

FIM 2010: How to Allow Group Administrators to Add/Remove Members to a Group they do not own

OVERVIEW / PURPOSE

Recently, I worked on an issue where a customer wanted to allow Group Administrators to update the membership of a group they did not own, without making them FIM Administrators. The goal of this article is to provide the steps necessary to make this possible.
 

STEPS

ADD MEMBERS TO GROUP ADMINISTRATORS SET

    1. Navigate to the FIM Portal as a FIM Administrator
    2. Select Sets from the menu on the left
    3. Search for "Group Administrators" using the Search box in the upper right of the Sets page
    4. Select Group Administrators to open the Properties to the Group Administrators Set
    5. Select the last tab "Manually-Managed Members"
    6. In the Members to Add box, type the name of a FIM User that you want to be a Group Administrator
    7. Click Ok
    8. Click Submit

MPRs TO ENABLE

    1. Navigate to the FIM Portal as a FIM Administrator
    2. Select Management Policy Rules from the menu on the left
    3. Search for Group Administrators using the Search box in the upper right
    4. By default, three Management Policy Rules are returned. (NOTE: If you have created other sets in relation to Group Administrators, additional rules might appear as well.)
    5. Ensure that the following Management Policy Rules are Enabled
      1. Group management: Group Administrators can create and delete group resources
      2. Group management: Group Administrators can read attributes of group resources
      3. Group management: Group Administrators can update group resources

MODIFY ALL NON-ADMINISTRATORS SET

We are modifying this Set because it is the "Specific Set of Requestors" for the following two Management Policy Rules (MPRs).

  • Group management workflow: Validate requestor on add member to open group
  • Group management workflow: Validate requestor on remove member

If this Set is not modified to exclude Group Administrators, it is very likely that you will receive an "Access Denied" error when submitting the membership request, because the request is routed through the requestor-validation workflows above.

    1. Navigate to the FIM Portal as a FIM Administrator
    2. Select Sets from the menu on the left
    3. Search for Non-Administrators using the Search box in the upper right
    4. You should have one Set returned (All Non-Administrators)
    5. Click on All Non-Administrators to view the Properties of the Set
    6. Click on Criteria-Based Members
    7. Click Add Statement to add a new condition
    8. Click <click to select attribute> and from the drop down, select Resource ID
    9. Click is and change to not in
    10. Click the text box and type: Group Administrators
    11. Click Ok and then Submit
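After completing the steps above, the configuration can be verified from the FIM Service host instead of clicking through the portal. The following script is an added example, not part of the original article; it assumes the FIMAutomation snap-in is installed, the default FIM Service URI, and that it runs as a FIM Administrator.

```powershell
# Added verification script (not from the original article). Assumes the FIMAutomation
# snap-in is installed on the FIM Service host and the session runs as a FIM Administrator.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

$uri = "http://localhost:5725/ResourceManagementService"   # assumption: default FIM Service URI

# Helper: flatten an ExportObject into a hashtable of attribute name -> value
function Get-FimAttributes {
    param($ExportObject)
    $h = @{}
    foreach ($a in $ExportObject.ResourceManagementObject.ResourceManagementAttributes) {
        if ($a.IsMultiValue) { $h[$a.AttributeName] = $a.Values } else { $h[$a.AttributeName] = $a.Value }
    }
    return $h
}

# 1. The three "Group management: Group Administrators ..." MPRs from the article
#    must be enabled, i.e. their Disabled attribute must not be True.
$mprFilter = "/ManagementPolicyRule[starts-with(DisplayName,'Group management: Group Administrators')]"
$mprs = Export-FIMConfig -Uri $uri -CustomConfig $mprFilter -OnlyBaseResources
foreach ($m in $mprs) {
    $attr  = Get-FimAttributes $m
    $state = if ($attr['Disabled'] -eq 'True') { 'DISABLED' } else { 'enabled' }
    Write-Output ("{0,-8} {1}" -f $state, $attr['DisplayName'])
}

# 2. The All Non-Administrators set filter must exclude Group Administrators; otherwise the
#    two "Validate requestor" workflow MPRs still apply to them and the request is denied.
$set = Export-FIMConfig -Uri $uri -CustomConfig "/Set[DisplayName='All Non-Administrators']" -OnlyBaseResources
if (-not $set) {
    Write-Warning "Set 'All Non-Administrators' not found; check the display name in the portal"
} else {
    $filter = (Get-FimAttributes $set)['Filter']
    Write-Output "All Non-Administrators filter: $filter"
    if ($filter -match 'Group Administrators') {
        Write-Output "OK: filter references the Group Administrators set"
    } else {
        Write-Warning "Filter does not exclude Group Administrators; expect Access Denied on add/remove member"
    }
}
```

The Filter attribute is returned as the set's XPath wrapped in XML, so a plain string match on the set name is enough to confirm that the criteria from step 8 to 10 were saved.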
 

ADDITIONAL INFORMATION

 

SEE ALSO