Answered

Unable to install Event Broker Changes Activity due to PermissionDeniedException

Shane Day (Chief Technology Officer) 7 years ago • updated by anonymous 3 years ago

Unable to install Event Broker Changes Activity due to PermissionDeniedException.

I am logged in as the FIMService account, which is also an administrator of the FIM Portal.

When I run the ConfigureEventBrokerChangesActivity.ps1 script I get the following error:

Import-FIMConfig : Failure when making web service call.
SourceObjectID = dc42094d-0f86-4035-8a98-38b3520669c9
Error = Microsoft.ResourceManagement.WebServices.Client.PermissionDeniedException: Policy prohibits the request from co
mpleting. ---> Microsoft.ResourceManagement.WebServices.Faults.ServiceFaultException: Policy prohibits the request from
 completing.
   at Microsoft.ResourceManagement.WebServices.ResourceFactoryClient.Create(Message request)
   at Microsoft.ResourceManagement.WebServices.ResourceFactoryClient.Create(Create createBody)
   at Microsoft.ResourceManagement.WebServices.Client.ResourceTemplate.CreateResource()
   --- End of inner exception stack trace ---
   at Microsoft.ResourceManagement.WebServices.Client.ResourceTemplate.CreateResource()
   at Microsoft.ResourceManagement.WebServices.ResourceManager.CreateResource()
   at Microsoft.ResourceManagement.Automation.ImportConfig.Create(String objectType, List`1 changeList)
   at Microsoft.ResourceManagement.Automation.ImportConfig.EndProcessing()
At C:\Program Files\UNIFY Solutions\Event Broker\Portal Workflow\ConfigureEventBrokerChangesActivity.ps1:67 char:27
+ $fimAIC | Import-FIMConfig <<<<
    + CategoryInfo          : InvalidOperation: (:) [Import-FIMConfig], InvalidOperationException
    + FullyQualifiedErrorId : ImportConfig,Microsoft.ResourceManagement.Automation.ImportConfig

Is there anything that I am missing? My assumption is that the administrator account should have permission to do this. If this is not true, then we should document how to change this permission.


policy workflow general.png
policy workflow policy workflows.png
policy workflow requestors and operations.png
policy workflow target resources.png
request details applied policy.png
request details detailed content.png
request details general.png
search results denial.png

I also tried running PowerShell in Administrator mode - same result.

Attached some screen shots showing the request denial. I think there may be something in the Action Workflows: No to look into.

Attached screenshots of the policy workflow that denied the request to add the workflow action.

I've had a bit of a look at this. FIM Portal is a little different in that being an administrator doesn't necessarily give you full rights to everything by default. The MPR you have selected dealing with having full rights to configuration resources I would imagine should have given you permission to do so. In one of our environments, we also have an MPR called "Web service can create activity information configuration" - it has been quite some time so I am unsure if this was included by default. The target resource definitions only address "All Activity Information Configurations". Will continue investigating, but it may be that Activity Information Configurations are not included in the set you have selected, but I will be sure to check.

Shane,

The All Configuration Resources set defined in that MPR does contain the Activity Information Configurations set; however, I notice that it applies to a specific set of attributes - some of which, such as Resource ID (strangely), are not included in the specified resources (at least in the default settings I have for this MPR). Could you attempt to add any of the fields that are missing from the "Select Specific Attributes" screen that are being added in the AIC as seen in your "request details detailed content" screenshot, and try again?

Please assign back to me with the outcome of this so I can update the documentation accordingly if this is the issue. The effect of the MPR in our test environment is that an administrator can add any field for an AIC (All Attributes is selected under Target Resources).

The issue is very common in that the default MPRs in a FIM Portal environment do not allow AIC creation. The documentation has been updated in the troubleshooting section and also in the installation guide. Please confirm if appropriate.
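
The attribute-coverage check discussed in this thread, as an added example that is not part of the original posts or of UNIFY's scripts: it does a read-only export of the Management Policy Rules and reports, for each enabled rule that grants Create, the target set and which requested attributes the rule does not cover. The endpoint URI and the `$requested` attribute list are assumptions; the helper names `Get-FimValues` and `Get-SetName` are hypothetical.

```powershell
Add-PSSnapin FIMAutomation -ErrorAction Stop
$uri = 'http://localhost:5725/ResourceManagementService'  # assumption: local default endpoint

# Assumption: attributes submitted by the denied Create request. Replace with the
# names shown in your own request's detailed content.
$requested = 'ObjectType', 'DisplayName', 'Description', 'ActivityName', 'AssemblyName',
             'TypeName', 'IsActionActivity', 'IsAuthenticationActivity',
             'IsAuthorizationActivity', 'IsConfigurationType'

function Get-FimValues($exportObject, [string]$name) {
    # Return an attribute's values as an array, single- or multi-valued alike.
    $attr = $exportObject.ResourceManagementObject.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq $name }
    if (-not $attr) { return @() }
    if ($attr.IsMultiValue) { return @($attr.Values) }
    return @($attr.Value)
}

function Get-SetName([string]$reference) {
    # Resolve a 'urn:uuid:<guid>' reference to the Set's DisplayName.
    if (-not $reference) { return '' }
    $id = $reference -replace '^urn:uuid:', ''
    $set = Export-FIMConfig -Uri $uri -OnlyBaseResources -CustomConfig "/Set[ObjectID='$id']"
    if ($set) { @(Get-FimValues $set 'DisplayName')[0] } else { $reference }
}

# Read-only export of every MPR, then filter client-side.
$mprs = Export-FIMConfig -Uri $uri -OnlyBaseResources -CustomConfig '/ManagementPolicyRule'
foreach ($mpr in $mprs) {
    if (@(Get-FimValues $mpr 'GrantRight') -notcontains 'True') { continue }  # grants nothing
    if (@(Get-FimValues $mpr 'Disabled') -contains 'True') { continue }       # switched off
    if (@(Get-FimValues $mpr 'ActionType') -notcontains 'Create') { continue }

    $allowed = @(Get-FimValues $mpr 'ActionParameter')
    # '*' means all attributes; otherwise list what the rule leaves uncovered.
    $missing = @()
    if ($allowed -notcontains '*') {
        $missing = @($requested | Where-Object { $allowed -notcontains $_ })
    }

    New-Object PSObject -Property @{
        MPR               = @(Get-FimValues $mpr 'DisplayName')[0]
        TargetSet         = Get-SetName (@(Get-FimValues $mpr 'ResourceFinalSet')[0])
        MissingAttributes = $missing -join ', '
    }
}
```

The script does not evaluate set membership or the requestor set: a row with an empty MissingAttributes column only permits the request if its TargetSet contains Activity Information Configurations and the account running the install is in the rule's requestor set.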