Tuesday, September 13, 2011

Find Permission Granting MPRs

When troubleshooting, I sometimes need to find the MPR that grants permission to an attribute. The script below simply queries FIM for the MPRs that grant access to that attribute.

'ActionParameter' is an interesting case because on the surface it looks like it should be a reference: the UI provides a dialog that resembles the identity picker. The attribute is not a reference, though; as the output below shows, it comes out as a string. Compare this to the other attributes in the MPR that are indeed references, such as Creator and PrincipalSet.

In the sample below I use an extra variable to stretch out the XPath filter.  I find this much easier to read, instead of cramming the filter into a one-liner.


# XPath filter in a here-string: MPRs whose ActionParameter includes the
# attribute and that actually grant rights (GrantRight = 'True')
$filter = @"
/ManagementPolicyRule
[
  ActionParameter = 'HasAccessToStuff'
  and
  GrantRight = 'True'
]
"@

# Export the matching MPRs and flatten them into PowerShell objects
Export-FIMConfig -Only -CustomConfig $filter |
  Convert-FimExportToPSObject

ObjectID                 : urn:uuid:7a797e38-ad64-4001-8c24-9a872826c2d4
ActionParameter          : {AccountName, HasAccessToStuff, HoofHearted}
ActionType               : {Modify}
CreatedTime              : 9/8/2011 4:35:26 PM
Creator                  : urn:uuid:7fb2b853-24f0-4498-9534-4e10589723c4
Description              : This MPRS grants permission to IceMelted
DisplayName              : HoofHearted can Modify Access to stuff and things
GrantRight               : True
ObjectType               : ManagementPolicyRule
PrincipalSet             : urn:uuid:25a42597-1b6b-4221-b7d4-63a0a8b6a2b0
ResourceCurrentSet       : urn:uuid:8887df8e-6e84-49f2-a794-f9e9802077e0
ResourceFinalSet         : urn:uuid:8887df8e-6e84-49f2-a794-f9e9802077e0
ManagementPolicyRuleType : Request
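As an added example (not code from the original post), the same query wrapped in a function, optionally narrowed by ActionType, with the reference-typed attributes (PrincipalSet, ResourceCurrentSet, ResourceFinalSet) resolved to display names so the result reads as who may do what to which resources. It assumes the FIM snap-in and Convert-FimExportToPSObject are loaded; Find-GrantingMpr and Resolve-FimReference are names I made up, and the '*' all-attributes match and the bare-GUID ObjectID filter are assumptions.

```powershell
# Added example, not from the original post. Assumes Export-FIMConfig and
# Convert-FimExportToPSObject are available. Function names are hypothetical.

function Resolve-FimReference {
    param([string]$Reference)
    # MPRs using PrincipalRelativeToResource have no PrincipalSet; pass that through.
    if (-not $Reference) { return $null }
    # Reference values come back as 'urn:uuid:<guid>'; the XPath ObjectID
    # filter is assumed to take the bare GUID.
    $guid = $Reference -replace '^urn:uuid:', ''
    $obj = Export-FIMConfig -OnlyBaseResources -CustomConfig "/*[ObjectID='$guid']" |
        Convert-FimExportToPSObject
    if ($obj) { $obj.DisplayName } else { $Reference }
}

function Find-GrantingMpr {
    param(
        [Parameter(Mandatory=$true)][string]$AttributeName,
        [string]$ActionType = $null   # e.g. 'Modify', 'Read', 'Add', 'Remove'
    )
    $actionClause = if ($ActionType) { "and ActionType = '$ActionType'" } else { '' }
    # Same shape as the post's filter. '*' is included because an MPR that
    # grants "all attributes" is assumed to store '*' in ActionParameter and
    # would otherwise be missed by an exact-name match.
    $filter = @"
/ManagementPolicyRule
[
  (ActionParameter = '$AttributeName' or ActionParameter = '*')
  and GrantRight = 'True'
  $actionClause
]
"@
    Export-FIMConfig -OnlyBaseResources -CustomConfig $filter |
        Convert-FimExportToPSObject |
        ForEach-Object {
            New-Object PSObject -Property @{
                DisplayName        = $_.DisplayName
                ActionType         = $_.ActionType
                ActionParameter    = $_.ActionParameter
                PrincipalSet       = Resolve-FimReference $_.PrincipalSet
                ResourceCurrentSet = Resolve-FimReference $_.ResourceCurrentSet
                ResourceFinalSet   = Resolve-FimReference $_.ResourceFinalSet
            }
        }
}

# Usage: every MPR that can grant Modify on HasAccessToStuff, with sets shown by name
Find-GrantingMpr -AttributeName 'HasAccessToStuff' -ActionType 'Modify' | Format-List
```

Resolving each reference costs one extra round trip per MPR, so run it against the handful of rules the filter returns rather than across the whole MPR set.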
