ARS Workflow - Deny Adding user to group

Hi, would anyone be able to help out with this conundrum?

We have 2 x security groups that provide access to resources.

However, we want to prevent a user being a member of both groups at any one time.

So if a user is a member of Group A they are to be denied being added to Group B.

Any ideas and help greatly appreciated.

Thanks

Steve

  • This would have to be implemented as a scripted solution.

    The "Members" attribute of a Group is multi-valued and contains the DNs of all of the Users. This attribute would have to be parsed in order to perform the operation which you desired.

    The tricky part is, the $Request object which is passed when Group Memberships change would be the target Group object, not the User or Group object going into the target Group.

    Your script will have to retrieve the "members" attribute of the $DirObj object and the "members" attribute of the $Request object, then compare them to figure out what is different. The difference will be the new User or Group which is added. Then, you can use the "-Match" conditional operator to see if that User or Group already exists in the other Group of interest.

    It's possible, but complicated.
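The comparison the answer above describes, written out as an added PowerShell example that is not code from the thread or from Quest. It assumes the Active Roles script policy conventions of an `onPreModify($Request)` handler, `$Request` and `$DirObj` objects exposing `Get("member")` and `IsAttributeModified`, and that throwing inside the pre-event handler rejects the request; the group DNs are placeholders. The two helper functions are plain PowerShell and can be run offline against constructed DN lists.

```powershell
# Added example: mutual-exclusion check for two security groups.
# Assumptions (not confirmed by the thread): onPreModify handler name,
# $Request/$DirObj with Get("member") and IsAttributeModified(), and
# that a thrown exception in a pre-modify handler denies the request.

# Placeholder DNs for the two mutually exclusive groups.
$GroupA_DN = 'CN=Group A,OU=Groups,DC=example,DC=com'
$GroupB_DN = 'CN=Group B,OU=Groups,DC=example,DC=com'

function Get-NewMembers {
    # Returns the DNs present in the requested member list but not in the
    # current one, i.e. the additions. Removals are ignored on purpose.
    param(
        [string[]]$CurrentMembers,    # what $DirObj reports today
        [string[]]$RequestedMembers   # what $Request wants the group to contain
    )
    # "member" is multi-valued; a single value may arrive as a bare string and
    # an empty group as $null, so normalise both sides to arrays of non-empty DNs.
    $current   = @($CurrentMembers   | Where-Object { $_ })
    $requested = @($RequestedMembers | Where-Object { $_ })
    @($requested | Where-Object { $current -notcontains $_ })
}

function Test-MembershipConflict {
    # Returns the subset of $NewMembers that already belong to the other group.
    # -contains does an exact, case-insensitive string comparison. -match would
    # treat the DN as a regular expression, so DNs containing '(', ')' or '+'
    # would break it and partial matches would give false positives.
    param(
        [string[]]$NewMembers,
        [string[]]$OtherGroupMembers
    )
    $other = @($OtherGroupMembers | Where-Object { $_ })
    @($NewMembers | Where-Object { $other -contains $_ })
}

function onPreModify($Request) {
    # Only groups, and only when the request actually touches "member".
    if ($Request.Class -ne 'group') { return }
    if (-not $Request.IsAttributeModified('member')) { return }

    # Work out which of the two groups is being modified and which is "the other".
    $thisDN = $DirObj.Get('distinguishedName')
    $otherDN = switch ($thisDN) {
        $GroupA_DN { $GroupB_DN }
        $GroupB_DN { $GroupA_DN }
        default    { return }      # not one of the two guarded groups
    }

    $added = Get-NewMembers -CurrentMembers   @($DirObj.Get('member')) `
                            -RequestedMembers @($Request.Get('member'))
    if ($added.Count -eq 0) { return }

    # Read the other group's direct members. EDMS:// routes the read through
    # Active Roles; LDAP:// would read Active Directory directly. Note that this
    # only sees direct members, so membership obtained through nested groups is
    # not detected by this check.
    $otherGroup = [ADSI]"EDMS://$otherDN"
    $conflicts = Test-MembershipConflict -NewMembers $added `
                                         -OtherGroupMembers @($otherGroup.Get('member'))

    if ($conflicts.Count -gt 0) {
        # Denying the request; the message is what the requester sees.
        throw "Cannot add $($conflicts -join ', ') to '$thisDN': already a member of '$otherDN'."
    }
}

# Offline demonstration of the two helpers with constructed DNs.
$current   = @('CN=Alice,OU=Users,DC=example,DC=com')
$requested = @('CN=Alice,OU=Users,DC=example,DC=com',
               'CN=Bob (Contractor),OU=Users,DC=example,DC=com')
$groupB    = @('CN=Bob (Contractor),OU=Users,DC=example,DC=com')
$added     = Get-NewMembers -CurrentMembers $current -RequestedMembers $requested
Test-MembershipConflict -NewMembers $added -OtherGroupMembers $groupB
```

The demonstration deliberately uses a DN with parentheses: with `-contains` it is flagged as a conflict, whereas a `-match` comparison would throw a regex error or silently miss it. If users can also reach Group B through nested groups, replace the direct `member` read with a transitive membership query; otherwise the policy only enforces exclusion between direct members.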