OVERVIEW / PURPOSE

Recently, I worked on an issue where a customer wanted to allow Group Administrators to update Group Membership of a group that they did not own without being a FIM Administrator. The goal of this article is to provide the steps necessary to make this possible.

STEPS

ADD MEMBERS TO GROUP ADMINISTRATORS SET

- Navigate to the FIM Portal as a FIM Administrator
- Select Sets from the menu on the left
- Search for "Group Administrators" using the Search box in the upper right of the Sets page
- Select Group Administrators to open the Properties of the Group Administrators Set
- Select the last tab "Manually-Managed Members"
- In the Members to Add box, type the name of a FIM User that you want to be a Group Administrator
- Click Ok
- Click Submit

MPRs TO ENABLE

- Navigate to the FIM Portal as a FIM Administrator
- Select Management Policy Rules from the menu on the left
- Search for Group Administrators using the Search box in the upper right
- The search should return three Management Policy Rules by default. (NOTE: If you have created other Sets in relation to Group Administrators, they might appear as well.)
- Ensure that the following Management Policy Rules are Enabled:
  - Group management: Group Administrators can create and delete group resources
  - Group management: Group Administrators can read attributes of group resources
  - Group management: Group Administrators can update group resources

MODIFY ALL NON-ADMINISTRATORS SET

We are modifying this Set because it is a "Specific Set of Requestors" for the following two Management Policy Rules (MPRs).
- Group management workflow: Validate requestor on add member to open group
- Group management workflow: Validate requestor on remove member

If this Set is not modified to include a condition for Group Administrators, then it is very possible that you will receive an "Access Denied" when submitting the request.

- Navigate to the FIM Portal as a FIM Administrator
- Select Sets from the menu on the left
- Search for Non-Administrators using the Search box in the upper right
- You should have one Set returned (All Non-Administrators)
- Click on All Non-Administrators to view the Properties of the Set
- Click on Criteria-Based Members
- Click Add Statement to add a new condition
- Click <click to select attribute> and from the drop down, select Resource ID
- Click "is" and change it to "not in"
- Click the text box and type: Group Administrators
- Click Ok and then Submit
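
To confirm the result of the steps above, the following read-only PowerShell check is an added example and is not part of the original article. It assumes the FIMAutomation snap-in is available, the FIM Service is at its default local endpoint, and that a criteria-based Set's Filter refers to other Sets by GUID; Get-FimResource and Get-FimAttribute are helper names made up for this example.

```powershell
# Added example (not from the original article). Read-only: makes no changes.
# Assumes the FIMAutomation snap-in and the default FIM Service endpoint.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue
$Uri = 'http://localhost:5725/ResourceManagementService'

function Get-FimResource([string]$XPath) {
    # First resource matching the XPath, without following references
    @(Export-FIMConfig -Uri $Uri -OnlyBaseResources -CustomConfig $XPath)[0]
}
function Get-FimAttribute($Resource, [string]$Name) {
    # The attribute object (AttributeName, Value, Values) or $null
    $Resource.ResourceManagementObject.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq $Name }
}

# 1. The three Group Administrators MPRs must exist and not be disabled
$mprNames = @(
    'Group management: Group Administrators can create and delete group resources',
    'Group management: Group Administrators can read attributes of group resources',
    'Group management: Group Administrators can update group resources')
foreach ($name in $mprNames) {
    $mpr = Get-FimResource "/ManagementPolicyRule[DisplayName='$name']"
    if (-not $mpr) { Write-Warning "MPR not found: $name"; continue }
    $disabled = (Get-FimAttribute $mpr 'Disabled').Value -eq 'True'
    '{0,-8} {1}' -f $(if ($disabled) { 'DISABLED' } else { 'Enabled' }), $name
}

# 2. How many users were added manually to the Group Administrators Set
$ga = Get-FimResource "/Set[DisplayName='Group Administrators']"
if (-not $ga) { Write-Warning 'Set not found: Group Administrators'; return }
$members = @((Get-FimAttribute $ga 'ExplicitMember').Values | Where-Object { $_ })
"Group Administrators has $($members.Count) manually-managed member(s)"

# 3. The All Non-Administrators criteria must mention the Group Administrators Set.
#    Assumption: the Set's Filter XPath refers to other Sets by GUID.
$gaGuid = $ga.ResourceManagementObject.ObjectIdentifier -replace '^urn:uuid:', ''
$ana    = Get-FimResource "/Set[DisplayName='All Non-Administrators']"
$filter = (Get-FimAttribute $ana 'Filter').Value
if ($gaGuid -and $filter -and ($filter -like "*$gaGuid*")) {
    'All Non-Administrators criteria reference Group Administrators'
} else {
    Write-Warning 'All Non-Administrators criteria do not reference Group Administrators'
}
```

Every member counted in step 2 can update groups they do not own, so review that list whenever the Set changes.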