Schema Management - Setting Permissions to manage new attributes.
Published Nov 01 2019 12:42 PM

First published on MSDN on Dec 05, 2014

In this post we will discuss what needs to be completed after you have successfully created a new attribute and bound it to a resource type. This is a follow-up to Schema Management - Creating a new attribute and Schema Management - Binding a New Attribute, which walk through creating the attribute "Employee Status" and binding it to the User resource. Binding an attribute to a resource does not by itself make it manageable: before any requestor, whether a person or a service account, can read or write the attribute, permissions must be granted for it by updating the relevant MPRs (Management Policy Rules). Additionally, if you intend to use the new attribute in the criteria definition of a Set or a Group, you must also add it to the Filter Permissions.


Let's first set permissions so that members of the Administrators Set can read and update the value of the Employee Status attribute on a User resource.

    • From the Administration page, click Management Policy Rules.

    • Search for the MPR Administration: Administrators can read and update Users. Unless you have created a lot of MPRs, it should be on the first page of the Management Policy Rules section of the FIM Portal.

    • Click the MPR once you have located it.

    • Click the Target Resources tab.

    • On the Target Resources tab, at the bottom, you will see Select specific attributes. Just below it is a box listing every attribute this MPR grants to the requestors defined on the Requestors and Operations tab: for each attribute listed there, those requestors can read and modify the value on the target resources. Above the Select specific attributes section there is an option for All attributes. If All attributes had been selected, this MPR would have covered the new attribute the moment it was created (but then what fun would this post be). There are a couple of common reasons this MPR ends up set to All attributes:

1. When BHOLD is installed, this MPR is modified to manage All attributes.

2. A FIM administrator previously changed this MPR to All attributes for ease of FIM Portal management.

One reason I keep this MPR set so that each new attribute has to be added manually is that it reminds me to add the attribute to every other MPR that needs it: the one that lets the Synchronization Service write the attribute into the Portal, the ones that let non-administrators update it for specified users, or even plain self-service management. Keep in mind that All attributes is also the more permissive setting: every attribute created later is automatically readable and writable by that MPR's requestors without anyone reviewing it.

    • Click the Browse button to the right of the Validate and resolve option, which is to the right of the box of selected attributes.

    • A pop-up window for searching and selecting attributes is displayed.

    • In the Search for box, type "Employee Status", then click the Search button (the magnifying glass).

    • Check the box next to the Employee Status attribute.

    • Click OK to return to the Target Resources tab; the attribute now appears in the Select specific attributes box.

    • Click on Submit


    • You have now granted members of the Administrators Set permission to manage the "Employee Status" attribute.

Next, let's set permissions so the Synchronization Service, which runs under the Built-in Synchronization Account, can modify the value of the Employee Status attribute on a User resource. If the Built-in Synchronization Account is not granted permission to manage this attribute, then an Export on the FIM MA that tries to change "Employee Status" for a user will fail for that user. The FIM Service rejects the request exactly as it would for any other requestor with no matching MPR, so the export error is effectively a permission denied. Make the same modification to the Synchronization: Synchronization account controls users it synchronizes MPR that we just made to Administration: Administrators can read and update Users, following the steps outlined above.


Note that if the attribute will only ever be set within the FIM Portal and never synced out to other data sources, there is no need to modify the Synchronization: Synchronization account controls users it synchronizes MPR. Only modify the MPRs that are needed to grant a specific requestor permission to manage the attribute.


After all the necessary MPRs in your environment have been updated to allow proper management of the "Employee Status" attribute, we can update the Filter Permissions in the FIM Portal.

    • From the Administration page, click Filter Permissions.

    • The Filter Permissions page has two predefined filter permissions by default:

1. Administrator Filter Permission

2. Non-Administrator Filter Permission

    • Select Administrator Filter Permission; the Filter Permission: Administrator Filter Permission window is displayed. (Add the attribute to the Non-Administrator Filter Permission only if non-administrators should also be able to build Set or Group criteria on it.)

    • Click the Permitted Filter Attributes tab.

    • The first section, Allowed Attributes, has a box listing every attribute that has been given "filter permission" for this particular filter. Only attributes listed here can be used as criteria for a Set or a Group.


    • Click the Browse button to open the Allow Attribute window.

    • In the Search for box, type all or part of "Employee Status", then click the magnifying glass to search for the attribute.

    • Place a check in the box next to the Employee Status attribute

    • Click OK to return to the Permitted Filter Attributes tab.

    • Click on Ok


    • Review the Summary page, then click Submit.
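The two Portal procedures above (adding the attribute to each MPR's target attributes, and adding it to the Administrator Filter Permission) can also be done from PowerShell with the FIMAutomation snap-in that ships with FIM, which is handy when the same change has to be repeated across several MPRs or environments. The script below is an added example and is not code from the original post. It assumes the attribute's system name is EmployeeStatus (the post only shows the display name "Employee Status"), that the FIM Service is reachable at the cmdlets' default URI, and that reference values are passed to Import-FIMConfig as bare GUIDs. It checks the current values first, so running it twice, or running it against an MPR already set to All attributes (the "*" value), makes no change.

```powershell
# Added example, not from the original post. Requires the FIMAutomation snap-in
# on a machine that can reach the FIM Service (default -Uri of the cmdlets).
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

# Assumption: system (Name) of the attribute whose display name is "Employee Status".
$attributeName = "EmployeeStatus"

# MPRs the post walks through. Add any other MPR that must manage the attribute
# (delegated admins, self-service, ...). Omit the Synchronization MPR if the
# attribute will never be synced out of the Portal.
$mprNames = @(
    "Administration: Administrators can read and update Users",
    "Synchronization: Synchronization account controls users it synchronizes"
)

# Export exactly one resource by XPath filter, or fail loudly.
function Get-FimResource([string]$XPath) {
    $export = @(Export-FIMConfig -OnlyBaseResources -CustomConfig $XPath)
    if ($export.Count -ne 1) { throw "Expected one result for '$XPath', got $($export.Count)." }
    return $export[0].ResourceManagementObject
}

# Current values of an attribute on an exported resource (empty array if unset).
function Get-FimAttributeValues($Resource, [string]$AttributeName) {
    $attr = $Resource.ResourceManagementAttributes | Where-Object { $_.AttributeName -eq $AttributeName }
    if ($null -eq $attr) { return @() }
    if ($attr.IsMultiValue) { return @($attr.Values) } else { return @($attr.Value) }
}

# Build a Put request that adds one value to a multi-valued attribute.
function New-FimAddValueRequest($Resource, [string]$AttributeName, [string]$Value) {
    $change = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
    $change.Operation      = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportOperation]::Add
    $change.AttributeName  = $AttributeName
    $change.AttributeValue = $Value
    $change.FullyResolved  = $true
    $change.Locale         = "Invariant"

    $import = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
    $import.ObjectType             = $Resource.ObjectType
    $import.TargetObjectIdentifier = $Resource.ObjectIdentifier
    $import.SourceObjectIdentifier = $Resource.ObjectIdentifier
    $import.State                  = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportState]::Put
    $import.Changes                = @($change)
    return $import
}

# 1. MPRs: the "Select specific attributes" list is the multi-valued ActionParameter
#    attribute; "*" is what the Portal stores for "All attributes".
foreach ($name in $mprNames) {
    $mpr     = Get-FimResource "/ManagementPolicyRule[DisplayName='$name']"
    $current = Get-FimAttributeValues $mpr "ActionParameter"
    if ($current -contains "*") {
        Write-Host "'$name' already targets all attributes (*); nothing to add."
    } elseif ($current -contains $attributeName) {
        Write-Host "'$name' already targets $attributeName."
    } else {
        New-FimAddValueRequest $mpr "ActionParameter" $attributeName | Import-FIMConfig
        Write-Host "Added $attributeName to '$name'."
    }
}

# 2. Filter permission: FilterScope.AllowedAttributes is a reference attribute, so it
#    holds the AttributeTypeDescription's ObjectID, not the attribute name.
$attrDesc = Get-FimResource "/AttributeTypeDescription[Name='$attributeName']"
$attrId   = $attrDesc.ObjectIdentifier.Replace("urn:uuid:", "")   # assumption: bare GUID form
$scope    = Get-FimResource "/FilterScope[DisplayName='Administrator Filter Permission']"
$allowed  = @(Get-FimAttributeValues $scope "AllowedAttributes" | ForEach-Object { $_.Replace("urn:uuid:", "") })
if ($allowed -contains $attrId) {
    Write-Host "Administrator Filter Permission already allows $attributeName."
} else {
    New-FimAddValueRequest $scope "AllowedAttributes" $attrId | Import-FIMConfig
    Write-Host "Added $attributeName to the Administrator Filter Permission."
}
```

Run it as a FIM administrator; each Import-FIMConfig call is itself a request that must pass the Portal's MPRs, so a non-administrator account will simply get a permission error. The "*" check in step 1 is the scripted version of the All attributes discussion above: an MPR already set that way needs no edit, but it is also the MPR to look at when you want to know who can already read or write every attribute you add later.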




Depending on what you need to do with this attribute and which resources need to be able to manage it, your next steps will vary. Below are just a few things you may need to accomplish.

    1. Update existing Sync Rules so the attribute can be synced with external data sources by the FIM Synchronization Service.

    2. Build Workflows to assist in the management of this attribute and its correlation to other attributes.

    3. Update the RCDC (Resource Control Display Configuration) so the attribute is shown and editable in the Portal.






Version history: last updated Feb 20 2020 12:34 PM