Understanding the MPR Explorer

This post has been republished via RSS; it originally appeared at: Core Infrastructure and Security Blog articles.

First published on MSDN on Jun 01, 2015

Explore Management Policy Rules


The MPR Explorer is a feature in the FIM Portal that provides a method to find out what MPRs apply to a specific requestor or applied to a specific target resource. Additionally you can use the MPR explorer to search for MPR's that are configured to use a specific SET either the Requestor Set or Target Resource Set. For example, if someone is unable to access or read specific attributes of a specific object, you could use the MPR Explorer to verify that a permission-granting MPR exists for that user. If no MPR is granting permission to the requested operation, you will need to review the existing MPR configuration and consider changing it to allow that request.


Lets first navigate to the Management Policy Rule Administration Page


From the Administrators Page in the FIM Portal click on the link for Management Policy Rules.


When the MPR Administration Page loads



Towards the top you should see an icon marked Explore, click on the Explore Icon to open the MPR Explorer



Once the MPR Explorer opens you will be presented with the Find TAB



The Second Tab is the Criteria Tab which depending on what option you select within the FIND Tab would determine what options are available to be defined within the Criteria Tab.


For example by selecting:


A requestor or target resource



Set



Workflow



and finally by selecting Dynamically defined requestors




Exploring MPR's that are configured for a specific Requestor


Navigate to the MPR Explorer and select Find Management Policy Rules that apply to " A requestor or a target resource "


For Requestor type administrator (this would look up all MPR's configured to use the administrator resource within the FIM Portal.)



Click on Next or you could add additional criteria to narrow your results by defining specific operation(s) that the MPR can perform but for this example we want to see a complete list.


Notice there are 31 MPR's that are currently configured for the administrator resource which allow the administrator account to perform specific functions.





Now lets say we want to find out what MPR's give permissions to read, modify or even delete a specific resource.


From the Find Tab for the MPR Explorer


Find Management Policy Rules that apply to


" A requestor or a target resource "


Click on Next


In the Search box for Target Resource type in or select a user



Click on Next


In the Show Criteria TAB you are presented with a list of all the MPR's that are given permission to perform a specific operation against the target you entered earlier. we could have narrowed the results by adding additional criteria from the Criteria TAB.









REMEMBER: these articles are REPUBLISHED. Your best bet to get a reply is to follow the link at the top of the post to the ORIGINAL post! BUT you're more than welcome to start discussions here:

This site uses Akismet to reduce spam. Learn how your comment data is processed.