Permissions based on AD group membership
Hi all, I would like to configure ILM so that certain users can modify an attribute (say the Office Phone) of all users. I achieved this with a management policy that grants this permission to a set with static membership (just for testing). My problem is that I would like these "certain users" to be the members of an Active Directory security group. Is it possible, with ILM, to grant permissions based on Active Directory group membership? Or to define in ILM a set consisting of the people that belong to a certain AD group? Thanks, Paolo
May 20th, 2009 7:33pm
Hi Paolo! I'm not sure if it's gonna work if you simply add the group as a member of the Set, but that would be fairly simple to test. If it doesn't work you could use an XPath pointing the Set membership to the group's ComputedMember attribute like this... '/Group[DisplayName="GroupName"]/ComputedMember'. Anyhow, it requires that the group exists within ILM.
//Henrik
Henrik Nilsson Blog: http://www.idmcrisis.com Company: Cortego (http://www.cortego.se)
May 21st, 2009 3:39pm
'/Group[DisplayName="GroupName"]/ComputedMember'.
That was my first thought as well; however, I've been informed that this query is disabled for performance reasons. The workaround is to define an MPR with a workflow that adds and removes members from your set whenever a change occurs in the security groups of interest.
May 22nd, 2009 12:11am
Whilst we're on this subject (possibly should be another thread, sorry Mods, please move if you prefer) - how could we restrict the ability to update certain attributes to (for example) the user's manager? We can't do this with sets & MPRs, can we? We need to be able to query the target to see if the requestor is the UID in their manager (or other) field - is this possible? It seems like a pretty reasonable thing to want to do. We might also want to restrict it to someone who has a different relationship with the target, based on organizational hierarchy, for example. So the MPR has to be able to tell if the requestor is the person marked as the "updater" for the user's department. Do all these cases need to be dealt with by custom AuthZ workflows?
Dave
Dave Nesbitt | Architect | Oxford Computer Group
May 22nd, 2009 12:13pm
Henrik, Joe, thanks for your answers! Actually I discovered that it's possible to define a set like this:
Select "people" that match "all" of the following conditions: "Object ID" "is member of" "the group"
Cheers, Paolo
May 22nd, 2009 1:31pm
@Dave: You can grant a manager a permission with an MPR like this:
General Information:
- display name "Managers can modify names"
- check "Grants permissions"
Requestors and Operations:
- Requestors: select "Relative to Resource" and in the attribute box type "Manager", then validate and resolve.
- Operation: check "Read resource" and "Modify Resource Attributes"
Target resources:
- before request: all people
- after request: all people
Resource attributes: select "select specific attributes" and type in the box firstname and lastname, then click validate and resolve.
Policy Workflows: nothing to configure.
Hope this helps, Paolo
May 22nd, 2009 2:00pm
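The two policy patterns described in this thread (a set whose members are the people whose Object ID "is member of" an AD group, and an MPR whose requestor is "Relative to Resource" via the target's Manager attribute) can be modelled in a few lines. The following is an added example, not code from the thread or from ILM/FIM itself: the Person, Group and Mpr records, the sample people, the "Phone admins" group and the evaluation functions are all constructed here to show how such rules decide a request, and they are not the FIM service API.

```python
"""Model of two ILM/FIM-style authorization rules (constructed example).

Rule 1: a set built from AD group membership (requestor must be in the set).
Rule 2: a "Relative to Resource" MPR (requestor must be the target's manager).
All names and data below are made up for illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional


@dataclass
class Person:
    object_id: str
    first_name: str
    last_name: str
    office_phone: str = ""
    manager: Optional[str] = None  # ObjectID of this person's manager


@dataclass
class Group:
    display_name: str
    computed_member: FrozenSet[str]  # like the ComputedMember attribute: ObjectIDs


@dataclass
class Mpr:
    display_name: str
    # Either a set of requestor ObjectIDs (static or computed from a group) ...
    requestor_set: Optional[FrozenSet[str]] = None
    # ... or a "Relative to Resource" attribute read from the target.
    requestor_relative_attribute: Optional[str] = None
    operations: FrozenSet[str] = frozenset()
    resource_attributes: FrozenSet[str] = frozenset()


# Constructed sample directory: alice manages bob and carol; "dan" is in the
# AD group but has no Person object in ILM, so the set must not contain him.
PEOPLE: List[Person] = [
    Person("alice", "Alice", "Adams"),
    Person("bob", "Bob", "Brown", manager="alice"),
    Person("carol", "Carol", "Clark", manager="alice"),
]
PHONE_ADMINS = Group("Phone admins", frozenset({"carol", "dan"}))


def set_from_group(people: Iterable[Person], group: Group) -> FrozenSet[str]:
    """Set definition from the thread: people whose Object ID 'is member of' the group."""
    return frozenset(p.object_id for p in people if p.object_id in group.computed_member)


def is_authorized(mpr: Mpr, requestor_id: str, target: Person,
                  operation: str, attributes: Iterable[str]) -> bool:
    """Does this single MPR grant the requested operation on the target's attributes?"""
    if mpr.requestor_set is not None:
        if requestor_id not in mpr.requestor_set:
            return False
    elif mpr.requestor_relative_attribute is not None:
        # "Relative to Resource": the target's attribute must hold the requestor's ID.
        if getattr(target, mpr.requestor_relative_attribute, None) != requestor_id:
            return False
    else:
        return False  # an MPR with no requestor definition grants nothing
    if operation not in mpr.operations:
        return False
    # Every attribute in the request must fall inside the MPR's attribute scope.
    return set(attributes) <= mpr.resource_attributes


def build_policy(people: Iterable[Person], phone_admins: Group) -> List[Mpr]:
    """The two MPRs discussed in the thread, expressed with the model above."""
    return [
        Mpr("Phone admins can modify Office Phone",
            requestor_set=set_from_group(people, phone_admins),
            operations=frozenset({"Modify"}),
            resource_attributes=frozenset({"office_phone"})),
        Mpr("Managers can modify names",
            requestor_relative_attribute="manager",
            operations=frozenset({"Read", "Modify"}),
            resource_attributes=frozenset({"first_name", "last_name"})),
    ]


def any_mpr_grants(policy: Iterable[Mpr], requestor_id: str, target: Person,
                   operation: str, attributes: Iterable[str]) -> bool:
    """FIM semantics: a request is permitted if at least one granting MPR matches."""
    attrs = list(attributes)
    return any(is_authorized(m, requestor_id, target, operation, attrs) for m in policy)


def find_person(object_id: str) -> Person:
    return next(p for p in PEOPLE if p.object_id == object_id)


if __name__ == "__main__":
    policy = build_policy(PEOPLE, PHONE_ADMINS)
    bob = find_person("bob")
    print("carol -> bob.office_phone:", any_mpr_grants(policy, "carol", bob, "Modify", ["office_phone"]))
    print("alice -> bob.first_name:", any_mpr_grants(policy, "alice", bob, "Modify", ["first_name"]))
    print("bob -> carol.last_name:", any_mpr_grants(policy, "bob", find_person("carol"), "Modify", ["last_name"]))
```

Two details matter for the real system as much as for the model: the set derived from the group only contains objects that exist in ILM (Henrik's point that the group must exist within ILM applies to its members too), and a request that touches any attribute outside the MPR's resource-attribute scope is refused as a whole rather than partially applied.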
Hi Paulo, yes, you're right - that was a bad example. Where the target holds an attribute that refers back to the requestor directly (as in the manager case) it's possible. But what I was really referring to (rather clumsily perhaps) was the "second-level" logic whereby neither the requestor nor the target holds an attribute that directly links one to the other. Instead, they both share an attribute in common (such as department) and one of them needs permissions to modify a collection of attributes on all users within that department. These sorts of hierarchy-based rules are very common within organizations (hence why directories and most IAM systems are hierarchical) and requested by customers. I can't see how we can do this simply using MPRs and sets. I can see we could do it with a custom AuthZ workflow, but this feels too complex an answer for a reasonably simple request. I'm hoping that I've just missed something and that with the right XPath filter we could potentially do it through Sets and MPRs after all.
Dave
Dave Nesbitt | Architect | Oxford Computer Group
May 22nd, 2009 2:17pm
Hi Dave, I'd like to discuss this further, what about starting a new thread? Cheers, Paolo
May 22nd, 2009 2:58pm
Hi,
Does anyone know if a future release of FIM will allow the members of a group that is a member of a set to have the permissions to the site?
In other words, Set A has the member Group B. Group B contains User1 and User2. Ideally, this would mean that User1 and User2 have the permissions of Set A even if they aren't in Set A's membership explicitly.
I appreciate any insight.
Thanks,
Sami
March 17th, 2011 10:43pm