For users to be able to log in to the MIM portal and authenticate to MIM Service, we need three attributes populated for the user: AccountName
, Domain
, and ObjectSID
.
But even if we have populated these attributes in MIM Service, and a standard user tries to log in to the portal (https://MIMPortal/IdentityManagement
), the person will get the message shown in the following screenshot:
Why? Well, because there is no MPR enabled by default to allow users to access MIM Portal and/or MIM Service. The MPRs required to allow access to users are disabled by default. We just need to enable them in order for users to have access.
The MPRs we need to enable are as follows:
Moreover, if you look back, you might recall that we had some options during installation talking about user access as well. There was a checkbox that said Grant Authenticated Users access to the MIM Portal Site. If you forgot to allow that during setup, don't panic. This setting is only to allow SharePoint access, and we can fix this now if we forgot to do so earlier.
If you start MIM Portal as the administrator, you will find Site Actions in the upper-right corner, and from there you can access Site Settings. In Site Settings, below Users and Permissions, you have Site permissions:
Follow that link into Permissions and add Authenticated Users with Read permissions, as shown in the following screenshot:
After fixing the MPRs and verifying that users have SharePoint permissions, the user will be able to access Portal:
Compared to the view that the administrator has, the user's view is quite limited. If the user tries to do something, they will find that they are unable to do anything except look at some of their own attributes. They cannot modify anything, or see any other users. For that to be possible, we need to enable some other MPRs, and maybe configure new ones in order for the user to be able to work in the portal.
Let's walk through the creation of a new MPR allowing managers to read information about their direct reports:
Another typical scenario is that we want users to manage some attributes of their own. This could, for example, be information such as a mobile phone number.
In order for this to work, we need to create a new MPR that gives the users permission to change selected attributes. This MPR is of type Request. If you are going to use MIM for self-service, you will likely end up with quite a few MPRs:
For some scenarios, you might want to also kick off some workflows as the request is made. It could, for example, be an authorization workflow requesting that the change be approved by a manager before being applied, or maybe an action workflow sending a notification to the user about the change.
The authors suggest avoiding the use of the Use equal precedence setting. Checking that box would mean the last writer wins, meaning multiple systems associated with the attribute can overwrite one another within the Metaverse. From an operational perspective, if you were to use an equal precedence attribute to trigger a workflow, and the systems had different values, you would see the workflow re-trigger every time a synchronization is performed. Microsoft has announced that equal precedence will eventually be removed from the product, so you might as well not use it.
18.191.44.23