This post has been republished via RSS; it originally appeared at: Core Infrastructure and Security Blog articles.First published on MSDN on Jun 01, 2015
Explore Management Policy Rules
The MPR Explorer is a feature in the FIM Portal that provides a method to find out what MPRs apply to a specific requestor or applied to a specific target resource. Additionally you can use the MPR explorer to search for MPR's that are configured to use a specific SET either the Requestor Set or Target Resource Set. For example, if someone is unable to access or read specific attributes of a specific object, you could use the MPR Explorer to verify that a permission-granting MPR exists for that user. If no MPR is granting permission to the requested operation, you will need to review the existing MPR configuration and consider changing it to allow that request.
Lets first navigate to the Management Policy Rule Administration Page
From the Administrators Page in the FIM Portal click on the link for Management Policy Rules.
When the MPR Administration Page loads
Towards the top you should see an icon marked Explore, click on the Explore Icon to open the MPR Explorer
Once the MPR Explorer opens you will be presented with the Find TAB
The Second Tab is the Criteria Tab which depending on what option you select within the FIND Tab would determine what options are available to be defined within the Criteria Tab.
For example by selecting:
A requestor or target resource
and finally by selecting Dynamically defined requestors
Exploring MPR's that are configured for a specific Requestor
Navigate to the MPR Explorer and select Find Management Policy Rules that apply to " A requestor or a target resource "
For Requestor type administrator (this would look up all MPR's configured to use the administrator resource within the FIM Portal.)
Click on Next or you could add additional criteria to narrow your results by defining specific operation(s) that the MPR can perform but for this example we want to see a complete list.
Notice there are 31 MPR's that are currently configured for the administrator resource which allow the administrator account to perform specific functions.
Now lets say we want to find out what MPR's give permissions to read, modify or even delete a specific resource.
From the Find Tab for the MPR Explorer
Find Management Policy Rules that apply to
" A requestor or a target resource "
Click on Next
In the Search box for Target Resource type in or select a user
Click on Next
In the Show Criteria TAB you are presented with a list of all the MPR's that are given permission to perform a specific operation against the target you entered earlier. we could have narrowed the results by adding additional criteria from the Criteria TAB.