We have a FIM SSPR that imports users from active directory to the portal. The goal is to restrict all the users from accessing the fim portal (https://fimserver/identitymanagement/) except for the helpdesk and the administrators so that the implementation supports only SSPR portion. How can we achieve this? I have skimmed through the FIM portal customization part. But is there a way to restrict access to the portal altogether for general users?

Hello HuckleberryFinn.

All users can see any item in portal that has BasicUI in a Keyword. I would restrict BasicUI visibility only to Helpdesk/Admins.

The easiest way is to create two MPRs:

1. General: Administrators can read non-administrative configuration resources
   and here configure Requestors: Administrators
   Operation: Read resource
   Permissions: Grant permission (checked)
   Target resource: All Basic Configuration Objects
   Resource Attributes: All attributes
2. General: Helpdesk can read non-administrative configuration resources
   and here configure Requestors: Helpdesk
   Operation: Read resource
   Permissions: Grant permission (checked)
   Target resource: All Basic Configuration Objects
   Resource Attributes: All attributes

Then simply disable MPR named General: Users can read non-administrative configuration resources

To be sure that users would not be able to do anything on the portal you can also copy "General: Users can read schema related resources" MPR to into two MPRs (for Helpdesk and Admins) and disable this built-in one.

Thank you Dominik! That works. The user gets to log in and but is not shown anything except for "Welcome user".