One of the most frequent questions on the FIM forum is ‘How to disable / remove New and Delete icons (buttons) from Users page?’
This question can be expanded to cover Distribution and Security groups’ pages and even your own custom objects like Roles or Applications. It’s obvious that many of FIM implementers want to prevent users who’re not allowed to submit such requests from clicking buttons and do not explain them why their request were denied.
I was thinking: ‘No, you can’t do this out of the box’ and ‘Buttons are not permissions dependant’ until I found this thread: http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/bd43cbae-95bf-43a2-ba5c-9f430a6f7c65 - Bingo!
Digging deeper I realized that FIM portal has 2 universal pages: CustomizedObjects.aspx and GlobalSearchResult.aspx.
The first one (CustomizedObjects) will display a page with ‘New’, ‘Delete’ and ‘Details’ icons for any objects selected in the URL, e.g. https://portal-fim/IdentityManagement/aspx/customized/CustomizedObjects.aspx?type=Application&display=Application&searchtype=e2ec8a98-4e6a-4ee8-a84b-031a4d9cb781 or https://portal-fim/IdentityManagement/aspx/customized/CustomizedObjects.aspx?type=Role&display=Role&searchtype=9acf43b8-9ed3-46a7-b53f-46acb6dbe300. The only differences in the URL as you can see are ‘type' (either custom Application or Role objects) and 'searchtype' (which is objectID of a search scope – one for ‘All Applications’ and another for ‘All Roles’). Sure you can insert type=Group (or Type=Person) in that URL and you will not see ‘Join’ or ‘Leave’ buttons within a list of groups. You also need to include ‘customized’ usage keyword to a search scope definition, e.g. for ‘All Roles’ search scope I have ‘customized, Role and basicUI’ keywords.
The second one (GlobalSearchResult) will display a page with just one icon for ‘Details’: https://portal-fim/IdentityManagement/aspx/common/GlobalSearchResult.aspx?searchtype=524ae86b-c903-4141-8746-5505b9dd44d6
Here we have to select a search scope by providing a proper objectID in the ‘searchtype’ variable.
Do not forget to add ‘GlobalSearchResult’ usage keyword to a search scope definition.
Finally add a redirecting URL to the search scope definition: ~/IdentityManagement/aspx/common/GlobalSearchResult.aspx (don’t add ‘?searchtype=<GUID>’ here)
So how all this will help us? Although buttons are still not permissions dependant you can redirect different group of users to the different pages.
Here’s how this can be done (yes, again using Usage Keyword) for Users page:
Step 1. Create a link with buttons:
Now FIM Administrators and users from ‘HR users’ set will see normal link to users page with ‘New’ and ‘Delete' buttons.
Step 2. Create a link without buttons:
Now all users except HR will see a link to GlobalSearchResult page without any buttons.
Thanks’ to Bob Tucker from the OCG for this idea with GlobalSearchResult page.
Maheshkumar S Tiwari edited Revision 4. Comment: Added tags
Eugene Sergeev edited Revision 2. Comment: restoring original authorship of this article
Peter Geelen edited Revision 1. Comment: Updated title as the post is not about FIM forum, but FIM portal buttons
Ed Price MSFT edited Original. Comment: Updated title case.
Should also add to this article that the New and Delete buttons are no longer visible for people not in the User Administrators set.
I have used the GlobalSearchResult usage key word to create custom menus for multiple object classes (specifically users and roles) where I didn't want non-admin users from being able to use the NEW button (i.e. create user/role). The side effect I have found is that the search scopes that I have configured for each menu item appear together in the Search Within dropdown box (i.e. I have a mix of role and user search scopes - presumably because they share the same UsageKeyWord). Is this a configuration error on my part or something we have to live with?
TIA.
Hi,
Thank you for this article.
The 'display' attribute seems to be optional: according to you, what is this used for? I try to hide the results on load (for a customized resource) until the user perform a search (like the AllPerson.aspx page).