Whilst the SSPR Unlock Delegation configuration is explained quit accurate in the TechNet article I referenced in my previous post, the UI configuration is completely left aside. Out of the box the Helpdesk group in this scenario is not part of the administrator set. Why else would you delegate then? Hence they don’t have the “Unlock Users” links. This post will explain how to create the necessary sets and Management Policy Rules (MPRs) so that people who are in the Helpdesk set can unlock users from SSPR.

1. All UI elements, like Home Page configurations and Navigation Bar resources, can be combined in a set by adding a specific keyword to these resources. This keyword is called the “Usage Keyword”. Out of the box you have several UI resources. By adding you keyword of choice to a subset of these resources, you can create a dynamic set which contain the resources of these subset.

   • Usage Keyword of choice: helpdeskUI

2. Now it’s time to configure the necessary Home Page configurations with the chosen Usage Keyword. In the Administration section of the portal you can find the Home Page Configurations section, for each of the referenced configurations, add the keyword helpdeskUI to the Usage Keyword (first tab of the properties) .

   1. Administration
   2. Unlock Users

3. The previous step will show the Unlock Users shortcut below the Administration in the right hand side of the Portal homepage. If you want to add this shortcut to the navigation bar on the left side, follow the following steps:

   1. Go to Administration
   2. Choose Navigation Bar Resources
   3. Click New to Create a new Navigation Bar Resource and use the following parameters:
      • Display Name: Unlock Users
      • Usage Keyword: helpdeskUI
      • Parent Order: 3 (So it’s shown below the Users Navigation resource)
      • Order: 4
      • Navigation Url: ~/IdentityManagement/aspx/authnadmin/AllAuthNUsers.aspx
      • Localization: if you got Language Packs installed, you can copy these values from the Home Page Configuration “Unlock Users”

4. Create the necessary sets: to be able to see something in the portal, you have to be granted permissions to the UI elements. To be able to grant permissions, you need sets: one to define who you are granting permissions to, and one to define who/which the permissions will apply for.

   • Helpdesk
     • Manually managed, contains users which are part of the Helpdesk team
   • All Helpdesk Home Page Configurations
     • Criteria-based membership
     • All Home Page Configurations that match All of the following :
     • Usage Keyword contains helpdeskUI
   • All Helpdesk Navigation Bar Configurations
     • Criteria-based membership
     • All Navigation Bar Resources that match All of the following :
     • Usage Keyword contains helpdeskUI
   • All Helpdesk Configuration Objects:
     • Criteria-based membership
     • All Resources that match Any of the following:
     • Resource ID in All Helpdesk Home Page Configurations
     • Resource ID in All Helpdesk Navigation Bar Configurations
   • These sets are constructed just like the FIM out of the box UI for regular users:

5. Now we have created the base elements for configuring the UI elements and the MPRs. Although the sets are populated, we still have to configure the actual granting of permissions:

• Go to Management Policy Rules
• Choose New and use the following parameters:
• Type: request
• Specific Set of Requestors: Helpdesk
• Operation:Read resource
• Permissions: Grants permission
• Target Resource Definition After Request: All Helpdesk Configuration Objects
• Resource attributes: All attributes
6. Execute IISRESET on your portal server

If we want to test the above scenario, all we have to do is add a user to the set Helpdesk. After logging on to the portal this user will have the required UI elements to search for users and unlock them if necessary.