FIM Update 3 Dynamic group creation not enabled
I have upgraded FIM Update 2 to Update 3. When I tried to create a dynamic group as a user who is a member of a set with the privilege to create all Distribution Groups, I found that I was only able to create a static group. I followed the solution in the topic http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/475fe47a-61a3-4065-913c-c297b45557c4/ but it had no effect. The only solution I've found for the moment, and not the best, is to make my set a member of the set 'Group Administrators'. I have also searched for MPRs with the set 'Group Administrators' as requestor and changed it to 'All People' in the resulting MPR just for testing, but it doesn't work.
February 11th, 2010 1:56pm
Hi Michael,

Display of the membership condition is currently handled in the group code-behind. It is currently based on membership of the "Group Administrators" set. This cannot be configured. This is purely based on membership of that set.

Modifying the requestors of the Group Administrators related MPRs will lead to all people having Create\Read\Update\Delete permissions on any group in the system. So this should be avoided.

What are the issues you are encountering in implementing the second solution suggested in http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/475fe47a-61a3-4065-913c-c297b45557c4/?

Thanks,
Sri
February 11th, 2010 7:25pm
Hi Michael,

I'm not clear on what you're attempting to do. Are you attempting to delegate the ability for people to create groups by nesting the members of a Group into the Set used to define the requestors of your MPR, or do you simply want to be able to see which groups a user is a member of?

I took the path of creating my own Set and MPRs to delegate the control over DL management. The existing Create and Read MPRs for DLs I left disabled. The only members of my Group Administrators set are the members of the Administrators set.

Brad Turner, ILM MVP - Ensynch, Inc - www.identitychaos.com
February 11th, 2010 10:47pm
OK, I'll try to be more specific. My customer wants the people of his Managers Team to manage groups the following way:
- Managers Team can create static DGs
- Managers Team can modify the DisplayName, Owner, Displayed Owner and members of existing DGs
- Managers Team can create Dynamic Security Groups and completely manage them

So, in Update 2, all I had to do was to create an MPR that gives the Managers Team rights to create DGs, another MPR for the rights to modify the selected attributes and a last MPR to create and modify SGs.

After installation of Update 3, the Managers Team is no longer able to create dynamic groups of any kind. What I don't understand is that in the preconfigured MPRs in FIM, there are only 3 MPRs with Group Administrators as the requestor. If I change these MPRs and make another set the requestor, it should work, but it doesn't do the trick. Only adding the Managers Team to Group Administrators seems to work. But in my case, this is not a valid way.
February 12th, 2010 12:09am
Michael,

Display of the control for selecting the membership type (Manual, Manager-based or criteria-based) is done by membership of the "Group Administrators" set. This cannot be configured.

You can do the following:
a. Create a set which is similar to the current "Group Administrators" set and call it, say, "Group Policy Administrators"
b. Edit the requestors set of the 2 current Group Administrators based MPRs to the newly created set "Group Policy Administrators":
   i. Group management: Group administrators can create and delete group resources
   ii. Group management: Group administrators can update group resources
c. Create an MPR "Creating Dynamic Groups MPR" with "Group Administrators" as requestors, Create as Operation, the All Dynamic Groups set as Target Resource Definition After Request and all attributes as resource attributes
d. Create an MPR "Owners in Group Administrators can edit Dynamic Groups MPR" with owner as requestor, Modify as operation, the All Groups set as Target Resource Definition Before Request and Target Resource Definition After Request, and Filter and MembershipLocked as resource attributes
e. Now add the members of the manager team to the "Group Administrators" set.

- Sri
February 12th, 2010 1:55am
Thanks for your reply Sri, but as I said in my first question, I have already followed the steps you describe. However, I notice in your step c that you create an MPR with "Group Administrators" as the requestor. In fact, you use "Group Administrators" to store, in my case, the Managers Team persons. I'll give it another try tomorrow and give feedback.
February 12th, 2010 2:58am
OK, I have tried exactly the way you describe, Sri, and it works now. So in Update 3, group management is really deeply tied to the Group Administrators set. I wonder if it will still be the case in RTM. Anyway, thanks guys for your help.
February 12th, 2010 11:05am
Glad that it works! My intention with the changes in step 'c' is necessary, as otherwise in your case the whole manager team would have rights on every group in the system to perform create, delete and update, which is not desirable for security purposes. This will be the behaviour for RTM as well.

Thanks,
Sri
February 12th, 2010 7:14pm
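An added audit script (not from this thread or from the FIM product) that checks the point Sri raises in step c and in his last reply: after the MPR changes, list which set is the requestor of every enabled rights-granting MPR that targets groups, and flag any whose requestor has become "All People". It assumes the FIMAutomation snap-in is installed, that the service URI, the attribute names (PrincipalSet, ResourceCurrentSet, ResourceFinalSet, GrantRight, Disabled, ActionType) and the "urn:uuid:" reference format are as recalled here, and that set display names match the ones in the thread.

```powershell
# Assumption: FIMAutomation snap-in is present and the caller may read Sets and MPRs.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue
$uri = "http://localhost:5725/ResourceManagementService"   # assumed FIM Service URI

# Read one attribute (single or multi-valued) from an ExportObject
function Get-AttrValue($exportObj, $name) {
    $attr = $exportObj.ResourceManagementObject.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq $name }
    if ($null -eq $attr) { return $null }
    if ($attr.IsMultiValue) { return $attr.Values } else { return $attr.Value }
}

# Export only the base Set and MPR resources (no referenced objects)
$sets = Export-FIMConfig -Uri $uri -OnlyBaseResources -CustomConfig "/Set"
$mprs = Export-FIMConfig -Uri $uri -OnlyBaseResources -CustomConfig "/ManagementPolicyRule"

# Map Set reference (urn:uuid:...) -> DisplayName so MPR references become readable
$setName = @{}
foreach ($s in $sets) {
    $setName[$s.ResourceManagementObject.ObjectIdentifier] = Get-AttrValue $s "DisplayName"
}
function Resolve-Set($ref) {
    if ($null -eq $ref) { return "(none)" }
    if ($setName.ContainsKey($ref)) { return $setName[$ref] } else { return $ref }
}

# Report enabled, rights-granting MPRs whose target set name mentions groups
foreach ($m in $mprs) {
    if ([string](Get-AttrValue $m "Disabled") -eq "True") { continue }
    if ([string](Get-AttrValue $m "GrantRight") -ne "True") { continue }
    $requestor = Resolve-Set (Get-AttrValue $m "PrincipalSet")
    $before    = Resolve-Set (Get-AttrValue $m "ResourceCurrentSet")
    $after     = Resolve-Set (Get-AttrValue $m "ResourceFinalSet")
    if (($before + $after) -notmatch "Group") { continue }
    $ops  = (Get-AttrValue $m "ActionType") -join ","
    $flag = if ($requestor -eq "All People") { "  <-- everyone granted rights" } else { "" }
    "{0}`n  requestor: {1}`n  ops: {2}`n  target: {3} -> {4}{5}" -f `
        (Get-AttrValue $m "DisplayName"), $requestor, $ops, $before, $after, $flag
}
```

Run it once before and once after repointing the Group Administrators MPRs; the requestor column should show "Group Policy Administrators" on the two edited MPRs and never "All People" on a group-targeting MPR.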