First published on MSDN on Oct 02, 2014
This is the third in a series of posts we’ll be calling “5 Minute FIM Hacks”. The purpose of these posts will be to provide quick and simple tips and tricks for customizing FIM to make it perform better or be easier to use.
In today’s 5 Minute FIM Hack, we’re going to look at hiding the “New” and “Delete” user buttons from normal (non-administrative) users. The natural question here is “why?” The answer is that if I, as a regular user, access the FIM portal to update my own attributes, I will see buttons for “New” and “Delete”. Being somewhat over-zealous (and tired of waiting on the IT department), I decide I can create an account for one of my new employees/coworkers. I click “New”. I spend a few minutes inputting all of their information. Finally, on the last step, I click “Submit”, only to receive the following:
Not understanding what is going on, I click on “View Details” and see:
This spawns a call to my Help Desk to open a ticket. After all, if I don’t have permission to create a new account, why do I have a button that says “New”? After the friendly person on the Help Desk explains that I do not, in fact, have the ability to create and delete users, I’m still left asking the question, “then why do I have the buttons to (seemingly) allow me to do so?”
Rather, as an administrator, why not hide the buttons, remove the temptation and avoid the whole thing? While there are several ways to do so, much of the documentation available online details creating a custom search scope. However, there is a simpler way of doing this by changing set membership. To begin, navigate to “Sets”:
In the “Search for:” box, type “user” and click the magnifying glass.
Click on the “User Administrators” set to open it. Next, click on the “Criteria-based Members” tab. Here we see the default criteria:
Click on “Add Statement”. In this scenario, I have selected “Resource ID” “in” “Administrators” (where “Administrators” is a set).
Rather than the “Administrators” set, this could be a set you’ve created (such as “HR”, “Help Desk”, etc.).
To finish, click “Submit”.
On the service portal server, open an elevated command prompt and type “iisreset”.
Now, as a regular user (not a member of the chosen set), when we click on “Users” in the portal, we see:
Questions? Comments? Love FIM so much you can't even stand it?