Assign edit permission to multiple admins dynamically

I have multiple franchises (>200) in my FIM environment. Each franchise can have multiple admins (User objects) and, obviously, multiple users.

Now I want to allow the franchise admins of a particular franchise to edit each and every user under that franchise. E.g. suppose there is a franchise "California" which has two admins (say A and B) and five users (say C, D, E, F and G). I want admins (A and B) to be allowed to edit users (C, D, E, F and G).

I know I can create two sets (one holding the franchise admins and another holding the franchise users) and then create a request MPR which allows the admin set to edit the users in the franchise user set. This is for a single franchise. In my case there are 200 franchises, which means 400 sets and 200 MPRs.

Can someone please suggest another neat approach or workaround?

April 1st, 2014 1:06pm

I can't think of a workaround for this.

Perhaps use PowerShell to bulk create your sets and MPRs. If your sets can be criteria based then even better: you can define the criteria directly as an XPath filter and let PowerShell create it for you.

April 1st, 2014 5:19pm

Yeah, it can be done through PowerShell, but that seems like not a good solution. Can someone from Microsoft provide a neat approach?
April 2nd, 2014 12:26am

Another way could be a new authorization workflow, which would check if the requestor has the same value of the attribute as the target user does. If so, it would allow the workflow to continue; otherwise, it would throw an exception (and the requestor would see an "Access is denied" error on the Portal, with additional data if added in the workflow).

This could be realized via custom activities for FIMService.

April 2nd, 2014 1:50am

Hello,

You can also achieve that by using only one MPR for the right, if you use "Relative to Resource" to define the requestor on the MPR.

You have to create:

  • A new multivalued reference attribute on the Person object to save your admins A and B on users C, D, E, F and G.
  • A new object type for your franchises
  • A custom activity to set the Admin on the user when you change the "franchise" on the user
  • A custom activity to set the Admin on the users when you change the Admin on the franchise object
  • Optional: a PowerShell script to daily reevaluate the Admin on users

This solution is good if you want all admins to have the same rights on users; if you want to give different rights, you need to create more MPRs and target sets per franchise.

Regards,

April 2nd, 2014 5:25am
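The optional daily reevaluation script from the list above, as an added example that is not code from the thread or from Sylvain. It assumes a custom object type named "Franchise" carrying a multivalued reference attribute "FranchiseAdmin", a single-valued reference "Franchise" on Person pointing at it, and a multivalued reference "FranchiseAdmin" on Person that the MPR uses as its "Relative to Resource" requestor; all of those names are assumptions, and the cmdlets and object model are those of the FIMAutomation snap-in on the FIM Service server.

```powershell
# Added example: reconcile Person.FranchiseAdmin with the admins of the user's franchise.
# Attribute and object type names (Franchise, FranchiseAdmin) are assumptions.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

function Get-AttrValues($resource, $name) {
    # Returns the attribute's value(s) as an array of "urn:uuid:<guid>" strings (empty if unset).
    $attr = $resource.ResourceManagementAttributes | Where-Object { $_.AttributeName -eq $name }
    if ($attr -eq $null) { return @() }
    if ($attr.IsMultiValue) { return @($attr.Values) } else { return @($attr.Value) }
}

function New-Change($operation, $referenceId) {
    # One Add/Delete change on the multivalued FranchiseAdmin reference of a Person.
    $c = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
    $c.Operation = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportOperation]::$operation
    $c.AttributeName = "FranchiseAdmin"
    $c.AttributeValue = $referenceId -replace "^urn:uuid:", ""   # import wants the bare GUID
    $c.FullyResolved = 1
    $c.Locale = "Invariant"
    return $c
}

# Load every franchise once and index its current admin list by ObjectID.
$franchiseAdmins = @{}
Export-FIMConfig -OnlyBaseResources -CustomConfig "/Franchise" | ForEach-Object {
    $r = $_.ResourceManagementObject
    $franchiseAdmins[$r.ObjectIdentifier] = Get-AttrValues $r "FranchiseAdmin"
}

# Walk all users; skip those without a franchise, fix those whose admin list drifted.
Export-FIMConfig -OnlyBaseResources -CustomConfig "/Person" | ForEach-Object {
    $user = $_.ResourceManagementObject
    $franchiseId = (Get-AttrValues $user "Franchise") | Select-Object -First 1
    if (-not $franchiseId) { return }
    $desired = @($franchiseAdmins[$franchiseId])
    $current = @(Get-AttrValues $user "FranchiseAdmin")

    $toAdd    = @($desired | Where-Object { $current -notcontains $_ })
    $toRemove = @($current | Where-Object { $desired -notcontains $_ })
    if ($toAdd.Count -eq 0 -and $toRemove.Count -eq 0) { return }   # already in sync

    $import = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
    $import.ObjectType = "Person"
    $import.TargetObjectIdentifier = $user.ObjectIdentifier
    $import.SourceObjectIdentifier = $user.ObjectIdentifier
    $import.State = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportState]::Put
    $import.Changes = @(
        foreach ($id in $toAdd)    { New-Change "Add"    $id }
        foreach ($id in $toRemove) { New-Change "Delete" $id }
    )
    $import | Import-FIMConfig   # one Put request per drifted user, none for users in sync
}
```

Because only drifted users generate a request, the job is cheap on a quiet day and its request history doubles as an audit trail of who gained or lost admin reach over which users.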

Thanks Sylvain for your reply. Let me try your approach.
April 2nd, 2014 6:29am

Worked perfectly. Used a multivalued reference attribute, an MPR (Relative to Resource) and scheduled a PowerShell script to reevaluate the Admin on users.
April 2nd, 2014 7:50am
