Microsoft Identity Integration Server 2003 graphic

Using security groups

Microsoft Identity Integration Server 2003 creates three groups during installation that control which tasks in Identity Manager that users can perform. The following groups are created by Microsoft Identity Integration Server 2003:

MIISAdmins—Members of this group have full access to everything in Identity Manager.
MIISOperators—Members of this group have access to Operations in the Identity Manager only. MIISOperators can run management agents, view synchronization statistics for each run, and save the run histories to a file. Members of the MIISOperators group must also be members of the MIISBrowse group to open links in synchronization statistics.
MIISJoiners—Members of this group have access to Joiner and Metaverse Search in Identity Manager. MIISJoiners can join or project disconnectors by using Joiner, and they can use Metaverse Search to view object properties and disconnect objects from the metaverse.

Note

During installation and setup, Microsoft Identity Integration Server 2003 adds the user account that is running the installation to the MIISAdmins group, but only if the MIISAdmins group is also created during setup. If you specify a preexisting group during setup, the user account that is running the installation will not be added to the preexisting group.

Microsoft Identity Integration Server 2003 also creates two security groups during installation that do not have access to Identity Manager but are used for authentication during password management operations:

MIISBrowse—Members of this group have permission to gather information about a user's lineage when resetting passwords by using Windows Management Instrumentation (WMI) queries.
MIISPasswordSet—Members of this group have permission to perform all operations by using the password management interfaces with WMI. Members in this group inherit all MIISBrowse permissions. For more information about setting passwords by using WMI, see the Microsoft Identity Integration Server 2003 Developer Reference.

The following table lists the rights to the default Microsoft Identity Integration Server 2003 folders that are granted to each group.

Folder	Group	Rights	Group	Rights
Program Files\Microsoft Identity Integration Server	MIISAdmins	Full	MIISJoiners MIISOperators MIISBrowse MIISPasswordSet	Read and Execute List folder Contents Read
Program Files\Microsoft Identity Integration Server\Bin	MIISAdmins	Full	MIISJoiners MIISOperators MIISBrowse MIISPasswordSet	Read and Execute List folder Contents Read
Program Files\Microsoft Identity Integration Server\Data	MIISAdmins	Full	MIISJoiners MIISOperators MIISBrowse MIISPasswordSet	None
Program Files\Microsoft Identity Integration Server\Documentation	MIISAdmins	Full	MIISJoiners MIISOperators MIISBrowse MIISPasswordSet	Read and Execute List folder Contents Read
Program Files\Microsoft Identity Integration Server\Extensions	MIISAdmins	Full	MIISJoiners MIISOperators MIISBrowse MIISPasswordSet	None
Program Files\Microsoft Identity Integration Server\MaData	MIISAdmins	Full	MIISJoiners MIISOperators MIISBrowse MIISPasswordSet	None
Program Files\Microsoft Identity Integration Server\UIShell	MIISAdmins	Full	MIISJoiners MIISOperators MIISBrowse MIISPasswordSet	Read and Execute List folder Contents Read

Important

The local computer administrator account also has full rights to all Microsoft Identity Integration Server 2003 folders.

You can control access to Microsoft Identity Integration Server 2003 functions through membership in these groups. When you need to grant or revoke a user's access to Microsoft Identity Integration Server 2003, these groups provide a simple, single point of administration.

Note

You can view the members of each of the Microsoft Identity Integration Server 2003 security groups by using MIISSecurityGroupInfo in the Resource Tool Kit for Microsoft Identity Integration Server 2003, an unsupported set of tools available on the Microsoft Download Center.

Local computer groups and domain local groups

By default, Microsoft Identity Integration Server 2003 setup creates these groups as local computer groups, rather than domain local groups. Local computer groups are known only to that server, whereas domain local groups can be recognized throughout the domain. There might be cases where you need to use domain local groups for these roles. For example, the following situations demonstrate why you might need to use domain local groups:

If you plan to have two servers running Microsoft Identity Integration Server 2003 share a database for the purposes of redundancy, it is recommended that the same users be members of the security groups that you create, and that they be recognized as such by Microsoft Identity Integration Server 2003. You can accomplish this by using domain local groups.
If Microsoft Identity Integration Server 2003 management is distributed across the organization, using domain local groups enables you to grant access to the appropriate people within your organization.
If the Microsoft Identity Integration Server 2003 configuration needs to be moved from one server to another, using domain local groups enables you manage access from a single location.
If your log files from other systems are located on other servers or in folders that are not accessible to Microsoft Identity Integration Server 2003, you can use domain local groups to control access to these folders and remote servers.
If you are enabling password synchronization on Microsoft Identity Integration Server 2003, you must use a domain account for the Microsoft Identity Integration Server 2003 service account.

Important

If you plan to use domain local groups, create the groups before installing Microsoft Identity Integration Server 2003. For more information about creating domain local groups in Active Directory, see Windows Server 2003, Enterprise Edition Help.