Creating a Set of all Group Owners
I would like to create a set of all group owners so that I can enable only those users to see the "Security Groups" navigation and home page components without having to manage that manually. Can anyone think of how to do this?
August 13th, 2010 6:02pm

Here's an XPath query that works through the web service, but it won't let me manually add it to the filter through the GUI.
/Person[ObjectID = /Group/Owner]
Maybe someone else has an idea on how to do that.
Mark
Mark Creekmore - Blue Chip Consulting Group
August 13th, 2010 6:49pm

The key to how to do this is NOT via a set definition, but by setting up a GRANTS RIGHTS (read access) MPR to Security Group objects using the "Relative To Resource" field on the second tab of the MPR (i.e. instead of say "All People" specify "Owner"). That should be all you need to do ...
Bob Bradley, www.unifysolutions.net (FIMBob?)
December 14th, 2010 11:25am

The key to how to do this is NOT via a set definition, but by setting up a GRANTS RIGHTS (read access) MPR to Security Group objects using the "Relative To Resource" field on the second tab of the MPR (i.e. instead of say "All People" specify "Owner"). That should be all you need to do ...
Bob Bradley, www.unifysolutions.net (FIMBob?)
Hi,
It does not seem to do the trick. In our case Group Managers can only see the groups they own if we use in "Requestors and operators" Specific Set of Requestors and assign "static" set into it. If we put Owner as the value to the "Relative to resource" resource picker, Group Managers cannot see any groups.
BR, Snendis
January 13th, 2011 6:13am

When you set the "Relative to resource" attribute to "Owner", and your BEFORE set to say "All groups with owners" ... a better option than "All groups", so you can set up rights to a static set of "All groups with no owner specified" to take care of the others ... then as long as you've got the READ check box selected this will definitely work. Bob Bradley, www.unifysolutions.net (FIMBob?)
January 13th, 2011 8:02am

When you set the "Relative to resource" attribute to "Owner", and your BEFORE set to say "All groups with owners" ... a better option than "All groups", so you can set up rights to a static set of "All groups with no owner specified" to take care of the others ... then as long as you've got the READ check box selected this will definitely work.
Bob Bradley, www.unifysolutions.net (FIMBob?)
Hi,
Sorry, I'm kinda lost here. Could you iterate this scenario a bit more? I'm not sure about all the steps that need to be configured, because we didn't manage to get this working.
BR, -Snendis
January 13th, 2011 9:16am

A bit hard for me as I don't have a FIM instance to refer to, but first you will need to create a set "All groups with owners specified" (or a name to that effect) with the xpath as follows (you can use * as owners can be individuals or groups):
/Group[Owner = /*]
Then from memory the MPR looks like this (numbers representing the top tabs from left to right):
1. Enter name/desc and select the default "request" based option
2. Select the "Relative to resource" option and enter Owner as your attribute, and select the "Grants Rights" checkbox
3. Specify the set "All groups with owners specified" for both the BEFORE and AFTER set, and turn on ALL the checkboxes applicable (basically READ plus any other rights you wish to grant)
4. No need to specify any workflows
5. Submit
Try that.
Bob Bradley, www.unifysolutions.net (FIMBob?)
January 13th, 2011 9:28am

A bit hard for me as I don't have a FIM instance to refer to, but first you will need to create a set "All groups with owners specified" (or a name to that effect) with the xpath as follows (you can use * as owners can be individuals or groups):
/Group[Owner = /*]
Hi,
I tried to create this kind of set but I couldn't find the way to do it. I even tried to open Advanced View of the set and write that into "Filter" section, but Edit Set failed. Seems there is a lot to study on the FIM side. :)
BR, -Snendis
January 13th, 2011 10:15am

A bit hard for me as I don't have a FIM instance to refer to, but first you will need to create a set "All groups with owners specified" (or a name to that effect) with the xpath as follows (you can use * as owners can be individuals or groups):
/Group[Owner = /*]
Hi,
I tried to create this kind of set but I couldn't find the way to do it. I even tried to open Advanced View of the set and write that into "Filter" section, but Edit Set failed. Seems there is a lot to study on the FIM side. :)
BR, -Snendis
Hi,
You obviously are talking about Search Scopes. :) We made multiple tests unsuccessfully. One we used was like this:
/Group [Type='Security' and (Owner='%LoginID%' or Owner=/Group[ComputedMember ='%LoginID%'])]
We also tried to define this "/Group[Owner = /*]" to My Security Groups/My SG Memberships search scopes and then create MPR using Requestor as "relative to resource", but user can't see any groups after that modification, only when "specific set of requestors" is selected. One thing I need to say is that we have two customized views, one for Group Managers and one for End Users. The MPR we are creating is targeted on Group Managers. This configuration brings extra troubles for defining all the settings correctly. Thanks for your assistance so far!
BR, -Snendis
January 13th, 2011 10:53am

No - I am NOT talking about creating a search scope - definitely a set. The "/Group[Owner = /*]" xpath is definitely a valid set definition. Yes - you appear to have much to learn, but this particular bit isn't really an advanced idea. Again, I'm not looking at a FIM instance right now, and I believe that this xpath will "visualize" for you when you subsequently edit the definition. However, for now, build your set like this:
1. Create a new set with the display name "All groups with owners specified" and click Next
2. Select the object class as "group" and click Finish/Submit
3. Locate and edit the set definition which you have just created, and click on the Advanced button
4. Click on the second tab and locate the Filter attribute ... the xpath embedded in the Filter xml should look like this: "/Group"
5. Change the xpath to "/Group[Owner = /*]" and hit Save/Submit.
6. Presuming the save works, edit the set definition again and click on the second tab ... and see how the xpath definition is "visualized" ... something like "all groups matching ALL the following conditions ... Owner in All Resources"
Good luck - didn't digest your comments about "views", but stick to the task at hand and you should have some success.
Bob Bradley, www.unifysolutions.net (FIMBob?)
January 13th, 2011 11:47am

If you still have trouble saving your set definition, look up the GUID for the "All Resources" set and then try saving the following set definition instead:
/Group[Owner = /Set[ObjectID = 'xxx...xxxx']/ComputedMember]
Note that the 'xxx...xxxx' is my crude representation of your guid. This will definitely work ... I have a feeling that the /* (which means the same thing) may not - welcome to the frustrations of xpath that is valid for search scopes but not sets or groups :(.
Bob Bradley, www.unifysolutions.net (FIMBob?)
January 13th, 2011 11:53am
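
Added example, not part of the original thread or any poster's code: a PowerShell script that looks up the set's GUID, runs the thread's two XPath queries through the web service so the resulting owners can be reviewed before rights are granted, and prints the Filter XML to paste into the set. It assumes the FIMAutomation snap-in is installed, the service is at the default local endpoint, and a set with the display name used in the thread exists; the helper function and variable names are hypothetical.

```powershell
# Added example. Assumes the FIMAutomation snap-in and read access to the FIM Service.
Add-PSSnapin FIMAutomation -ErrorAction Stop

$uri     = 'http://localhost:5725/ResourceManagementService'  # assumed endpoint
$setName = 'All Resources'                                    # set name as given in the thread

function Get-FimResource([string]$XPath) {
    # One ExportObject per resource matching the XPath; references are not expanded.
    @(Export-FIMConfig -Uri $uri -OnlyBaseResources -CustomConfig $XPath)
}

function Get-FimAttribute($ExportObject, [string]$Name) {
    ($ExportObject.ResourceManagementObject.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq $Name }).Value
}

# 1. Resolve the set's ObjectID; the service returns it as 'urn:uuid:<guid>'.
$set = Get-FimResource "/Set[DisplayName = '$setName']"
if ($set.Count -ne 1) { throw "Expected one set named '$setName', found $($set.Count)" }
$guid = $set[0].ResourceManagementObject.ObjectIdentifier -replace '^urn:uuid:', ''

# 2. The two XPath expressions from the thread, with the GUID filled in.
$ownedGroups = "/Group[Owner = /Set[ObjectID = '$guid']/ComputedMember]"
$groupOwners = '/Person[ObjectID = /Group/Owner]'

# 3. Run both through the web service and review who would receive rights.
$groups = Get-FimResource $ownedGroups
$owners = Get-FimResource $groupOwners
"Groups with an owner: $($groups.Count)"
"Person owners:        $($owners.Count)"
$owners | ForEach-Object { Get-FimAttribute $_ 'AccountName' } | Sort-Object

# 4. Filter XML for the set's Filter attribute (Advanced View, second tab).
$filter = '<Filter xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ' +
          'xmlns:xsd="http://www.w3.org/2001/XMLSchema" ' +
          'Dialect="http://schemas.microsoft.com/2006/11/XPathFilterDialect" ' +
          'xmlns="http://schemas.xmlsoap.org/ws/2004/09/enumeration">' +
          $ownedGroups + '</Filter>'
$filter
```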

If you still have trouble saving your set definition, look up the GUID for the "All Resources" set and then try saving the following set definition instead:
/Group[Owner = /Set[ObjectID = 'xxx...xxxx']/ComputedMember]
Note that the 'xxx...xxxx' is my crude representation of your guid. This will definitely work ... I have a feeling that the /* (which means the same thing) may not - welcome to the frustrations of xpath that is valid for search scopes but not sets or groups :(.
Bob Bradley, www.unifysolutions.net (FIMBob?)
Hi,
The reason I started to play with Search Scopes putting xpaths there, was because I wasn't able to save the definition you defined in steps 4 and 5, so I was in the track after your suggestion :) Thanks for this quoted advice, I'll definitely start looking at it.
BR, -Snendis
January 14th, 2011 2:00am

Cool - you should be able to build this set without having to resort to the advanced tab, but it's a bit hard to explain in terms other than xpath :)
Bob Bradley, www.unifysolutions.net (FIMBob?)
January 14th, 2011 2:34am

This topic is archived. No further replies will be accepted.
