Group owners can't manage own membership

I want to let group owners manage their own membership (add and delete users from their group only). Being assigned as "group owner" doesn't provide any mechanism that I could find to do this. However, assigning the group's "Privilege Assignments, Allow Group Editing" is too powerful, allowing membership management of all groups. We are using portal version 9.0.2.3.0B.
What am I missing?

Applied patch but it did not help. Nor did the workaround work. I can log out, close the browser and upon logging back in I still cannot manage my group.
I am both the owner and a member of my group.
The error I get is:
Group Management Error!
No Privilege to Edit Group.

Similar Messages

  • How to track changes made to a group owner for Distribution/Security Group in FIM 20101 R2?

    We have a requirement where we have to send a consolidated email to the new group owner which lists all the groups that are tagged to him/her.
    This requirement is needed so that the new group owner can be notified of the groups that he/she owns. Group owner information can be updated in AD which would then sync with FIM, Bulk updates for groups in FIM.
    So first we would have to basically track the group owner change in FIM, retrieve the owner information, then list all the groups listed under him, consolidate an email and trigger the notification.
    Can someone help me and let me know how this can be achieved?
    Thanks in advance!!

    Hello,
    You cannot do this with only OOB functions. You will need a custom activity to enumerate all groups a specific person owns.
    First part is easy, create an MPR which triggers a workflow activity on owner attribute changes.
    The custom activity should then search for all groups the new owner owns in addition.
    Pass that information through the WorkflowDictionary to a notification activity.
    If you are not familiar with developing workflow activities you could use PowerShell Activity for example.
    /Peter
    Peter Stapf - ExpertCircle GmbH - My blog:
    JustIDM.wordpress.com
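
    The enumeration step described in the reply above, as an added example that is not part of the original thread: it lists every group a given person owns through the FIMAutomation snap-in and builds the notification text. The service URI, the function names and the sample account `jdoe` are assumptions.

    ```powershell
    # Added example (not from the thread). Requires the FIMAutomation snap-in.
    Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

    $FimUri = 'http://localhost:5725/ResourceManagementService'  # assumed endpoint

    # Hypothetical helper: display names of all groups owned by one account.
    function Get-OwnedGroupNames {
        param([Parameter(Mandatory = $true)][string]$AccountName)

        # The name is placed inside an XPath literal, so accept only plain
        # account-name characters and reject quotes or brackets outright.
        if ($AccountName -notmatch '^[A-Za-z0-9._-]+$') {
            throw "Unexpected characters in account name: $AccountName"
        }

        # FIM XPath: every Group whose Owner reference points at this Person.
        $filter = "/Group[Owner = /Person[AccountName = '$AccountName']]"
        $groups = @(Export-FIMConfig -Uri $FimUri -OnlyBaseResources -CustomConfig $filter)

        foreach ($g in $groups) {
            $attrs = $g.ResourceManagementObject.ResourceManagementAttributes
            ($attrs | Where-Object { $_.AttributeName -eq 'DisplayName' }).Value
        }
    }

    # Hypothetical helper: one consolidated message body for the new owner.
    function New-OwnerNotificationBody {
        param([Parameter(Mandatory = $true)][string]$AccountName)

        $names = @(Get-OwnedGroupNames -AccountName $AccountName | Sort-Object)
        $lines = @("You are now listed as owner of $($names.Count) group(s):")
        $lines += @($names | ForEach-Object { "  - $_" })
        $lines -join "`r`n"
    }

    # 'jdoe' is a constructed sample account name.
    New-OwnerNotificationBody -AccountName 'jdoe'
    ```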

  • Define if users or functional owner can self-approve their own requests-OIM

    I have a scenario where in if a user replaces his manager as proxy and makes a request for a resource, the approval task triggered goes to the user itself and the user can approve it. I want to deactivate this functionality.
    I was told that since BP12 has been applied, OIM allows us to define if users or functional owner can self-approve their own requests. Is this possible and if yes then how to go about it??
    Thanks in advance.

    Per BP11 for OIM 10g documentation:
    9649346 A user could approve or update the user's own request. This feature could not be disabled. From this release onward, this feature can be enabled or disabled depending on your requirement. See Section 3.10, "Using the XL.AllowBeneficiaryToApprove System Property" for information about implementing the fix for this item.
    There is also this in BP11:
    9271449 Requesters could reassign approval tasks to themselves. See Section 3.9, "Using the XL.RequesterCanBeApprover System Property" for information about implementing the fix for this item.
    System configuration variables in 10g are in the design console. In 11g, they are in the web console.
    -Kevin

  • ARQ: Manager/Role Owner can modify request details even after submitting the request???

    Hi All,
    I have noticed that after Submitting (Approving) a request, manager or role owner can still modify the user details (fields are editable) like role validity date etc. in a request. This is quite weird!
    Although, after submitting a request by a requester, all fields are disabled.
    Has anyone encountered this problem? How can I control this?
    Please advise.
    Regards,
    Faisal

    Alessandro,
    Thanks for your reply.
    Yes, I got it and that is why I got confused.
    This EUP I have defined and the desired fields are visible and editable and seems to be working fine.
    However, the problem is, even after submitting a request, manager and role owner are able to edit the values in the fields which is incorrect!
    Actually, once a request is submitted, I believe the request should be in display mode only!
    You know what, this is working absolutely fine with requester. Meaning, once a requester submits a request, then all fields are disabled and values in them cannot be modified any more.
    But I am not sure why this is not happening with managers/role owners.
    Please advise.
    Regards,
    Faisal

  • Group Owner unable to see members

    Hello All,
    I posted this question a while back but never got an answer so I thought I'd repost it. I've run into an issue where when a security group owner logs into the FIM portal they see the groups they are managing but are unable to see a list of members of the group. However when I log in as an FIM administrator and I look at the same group I see all members. How do I allow the group owner to manage his own group by granting him access to read the membership? Is there a specific Search Scope or MPR that needs to be enabled besides the following?
    MPRs that are enabled:
      Security group management: Owners can read selected attributes of group resources
      Security group management: Owners can update and delete groups they own
    Navigation Bar Resources that are enabled as BasicUI:
      Security Groups (SG's)
      My SGs
      My SG Memberships
    Home Page Resources that are enabled as BasicUI:
      Security Groups (SG's)
      My SGs
      My SG Memberships
    Search Scopes that have BasicUI:
      My Security Groups
      My SG Memberships

    Default values here:
    Half-seen attributes are: Manager; MiddleName; Mobile Phone; Time Zone
    Is this user a part of this group as well? If so maybe try to enable MPR named User management: Users can read attributes of their own also?
    Another way to check what should be enabled is:
    In Management Policy Rules view, click Explore.
    On Find tab, leave first option selected.
    On Criteria tab, select: Read resource, Only permission granting...; Include disabled ...; Requestor: owner. Target Resource: group
    Check MPRs listed and check which of them are disabled :)
    Security group management: Owners can read selected attributes of group resources
    Security group management: Users can read selected attributes of group resources
    Group management: Group administrators can read attributes of group resources
    If you found my post helpful, please give it a Helpful vote. If it answered your question, remember to mark it as an Answer.

  • Users and Group Owners are unable to see their groups

    Hello all,
    I have an issue where security group owners are unable to see/read any groups that they own. I have enabled the following MPRs but still nothing, please help.
    Group management: Group administrators can create and delete group resources
    Group management: Group administrators can read attributes of group resources
    Group management: Group administrators can update group resources
    Security group management: Owners can read selected attributes of group resources
    Security group management: Owners can update and delete groups they own
    Security group management: Users can read selected attributes of group resources
    Also when a user logs into the portal they are unable to see any Security groups listed under MY SG Membership. However when we check the group membership they are indeed part of the group both in FIM portal and AD.

    Reason might be that users don't have access to group objects at all or are not able to read some of the attributes of a group. Also make sure that BasicUI keyword was added to the specific elements of UI used in group management - this includes navbars but also search scopes which are used for group filtering.
    On the MPRs side:
    Make sure that your Security group users set was not modified - maybe people are filtered out from these MPRs.
    Use explore function in MPR part of a portal to check what actual MPRs are being triggered when user tries to access group object.
    Tomek Onyszko, memberOf Predica FIM Team (http://www.predica.pl), IdAM knowledge provider @ http://blog.predica.pl

    Hi Tomek,
    Which attributes must a user be able to read in order for this to work? If possible can you provide me with a full list so I can verify that they do have rights to read them.
    I have added the keyword BasicUI to the following sections
    Under Home Page Resource
    Join a SG
    Manage my SGs
    Search Scopes
    Security Groups (SGs)
    See my SG memberships
    Under Navigation Bar Resource
    My SG Memberships
    My SGs
    Security Groups (SGs)
    As for the security group users set, I have modified it to allow all domain users to be part of this set. When I click View Members all users are listed. 
    "Use explore function in MPR part of a portal to check what actual MPRs are being triggered when user tries to access group object." How would somebody go about doing this?

  • Can I manage more than one iTouch from one PC?

    A family member has an iTouch managed with iTunes on PC. Another family member would like an iTouch but does not have a computer.
    Can one manage more than one iTouch from one PC? How? Does one install separate instances of iTunes somehow on the PC for each device?
    There is also the desire to have separate Apple Store accounts for each device. We don't want synced devices.

    *How to use multiple iPods with one computer*
    The Apple support document How to use multiple iPods with one computer suggests a number of ways. I use method two (Sync with selected playlists) with a slight twist. Rather than regular playlists I set the grouping field to indicate which users should receive which tracks and create smart playlists based on the content of this field.
    e.g.
    "Alice's Tracks" is "Grouping contains Alice" + "Kind contains audio"
    "Bob's Videos" is "Grouping contains Bob" + "Kind does not contain audio"
    Tracks that both Alice & Bob want on their iPods have the grouping set to "Alice/Bob"
    etc.
    I currently manage our family's five iPods using this system, each getting a different selection to suit their tastes and the capacity of their iPod. An advantage of using the grouping field is that it is stored in file tags (for non-wav audio files anyway) so that it is relatively easy to recreate the playlists should the iTunes library get trashed. Also useful if you move files about manually as playlist membership is preserved when you delete & re-import the tracks.
    tt2

  • WGM creates new home folders with _unknown user/group, SA can't change it

    A little background:
    In our school we've got an xserve (about 1.5 yrs old), that was having issues last year. (the OD database pretty much ate itself). in august we did a clean install of 10.5, and updated to 10.5.3 (after suffering through the AFP/OD issues in 10.5.2). Because of the corrupt database from the last server, and the fact that a large number of our accounts have migrated through 4-5 iterations of servers from 9.2 on through 10.4.11, we created all new clean accounts by hand in WGM and moved the user files to the new home folders, changed user and permissions with SA to the new accounts and propagated that info to all the files for each home folder. everything has been going fine since then.
    until this week.
    the issue was discovered when we tried to create a new staff account (we created several accounts last week with no issue). in WGM everything looked fine. it created the account, assigned it to the proper group, and successfully created a home folder. the problem however was when we went into SA to change the permissions. we don't need everybody seeing everyone else's files, so we change the default group and everyone permissions to something more appropriate (don't even get me started on that gripe). When you navigate to the new home folder you just created in WGM, it shows the owner as _unknown (read/write) and group _unknown (read only... I think), Everyone (read only). Server Admin refuses to change the user or group. doesn't matter whether you use the 'show users/group' dialog and drag the account, or whether you edit it manually and insert the short name or UID. when you hit save, it stubbornly reverts back to unknown/unknown for user and group. we've tried creating accounts with different templates, no template, different account names and UID's, all with the same result.
    The odd part is that nothing in the OS has changed since we first set it up and created all the users. nothing installed, nothing updated...
    We've stayed at 10.5.3 due to the disaster in one of the updates (10.5.5 I think) that many of our other local districts had with network accounts not being able to see their own library folders due to permission issues, as well as the AFP causing 100% CPU use bug reported with 10.5.5
    A second, probably related issue is that when browsing home folders in Server Admin filesharing, any files our network users create seem to end up assigned unknown/unknown for user and group (as far back as October it seems). After searching around the net most of the day I came across a lot of info about the _unknown user issues for folks upgrading from 10.4, but these are all newly created 10.5 network users (not local) logging in and working in home folders on the server. The original owners can read/write/delete these files as normal.
    Any help would be most appreciated.

    ok... I find we were shot in the foot by one of our own.
    The quick answer: DO A GET INFO ON THE VOLUME WITH THE SHAREPOINTS! if the 'ignore permissions on this volume' box is checked... UNCHECK IT!
    Explanation: not sure how the ignore permissions box got checked, but I don't think it was done directly by human hands. we use Carbon Copy Cloner Ver. 3.something (not sure which at this point) to back up both our data (daily) and server (weekly) drives to remote storage. by striking coincidence, things started saving with _unknown user and group about the same time as crash reporter shows that CCC hosed itself. My guess is that CCC temporarily ignores permissions (as shown in the status when you do a clone) and then resets them to their original state. when it crashed, it looks like they were still set to ignore, so it happily set it back to that state every time it ran after that. not sure why the account creation issue suddenly turned up after so long... In any event, it turns out that if you have sharepoints on a server volume, AND you set the OS to ignore permissions on that volume, BAD things happen (I'm not sure it should even be an option on a shared volume, but that's for the engineering folks to figure out.) .... specifically, the symptoms above. if you login as root (yeah, I know that's something you should never do) and uncheck the ignore permissions box on the volume, then log into WGM, as root (yeah, yeah, I know... even worse) and set ALL of the Directory Administrator accounts to 'do not administer this server', and no change rights for the directory, save those settings, and then set them back to 'administer this server', and FULL rights to change the open directory, save again. and then WAIT until the drives stop going nuts... after that everything works fine.

  • Extract group owners from group

    How can you extract group owners from a group? ver. 3.0.9.8.5. I want to do two things; extract all groups that a user is the owner of, and find all the owners of a group.
    The code below will extract out all the users of a group, but how do you get the owners? I can't figure out where the group owner flag is being set. There are two deprecated functions (get_list_members, user_in_group), which I've used and is extra coding than what's necessary, but we're also migrating to version 2 soon.
    Thanks,
    Rick
    SELECT b.name,
    a.user_name,
    a.last_name,
    a.first_name
    FROM portal30.wwsec_person$ a,
    portal30.wwsec_group$ b,
    portal30.wwsec_member$ c
    WHERE a.id = c.member_person_id
    AND b.name = 'my_group'

    Sorry, I got timed out and posted this to the wrong forum accidentally. Is there a way to delete your own message?

  • Changing group owner disables wiki/blog

    For quite some time now the procedure for creating new groups with a single owner/moderator has worked well. I 1) go in to the directory app on the server, 2)create the group, 3) change the owner to the teacher who will manage the wiki/blog, 4) add the teacher to the list of users allowed to create wikis (in web services). Then everything works like a charm. As of a few weeks ago (and I have not run any updates--still on 10.5.6, etc.), as soon as I change the group owner from Directory Administrator the wiki/blog generates a no group with that name is hosted on this server. Changing the owner back to directory admin fixes this but I need the teachers to be owner/moderators. Any suggestions on what might be causing this problem?
    Thanks,

    Is there any solution to this problem? I am trying to set up the group owner but can't. I am set as the group owner in the group list and set as moderator in the list of users allowed to create wikis but when I go into the wiki site I am unable to change settings.

  • Members of group not appear to Group Owner at FIM portal

    In my distribution groups I have added some members via owner approval and that member appears added to me when I view that group from FIM admin portal but when I look at the same DG from Owner's FIM portal then user does not appear! strange!
    Any suggestion pls why is this happening?

    Some MPRs are not enabled or they have non-default configuration.
    Check if you have the following MPRs enabled:
    Distribution list management: Users can read selected attributes of group resources
    Distribution list management: Owners can read attributes of group resources
    If you found my post helpful, please give it a Helpful vote. If it answered your question, remember to mark it as an Answer.
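
    A scripted version of the "which of these MPRs are enabled" check that the three FIM threads above keep coming back to, as an added example that is not from any of the posters: it looks up the MPR display names quoted in those threads and reports whether each is enabled and what it grants. The service URI and function names are assumptions; it needs the FIMAutomation snap-in and an account allowed to read MPR resources.

    ```powershell
    # Added example (not from the threads). Requires the FIMAutomation snap-in.
    Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

    $FimUri = 'http://localhost:5725/ResourceManagementService'  # assumed endpoint

    # MPR display names exactly as quoted in the threads above.
    $MprNames = @(
        'Security group management: Owners can read selected attributes of group resources',
        'Security group management: Owners can update and delete groups they own',
        'Security group management: Users can read selected attributes of group resources',
        'Group management: Group administrators can read attributes of group resources',
        'Distribution list management: Users can read selected attributes of group resources',
        'Distribution list management: Owners can read attributes of group resources'
    )

    # Hypothetical helper: read one attribute from an exported FIM object.
    function Get-FimAttr {
        param($ExportObject, [string]$Name)
        $a = $ExportObject.ResourceManagementObject.ResourceManagementAttributes |
            Where-Object { $_.AttributeName -eq $Name }
        if ($null -eq $a) { return '' }
        if ($a.IsMultiValue) { return ($a.Values -join ',') }
        return $a.Value
    }

    # Hypothetical helper: one row per MPR; missing rules are reported too.
    function Get-MprState {
        foreach ($name in $MprNames) {
            $hits = @(Export-FIMConfig -Uri $FimUri -OnlyBaseResources `
                      -CustomConfig "/ManagementPolicyRule[DisplayName = '$name']")
            if ($hits.Count -eq 0) {
                New-Object PSObject -Property @{
                    MPR = $name; State = 'NOT FOUND'; Grants = ''; Actions = ''; RelativeTo = ''
                }
                continue
            }
            foreach ($m in $hits) {
                # An MPR with no Disabled value set is treated as enabled here.
                $state = if ((Get-FimAttr $m 'Disabled') -eq 'True') { 'DISABLED' } else { 'enabled' }
                New-Object PSObject -Property @{
                    MPR        = $name
                    State      = $state
                    Grants     = Get-FimAttr $m 'GrantRight'
                    Actions    = Get-FimAttr $m 'ActionType'
                    # For owner rules this should name the Owner attribute.
                    RelativeTo = Get-FimAttr $m 'PrincipalRelativeToResource'
                }
            }
        }
    }

    Get-MprState | Select-Object State, Grants, Actions, RelativeTo, MPR |
        Sort-Object State | Format-Table -AutoSize -Wrap
    ```

    Rows marked DISABLED or NOT FOUND are the ones to compare against a default installation; the RelativeTo column shows whether a rule is scoped to the group's owner rather than to a broad requestor set.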

  • Cluster Group Owner

    Hi Guys,
    I have DAG extended to two sites (Primary and DR).
    I have moved Cluster group owner to DR mailbox server using PowerShell command.
    Now, when I try to move the cluster group owner back to a mailbox server in the Primary site, It doesn't work.
    It (PAM role of exchange) switches back to DR mailbox node automatically, any idea why is this happening ?
    Platform: Server 2012 with Exchange 2013

    Hi Raghu,
    Please use the below mentioned commands in Windows PowerShell and share the results with me.
    Step 1: 
    Import-Module failoverclusters
    Step 2 : 
    Move-ClusterGroup -Node "Any one of the node on production site" -Name "cluster group"
    Step 3 :
    Please run the below mentioned command to check the PAM role and that is the server which is holding the cluster resources.
    Get-DatabaseAvailabilityGroup -Identity "dag name" -Status | fl *pri*
    To confirm that again, please use the below mentioned command in Exchange management shell.
    Get-ClusterGroup | ft -au
    In addition to that, please share the failover cluster events which are related to the cluster resources move.
    To dig deeper into this case we can do the following.
    From one of the nodes of the cluster, open a Command Prompt with Administrator rights. The simplest command to create the log is to type "cluster log /g". A cluster.log file will be generated and stored in the %windir%\Cluster\Reports directory on each node of the cluster. Note that with all commands you can use either "cluster ..." or "cluster.exe ..." as they have the same functionality.
    Please reply to me if you have any queries.
    Thanks & Regards S.Nithyanandham

  • I have two iPhones associated to the same Apple ID. Can I manage music

    I now have two iPhones (4s & 5s) associated to the same Apple ID. I am giving my wife the 4S.
    We like different music & apps from one another. Can I manage music & apps independently on each device even though they have the same Apple ID Association?
    Thanks

    stereo317 wrote:
    I now have two iPhones (4s & 5s) associated to the same Apple ID. I am giving my wife the 4S.   
    We like different music & apps from one another. Can I manage music & apps independently on each device even though they have the same Apple ID Association?
    Yes, but I highly recommend each have your own, separate AppleID and your own computer login to manage your own data separately.

  • I just got my Mac and I used my family Apple ID. It had all of my parent's information, I added my e-mail. I wanted to make my own Apple ID, but I couldn't use the same e-mail address again! How do I delete this information so I can make my own Apple ID?

    I just got my Mac and I used my family Apple ID. It had all of my parent's information, I added my e-mail. I wanted to make my own Apple ID, but I couldn't use the same e-mail address again! How do I delete this information so I can make my own Apple ID?

    Wendy P-G wrote:
    I just got my Mac and I used my family Apple ID. It had all of my parent's information, I added my e-mail.
    It is not clear how or where you "added" your email, but you cannot create an Apple ID using an email address that is already associated with another Apple ID.
    If that is what you did, delete that email address from your family's Apple ID. You should be free to create a new one.
    Do all that by starting here: https://appleid.apple.com/
    Select "Manage your Apple ID". Log in with your family's Apple ID and then delete your own email address wherever it appears.
    Save Changes, log out, and create the new one using the same website. This time select "Create an Apple ID".
    Please don't forget your security questions, and be sure to specify a "rescue email address" that is separate from all other Apple IDs. You will avoid so many problems that way...

  • Can I manage my Family Sharing and child's Apple ID from my windows computer?

    I've bought a refurbished iPhone in lieu of new iPod touch for a kid. I've had an iPod classic for some years and have always managed my involvement with apple via iTunes on a windows laptop. I want to set up an "under 13" identity for her and start family sharing, but I've yet to find explicit instructions on exactly how to do this. Any suggestions?
    Thanks.

    This should answer:
    From the family Sharing Page (Family Sharing - Apple Support):
    "You can use Family Sharing on your iPhone, iPad, or iPod touch with iOS 8, your Mac with OS X Yosemite and iTunes 12, or your PC with iCloud for Windows 4.0. To get started, one adult in your household—the family organizer—sets up Family Sharing"
    "iOS 8 and OS X Yosemite are required to set up or join a Family Sharing group and are recommended for full functionality."
    To set it up, go to your iCloud Settings on the iOS 8 device.
    So basically, you can't manage it from your PC; from your PC, you can only access the shared iTunes content and other iCloud shared stuff such as photos, calendar etc.
