How to Remove New, Delete, and Other Buttons from FIM Portal Pages

How to Remove New, Delete, and Other Buttons from FIM Portal Pages

One of the most frequent questions on the FIM forum is ‘How to disable / remove New and Delete icons (buttons) from Users page?

This question can be expanded to cover Distribution and Security groups’ pages and even your own custom objects like Roles or Applications. It’s obvious that many of FIM implementers want to prevent users who’re not allowed to submit such requests from clicking buttons and do not explain them why their request were denied.

I was thinking: ‘No, you can’t do this out of the box’ and ‘Buttons are not permissions dependant’ until I found this thread: http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/bd43cbae-95bf-43a2-ba5c-9f430a6f7c65 - Bingo!

Digging deeper I realized that FIM portal has 2 universal pages: CustomizedObjects.aspx and GlobalSearchResult.aspx.

The first one (CustomizedObjects) will display a page with ‘New’, ‘Delete’ and ‘Details’ icons for any objects selected in the URL, e.g. https://portal-fim/IdentityManagement/aspx/customized/CustomizedObjects.aspx?type=Application&display=Application&searchtype=e2ec8a98-4e6a-4ee8-a84b-031a4d9cb781 or https://portal-fim/IdentityManagement/aspx/customized/CustomizedObjects.aspx?type=Role&display=Role&searchtype=9acf43b8-9ed3-46a7-b53f-46acb6dbe300

The only differences in the URL as you can see are ‘type' (either custom Application or Role objects) and 'searchtype' (which is objectID of a search scope – one for ‘All Applications’ and another for ‘All Roles’). 

Sure you can insert type=Group (or Type=Person) in that URL and you will not see ‘Join’ or ‘Leave’ buttons within a list of groups. You also need to include ‘customized’ usage keyword to a search scope definition, e.g. for ‘All Roles’ search scope I have ‘customized, Role and basicUI’ keywords.

The second one (GlobalSearchResult) will display a page with just one icon for ‘Details’: https://portal-fim/IdentityManagement/aspx/common/GlobalSearchResult.aspx?searchtype=524ae86b-c903-4141-8746-5505b9dd44d6

Here we have to select a search scope by providing a proper objectID in the ‘searchtype’ variable.

Do not forget to add ‘GlobalSearchResult’ usage keyword to a search scope definition.

Finally add a redirecting URL to the search scope definition: ~/IdentityManagement/aspx/common/GlobalSearchResult.aspx (don’t add ‘?searchtype=<GUID>’ here)

So how all this will help us? Although buttons are still not permissions dependant you can redirect different group of users to the different pages.

Here’s how this can be done (yes, again using Usage Keyword) for Users page:

Step 1. Create a link with buttons:

  1. Go to Navigation Bar Resources page and click on Users link to edit it.
  2. Clear all usage keywords (and this link will only appear for FIM Administrators) or specify your own usage keyword, e.g. ‘HR’ – to display this link to HR users only.
  3. Check that Navigation URL points to ~/IdentityManagement/aspx/users/Users.aspx (so ‘New’ and ‘Delete’ buttons will be visible
  4. For Administrators only access stop here, for HR users continue to step 5
  5. Create a set ‘HR users’ with either dynamic or static membership
  6. Create a set ‘All HR Navigation Bar Configurations’ with a criteria-based membership: Select ‘navigation bar resource’ with ‘usage keyword contains HR
  7. Create a set ‘All HR configuration objects’ with a criteria: Resource ID in All HR Navigation Bar Configurations
  8. Create an MPR to read all configuration resources with ‘HR’ usage keyword: specify a ‘HR users’ set to Read Resources (all attributes) in ‘All HR configuration objects’ set.

Now FIM Administrators and users from ‘HR users’ set will see normal link to users page with ‘New’ and ‘Delete' buttons.

 

Step 2. Create a link without buttons:

  1. Go to Navigation Bar Resources page and click on ‘New’ button.
  2. Create another link with ‘Users’ display name and ‘NonHR’ usage keyword.
  3. Put ~/IdentityManagement/aspx/common/GlobalSearchResult.aspx?searchtype=524ae86b-c903-4141-8746-5505b9dd44d6 into Navigation URL, where searchtype contains objectID of the ‘All Users’ search scope.
  4. Create a set ‘NonHR users’ with negative membership to ‘HR users’ set
  5. Create a set for ‘All NonHR Navigation Bar Configurations’ with a criteria-based membership: Select ‘navigation bar resource’ with ‘usage keyword contains NonHR
  6. Create a set ‘All NonHR configuration objects’ with a criteria: Resource ID in All NonHR Navigation Bar Configurations
  7. Create an MPR to read all configuration resources with ‘NonHR’ usage keyword: specify a ‘NonHR users’ set to Read Resources (all attributes) in ‘All NonHR configuration objects’ set.

Now all users except HR will see a link to GlobalSearchResult page without any buttons.

 

Thanks’ to Bob Tucker from the OCG for this idea with GlobalSearchResult page.

Leave a Comment
  • Please add 8 and 6 and type the answer here:
  • Post
Wiki - Revision Comment List(Revision Comment)
Sort by: Published Date | Most Recent | Most Useful
Comments
  • Maheshkumar S Tiwari edited Revision 4. Comment: Added tags

  • Eugene Sergeev edited Revision 2. Comment: restoring original authorship of this article

  • Peter Geelen edited Revision 1. Comment: Updated title as the post is not about FIM forum, but FIM portal buttons

  • Ed Price MSFT edited Original. Comment: Updated title case.

Page 1 of 1 (4 items)
Wikis - Comment List
Sort by: Published Date | Most Recent | Most Useful
Posting comments is temporarily disabled until 10:00am PST on Saturday, December 14th. Thank you for your patience.
Comments
  • Ed Price MSFT edited Original. Comment: Updated title case.

  • Peter Geelen edited Revision 1. Comment: Updated title as the post is not about FIM forum, but FIM portal buttons

  • Eugene Sergeev edited Revision 2. Comment: restoring original authorship of this article

  • Should also add to this article that the New and Delete buttons are no longer visible for people not in the User Administrators set.

  • I have used the GlobalSearchResult usage key word to create custom menus for multiple object classes (specifically users and roles) where I didn't want non-admin users from being able to use the NEW button (i.e. create user/role).  The side effect I have found is that the search scopes that I have configured for each menu item appear together in the Search Within dropdown box (i.e. I have a mix of role and user search scopes - presumably because they share the same UsageKeyWord).  Is this a configuration error on my part or something we have to live with?

    TIA.

  • Hi,

    Thank you for this article.

    The 'display' attribute seems to be optional: according to you, what is this used for? I try to hide the results on load (for a customized resource) until the user perform a search (like the AllPerson.aspx page).

  • Maheshkumar S Tiwari edited Revision 4. Comment: Added tags

Page 1 of 1 (7 items)