Grant access to help desk users to add members to distribution and security groups
Hello, I am trying to create a set of help desk users that has full access to add or remove members from distribution and security groups as well as update users. We want it to bypass owner approval and essentially allow this group to add or remove members in the FIM Portal and flow it down to ADS. This obviously works fine if one is a member of the Administrators set, but we want a second tier of power users with limited rights compared to FIM Admins. We have added the help desk team to the Security Group Users and Group Users set as well as the MPR "Security group management: Users can read selected attributes of group resources". The help desk users can update users in the Portal with no issue. They can search groups with no issue, but when they try to add members to a group they get the error "Access Denied". Any help is greatly appreciated. Thanks!
March 16th, 2011 4:52am

You should create new MPRs for this function, particularly as you don't want the approval workflow to be called.
http://www.wapshere.com/missmiis
March 16th, 2011 9:18pm

Thanks Carol. Here is what I have done based on your suggestion, but I am still getting the same access denied error message, which is "The request included members which the requestor is not authorized to add and/or remove from this group".

1. Create new MPR
2. Policy Disabled is NOT checked
3. Specific Set of Requestors = "My_Company_HelpDesk"
4. Operation = Delete Resource, Add/Remove value from multivalued attribute, and Modify a single-valued attribute
5. Grant Permissions = Checked
6. Target Resource Definition Before Request = All Security Groups
7. Target Resource Definition After Request = All Security Groups
8. Resource Attributes = All Attributes
9. Policy Workflows = Authentication Workflows (Password Reset and System Workflow appear but are not checked)
10. No Authorization Workflows selected

On the plus side, the sample help desk user can update the group description without issue. I will research the manually added members attribute to see if I can find a difference. Thanks again!
March 16th, 2011 10:22pm

That does sound correct to me. Is the error still access denied? Have a look in the "Forefront Identity Manager" Application event log and see what errors are logged at the time the operation is attempted. The other thing to do is to look at the Request object (in Search Requests) and confirm you are seeing the expected MPR on the Applied Policy tab.
http://www.wapshere.com/missmiis
April 4th, 2011 3:48pm
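As an added example that is not code from this thread, from its posters, or from FIM itself: the MPR described in the steps above can be created with the FIMAutomation snap-in instead of clicking through the Portal, and the Request objects Carol refers to can be pulled back the same way to confirm which MPRs were applied. This version narrows the grant to the ExplicitMember attribute with Add and Remove only, which is the least-privilege form of what the help desk needs; the steps above granted All Attributes plus Delete Resource, and the thread does not show a reason the help desk needs those. The service URI, the test account name "hd.tester", and the helper names are assumptions; the set names "My_Company_HelpDesk" and "All Security Groups" are taken from the thread.

```powershell
# Added example (not from the thread or FIM): create a request MPR that grants a
# help-desk set Add/Remove on ExplicitMember of security groups, then summarise the
# help-desk tester's recent Requests with status and applied MPRs.
# Assumptions: FIMAutomation snap-in installed on this host; FIM Service URI below;
# set display names as used in the thread; PowerShell 2.0-compatible syntax.

if (-not (Get-PSSnapin -Name FIMAutomation -ErrorAction SilentlyContinue)) {
    Add-PSSnapin FIMAutomation
}
$uri = "http://localhost:5725/ResourceManagementService"   # assumption: FIM Service here

# Resolve one resource's ObjectID by XPath (GUID string, "urn:uuid:" prefix removed).
function Get-FimObjectId([string]$xpath) {
    $obj = Export-FIMConfig -Uri $uri -OnlyBaseResources -CustomConfig $xpath
    if (-not $obj) { throw "No object matched: $xpath" }
    return $obj.ResourceManagementObject.ObjectIdentifier -replace '^urn:uuid:', ''
}

# Build one attribute change for Import-FIMConfig.
# "Replace" for single-valued attributes, "Add" to append to multi-valued ones.
function New-FimImportChange([string]$name, $value, [string]$op = "Replace") {
    $change = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
    $change.Operation      = $op
    $change.AttributeName  = $name
    $change.AttributeValue = $value
    $change.FullyResolved  = 1
    $change.Locale         = "Invariant"
    return $change
}

$helpDeskSet  = Get-FimObjectId "/Set[DisplayName='My_Company_HelpDesk']"
$secGroupsSet = Get-FimObjectId "/Set[DisplayName='All Security Groups']"

$mpr = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
$mpr.ObjectType             = "ManagementPolicyRule"
$mpr.SourceObjectIdentifier = [Guid]::NewGuid().ToString()
$mpr.TargetObjectIdentifier = $mpr.SourceObjectIdentifier
$mpr.State                  = "Create"
$mpr.Changes = @(
    (New-FimImportChange "DisplayName" "Help desk: add and remove members of security groups"),
    (New-FimImportChange "ManagementPolicyRuleType" "Request"),
    (New-FimImportChange "GrantRight" "True"),          # a grant MPR, no auth workflows attached
    (New-FimImportChange "Disabled" "False"),
    (New-FimImportChange "PrincipalSet" $helpDeskSet),  # requestors
    (New-FimImportChange "ResourceCurrentSet" $secGroupsSet),   # target before request
    (New-FimImportChange "ResourceFinalSet" $secGroupsSet),     # target after request
    # Least privilege: only the membership attribute, only Add and Remove on it.
    (New-FimImportChange "ActionParameter" "ExplicitMember" "Add"),
    (New-FimImportChange "ActionType" "Add" "Add"),
    (New-FimImportChange "ActionType" "Remove" "Add")
)
$mpr | Import-FIMConfig -Uri $uri

# Verification: the "Applied Policy" tab of a Request is its ManagementPolicy attribute.
# Returns one object per Request the account created in the last $hours hours.
function Get-FimRequestSummary([string]$accountName, [int]$hours = 1) {
    $since = (Get-Date).ToUniversalTime().AddHours(-$hours).ToString("yyyy-MM-ddTHH:mm:ss")
    $xpath = "/Request[Creator=/Person[AccountName='$accountName'] and CreatedTime > '$since']"
    Export-FIMConfig -Uri $uri -OnlyBaseResources -CustomConfig $xpath | ForEach-Object {
        $attrs = @{}
        foreach ($a in $_.ResourceManagementObject.ResourceManagementAttributes) {
            $attrs[$a.AttributeName] = if ($a.IsMultiValue) { $a.Values } else { $a.Value }
        }
        New-Object PSObject -Property @{
            Created     = $attrs["CreatedTime"]
            Operation   = $attrs["Operation"]
            Status      = $attrs["RequestStatus"]
            Detail      = $attrs["RequestStatusDetail"]
            AppliedMprs = (@($attrs["ManagementPolicy"]) -join ", ")
        }
    }
}

Get-FimRequestSummary -accountName "hd.tester" | Format-Table Created, Operation, Status, AppliedMprs -AutoSize
```

Run the summary right after the help-desk tester attempts the add or remove in the Portal. AppliedMprs lists MPR references by "urn:uuid:..." identifier; resolve each with Get-FimObjectId-style XPath on /ManagementPolicyRule[ObjectID='...'] if you want display names. A denied request whose applied-policy list contains the new grant MPR means the rights check passed and the denial came from elsewhere; a later reply in this thread attributes the "members which the requestor is not authorized" message to the default "Group management workflow" MPR, so look for that entry in the list as well.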

Same problem :( I want to delegate to some technical support users the ability to join other users to a group, but I can only configure a user joining a group themselves. When joining another user I get the error: "The request included members which the requestor is not authorized to add and/or remove from this group." How can I configure an MPR to allow users to join other users to groups?
August 30th, 2011 11:38am

I collected more information about the problem:

1. Create an SG with manual membership and owner approval. Technical support users can successfully add group members, and the approval process starts. Everything works! But:
2. Create an SG with manual membership and 'Any user can become a member of the group'. Technical support users get the error "The request included members which the requestor is not authorized to add and/or remove from this group." when adding another user to the group. When technical support users add themselves as members, everything works!

Any solutions?
August 31st, 2011 4:49am

I'm having a very similar problem. I have users with delegated rights to modify group membership only. A user can add someone to a group and it works fine, but when the same user tries to remove a user from a group (even if this is the same user who was added a minute ago) he gets Access Denied: "The request included members which the requestor is not authorized to add and/or remove from this group." It is caused by the default MPR "Group management workflow: Validate requestor on remove member". The question is how this activity validates this request. Any insight?
September 11th, 2011 6:04am

