Provide FIM Portal access to a User (Group Owner) to search only the users who are members of that group in FIM portal.

Hi,

I am new to FIM. I have a requirement. Suppose a user in FIM is an owner of group A, and group A contains certain members. How can I delegate permissions to that group owner so that he can access the FIM portal and be able to view only the user accounts that are members of group A? He should be able to view the users who are not part of that group.

Is this possible? If so, please provide me the steps to give specific access to the group owner in order to view only the members in FIM portal.

Note: The owner and group members had an AD account, ObjectSID, and domain.

Thanks

Prasanthi.

March 5th, 2015 4:44am

Hello,

That is the point where you reach one of the limitations of the Portal.

To set the permissions for that scenario, the users must be in a set which reflects the members of a group.

There the limitation comes into play: you cannot have sets that are based on group membership, so the given scenario will not be possible.

A workaround could be to feed a set with manual membership by a custom activity each time a user is added to or removed from a group. Not a very neat solution, as you have to have a set for each group.

-Peter

March 5th, 2015 4:58am

Hi Peter,

Thanks for the reply... So, it will not be possible for a user to view/search only members of a group in FIM portal.

And, as you said, "A workaround could be to feed a set with manual membership by a custom activity each time a user is added to or removed from a group. Not a very neat solution, as you have to have a set for each group."

Could you please tell me in detail what needs to be done for this workaround to feed a set with manual membership?

Thanks 

Prasanthi.

March 5th, 2015 5:27am

Hello,

I've done something similar for group management some time ago; you can read my wiki article on that.

http://social.technet.microsoft.com/wiki/contents/articles/19615.fim-2010-r2-how-to-manage-group-membership-from-the-user-ui.aspx

With this solution I feed group membership with users when the user is added to a group via the user UI.

You can change this to add members to sets when a user is added on the group form.

It's based on a PowerShell activity with a sample script, so it should be easy to customize.

-Peter

March 5th, 2015 5:37am

Hi Peter,

Thank you.....

I have a doubt: in the wiki article, the members attribute is added to the user. Will this user be able to view only the groups that he is part of, or can he view all the groups present in FIM Portal?

Thanks 

Prasanthi.

March 5th, 2015 5:52am

Hello,

Yes, but I don't add an attribute "member" to the user object; instead, a reporting of the user's groups is done, as you can see in the RCDC XML. Users can see groups they belong to, like memberOf in AD. So not really an attribute but a calculation.

I then added the "FeederAttribute" so that Helpdesk is able to add the user to groups via the user UI, instead of going to the group UI.

You can use the feeder part of that solution to capture changes of adding/removing members to groups and feed the static members of a set via a PowerShell activity.

So with this you will have a set reflecting your groups and are able to use this in MPRs for permissions then.

-Peter

March 9th, 2015 4:35am
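
The workaround described in the replies above (keeping a set's manually-managed members in step with a group so the set can be used in an MPR) could look like the following. This is an added example, not part of the thread or of the linked wiki script; it assumes the FIMAutomation snap-in on the FIM Service host, and the service URI, the group name `Group A` and the set name `Members of Group A` are hypothetical values.

```powershell
# Added example, not from the thread. $Uri, $GroupName and $SetName are assumed values.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue
$Uri       = 'http://localhost:5725/ResourceManagementService'
$GroupName = 'Group A'
$SetName   = 'Members of Group A'
$ns        = 'Microsoft.ResourceManagement.Automation.ObjectModel'

function Get-FimResource([string]$Filter) {
    # Export exactly one resource by XPath filter; stop on zero or several matches.
    $found = @(Export-FIMConfig -Uri $Uri -OnlyBaseResources -CustomConfig $Filter)
    if ($found.Count -ne 1) { throw "Expected 1 match for $Filter, got $($found.Count)" }
    $found[0].ResourceManagementObject
}

function Get-ExplicitMembers($Resource) {
    # Reference values are 'urn:uuid:<guid>' strings; the attribute is absent when empty.
    $attr = $Resource.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq 'ExplicitMember' }
    if ($attr) { $attr.Values }
}

function New-MemberChange([string]$Operation, [string]$MemberId) {
    $change = New-Object "$ns.ImportChange"
    $change.Operation      = $Operation        # 'Add' or 'Delete' (ImportOperation)
    $change.AttributeName  = 'ExplicitMember'
    $change.AttributeValue = $MemberId
    $change.FullyResolved  = 1
    $change.Locale         = 'Invariant'
    $change
}

$group = Get-FimResource "/Group[DisplayName='$GroupName']"
$set   = Get-FimResource "/Set[DisplayName='$SetName']"
$groupMembers = @(Get-ExplicitMembers $group)
$setMembers   = @(Get-ExplicitMembers $set)

# Diff both ways so removals from the group also revoke visibility through the set.
$changes  = @($groupMembers | Where-Object { $setMembers -notcontains $_ } |
    ForEach-Object { New-MemberChange 'Add' $_ })
$changes += @($setMembers | Where-Object { $groupMembers -notcontains $_ } |
    ForEach-Object { New-MemberChange 'Delete' $_ })

if ($changes.Count -gt 0) {
    $import = New-Object "$ns.ImportObject"
    $import.ObjectType             = 'Set'
    $import.SourceObjectIdentifier = $set.ObjectIdentifier
    $import.TargetObjectIdentifier = $set.ObjectIdentifier
    $import.State                  = 'Put'     # modify the existing set
    $import.Changes                = $changes
    $import | Import-FIMConfig -Uri $Uri
}
```

The script only covers manually-managed group members (`ExplicitMember`), and the account running it needs rights to modify the set. Running the same diff on a schedule catches any membership change the workflow missed, so the set does not keep granting read access to users who have left the group.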
