FIM 2010 Portal: Allow users to view membership of Dynamic or criteria Security Groups

I discovered that users cannot view the membership of dynamic security groups. When they click the members button for groups it comes up with nothing. It works fine for me. I tested with SG Owners of dynamic groups and the same issue, they can’t see the membership of groups they own. lets take a closer look.

The set called “Group Administrators” is embedded in the FIM Portal code as the sole group that can manage or read  Dynamic groups. This is to safeguard the FIM Portal from being affected by an excess amount of Dynamic groups being created, this affects the performance of the FIM Portal. Even in Microsoft Exchange, it is advised to limit the number and size of your Dynamic groups.

You have to be a member of the Group Administrators group to see the membership of Dynamic groups. The issue though is that the Group Administrators group has rights to create and modify all security groups. The requirements we want are

  1. IT Support should be able to Manage all groups
  2. Group Owners should be able to manage their own groups including see the membership of dynamic SGs.
  3. Users can see the membership of Dynamic SGs


  1. Create a new Set that contains all the IT Support staff.
  2. Create a new Set called “My Group Administrators”. Under criteria, add

User meets any

  • Resource ID in IT Support
  • Add the FIM Portal service account to the manual-managed members, if you use the FIM portal service account to run some SG related workflows.
  1. Click ok, submit
  2. Under sets open Group Administrators, add the criteria
  • Resource ID in All People.

Remove all other Groups or people.

  1. Edit the following existing MPRs, replace Group Administrators with “My Group Administrators”

Group management: Group administrators can read attributes of group resources

Group management: Group administrators can create and delete group resources

Group management: Group administrators can update group resources

  1. Create a new MPR “My Users can read Dynamic group membership”, Requestor is Group Administrators, grant permission, check read, target resource is “All Dynamic Groups”. Resource attributes is all attributes.
  2. If you want Owners to be able to amend dynamic SG criteria, Create a new MPR “Security Group Management: Owners can read Dynamic group membership, requestor is Owner, grant permission, check modify attribute, target resource is “All Dynamic Groups”. Resource attributes is “Filter;MembershipLocked”
  3. For Users to successfully see the membership they must have read rights to the attributes selected for the SG Filter criteria. So go to the MPR, Users can see selected attributes of Others and make sure the attributes are added.

An update: If you give users read rights to “MembershipLocked” attribute of the SG and read  rights to all the criteria attributes, it should work. Regular users can view criteria membership. A lot depends on the criteria and the complexity, so take each case carefully. Now you have two solutions.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s