Grant access to help desk users to add members to distribution and security groups

Hello,

I am trying to create a set of help desk users that has full access to add or remove members from distribution and security groups as well as update users.  We want it to bypass owner approval and essentially allow this group to add or remove members in the FIM Portal and flow it down to ADS.

This obviously works fine if one is a member of the Administrators set, but we want a second tier of power users with limited rights compared to FIM Admins.  We have added the help desk team to the Security Group Users and Group Users set as well as MPR "Security group management: Users can read selected attributes of group resources".

The help desk users can update users in the Portal with no issue.  They can search groups with no issue, but when they try to add members to a group they get the error "Access Denied".

Any help is greatly appreciated.

Thanks!

March 16th, 2011 1:52am

You should create new MPRs for this function, particularly as you don't want the approval workflow to be called.
March 16th, 2011 6:18pm

Thanks Carol,

Here is what I have done based on your suggestion, but I am still getting the same access denied error message which is "The request included members which the requestor is not authorized to add and/or remove from this group"

1.  Create new MPR
2.  Policy Disabled is NOT checked
3.  Specific Set of Requestors="My_Company_HelpDesk"
4.  Operation=Delete Resource, Add/Remove value from multivalued attribute and modify a single-valued attribute
5.  Grant Permissions=Checked
6.  Target Resource Definition Before Request=All Security Groups
7.  Target Resource Definition After Request=All Security Groups
8.  Resource Attributes=All Attributes
9.  Policy Workflows=Authentication Workflows (Password Reset and System Workflow appear but are not checked)
10. No Authorization Workflows selected

On the plus side, the sample helpdesk user can update the group description without issue.  I will research the manually added members attribute to see if I can find a difference.

Thanks again!

March 16th, 2011 7:22pm

That does sound correct to me. Is the error still access denied? Have a look in the "Forefront Identity Manager" Application event log and see what errors are logged at the time the operation is attempted. The other thing to do is to look at the Request object (in Search Requests) and confirm you are seeing the expected MPR on the Applied Policy tab.
April 4th, 2011 12:48pm

same problem :(

I want to delegate to some technical support users the ability to join other users to a group,

but I can only configure joining a group for the user itself.

When I join another user I get the error:

"The request included members which the requestor is not authorized to add and/or remove from this group."

How can I configure an MPR to allow users to join other users to groups?

August 29th, 2011 3:11pm

I collected more information about the problem:

1. Create an SG with manual membership and owner approval. Technical support users can successfully add group membership, and the approval process starts! Everything works!

but!

2. Create an SG with manual membership and 'Any user can become a member of the group'. Technical support gets an error when adding another user to the group: "The request included members which the requestor is not authorized to add and/or remove from this group."

When technical support users add themselves as members, everything works!

any solutions?

August 30th, 2011 8:22am

I'm having a very similar problem - I have users with the delegated right to modify group membership only. A user can add someone to a group and it works fine, but when the same user tries to remove a user from a group (even if this is the same user who was added a minute ago) he gets Access Denied:

"The request included members which the requestor is not authorized to add and/or remove from this group."

It is caused by default MPR:

Group management workflow: Validate requestor on remove member

Question is how this activity validates this request - any insight?


September 9th, 2011 9:53am

Hi,

I know this is an old article but I wanted to post a resolution.

I resolved the issue by modifying the membership of the All Non-Administrators set to ensure that my helpdesk users are not in its scope. This will fix the issue when the workflow "Group management workflow: Validate requestor on add on open group" is run. This is because your helpdesk users are classified as non-administrators and the "General workflow: Filter attribute validation for non-administrators" MPR is being triggered.

So as long as your helpdesk users have rights over the group objects they will be able to add/remove members from groups.

JP

April 10th, 2015 12:33am
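One way to verify JP's resolution before touching the set, as an added example that is not from this thread: export the All Non-Administrators set with the FIMAutomation snap-in, print its filter, and ask the FIM Service whether a given help desk account is still a computed member. The service URI, the `Get-FimAttribute` helper and the sample account name `jdoe` are assumptions; the set name is the one the thread refers to.

```powershell
# Added example, not code from the thread. Assumes the FIMAutomation snap-in is
# installed (FIM Service host) and the caller may read Set and Person resources.
Add-PSSnapin FIMAutomation -ErrorAction Stop

$fimUri   = "http://localhost:5725/ResourceManagementService"  # assumed; adjust to your FIM Service
$helpDesk = "jdoe"                                               # constructed sample AccountName
$setName  = "All Non-Administrators"

# Helper (assumed, not a FIM cmdlet): read one attribute from an exported object.
function Get-FimAttribute($exportObject, [string]$name) {
    $attr = $exportObject.ResourceManagementObject.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq $name }
    if ($null -eq $attr) { return $null }
    if ($attr.IsMultiValue) { return $attr.Values } else { return $attr.Value }
}

# 1. Read the set's filter so you can see exactly who it is scoped to.
$set = Export-FIMConfig -Uri $fimUri -OnlyBaseResources `
    -CustomConfig "/Set[DisplayName='$setName']"
if ($null -eq $set) { throw "Set '$setName' not found" }
Write-Host "$setName filter:"
Write-Host (Get-FimAttribute $set 'Filter')

# 2. Let the service evaluate membership: is the help desk account computed into the set?
$hit = Export-FIMConfig -Uri $fimUri -OnlyBaseResources `
    -CustomConfig "/Person[AccountName='$helpDesk' and ObjectID = /Set[DisplayName='$setName']/ComputedMember]"
if ($hit) {
    Write-Host "$helpDesk is still in '$setName'; the non-administrator validation workflows will run on its group membership requests."
} else {
    Write-Host "$helpDesk is outside '$setName'; only the MPRs granting rights over group objects apply."
}
```

Re-run step 2 after changing the set's filter; the Applied Policy tab of a later Request should then no longer list the non-administrator validation MPR.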
