
Policy to block circular nesting of group?

Hi,

I desire to prevent people from circular nesting groups.

I thought this was a built-in policy but am unable to find it now. It seems like a very basic task that administrators should be able to turn on, so I'm hoping there is a supported policy for this already and we don't have to custom make one.

If anyone custom made one and is willing to share their policy also, would much appreciate it.

I'm debating the best way this should be approached: a policy on edit so that, if Group1 is being edited to add Group2 as a member, it gets Group1's recursive membership and ensures Group2 is not listed in the results.

That's about it, right? 

Thanks,

  • Sorry, but I can confirm that there is no built-in policy to accomplish this. I don't believe that it would be possible in a Workflow either. I am fairly certain that it would have to be custom scripted. I'll test a few things in my lab and see if I can come up with a supported option.
  • Since it is possible to add more than one Group in a single transaction, this will need to be scripted. It's not possible to pull apart and parse the requested changes in a Workflow.
  • I would caution that it might not be wise to make this part of a policy script per se, as I believe that executing this live for every group change transaction could be performance-hampering for the AR service. Rather, I would suggest that it would be better implemented as a scheduled task script run periodically against changed groups that have been flagged for checking in some way (for example, a virtual attribute).
  • You could use something like the following to make sure the check is only running when members are being added:

    function onPreModify($Request)
    {
        # Only group objects can be nested, so leave every other class alone.
        if($Request.Class -ne "group"){return}

        # Walk the properties carried by this modify request.
        for($i = 0; $i -lt $Request.PropertyCount; $i++){
            $item = $Request.Item($i)
            if($item.Name -eq "member"){
                # ControlCode tells us whether values are being appended,
                # deleted, or replaced; only appends can introduce a loop.
                $Operation = $item.ControlCode
                if($Operation -eq $Constants.ADS_PROPERTY_APPEND)
                {
                    # Member(s) being added; perform checking here.
                    # Note that several members may be appended in one
                    # request, so every value in $item must be checked.
                }
            }
        }
    }
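As an added illustration of the check itself (this is not code from the thread, the Active Roles product, or any of the posters), the function below decides whether appending one group to another would close a loop. It runs against a constructed in-memory table of direct memberships so it can be tried anywhere; the group names, the table, and the function names are invented for the example. The walk starts at the candidate member: adding NewMember to Group is circular exactly when Group is already reachable from NewMember through member edges (or NewMember is Group itself). That is the same question as asking whether NewMember appears in Group's recursive memberOf chain, just answered from the other side. A visited set keeps the walk finite even if the directory already contains a loop.

```powershell
# Added example, not from the original thread. Constructed sample data:
# each key is a group, each value its DIRECT members. Nested chain:
# Sales -> Sales-East -> Sales-East-Leads. 'Users' stands alone.
$DirectMembers = @{
    'Sales'            = @('Sales-East', 'Sales-West')
    'Sales-East'       = @('Sales-East-Leads')
    'Sales-East-Leads' = @()
    'Sales-West'       = @()
    'Users'            = @()
}

function Get-TransitiveMembers {
    <#
      Every group reachable from $Group by following 'member' edges.
      Uses an explicit stack and a visited set, so an already-circular
      membership in the data cannot make the walk loop forever.
    #>
    param(
        [Parameter(Mandatory)] [hashtable] $Graph,
        [Parameter(Mandatory)] [string]    $Group
    )
    $visited = New-Object 'System.Collections.Generic.HashSet[string]'
    $stack   = New-Object 'System.Collections.Generic.Stack[string]'
    $stack.Push($Group)
    while ($stack.Count -gt 0) {
        $current = $stack.Pop()
        if (-not $Graph.ContainsKey($current)) { continue }
        foreach ($child in $Graph[$current]) {
            # HashSet.Add returns $false for a group we have already seen.
            if ($visited.Add($child)) { $stack.Push($child) }
        }
    }
    return @($visited)
}

function Test-WouldCreateCycle {
    <#
      $true when appending $NewMember to $Group would close a loop, i.e.
      when $Group is already reachable from $NewMember, or the two are
      the same group (self-membership).
    #>
    param(
        [Parameter(Mandatory)] [hashtable] $Graph,
        [Parameter(Mandatory)] [string]    $Group,
        [Parameter(Mandatory)] [string]    $NewMember
    )
    if ($NewMember -eq $Group) { return $true }
    $reachable = Get-TransitiveMembers -Graph $Graph -Group $NewMember
    return ($reachable -contains $Group)
}

# Demo on the constructed data: one harmless add and two loop cases.
$cases = @(
    @{ Group = 'Sales-East-Leads'; NewMember = 'Users' }      # no loop
    @{ Group = 'Sales-East-Leads'; NewMember = 'Sales' }      # Sales -> ... -> Sales-East-Leads -> Sales
    @{ Group = 'Sales-West';       NewMember = 'Sales-West' } # self-membership
)
foreach ($c in $cases) {
    $blocked = Test-WouldCreateCycle -Graph $DirectMembers -Group $c.Group -NewMember $c.NewMember
    $verdict = if ($blocked) { 'BLOCK (circular)' } else { 'allow' }
    '{0,-16} += {1,-16} -> {2}' -f $c.Group, $c.NewMember, $verdict
}
```

In a live policy script the hashtable would be replaced by a directory lookup: inside the ADS_PROPERTY_APPEND branch of the handler above, each value being appended would be resolved to its indirect membership (for instance with the Active Roles cmdlet Get-QADGroupMember and its -Indirect switch) and the request failed if the target group appears in that set. Because several groups can be appended in one transaction, as the second reply notes, the check has to run for every appended value, not just the first. The performance concern raised in the third reply applies to that lookup rather than to the walk itself; the same Test-WouldCreateCycle logic can be driven from a scheduled script over flagged groups instead of from onPreModify.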