Hi All, I am trying to get a manger own a dynamically created security group and also being able to administrate this group from his own portal login/view. So far I have: - Created the security group ( used the manager choice) and assigned the manger as the owner. - Logged in as the manager to the portal - Played around a bit with the security group MPRs. The problem I have is that I can't even see the security group when i log on as the manger. Any suggestions would be welcome and if this is a simple and allready solved problem I would appreciate a link to the solution. Thanks //Patrik

Hi Patrik! To solve this you'll have to... 1. Add your Manager to a set, lets call it the ManagerSet. 2. Add the group to a set, lets call it the GroupSet. 3. Create an MPR with the following settings: Display Name: Grant manager right to security group Grants permission: True Requestors: ManagerSet (Requestors = the ones that are granted rights here) Operation: This depends on what you want your manager to be able to do to the group but lets say he/she should only be able to add or remove members to groups in the GroupSet then select Add and Remove values to multi-valued attributes on the group. Target Resource Definition Before: GroupSet (This is the set before any operations are made on the group) Target Resource Definition After: GroupSet (This is the set after any operations are made on the group - the same set) Resource attributes: If you only want him to be able to add/remove members then select the "Manually-managed membership" (Explicit member) attribute here. If you want the manager to be able to edit single-valued attributes, add modify as operation and select all or any of the attributes available on groups as Resource attributes. Edit: There is a possibility to simply enable the MPR called: Security group management: "Owners can update and delete groups they own" //Henrik Henrik Nilsson Blog: http://www.idmcrisis.com Company: Cortego (http://www.cortego.se)

Henrik,Just curious, can you set a criteria such that anyone who isan owner of a security group may edit the group in FIM?Thanks.Anu

Anu, Check out the "Owners can update and delete groups they own" MPR and you'll see how... It pretty simple just use the Owner attribute as a relative to resource requestor. Henrik Nilsson Blog: http://www.idmcrisis.com Company: Cortego (http://www.cortego.se)

Hi Henrik, Thank you for your quick reply. I have tried: "Edit: There is a possibility to simply enable the MPR called: Security group management: "Owners can update and delete groups they own"" before and I am sure it gives the manager some administrative capabilities but it is hard to use them since there seems to be no link on his portal page to any group management, only the usual distribution lists. I will try your suggestion but I'm not convinced that it will give me the gui possibility I need. I am using an altered scenario with an AD and a HR file as in the getting started section on technet. And I am after the same thing as anu mentioned, Basically reflecting the organizations authorization capabilities into the it resources. So it would seem like that MPR would be a perfect fit. //Patrik

Ok... So there's no "My SG's" in the navigation bar either?Henrik Nilsson Blog: http://www.idmcrisis.com Company: Cortego (http://www.cortego.se)

I suddenly remember that non admin users might need the value "BasicUI" as usage keyword in the navbar item and homepage resource item in order for them to be visible, this could solve your problem if the links are not available on the portal. //Henrik Henrik Nilsson Blog: http://www.idmcrisis.com Company: Cortego (http://www.cortego.se)

Yes that is correct, No SG's are visable when I log on as the manager

From that I gather that I need to do some research into what the navbar and homepage resource items are and try that out.

It's not that advanced... Navbar items are the links found on the left side of the portal home page and homepage resources the links in the main frame of the portal... You can find them directly under Administration (when logged in as admin). All you need to do is to add the word BasicUI to the usage keyword multi-value textbox for the "link". //HenrikHenrik Nilsson Blog: http://www.idmcrisis.com Company: Cortego (http://www.cortego.se)

Ok, I have now tried to apply all links with BasicUI and that yielded views of security groups but they where empty and had no possibility of searching, ergo I can still not find my managers group when logged on as him. I have also tried your suggested MPR and applied a MPR that lets users see other users. The result is still pretty much the same, I have a (manager based) security group SG1 which can be administrated by the administrator but not by the owner. //Patrik

I forgot about the Search scope... http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/4efaeac9-af3c-4694-9a6e-e2644892a80d/ 1) Navigate to "Administration" page 2) Click "Search Scopes" and add BasicUI in the usage keyword list for following search scopes - All Security Groups, My Security Groups, My SG Memberships Edit: Since I found the link I recommend you to use that and skip the MPR I suggested... Henrik Nilsson Blog: http://www.idmcrisis.com Company: Cortego (http://www.cortego.se)

Thank you, That did it. To bad that the group is a dynamic so removing/adding members won't work but the result i wanted was to have a report of sorts of which resources a manager is responsible for in an it environment so he/she/it can compare it to "reality". So I am pleased so far, ty again Henrik.