When troubleshooting sometimes I need to find the MPR that grants permission to an attribute. The script below just issues a query to FIM to find the MPRs that grant access to the attribute.
‘ActionParameter’ is an interesting case because on the surface it looks like it should be a reference, because the UI provides a dialog that resembles the identity picker. The attribute is not a reference though, as you can see in the output below it comes out as a string. Compare this to the other attributes in the MPR that are indeed references, such as Creator and PrincipalSet.
In the sample below I use an extra variable to stretch out the XPath filter. I find this much easier to read, instead of cramming the filter into a one-liner.
ObjectID : urn:uuid:7a797e38-ad64-4001-8c24-9a872826c2d4