords.

The second one (GlobalSearchResult) will display a page with just one icon for ‘Details’: https://portal-fim/IdentityManagement/aspx/common/GlobalSearchResult.aspx?searchtype=524ae86b-c903-4141-8746-5505b9dd44d6

Here we have to select a search scope by providing the proper objectID in the ‘searchtype’ variable.

Do not forget to add the ‘GlobalSearchResult’ usage keyword to the search scope definition.

Finally, add a redirecting URL to the search scope definition: ~/IdentityManagement/aspx/common/GlobalSearchResult.aspx (don’t add ‘?searchtype=<GUID>’ here).

So how will all this help us? Although the buttons are still not permission dependent, you can redirect different groups of users to different pages.

Here’s how this can be done (yes, again using Usage Keyword) for Users page:

Step 1. Create a link with buttons:

  1. Go to Navigation Bar Resources page and click on Users link to edit it.
  2. Clear all usage keywords (and this link will only appear for FIM Administrators) or specify your own usage keyword, e.g. ‘HR’ – to display this link to HR users only.
  3. Check that Navigation URL points to ~/IdentityManagement/aspx/users/Users.aspx (so ‘New’ and ‘Delete’ buttons will be visible)
  4. For Administrators-only access, stop here; for HR users, continue to step 5
  5. Create a set ‘HR users’ with either dynamic or static membership
  6. Create a set ‘All HR Navigation Bar Configurations’ with a criteria-based membership: Select ‘navigation bar resource’ with ‘usage keyword contains HR’
  7. Create a set ‘All HR configuration objects’ with a criteria: Resource ID in All HR Navigation Bar Configurations
  8. Create an MPR to read all configuration resources with ‘HR’ usage keyword: specify a ‘HR users’ set to Read Resources (all attributes) in ‘All HR configuration objects’ set.

Now FIM Administrators and users from the ‘HR users’ set will see the normal link to the Users page with ‘New’ and ‘Delete’ buttons.

 

Step 2. Create a link without buttons:

  1. Go to Navigation Bar Resources page and click on ‘New’ button.
  2. Create another link with ‘Users’ display name and ‘NonHR’ usage keyword.
  3. Put ~/IdentityManagement/aspx/common/GlobalSearchResult.aspx?searchtype=524ae86b-c903-4141-8746-5505b9dd44d6 into Navigation URL, where searchtype contains objectID of the ‘All Users’ search scope.
  4. Create a set ‘NonHR users’ with negative membership to ‘HR users’ set
  5. Create a set for ‘All NonHR Navigation Bar Configurations’ with a criteria-based membership: Select ‘navigation bar resource’ with ‘usage keyword contains NonHR’
  6. Create a set ‘All NonHR configuration objects’ with a criteria: Resource ID in All NonHR Navigation Bar Configurations
  7. Create an MPR to read all configuration resources with ‘NonHR’ usage keyword: specify a ‘NonHR users’ set to Read Resources (all attributes) in ‘All NonHR configuration objects’ set.

Now all users except HR will see a link to GlobalSearchResult page without any buttons.
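
The following check is an added example, not part of the original post or of FIM: it lints navigation bar links and search scopes against the rules above, flagging any link that exposes a page with ‘New’/‘Delete’ icons to a usage keyword outside the allowed set. The dictionary keys (`keywords`, `url`, `redirect_url`) and the function names are assumptions made for illustration, and the sample link is constructed from the URLs in the post.

```python
from urllib.parse import urlsplit, parse_qs
from uuid import UUID

# Pages named in the post, mapped to whether they render 'New'/'Delete' icons.
SHOWS_BUTTONS = {"users.aspx": True, "customizedobjects.aspx": True,
                 "globalsearchresult.aspx": False}

def _page_and_query(url):
    parts = urlsplit(url)
    return parts.path.rsplit("/", 1)[-1].lower(), parse_qs(parts.query)

def _is_guid(value):
    try:
        UUID(value)
        return True
    except ValueError:
        return False

def lint_nav_link(link, button_keywords):
    """Return findings for one navigation bar link (hypothetical dict shape)."""
    page, query = _page_and_query(link["url"])
    if page not in SHOWS_BUTTONS:
        return ["unknown page: " + page]
    findings = []
    # An empty keyword list means the link is shown to FIM Administrators only.
    exposed = set(link["keywords"]) - set(button_keywords)
    if SHOWS_BUTTONS[page] and exposed:
        findings.append("New/Delete icons shown to: " + ", ".join(sorted(exposed)))
    if page != "users.aspx" and not _is_guid(query.get("searchtype", [""])[0]):
        findings.append("searchtype is not a search scope objectID (GUID)")
    if page == "customizedobjects.aspx" and "type" not in query:
        findings.append("CustomizedObjects.aspx needs a type parameter")
    return findings

def lint_search_scope(scope):
    """Check the redirect rules the post gives for GlobalSearchResult scopes."""
    page, query = _page_and_query(scope["redirect_url"])
    findings = []
    if page == "globalsearchresult.aspx":
        if query:
            findings.append("redirect URL must not carry ?searchtype=<GUID>")
        if "GlobalSearchResult" not in scope["keywords"]:
            findings.append("missing 'GlobalSearchResult' usage keyword")
    return findings

# Constructed sample: a 'NonHR' link that mistakenly points at the page with buttons.
NON_HR_LINK = {"keywords": ["NonHR"], "url": "~/IdentityManagement/aspx/users/Users.aspx"}
print(lint_nav_link(NON_HR_LINK, button_keywords={"HR"}))
```
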

 

Thanks to Bob Tucker from the OCG for this idea with the GlobalSearchResult page.