Allow a Set member to add members of a group just from another Set
Hello, how would I achieve this, if at all possible: some users have "Department = Sales". I have created a set called "Sales Managers" which contains some users (not necessarily with the Sales department; they can be outside). I have created a group called "Sales project A" for which the "Sales Managers" can change all attributes. This actually means that they can change the group's membership as well. I would like to restrict the "Sales Managers" so that they can only add new members which have "Department = Sales". Thank you very much. ondrej.
October 7th, 2010 2:09pm

Hi There, I have to admit, this is a complete swag but from a theoretical perspective it would appear to be valid. Try a "request MPR" with a configuration like:

Type -> Request
Requestors -> Sales Managers Set (all the managers you would like to have adding the users to the group)
Operation Type -> Add/Delete multivalued object members
Before Set -> All Sales People (set of people where department = sales)
After Set -> Managed Group of People (set of people who are members of the group the managers are allowed to add members to)
Selected Attributes -> Manually-managed membership

Thanks B
October 7th, 2010 7:13pm

I don't believe this will work. The operation must be performed against group resources. The action parameter is ExplicitMember, therefore the before and after sets must define group resources, not person resources. The correct approach, I'm sorry to say, is an AuthZ WF activity that does something like this (for example):

- Takes an XPath that defines permitted resources.
- Takes the name of the attribute in question, e.g. ExplicitMember.
- Inspects the request parameters (of the current request) for add operations against that attribute.
- Performs the input XPath and validates whether or not the references defined in the request are present in the EnumerateResourcesActivity result set.
- Throws an exception if not.
October 7th, 2010 10:01pm
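
The check outlined in the reply above, as an added example that is not part of the thread and is not FIM's own code. It assumes the request parameters have already been parsed and the permitted-resources XPath already enumerated into a set of IDs; `AttributeChange`, `ChangeMode` and `MembershipAddGuard` are hypothetical names, and the XPath in the comment is an assumed filter.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

public enum ChangeMode { Add, Remove }

// Hypothetical stand-in for one parsed parameter of the current request.
public sealed class AttributeChange
{
    public string Attribute;   // e.g. "ExplicitMember"
    public ChangeMode Mode;
    public Guid Reference;     // resource the change points at
}

public static class MembershipAddGuard
{
    // permitted: IDs returned by running the permitted-resources XPath.
    // Throws when the request adds a reference outside that result set.
    public static void Validate(IEnumerable<AttributeChange> changes,
                                string attribute, ICollection<Guid> permitted)
    {
        if (permitted == null)   // enumeration failed or was skipped: fail closed
            throw new UnauthorizedAccessException("Permitted set unavailable.");
        // Only add operations against the named attribute are checked;
        // removals and changes to other attributes pass through untouched.
        List<Guid> denied = changes
            .Where(c => c.Mode == ChangeMode.Add &&
                        string.Equals(c.Attribute, attribute, StringComparison.OrdinalIgnoreCase))
            .Select(c => c.Reference)
            .Where(id => !permitted.Contains(id))
            .Distinct()
            .ToList();
        if (denied.Count > 0)
            throw new UnauthorizedAccessException("Not permitted as " + attribute + ": " +
                string.Join(", ", denied.Select(d => d.ToString()).ToArray()));
    }
}

public static class Demo
{
    public static void Main()
    {
        Guid sales = Guid.NewGuid(), other = Guid.NewGuid();   // constructed sample IDs
        var permitted = new HashSet<Guid> { sales };   // assumed XPath: /Person[Department = 'Sales']
        var request = new List<AttributeChange> {
            new AttributeChange { Attribute = "ExplicitMember", Mode = ChangeMode.Add, Reference = sales },
            new AttributeChange { Attribute = "ExplicitMember", Mode = ChangeMode.Remove, Reference = other },
            new AttributeChange { Attribute = "ExplicitMember", Mode = ChangeMode.Add, Reference = other }
        };
        try { MembershipAddGuard.Validate(request, "ExplicitMember", permitted); }
        catch (UnauthorizedAccessException ex) { Console.WriteLine("Denied: " + ex.Message); }
    }
}
```

The sample request is denied only because of its third entry: the add of a permitted person and the removal of a non-permitted one both pass.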

Yep, reread it and it was bad swag... The concept is sound but getting it so it can look at the group resource is not really valid. There is no change on the actual person object. Although the MPR captures the transition, it doesn't actually monitor the correct attribute in the group object as it is looking at person object. I should drink coffee whilst writing these things... slow me down a bit. :) Thanks for the correction. B
October 7th, 2010 10:09pm

Thank you! You mean that the AuthZ WF would have to be custom developed? ondrej.
October 8th, 2010 11:03am

This topic is archived. No further replies will be accepted.
