FIM Troubleshooting: Group Administrator gets Access Denied when attempting to Add/Remove a member from a group they do not own
OVERVIEW / PURPOSE
This article explains the problem, its cause, and the resolution when a Group Administrator receives an Access Denied error while attempting to add or remove a member of a group that they do not own.
PROBLEM STATEMENT
You are attempting to set up the FIM Portal so that Group Administrators can add or remove members of groups that they do not own. When you test the process, the request fails with an Access Denied error.
You click [Details] to see more information about the error and notice that the Request Workflow Remarks field gives a more detailed message:
Request Workflow Remarks: The request included members which the requestor is not authorized to add and/or remove from this group.
CAUSE
This happens because the request triggers an Authorization Workflow that is attached to one of two Management Policy Rules (MPRs), depending on whether the request adds or removes a member:
- Group management workflow: Validate requestor on add member to open group
- Group management workflow: Validate requestor on remove member
If you inspect these MPRs you will see that the Requestor is the All Non-Administrators set. That set contains every FIM user who is not a FIM Administrator, which includes Group Administrators. Because a Group Administrator is in the Requestor set, the MPR applies to their Add/Remove Member request, the Authorization Workflow runs, validates the requestor against the group, and rejects the request with the Request Workflow Remarks shown above.
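The following PowerShell script is an added diagnostic and is not part of the original article. It uses the FIMAutomation snap-in (installed with the FIM Service client tools) to show which set each of the two MPRs uses as its Requestor, dump the membership filter of the All Non-Administrators set, and check whether a given Group Administrator is currently a computed member of that set. The FIM Service URL and the test account name are assumptions you must replace with your own values.

```powershell
# Added diagnostic script (not from the original article).
# Assumptions (not from the article):
#   - the FIMAutomation snap-in is installed on this machine
#   - $fimUri is your FIM Service endpoint
#   - $testUser is the AccountName of a Group Administrator you are testing with
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

$fimUri   = "http://fimservice.example.com:5725"   # assumption: your FIM Service URL
$testUser = "gadmin01"                             # assumption: a Group Administrator account

# Export the resources matching an XPath filter and convert them to PSObjects
function Get-FimObject {
    param([Parameter(Mandatory=$true)][string]$XPath)
    $export = Export-FIMConfig -Uri $fimUri -CustomConfig $XPath -OnlyBaseResources
    if ($export) { $export | Convert-FimExportToPSObject } else { @() }
}

# The two MPRs named in this article that bind the Authorization Workflow
$mprNames = @(
    "Group management workflow: Validate requestor on add member to open group",
    "Group management workflow: Validate requestor on remove member"
)

foreach ($name in $mprNames) {
    $mpr = Get-FimObject "/ManagementPolicyRule[DisplayName='$name']"
    if (-not $mpr) { Write-Warning "MPR not found: $name"; continue }

    # PrincipalSet is the Requestor set of the MPR;
    # AuthorizationWorkflowDefinition is the workflow the MPR fires
    $requestor = Get-FimObject "/Set[ObjectID='$($mpr.PrincipalSet)']"
    Write-Host "MPR      : $name"
    Write-Host "Requestor: $($requestor.DisplayName)"
    Write-Host "Disabled : $($mpr.Disabled)"
    Write-Host "AuthZ WF : $($mpr.AuthorizationWorkflowDefinition)"
    Write-Host ""
}

# The membership filter of All Non-Administrators. This filter is what the
# resolution changes so that Group Administrators fall outside the Requestor
# set of both MPRs.
$set = Get-FimObject "/Set[DisplayName='All Non-Administrators']"
Write-Host "All Non-Administrators filter:"
Write-Host $set.Filter
Write-Host ""

# Is the test user currently a computed member of the set? If so, both MPRs
# apply to the user's Add/Remove Member requests and the workflow will run.
$member = Get-FimObject "/Set[DisplayName='All Non-Administrators']/ComputedMember[AccountName='$testUser']"
if ($member) {
    Write-Host "$testUser IS in All Non-Administrators: the validation workflow runs and denies the request."
} else {
    Write-Host "$testUser is NOT in All Non-Administrators: these two MPRs no longer apply to this user."
}
```

Run the script before and after changing the set: the last line should flip from "IS in" to "is NOT in" for your Group Administrator accounts once the set no longer includes them, while ordinary users remain members so the validation workflow still protects groups from them.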
RESOLUTION
To resolve the issue, update the All Non-Administrators set so that Group Administrators are no longer members of it; the two MPRs above then no longer apply to their requests, and the Authorization Workflow does not run. You can find the steps to do this here.