ARS Workflow - Deny Adding user to group

Hi, would anyone be able to help out with this conundrum?

We have 2 x security groups that provide access to resources.

However, we want to prevent a user being a member of both groups at any one time.

So if a user is a member of Group A they are to be denied being added to Group B.

Any ideas and help greatly appreciated.

Thanks

Steve

  • At first glance, perhaps if they were Dynamic Groups, you could achieve this via rules, e.g.

    Group A: "Exclude Group Members from Group B"
    Group B: "Exclude Group Members from Group A"

    It's just a quick thought for your consideration.
  • Like the idea, but the use of dynamic groups wouldn't work in the scenario we are needing.

    Thank you
  • This would have to be implemented as a scripted solution.

    The "Members" attribute of a Group is multi-valued and contains the DNs of all of the Users. This attribute would have to be parsed in order to perform the operation which you desired.

    The tricky part is, the $Request object which is passed when Group Memberships change would be the target Group object, not the User or Group object going into the target Group.

    Your script will have to retrieve the "members" attribute of the $DirObj object and the "members" attribute of the $Request object, then compare them to figure out what is different. The difference will be the new User or Group which is added. Then, you can use the "-Match" conditional operator to see if that User or Group already exists in the other Group of interest.

    It's possible, but complicated.
  • Terrance is right. This is tricky.

    My algorithm would look like this:

    Set up an OnPreModify script handler

    Grab the proposed members from $Request

    Store the proposed members in a temporary array - e.g. $ProposedMembers

    Iterate through the members in $ProposedMembers

    Is this person already a member of the 'opposite' group?

    If yes, remove them from the $ProposedMembers array and log this

    If no, move on to the next member

    When done iterating, substitute your new $ProposedMembers for the original members array in the $Request.

    The section in the SDK about "Getting In-Process Property Values" will be helpful to you.
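
    JohnnyQuest's algorithm as an Active Roles PowerShell script module, added here as an example and not code from the thread or from the product SDK; by iterating every proposed member it also performs the $Request-versus-opposite-group comparison Terrance describes. Assumed: the group attribute is the standard `member`, $Request and $DirObj expose the ADSI-style Get/GetEx/PutEx methods, the two group DNs are placeholders for your own groups, and the event-log source name is a placeholder.

```powershell
# Added example: OnPreModify handler that strips members who already belong to
# the paired ("opposite") group from the proposed member list before it is applied.
$ADS_PROPERTY_CLEAR  = 1
$ADS_PROPERTY_UPDATE = 2

# Each group maps to the group it must never overlap with (placeholder DNs, assumption).
$MutuallyExclusive = @{
    'CN=Group A,OU=Groups,DC=example,DC=com' = 'CN=Group B,OU=Groups,DC=example,DC=com'
    'CN=Group B,OU=Groups,DC=example,DC=com' = 'CN=Group A,OU=Groups,DC=example,DC=com'
}

# Read a multi-valued attribute as a string array; an unset attribute throws, so treat it as empty.
# Caveat: groups above the server's value-range limit (1500 by default) need ranged retrieval.
function Get-MultiValue($Object, $Attribute) {
    try { return [string[]]@($Object.GetEx($Attribute)) } catch { return [string[]]@() }
}

function onPreModify($Request) {
    if ($Request.Class -ne 'group') { return }
    $targetDN   = $DirObj.Get('distinguishedName')
    $oppositeDN = $MutuallyExclusive[$targetDN]
    if (-not $oppositeDN) { return }                      # not one of the paired groups

    # In-process value: only present when this request changes membership (assumed API).
    try { $proposed = [string[]]@($Request.GetEx('member')) } catch { return }

    $opposite = Get-MultiValue ([ADSI]"LDAP://$oppositeDN") 'member'

    # Keep only proposed members who are not already in the opposite group.
    # -contains compares whole strings case-insensitively; -match would treat the DN as a regex.
    $allowed = New-Object System.Collections.Generic.List[string]
    foreach ($dn in $proposed) {
        if ($opposite -contains $dn) {
            # Event-log source name is a placeholder (assumption).
            [System.Diagnostics.EventLog]::WriteEntry('ActiveRolesPolicy',
                "Refused adding $dn to $targetDN: already a member of $oppositeDN")
        } else {
            $allowed.Add($dn)
        }
    }
    if ($allowed.Count -eq $proposed.Count) { return }    # nothing was removed

    # Substitute the filtered list for the proposed member attribute in the request.
    if ($allowed.Count -eq 0) {
        $Request.PutEx($ADS_PROPERTY_CLEAR, 'member', $null)
    } else {
        $Request.PutEx($ADS_PROPERTY_UPDATE, 'member', [string[]]$allowed)
    }
}
```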
  • I like JohnnyQuest's method better than mine. His would add a redundancy check for all Users every single time a User was added. Mine only checks upon addition, for that specific User.
  • Thanks for the above advice.

    I knew this would not be an easy solution.