FIM Portal Internal Error

I've configured my portal to have a set of HR users. HR users can access the portal, create users and modify certain attributes of existing Contractors and Staff.

To do this I created some MPRs and search scopes. I log in as an HR user, click Users and can successfully create a new user. However, if I search for existing users using the default All Users search scope, or using my All Contractors and All Staff search scopes, the portal returns:

An internal error occurred and your request cannot be processed. Please contact your system
administrator.

Usual objectSid, Domain, AccountName are in place. Am I missing something simple?

Thanks

August 5th, 2015 11:49am

Create a request MPR that grants all access to administrators and applied set is a
August 5th, 2015 12:30pm

To administrators or to my HR staff?
August 5th, 2015 12:59pm

Depends who "I" is.  Who is searching, HR personnel or Admin.  If HR, you may want to grant them access, but not full.  So we have to be a little more granular here.

Check the Search Scope access https://technet.microsoft.com/en-us/library/ff393653(v=ws.10).aspx#bkmk_search

August 5th, 2015 1:02pm

Thanks. That's exactly what I've done - I've created several MPRs which grant HR the ability to modify/read some attributes and read only other attributes. I've ensured HR can read every attribute returned in the search scope results but receive this error for some reason - are there particular attributes I am required to give them to search users?
August 5th, 2015 1:05pm

You need to grant them access to the search scope All Users. See this: https://technet.microsoft.com/en-us/library/ff393653(v=ws.10).aspx#bkmk_search
August 5th, 2015 1:08pm

To clarify, you have granted access to the users object, but not to the Search Scope object.
August 5th, 2015 1:26pm

Understood, thank you. I will be back at work tomorrow and will give it a go then and report back :). Thanks again for your help Nosh
August 5th, 2015 1:28pm

Anytime. This is fun stuff, isn't it?! :)
August 5th, 2015 1:29pm

I'm not so sure I was born to be a FIM whiz like you!!
August 5th, 2015 1:31pm

Neither was I, but I learned, so will you.

I am not sure about Whiz, but thanks.

August 5th, 2015 1:32pm

No such luck unfortunately.

I think the HR user already had access to the search scope as it appeared in the "Search within:" dropdown, but I created a new MPR which would definitely grant access, same error occurred.

I created another MPR which granted my HR staff the ability to read All Attributes of Staff and Contractors and now it works. It seems I must be missing a particular attribute required for users to view other users in a search.

This isn't vitally important right now so I'll let it lie but when I get some time I'll have a look at figuring out what the minimal requirements are. Thanks for your help :)

  • Marked as answer by FIM-EN 23 hours 4 minutes ago
August 6th, 2015 4:22am

First off, I am glad it is working for you, but with all due respect, this is not right.

You had assured us that the HR personnel had the rights to read the attributes through MPRs. The fact that you misled us does not grant you the right to mark your own answer correct.

Secondly, the new MPR may be giving them a lot more than they need (later this will be a problem), which is misleading to future people looking for answers to similar questions.

Remember, people depend on threads marked as answered.

August 6th, 2015 8:19am

Hi Nosh,

I appreciate that this is not the perfect answer but allowing them to read all attributes has fixed my problem.

The answer is that I was missing an attribute in the grant read MPR. I did not assure you that I had set the correct attributes in the read only; I said:

I've created several MPRs which grant HR the ability to modify/read some attributes and read only other attributes. I've ensured HR can read every attribute returned in the search scope results but receive this error for some reason

Evidently allowing them to read search scope attributes alone was not enough and something else (perhaps resource id? not sure) needed to be readable. Thus by creating an MPR to read all HR attributes of Staff and Contractors - the problem is solved. My answer is not a precise one but it is the answer.

August 6th, 2015 9:17am

Yes, ResourceID is a must. Not a maybe.  :)

August 6th, 2015 10:22am

Thanks - so do you think it's resource ID and everything in the search scope results that is required? If so then that's the answer.
August 6th, 2015 10:23am

I believe the All Users search scope grants access to everyone. So nothing was needed there. (The reason I had suggested to check the Search Scope was because (forgive me for bringing this up again) you had assured me the access to the user attributes was granted.)

I know that ResourceID is required. Period. 

Any additional attribute you want to grant access to, you need to explicitly add to the list in the MPR that grants access. 

The ResourceID is what allows you to search for the resource. Once the search returns something, then it is the MPR that decides which attributes you can see.

So here is the order of events.

1. When you search, the permission to Search Scope "All Users" is evaluated to see if you can perform the search. This is out of the box and usually granted to everyone. So that is OK.

2. Since the search returns something, then you need access to see that something, so the ResourceID is the unique identifier and you must have access to it, just to be able to see the items returned by the search scope

3. Now you open a user, then the MPR is evaluated to see what attributes you can see.

I hope this makes it cl

August 6th, 2015 10:29am

This topic is archived. No further replies will be accepted.
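
Added example, not part of the thread: a PowerShell check for the two conditions the last reply describes, flagging read-granting MPRs that omit ResourceID and ones that grant every attribute instead of a minimal list. The MPR names, the `$SearchColumns` list and both function names are assumptions made for illustration; the sample records are constructed.

```powershell
# Constructed sample MPR records (hypothetical names), shaped like flattened MPR resources.
$SampleMprs = @(
    [pscustomobject]@{ DisplayName = 'HR read: search columns only'
                       GrantRight = $true; ActionType = @('Read')
                       ActionParameter = @('DisplayName','AccountName','Domain') },
    [pscustomobject]@{ DisplayName = 'HR read: all attributes of Staff and Contractors'
                       GrantRight = $true; ActionType = @('Read')
                       ActionParameter = @('*') },
    [pscustomobject]@{ DisplayName = 'HR read: ResourceID plus search columns'
                       GrantRight = $true; ActionType = @('Read')
                       ActionParameter = @('ResourceID','DisplayName','AccountName') }
)

# Flatten one object returned by Export-FIMConfig (FIMAutomation snap-in) into a record.
function ConvertTo-MprRecord {
    param([Parameter(Mandatory)] $ExportObject)
    $rec = @{}
    foreach ($a in $ExportObject.ResourceManagementObject.ResourceManagementAttributes) {
        $rec[$a.AttributeName] = if ($a.IsMultiValue) { @($a.Values) } else { $a.Value }
    }
    [pscustomobject]$rec
}

function Test-ReadMpr {
    param(
        [Parameter(Mandatory)] $Mpr,
        # Attributes shown as search result columns (assumed list; adjust to your scope).
        [string[]] $SearchColumns = @('DisplayName','AccountName')
    )
    $finding = 'OK: ResourceID and search columns are readable'
    if ([string]$Mpr.GrantRight -ne 'True' -or $Mpr.ActionType -notcontains 'Read') {
        $finding = 'Not a read grant'
    } elseif ($Mpr.ActionParameter -contains '*') {
        $finding = 'Grants ALL attributes: works, but broader than the search needs'
    } elseif ($Mpr.ActionParameter -notcontains 'ResourceID') {
        $finding = 'ResourceID missing: returned resources cannot be read'
    } else {
        $missing = $SearchColumns | Where-Object { $Mpr.ActionParameter -notcontains $_ }
        if ($missing) { $finding = "Search columns missing: $($missing -join ', ')" }
    }
    [pscustomobject]@{ MPR = $Mpr.DisplayName; Finding = $finding }
}

$SampleMprs | ForEach-Object { Test-ReadMpr -Mpr $_ } | Format-Table -AutoSize
# Live use on the FIM Service server, after Add-PSSnapin FIMAutomation:
# Export-FIMConfig -OnlyBaseResources -CustomConfig '/ManagementPolicyRule' |
#     ForEach-Object { Test-ReadMpr -Mpr (ConvertTo-MprRecord $_) }
```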
