I'm trying to create a set of "All Managers". Using the FIM Query Tool, I use the XPath Filter "/Person/Manager" which seems to return the correct results. However, when I try to enter that into the filter attribute of the set, it gives me a "Request Failed". Any Ideas?

I haven't found the exact query to help yet. I am interested myself because there should be an easy way to do this.. I have had alot of companies in the past need something like this. Not being able to do it... is not an option. I did find out today that if you do a custom XPath Filter, there is a bug that will make the transitionIN mpr not work.. So use a normal mpr instead and it should work, once you get the filter working. Based upon here:http://msdn.microsoft.com/en-us/library/ff393652.aspx You should be able to do: /Person[Manager = /Person] I know when I tested, it gave me the access denied error, that usually means the query is incorrect. I'll try somethings to get it worked out and report back. HTH Joe Stepongzi - Identity Management Consultant - ILM MVP - www.microsoftIdM.com,ilmXframework.codeplex.com

Thanks for your response Joe. According to Nima in this thread , "Filters used in Sets and Groups cannot contain a location path expression (xpath starting with '/') as the right-hand term in an equality expression, except when referencing the ComputedMember of a Set or Group resource." which is probably the cause of the access denied error.

That would likely do it.. Not really sure why they didn't add that.. Should be there. Going to have to see if there is another way possible.Joe Stepongzi - Identity Management Consultant - ILM MVP - www.microsoftIdM.com,ilmXframework.codeplex.com

I think it was allowed originally, but was removed for the sake of performance.

To get around this problem, I created a custom workflow activity which updates the membership of the All Managers set whenever the manager of anyone changes. I would consider this a workaround, and probably not the best solution, but it works nonetheless.

What has changed is killing me, I have ran into quite a bit of this and really extends the time I have to put in to workaround the issue. The workflow activity is definitely a good idea and seems to be answer for many workarounds needed. When I get sometime this weekend, I will see if I can figure out another way. Great Topic by the way.Joe Stepongzi - Identity Management Consultant - ILM MVP - www.microsoftIdM.com,ilmXframework.codeplex.com

I found that the technet document on Designing Business Policy Rules http://technet.microsoft.com/en-us/library/ff356871(WS.10).aspx explains it (I too am disappointed with some of the limitations): Understanding set limitations This section covers unsupported filter definitions and set transition limitations for system resources. Unsupported filter definitions Double negation in set filters is unsupported. If a filter contains any condition of the form not(Attribute != Value) (for example, /Person[not(DisplayName != ‘value’)], an exception is returned notifying the client that the server cannot process the filter as requested, and that the use of double negation is unsupported. Multiple conditions nested inside a not() statement in set filters is unsupported. If a filter contains multiple conditions inside a not() statement, the filter will be rejected. For example: /Person[not(JobTitle = ‘Developer’ or JobTitle = ‘Tester’)] The creation of filters that reference the membership of a temporal set is not supported. If a set/group filter is created with a filter that dynamically nests a temporal set, the request is rejected with the following error message: “A temporal set cannot be dynamically nested in other sets.” The creation of filters in temporal sets that reference the membership of other sets is not supported. If a set/group filter is created with a Datetime-based filter condition, the set’s filter is not permitted to reference the membership of other sets. The creation of filters that include relational conditions based on multivalued Datetime or multivalued Integer attributes is not supported. If a set/group filter is created with a filter that contains a relational condition on a multivalued Datetime or integer, the request is rejected with the following error message: “Relational conditions cannot be defined on multivalued DateTime and multivalued Integer attributes in a set filter.” The unsupported operators consist of: >, >=, <, <= The creation of filters that include the != operator with a multivalued attributes is not supported. Such a condition is not supported by the FIM 2010 xpath filter dialect. The contains() xpath function is not supported in set filters. Multiple location steps are not supported, except when referencing the membership of a set. The following filter is unsupported in sets: /Person/Manager. The following filter is supported, because the multiple levels of dereferencing is to reference the membership of a set: /Person[Manager = /Set[ObjectID = ‘7CF6B5A3-01B2-45d3-8337-5EB521DDA08D’]/ComputedMember] Sets cannot reference the membership of Group resources. The following filter is not supported: /Person[Manager = /Group[ObjectID = ‘7CF6B5A3-01B2-45d3-8337-5EB521DDA08D’]/ComputedMember]. David Lundell www.ilmBestPractices.com