FIM CM: Where do I set the enroll permission for different groups?
Hi all! I have a generic question about how (or rather where) to set permissions when different AD groups shall have access to different Profile Templates. Shall all users get permission at most of the permission locations in the above image through one big common FIMCM-group, but not "all the way" to enrollment? Or should I give the specific groups rights at several different locations? If it is the first case, where shall I restrict (i.e. not give permission) to others than the specific groups? In the Management Policy? On the Profile Template object? On the users/groups? On the certificate template? My guess is that you give everyone in a generic FIM Subscriber group enroll permissions everywhere except in the Management Policy. This way you only have to use the Portal to set permissions on a new Profile Template. But is it ok to give users enroll permission on a Profile Template Object when they shall not have permission to enroll from that Template (and only restrict it in the Management Policy)? I hope you understand my question?

Tom Aafloen, IT-security Consultant, Onevinn AB
January 12th, 2012 12:31pm

On Thu, 12 Jan 2012 09:31:56 +0000, Tom Aafloen wrote:

> But is it ok to give users enroll permission on a Profile Template Object when they shall not have permission to enroll from that Template (and only restrict it in the Management Policy)? I hope you understand my question?

The problem with doing it that way is that all profile templates will be visible to all users during the enrollment process and if the user selects a template which they don't have the permissions to use inside of the management policy, they'll get an error when they attempt to enroll against it. IMO it is a much better practice to not even let them see a profile template if they are not going to be allowed to use it.

Paul Adare
MVP - Forefront Identity Manager
http://www.identit.ca
SCCS, the source motel! Programs check in and never check out! -- Ken Thompson
January 12th, 2012 2:58pm

This topic is archived. No further replies will be accepted.
