Cannot Create Criteria-Based Sets

I cannot create criteria-based sets in either of my FIM Environments.  In production I get a permissions error even though I am a member of the Administrators set.

In the development environment we get the following detailed error description

Error processing your request: The operation was rejected because of access control policies.
Reason: The supplied request content violates system rules.
Attributes:
Correlation Id: c949132e-75a0-474c-9534-de4d1154b39b
Request Id: a7c43448-548b-4fec-a950-fb6c9584596d
Details: The Request contains changes that violate system constraints.

I have looked through everything to do with the sets and Attribute Filters and all seem to be in order.  I have seen similar items before, but they were related to SPNs and AppPool permissions, which are not the case here.  Anything that can be done to point me in the correct direction is greatly appreciated.

Thanks,

DW

June 8th, 2015 6:46pm

David,

The criteria you are using for your filter definition... if you are including a custom attribute, did you add it to the administrative filter configuration? This is located under All Resources->Filter Permission->Administrator Filter Permission.

June 8th, 2015 11:36pm

  • Proposed as answer by Nosh Mernacaj Tuesday, June 09, 2015 3:56 PM

In addition to Glenn's question, can you provide us with the criteria you are trying to implement?

/Peter

June 9th, 2015 6:58am

David,

The criteria you are using for your filter definition... if you are including a custom attribute, did you add it to the administrative filter configuration? This is located under All Resources->Filter Permission->Administrator Filter Permission.


All custom attributes have been added to the Administrator Filter Permission.  I am only trying the attributes "Domain" = customerdomain and "FirstName" = David in my testing to eliminate custom attribute issues.  Great questions, hope that they get you closer.
June 9th, 2015 9:34am

If you have done what my colleagues suggested,

You need to update the MPR "Administration: Administrators can read attributes of users" (the name of this MPR may be slightly different, please check the syntax, because I don't have FIM in front of me and I don't remember the exact name).  Basically, this MPR allows administrators to read the attributes of users. Since your attribute is a custom one, it is most likely not included in the read access for admins.

In the attribute list, select the 2 attributes you need. Most likely Firstname is in there, customDomain ma

June 9th, 2015 11:09am

Second, your DEV and PROD are not the same.
CAREFUL: It is not recommended to have DEV and PROD with different configurations, in case you need to migrate from DEV to PROD.
June 9th, 2015 11:12am

My bad, Domain is not custom. But I am not sure it is included, though.

Another thing, please do an IISreset because the filter change may not have applied. (NOTE: This is technically not required, but at times it happens)

June 9th, 2015 12:16pm

Just occurred to me, you may not have access to create SETS.

Create a new MPR, where you allow Administrators full access to "All Objects" on all attributes.  That will take care of all your issues with access.

June 9th, 2015 12:22pm

I assume you will try the other suggestions tomorrow then, and I don't see why it will not work anymore if you have done all of the above.
June 9th, 2015 4:21pm

All suggestions have been tried.  I am going to dig into SharePoint and see if maybe it is the culprit.  I can create sets with manual members; only sets with criteria-based members give me this problem.
June 10th, 2015 10:53am

Did you do any restore recently or have any issues?

Can you copy the XOML of an existing SET (Criteria based) and apply it to this set?

I am inclined to say that you have a DB issue.

June 10th, 2015 12:31pm

1. I would say, try rebooting (Maybe you have already done so)

2. Can you check if the DB Permissions are Ok on the service accounts?

3. Delete and recreate the MPR I mentioned above (Admins have access to all)

June 10th, 2015 1:21pm

One of the general workflows had a couple of AuthN workflows enabled (which should not have been).  After disabling the AuthN workflows (related to password reset) I was able to create sets again.  Posting the answer so that hopefully someone else will figure out to look there.

June 12th, 2015 9:42am
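
One way to check for the condition described in the last post, as an added example that is not part of the original thread: it lists enabled Management Policy Rules that have an authentication (AuthN) workflow attached, so each one can be reviewed. It assumes the FIMAutomation snap-in is installed and that the FIM Service is reachable at the default local endpoint; `Get-AttrValues` is a helper defined here for illustration.

```powershell
# Added example: audit MPRs for attached authentication (AuthN) workflows.
# Assumption: run on a host with the FIMAutomation snap-in, by an account
# allowed to read ManagementPolicyRule resources.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

# Assumed default FIM Service endpoint; change for your environment.
$uri = 'http://localhost:5725/ResourceManagementService'

function Get-AttrValues($resource, [string]$name) {
    # Return all values of the named attribute, single- or multi-valued.
    $attr = $resource.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq $name }
    if (-not $attr) { return @() }
    if ($attr.IsMultiValue) { return @($attr.Values) }
    return @($attr.Value)
}

# Export every MPR without following references, then filter client-side.
$mprs = Export-FIMConfig -Uri $uri -OnlyBaseResources -CustomConfig '/ManagementPolicyRule'

$mprs | ForEach-Object {
    $r = $_.ResourceManagementObject

    # Unset attributes are absent or empty; drop empty values.
    $authN    = @(Get-AttrValues $r 'AuthenticationWorkflowDefinition' | Where-Object { $_ })
    $disabled = @(Get-AttrValues $r 'Disabled') -contains 'True'

    # Report only enabled MPRs that reference at least one AuthN workflow.
    if ($authN.Count -gt 0 -and -not $disabled) {
        New-Object PSObject -Property @{
            DisplayName   = (@(Get-AttrValues $r 'DisplayName') -join '')
            ActionType    = (@(Get-AttrValues $r 'ActionType') -join ',')
            AuthNWorkflow = ($authN -join ',')
        }
    }
} | Format-Table DisplayName, ActionType, AuthNWorkflow -AutoSize
```

An MPR in this list whose ActionType includes Create or Modify and whose scope covers Set resources is a candidate for the behaviour described above; the AuthNWorkflow column holds the workflow's resource reference, which can be looked up in the portal.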

This topic is archived. No further replies will be accepted.
