First published on MSDN on Dec 05, 2014
In this post we will discuss what needs to be completed after you have successfully created a new attribute and bound it to a resource. This is a follow-up to Schema Management - Creating a new attribute and Schema Management - Binding a New Attribute, which walk through the steps of creating the attribute "Employee Status" and binding it to the User resource. Once an attribute has been bound to a resource, permissions must be granted for it by updating the relevant MPRs (Management Policy Rules) before it can be "managed" through the FIM Service. Additionally, if you intend to use the new attribute in the criteria definition of a Set or a Group, the Filter Permissions must also be modified.
Let's first set permissions to allow users who are members of the Administrators Set to add or delete a value for the Employee Status attribute on a User resource.
1. When installing BHOLD, this MPR is modified to manage All Attributes.
2. Previously, one of the FIM Administrators changed this MPR to All Attributes for ease of FIM Portal management.
One of the reasons I try to keep this MPR set so that every new attribute has to be added manually is that it reminds me to add the attribute to all the other MPRs as well, granting the permissions other processes need: syncing from the Synchronization Service into the Portal, non-Administrators updating this attribute for specified users, or something as simple as user self-management.
Let's now set permissions to allow the Synchronization Service, which runs as the Built-in Synchronization Account, to modify the value of the Employee Status attribute on a User resource. If the Built-in Synchronization Account is not granted permission to manage this attribute, then running an Export on the FIM MA will fail for every User resource that is expecting a modification to the "Employee Status" attribute. This is effectively a denied permission, the same as not granting other resources permission to modify the attribute. Just as we did for the "Administration: Administrators can read and update Users" MPR, make the same modification to the "Synchronization: Synchronization account controls users it synchronizes" MPR, following the steps just outlined.
It is important to note that if the attribute will only ever be set within the FIM Portal and will never be synced out to other data sources, then it is not necessary to modify the "Synchronization: Synchronization account controls users it synchronizes" MPR. You only need to modify the MPRs that grant a specific resource permission to manage this attribute.
After all the necessary MPRs have been updated in your environment, allowing proper management of the "Employee Status" attribute, we can update the Filter Permissions within the FIM Portal.
1. Administrator Filter Permission
2. Non-Administrator Filter Permission
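The two steps above (ActionParameter on the MPRs, then AllowedAttributes on the Filter Permissions) are easy to leave half done, and the symptom is a silent "denied" export or a Set whose criteria cannot be saved. The following PowerShell script is an added example, not code from the original post: it audits which MPRs and Filter Permissions already cover a newly bound attribute so you can verify the work before running the FIM MA export. It assumes the FIMAutomation snap-in is available on the FIM Service server, that the attribute's system name is `EmployeeStatus` (the post only shows the display name "Employee Status", so adjust `$AttributeName` to match your schema), that an MPR granting "All Attributes" stores the wildcard `*` in ActionParameter, and that Filter Permissions are `FilterScope` objects whose `AllowedAttributes` reference the attribute by ObjectID. The `Get-FimAttributeValue` helper is a local convenience function, not part of the snap-in.

```powershell
# Added example (not from the original post): audit which MPRs and Filter
# Permissions already cover a newly bound attribute, here "EmployeeStatus".
# Assumes the FIMAutomation snap-in and that the attribute's system name is
# EmployeeStatus; adjust $AttributeName to match your schema.
param(
    [string]$AttributeName = 'EmployeeStatus',
    [string]$Uri = 'http://localhost:5725/ResourceManagementService'
)

if (-not (Get-PSSnapin -Name FIMAutomation -ErrorAction SilentlyContinue)) {
    Add-PSSnapin FIMAutomation
}

# Local helper (hypothetical, not a snap-in cmdlet): pull one attribute,
# single- or multi-valued, out of an ExportObject as an array of strings.
function Get-FimAttributeValue {
    param($ExportObject, [string]$Name)
    $attr = $ExportObject.ResourceManagementObject.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq $Name }
    if ($null -eq $attr) { return @() }
    if ($attr.IsMultiValue) { return @($attr.Values) } else { return @($attr.Value) }
}

# 1. The attribute definition itself: Filter Permissions reference attributes
#    by ObjectID rather than by name, so resolve the ID first.
$attrDef = Export-FIMConfig -Uri $Uri -OnlyBaseResources `
    -CustomConfig "/AttributeTypeDescription[Name='$AttributeName']"
if (-not $attrDef) { throw "Attribute $AttributeName is not in the schema" }
$attrId = (Get-FimAttributeValue $attrDef 'ObjectID') -replace '^urn:uuid:', ''

# 2. MPRs: an MPR grants rights on this attribute if its ActionParameter list
#    contains the attribute name or the wildcard '*' ("All Attributes").
$mprs = Export-FIMConfig -Uri $Uri -OnlyBaseResources -CustomConfig '/ManagementPolicyRule'
$mprReport = foreach ($mpr in $mprs) {
    $params = Get-FimAttributeValue $mpr 'ActionParameter'
    [pscustomobject]@{
        Type        = 'MPR'
        DisplayName = (Get-FimAttributeValue $mpr 'DisplayName')[0]
        Disabled    = (Get-FimAttributeValue $mpr 'Disabled')[0]
        Covers      = ($params -contains $AttributeName) -or ($params -contains '*')
    }
}

# 3. Filter Permissions (object type FilterScope): AllowedAttributes must hold
#    the attribute's ObjectID before it can be used in Set or Group criteria.
$scopes = Export-FIMConfig -Uri $Uri -OnlyBaseResources -CustomConfig '/FilterScope'
$scopeReport = foreach ($scope in $scopes) {
    $allowed = (Get-FimAttributeValue $scope 'AllowedAttributes') -replace '^urn:uuid:', ''
    [pscustomobject]@{
        Type        = 'FilterPermission'
        DisplayName = (Get-FimAttributeValue $scope 'DisplayName')[0]
        Disabled    = $null
        Covers      = $allowed -contains $attrId
    }
}

# One table: every MPR and Filter Permission, with whether it covers the attribute.
@($mprReport) + @($scopeReport) | Sort-Object Type, DisplayName | Format-Table -AutoSize
```

Run it as an account that can read MPRs and Filter Permissions (the FIM Service administrator is simplest) and look for `Covers = False` on the rows you expect to be granted: the "Administration: Administrators can read and update Users" MPR, the "Synchronization: Synchronization account controls users it synchronizes" MPR if the attribute flows through the FIM MA, and the Administrator and Non-Administrator Filter Permissions if the attribute will appear in Set or Group criteria. A row that reports `Covers = True` only because of the `*` wildcard is worth noting too, since that MPR grants far more than the one attribute you just added.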
What you need to do with this attribute, and which resources need to be able to manage it, will determine your next steps. Below are just a few things that you may need to accomplish.