Users can't see Membership selection when creating a new Group after I have installed FIM 2010 Update 3
We are deploying FIM 2010 in production for a customer and everything was running like a charm with FIM 2010 RC1 with Update 2. We did a lot of work regarding group management in the portal:
1) Creating a new attribute and adding it to the group creation wizard through RCDC
2) Creating approval workflow and Management Policy Rules (MPR) for group creation, deletion, joining and leaving

And as I said, everything was working perfectly until I installed FIM 2010 Update 3.

For some reason, when I want to create a new group with a normal user I can't see Membership Selection, where you select if the group is Manual, Manager-Based or Criteria-Based. That happens with both Security Groups and Distribution Lists. Also, when creating a Distribution List I can't see the Scope attributes even for the administrator account, and it assumes that it's a Universal group.

Yet with this issue I can still request to create groups and get approval.

I tried to create new MPRs and change the current one to give users permissions to read and create, but without any result. So what I did in that case was just add some users to the Group Administrators Set, and I was able to see the Member Selection Attribute.

So what is happening in this case? Is it a new FIM Group Management Architecture, or should I do something after installing Update 3?

Thanks in advance for any help
Eihab Isaac
February 2nd, 2010 6:57am

Hi Eihab,

The behaviour you are observing with respect to the "Membership Locked" control is the configuration change which went in Update 3 to constrain permissions for creation of dynamic groups. Users should be part of the "Group Administrators" set to be able to create dynamic groups.

With regards to the Scope attributes for Distribution Group, this control is never exposed for Dynamic Group, and by default all Distribution Groups created have universal scope. The Group Validation workflow ensures that Distribution Lists always have Universal scope.

Thanks,
Sri
February 2nd, 2010 8:44am

Sri,

Is there any way to adjust such default behaviors? We architect a solution to give all users the right to create groups, with such requests going through an approval process. I try to find where Group Administrators were given the right to create criteria-based groups but was not able to.

Thanks
Issam Andoni
February 2nd, 2010 3:35pm

Hi Issam,

Permissions to view/update the MembershipLocked control are controlled by the Group Code behind, which is not exposed. This control's visibility is based on "Group Administrators" set membership. The purpose of this functionality is to prevent untrained users from creating dynamic groups which may potentially include all users and groups in the system (which may have an impact on performance based on the number of such groups created).

If you want to enable this functionality for all end users, you can achieve this in 2 ways:

1) Add all users to the "Group Administrators" set. But this will give all users permissions to Create\Edit\Delete any group in the system.

2) Follow the following steps:
   a. Create a set which is similar to the current "Group Administrators" set and call it, say, "Group Policy Administrators".
   b. Edit the current Group Administrators based 2 MPRs' requestors set to the newly created set, "Group Policy Administrators":
      i. Group management: Group administrators can create and delete group resources
      ii. Group management: Group administrators can update group resources
   c. Create an MPR "Creating Dynamic Groups MPR" with "Group Administrators" as requestors, Create as Operation, All Dynamic Groups set as Target Resource Definition After Request and all attributes as resource attributes.
   d. Create an MPR "Owners in Group Administrators can edit Dynamic Groups MPR" with owner as requestor, modify as operation, All groups set as Target Resource Definition Before Request and Target Resource Definition After Request, Filter and MembershipLocked as resource attributes.
   e. Now add all users to the "Group Administrators" set.

In the second approach all users will be able to create dynamic groups and edit only groups which they own. Per your requirements you can attach an approval WF to the creation MPR.

Let me know if this is helpful.

Thanks,
Sri
February 3rd, 2010 12:55am
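
A simplified model of the two options in the reply above, added here as an illustration; it is not code from the thread and not FIM's own evaluation logic. It reports which MPR, if any, grants a request under each configuration. The user names, the `allowed` and `builtin` helpers, and the "All Groups" target on the two existing MPRs are assumptions.

```python
from dataclasses import dataclass

ALL = "*"  # shorthand for "all attributes"

@dataclass(frozen=True)
class MPR:
    name: str
    requestor: str   # a set name, or "owner" (requestor relative to the resource)
    ops: frozenset
    target: str      # "All Groups" or "All Dynamic Groups"
    attrs: frozenset

def allowed(mprs, sets, user, op, group, attr):
    """Return the names of the MPRs that grant `user` this request."""
    hits = []
    for m in mprs:
        is_requestor = (user == group["owner"] if m.requestor == "owner"
                        else user in sets.get(m.requestor, set()))
        in_target = m.target == "All Groups" or group["dynamic"]
        if (is_requestor and op in m.ops and in_target
                and (ALL in m.attrs or attr in m.attrs)):
            hits.append(m.name)
    return hits

def builtin(requestor_set):
    # The two existing MPRs named in step b; the "All Groups" target is assumed.
    return [MPR("Group management: Group administrators can create and delete group resources",
                requestor_set, frozenset({"create", "delete"}), "All Groups", frozenset({ALL})),
            MPR("Group management: Group administrators can update group resources",
                requestor_set, frozenset({"modify"}), "All Groups", frozenset({ALL}))]

# Option 1: existing MPRs unchanged, every user added to "Group Administrators".
OPTION_1 = builtin("Group Administrators")
# Option 2: steps a-e of the reply.
OPTION_2 = builtin("Group Policy Administrators") + [
    MPR("Creating Dynamic Groups MPR", "Group Administrators",
        frozenset({"create"}), "All Dynamic Groups", frozenset({ALL})),
    MPR("Owners in Group Administrators can edit Dynamic Groups MPR", "owner",
        frozenset({"modify"}), "All Groups", frozenset({"Filter", "MembershipLocked"}))]

# Constructed sample data: two ordinary users and one policy administrator.
SETS = {"Group Administrators": {"alice", "bob"},
        "Group Policy Administrators": {"fimadmin"}}
ALICE_GROUP = {"owner": "alice", "dynamic": True}

if __name__ == "__main__":
    for label, mprs in (("option 1", OPTION_1), ("option 2", OPTION_2)):
        for user in ("alice", "bob", "fimadmin"):
            print(label, user, allowed(mprs, SETS, user, "modify", ALICE_GROUP, "Filter"))
```

In this model, option 1 lets bob modify and delete alice's group, while option 2 leaves him only the create grant and restricts alice's owner grant to Filter and MembershipLocked.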
