FIM 2010 R2 BHold: How to create and use Supervisor Role

 


Introduction

A supervisor role is a special role in BHold. It allows users who have this role to view other BHold objects, and if given appropriate permissions, they can modify those objects. In this post, we are interested in two things:

  • How to allow a user with a supervisor role to manage other users' roles?
  • How to allow a user to delegate his supervisor role?

For more information about the supervisor role, please visit the following link: http://technet.microsoft.com/en-us/library/jj134937%28v=ws.10%29.aspx#svrolesperms


Creating a Supervisor Role

When BHold Core is installed, a default supervisor role is created and linked to all Organizational Units. You can also create your own supervisor roles, depending on your implementation. The link above has some recommendations from Microsoft regarding supervisor roles. To create a supervisor role, log in to BHold Core Components and follow these steps:

  1. On the left hand side, click on Roles

  2. Click on Add

    http://2.bp.blogspot.com/-nwoQYyi7W6M/UxCnHag3qMI/AAAAAAAAAHs/0nLMj2P-9Yw/s1600/NewBHoldRole.png

  3. Fill in the Description, and check the box for supervisor role

    http://1.bp.blogspot.com/-WLkSSXpV8J0/UxCn6ilGGPI/AAAAAAAAAH0/1L7ksEz5ErY/s1600/NewBHoldRole2.png

    As mentioned earlier, the default supervisor role can manage all objects, so by default it will be linked to the object we are creating.

  4. Click OK


Linking Supervisor Roles to Organizational Units

We would like to allow Ellen (our test user) to manage other users. Right now, using the self-service portal, she can only request roles for herself and view her own roles.

http://3.bp.blogspot.com/-YZ8dpMoSA-o/UxCpYRi6rwI/AAAAAAAAAIA/-l5hFBm82fE/s1600/BHoldNormalUser.png

Below are the steps you can take to allow Ellen to manage other users' roles:

  1. Create a new OU named "MySupervisorOU" under the root

    http://3.bp.blogspot.com/-hX9J51ZfTiE/UxCshlR3pSI/AAAAAAAAAI0/z_2_al8HHSw/s1600/BholdNewOU.png

  2. After the OU has been created, expand Roles, and click Modify

    http://2.bp.blogspot.com/-6OY6NqjEY_A/UxCsgsQNvvI/AAAAAAAAAIg/_l-_coZdJDA/s1600/BHoldLinkRole.png

  3. Search for, and add "MyFirstSupervisor" to "MySupervisorOU"

    http://4.bp.blogspot.com/-Jod0QAGHFTs/UxCshaSaiKI/AAAAAAAAAIw/Dy-oVnext1A/s1600/BHoldSearchRole.png

  4. Click Add to proceed

    http://2.bp.blogspot.com/-8BDbVwLr_kI/UxCshHOLurI/AAAAAAAAAJI/crOUpebQPdY/s1600/BHoldLinkRoleAsEffective.png

  5. Expand Users, and click Modify to add Ellen to this OU, which will automatically give her the "MyFirstSupervisor" role

    http://1.bp.blogspot.com/-bua2RueihZ0/UxCsgjbgz2I/AAAAAAAAAIs/urot3ALtN1I/s1600/BHoldAddUserToOU.png

    http://4.bp.blogspot.com/-N2nfUtaae8k/UxCsgnhR9AI/AAAAAAAAAIY/FoqDXc8F-NA/s1600/BHoldAddUserToOU2.png

  6. Select the OU(s) that "MyFirstSupervisor" will manage. For that, I created another OU called "TheSupervisedOU", and I will add "MyFirstSupervisor" to it

    http://4.bp.blogspot.com/-ENHUDhL9-rE/UxCuIDVsXaI/AAAAAAAAAJQ/wD7ciQnguBE/s1600/BHoldSupervisedOU.png

Now, Ellen will see a new tab called "Manage Users", and she should be able to add/revoke roles for those users.

http://2.bp.blogspot.com/-_DpnlQ30p2o/UxCshuOPJPI/AAAAAAAAAJE/BBiu16ZyP_g/s1600/BHoldSupervisorView.png


Allow users to delegate their supervisor role

Delegation means assigning a user's role to someone else so that they can perform that user's job. In the example above, we linked "MyFirstSupervisor" to "MySupervisorOU" as an effective role; therefore, Ellen will not be able to delegate it.

To allow delegation, we need to change the link between "MyFirstSupervisor" and "MySupervisorOU" to be proposed. We have to go back to steps 3 and 4 above, remove "MyFirstSupervisor", and add it again. This time, however, we will choose to link it as proposed.

http://1.bp.blogspot.com/-4kY74Igy2uI/UxCwcftCnUI/AAAAAAAAAJc/m31eqYD6bW4/s1600/BHoldLinkRoleAsProposed.png

After you click Add, you should be able to expand the roles and activate it.

http://2.bp.blogspot.com/-gKobepQPdm0/UxCw0oCa3BI/AAAAAAAAAJk/uRLiYN08SAc/s1600/BHoldActivateRoles.png

 

Now, Ellen should be able to go to the self-service portal and delegate the role to someone else. As a result, whoever she delegates the role to should be able to add/revoke roles for the users in "TheSupervisedOU".

http://2.bp.blogspot.com/-WI7hdepvbnE/UxCw0pbw2oI/AAAAAAAAAJw/o4ahk8jozvw/s1600/BHoldDelegateARole.png