Thursday, September 13, 2012

Minimum set of search scope attributes to allow users to read other users

This one took me a while to track down.  I created a search scope in the FIM portal that lets managers (and their assistants) read their direct reports and their direct reports' direct reports.  (I.e. a user may be read by her manager and her manager's manager, as well as by an assistant of either.)  Then I created an MPR granting those managers Read permission on these reports.  The trouble is, if you don't want to select All Attributes under Target Resources - Resource Attributes (which would let the managers read every attribute on those objects, not just the ones the scope needs), what is the minimum set of attributes you have to grant in order for the search scope to work?

In fact, I never did find the answer in any official documentation.  Instead, I stumbled on it in a forum thread, courtesy of Brad Turner's impressive tribal knowledge of the product.  Here's Brad's answer:
"Correct, users will need rights to Read the scope and any object returned in the scope including the attributes you list in the ColumnsToDisplay as well as the ObjectID and ObjectType even though it may not be displayed. It's typically ColumnsToDisplay + any attributes in the query filter."
Also, in case you're wondering, here's the XPath I used for the search scope.  Applying Brad's rule to it: the filter references only Manager and Assistant, so the MPR's Resource Attributes must include ObjectID, ObjectType, Manager and Assistant, plus whatever the scope lists in ColumnsToDisplay; nothing else needs to be readable for the scope to return results.

/Person[Manager = '%LoginID%'] |
/Person[Manager = /Person[Manager ='%LoginID%']] |
/Person[Manager = /Person[Assistant = '%LoginID%']] |
/Person[Manager = /Person[Manager = /Person[Assistant = '%LoginID%']]]
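Brad's rule is easy to state and easy to get wrong by hand once a filter has several predicates, so here is a small checker that applies it mechanically. This is an added example, not code from the original post or from FIM itself: it pulls the attribute names out of the predicates of a FIM XPath filter, unions them with ColumnsToDisplay and the always-required ObjectID and ObjectType, and reports which of those the MPR's Resource Attributes selection is still missing. The XPath is the scope filter above; the display columns and the MPR attribute list are constructed sample values, and the regular expressions assume the FIM XPath dialect (comparisons plus starts-with, ends-with and contains), which is an assumption rather than a complete parser.

```python
import re

# FIM needs Read on these two for every object the scope returns, even
# when neither is displayed (per Brad's rule quoted above).
ALWAYS_REQUIRED = {"ObjectID", "ObjectType"}

# Attribute on the left-hand side of a comparison: Manager = '...', Department != 'HR'
_COMPARISON = re.compile(r"\b([A-Za-z_]\w*)\s*(?:!=|<=|>=|=|<|>)")
# Attribute as first argument of the string functions FIM's XPath dialect accepts
_STRING_FUNC = re.compile(r"\b(?:starts-with|ends-with|contains)\(\s*([A-Za-z_]\w*)")
# Single-quoted literals, including the '%LoginID%' placeholder
_QUOTED = re.compile(r"'[^']*'")


def attributes_in_filter(xpath):
    """Return the set of attribute names referenced by the predicates of a FIM XPath filter."""
    # Blank out quoted literals first so that '%LoginID%' or a literal that
    # happens to contain '=' is never mistaken for an attribute name.
    stripped = _QUOTED.sub("''", xpath)
    return set(_COMPARISON.findall(stripped)) | set(_STRING_FUNC.findall(stripped))


def minimum_read_set(xpath, columns_to_display):
    """Smallest Resource Attributes selection under which the scope works:
    ObjectID + ObjectType + ColumnsToDisplay + every attribute in the filter."""
    return ALWAYS_REQUIRED | set(columns_to_display) | attributes_in_filter(xpath)


def missing_from_mpr(xpath, columns_to_display, mpr_resource_attributes):
    """Attributes the Read MPR still has to grant for this scope.

    Pass None for mpr_resource_attributes to model an MPR with All Attributes
    selected; that trivially covers the scope (at the cost of exposing every
    attribute on the target objects). An empty result means the scope will work.
    """
    if mpr_resource_attributes is None:
        return set()
    return minimum_read_set(xpath, columns_to_display) - set(mpr_resource_attributes)


# The search scope filter from the post (reports, reports' reports, and the
# same for people whose manager has the logged-in user as an assistant).
SCOPE_FILTER = (
    "/Person[Manager = '%LoginID%'] | "
    "/Person[Manager = /Person[Manager ='%LoginID%']] | "
    "/Person[Manager = /Person[Assistant = '%LoginID%']] | "
    "/Person[Manager = /Person[Manager = /Person[Assistant = '%LoginID%']]]"
)

# Constructed sample values (assumptions, not from the post): the columns the
# scope displays, and an MPR that was built from those columns plus Manager only.
COLUMNS_TO_DISPLAY = ["DisplayName", "AccountName", "Email"]
MPR_READ_ATTRIBUTES = ["DisplayName", "AccountName", "Email", "Manager"]

if __name__ == "__main__":
    need = minimum_read_set(SCOPE_FILTER, COLUMNS_TO_DISPLAY)
    gap = missing_from_mpr(SCOPE_FILTER, COLUMNS_TO_DISPLAY, MPR_READ_ATTRIBUTES)
    print("Filter references:      ", sorted(attributes_in_filter(SCOPE_FILTER)))
    print("Minimum Read set:       ", sorted(need))
    print("Missing from the MPR:   ", sorted(gap) or "nothing, the scope will work")
```

Run as a script it reports that the sample MPR is missing ObjectID, ObjectType and Assistant, which is exactly the kind of gap that makes the scope silently return nothing. The point of keeping the list minimal rather than ticking All Attributes is least privilege: the MPR is what lets a manager read other people's objects, and every attribute added to it is readable by every manager and assistant the set matches.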