When troubleshooting, I sometimes need to find the MPR that grants permission to an attribute. The script below issues a query to FIM to find the MPRs that grant access to the attribute.
‘ActionParameter’ is an interesting case because on the surface it looks like it should be a reference: the UI provides a dialog that resembles the identity picker. The attribute is not a reference though; as you can see in the output below, it comes out as a string. Compare this to the other attributes in the MPR that are indeed references, such as Creator and PrincipalSet.
In the sample below I use an extra variable to stretch out the XPath filter. I find this much easier to read than cramming the filter into a one-liner.
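```powershell
# Export-FIMConfig comes from the FIMAutomation snap-in; Convert-FimExportToPSObject
# must already be loaded from the module that provides it.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

# XPath filter: MPRs that grant rights and list the attribute in ActionParameter
$filter = @"
/ManagementPolicyRule
[
    ActionParameter = 'HasAccessToStuff'
    and GrantRight = 'True'
]
"@

Export-FIMConfig -Only -CustomConfig $filter |
Convert-FimExportToPSObject
```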
```
ObjectID : urn:uuid:7a797e38-ad64-4001-8c24-9a872826c2d4
```
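A parameterised version of the query above, added here as an example and not part of the original post. The function names `New-MprAttributeFilter` and `Get-MprGrantingAttribute` are hypothetical, the attribute-name allowlist is an assumption, and the optional `'*'` match assumes that MPRs granting rights on all attributes store `*` in ActionParameter.

```powershell
# Added example. Assumes the FIMAutomation snap-in and Convert-FimExportToPSObject
# (both used in the post) are already loaded in the session.

function New-MprAttributeFilter {
    # Hypothetical helper: builds the XPath filter for MPRs granting access to one attribute.
    param(
        [Parameter(Mandatory = $true)] [string] $AttributeName,
        [switch] $IncludeAllAttributes   # also match MPRs that cover every attribute ('*')
    )

    # Assumed allowlist for attribute system names. Rejecting anything else keeps
    # quotes and brackets out of the XPath string built below.
    if ($AttributeName -notmatch '^[A-Za-z_][A-Za-z0-9_-]*$') {
        throw "Unexpected attribute name: '$AttributeName'"
    }

    $match = "ActionParameter = '$AttributeName'"
    if ($IncludeAllAttributes) {
        $match = "($match or ActionParameter = '*')"
    }

    # Same shape as the filter in the post, stretched over several lines for readability.
    return @"
/ManagementPolicyRule
[
    $match
    and GrantRight = 'True'
]
"@
}

function Get-MprGrantingAttribute {
    # Hypothetical helper: runs the filter and keeps the properties useful in an access review.
    param(
        [Parameter(Mandatory = $true)] [string] $AttributeName,
        [switch] $IncludeAllAttributes
    )

    $filter = New-MprAttributeFilter @PSBoundParameters
    Write-Verbose "XPath filter:`n$filter"

    Export-FIMConfig -Only -CustomConfig $filter |
        Convert-FimExportToPSObject |
        Select-Object DisplayName, Disabled, ActionType, ActionParameter, PrincipalSet, ObjectID
}

# Usage with the attribute name from the post:
# Get-MprGrantingAttribute -AttributeName 'HasAccessToStuff' -IncludeAllAttributes | Format-List
```

PrincipalSet comes back as a reference (an ObjectID), so the set name still has to be looked up separately, while ActionParameter is returned as plain strings.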