Owners of Security Groups to add/delete users

Hello,

I am trying to figure out a way where I can have owners of a security group add and delete users. I created a Management Policy Rule; I can do it this way, right?

July 8th, 2015 10:00am

I believe that is default behavior. Have you tested it?
July 8th, 2015 10:07am

I would have to test using a non-admin login, since I am an admin for my test server.
July 8th, 2015 10:17am

Not only that, the user has to be the owner of the group.
July 8th, 2015 11:42am

Nosh's belief is correct -- this is the default behavior for groups that are manually managed. Whether or not they require owner approval, any of the owners can modify the group membership.

1) users must have been imported into the Portal with their domain, accountname and objectSID attributes populated correctly

2) non-admin users must have been enabled for login

3) The user must be one of the owners of the group

4) the group must not be criteria based or manager based

There should be no need to change or create any MPRs (aside from those for user login) unless the default MPR for this was deleted or disabled.

July 16th, 2015 5:14pm

I actually tried this, and although the user can see the selection to delete or add a member, when you do it, it says access denied.
July 20th, 2015 2:14pm

Please send us some screenshots of this group, so we can find out where the disconnect is.

According to MS Literature, https://technet.microsoft.com/en-us/library/ee534915(v=ws.10).aspx

Owner and displayed owner: In FIM 2010, the owners of a group have the rights to make changes to the group; to delete it; and, if the group requires owner approval for joining, to approve requests to join the group. You can load-balance the management of distribution lists by assigning multiple owners, and, more importantly, you can ensure continuity in the management of the group if one of the owners leaves the organization or otherwise happens to no longer be an owner. However, because some external systems only support ownership of a group as single-valued, each group must have one of the owners designated as the Displayed owner so that ownership can be indicated correctly in those connected data sources that require Owner to be single-valued.

July 20th, 2015 2:22pm

This user is a non-admin and owns that security group, but when you click to remove the member it says access denied. 

July 21st, 2015 9:43am

2 things.

1. Is the user in both the Owner and Member tab?

2. Click on View Details and send the details. 

July 21st, 2015 9:56am

Yes, the user is both Owner and Member. This is the message I get when I click on View Details:
July 21st, 2015 11:41am

Have you made any changes to the Configuration, like migrated a configuration from another system?

Have you played with the MPRs at all? Has any change been made from the out-of-the-box installation to the MPRs?

Here are the options.

1. You have messed with the MPRs and now access is lost

I can't remember the names, but there are some MPRs that grant the access; look for something like "Security Group: Owner can manage their group" and make sure to enable it. Do the same for DLs.

2. You have found a bug.

July 21st, 2015 11:50am

Amreena,

Check on these two MPRs:

Security group management: Owners can update and delete groups they own

Distribution list management: Owners can update and delete groups they own

Are they disabled? If so enable them.

In looking at my lab I see these as disabled which I think could be the default with FIM 2010 R2.

July 21st, 2015 12:52pm

David, that was it! I had "Security group management: Owners can update and delete groups they own" disabled, so I enabled it. Now the owner is able to remove members. So by enabling this MPR I can remove and add, but the problem is I only want the Owner to be able to remove a member, not add any.
July 21st, 2015 1:13pm

For the 2 MPRs you enabled, do this.

1. Open to edit

2. Click the "Requestors and Operators" tab

3. Uncheck the box next to "Add a value to a multivalued attribute"

4. Submit and Save

July 21st, 2015 1:37pm
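As an added, read-only check that is not part of this thread: the snippet below uses the FIMAutomation snap-in's Export-FIMConfig cmdlet to pull the two MPRs named above by DisplayName and report whether each is enabled and which actions it still grants, so you can confirm that "Add a value to a multivalued attribute" really was removed. It assumes the snap-in is installed on the FIM Service host, the default MPR display names from the thread, and that the caller can read ManagementPolicyRule objects.

```powershell
# Added audit snippet (not from the thread). Assumes the FIMAutomation snap-in
# and the default MPR display names quoted in the thread.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

$mprNames = @(
    'Security group management: Owners can update and delete groups they own',
    'Distribution list management: Owners can update and delete groups they own'
)

function Get-OwnerMprState {
    param([string[]]$Names)
    foreach ($name in $Names) {
        # XPath lookup by DisplayName; -OnlyBaseResources skips referenced objects.
        $xpath  = "/ManagementPolicyRule[DisplayName='$name']"
        $export = Export-FIMConfig -OnlyBaseResources -CustomConfig $xpath
        if (-not $export) {
            Write-Warning "MPR not found (renamed or deleted?): $name"
            continue
        }
        $attrs = $export.ResourceManagementObject.ResourceManagementAttributes

        # 'Disabled' is single-valued; an unset value means the MPR is enabled.
        $disabled = ($attrs | Where-Object { $_.AttributeName -eq 'Disabled' }).Value
        # 'ActionType' is multi-valued: Create, Delete, Read, Add, Remove, Modify.
        # The portal's "Add a value to a multivalued attribute" box maps to 'Add',
        # "Remove a value from a multivalued attribute" maps to 'Remove'.
        $actions  = ($attrs | Where-Object { $_.AttributeName -eq 'ActionType' }).Values

        New-Object PSObject -Property @{
            DisplayName   = $name
            Enabled       = -not ($disabled -eq 'True')
            Actions       = ($actions -join ',')
            OwnersCanAdd  = [bool]($actions -contains 'Add')
            OwnersCanDrop = [bool]($actions -contains 'Remove')
        }
    }
}

# Flag the case the thread ends up wanting to avoid: owners still able to add members.
Get-OwnerMprState -Names $mprNames | ForEach-Object {
    if ($_.Enabled -and $_.OwnersCanAdd) {
        Write-Warning "$($_.DisplayName): enabled and still grants 'Add'"
    }
    $_ | Format-List DisplayName, Enabled, Actions, OwnersCanAdd, OwnersCanDrop
}
```

Run it once before and once after the steps above; the expected end state is Enabled = True, OwnersCanAdd = False, OwnersCanDrop = True for each MPR you edited.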

That worked; now it's set up exactly how I want it! Thank you all so much!
July 21st, 2015 3:12pm

Awesome. 

July 21st, 2015 3:25pm
