onGetEffectivePolicy not working or not understanding

Hello,

I am really new to Active Roles and perhaps I am not understanding the basics well. I have a "Provisioning Policy", and I want to check the members of a group when creating the group and when modifying the members.

I am able to do it on creation with a PowerShell script, but it does not check it on modification, and it should, as far as I know.

This is the script:

function onInit($context) {
}

# Publish a UI note for the "member" attribute of group objects.
function onGetEffectivePolicy($Request)
{
    if ($Request.Class -ne "group") { return }

    $Request.SetEffectivePolicyInfo("member", $Constants.EDS_EPI_UI_DISPLAY_NOTE, "Los mienmbros posibles son usuarios y grupos. Los grupos deben empezar por GD_")
}

# Validate each submitted member: only users and groups are allowed,
# and nested groups must match the naming rule.
function onCheckPropertyValues($Request)
{
    $member = $Request.Get("member")

    foreach ($i in $member)
    {
        # -Proxy routes the lookup through Active Roles.
        $Type = Get-QADObject -Identity $i -Proxy | Select-Object -ExpandProperty Type

        if (($Type -ne 'group') -and ($Type -ne 'user'))
        {
            $Request.SetPolicyComplianceInfo("Member", $Constants.EDS_POLICY_COMPLIANCE_ERROR, "El miembre del grupo debe ser un usuario o un grupo", $true)
        }
        elseif ($Type -eq 'group')
        {
            $CN = Get-QADGroup -Identity $i -Proxy | Select-Object -ExpandProperty Name
            if ($CN -notlike 'Prueba*')
            {
                $Request.SetPolicyComplianceInfo("Member", $Constants.EDS_POLICY_COMPLIANCE_ERROR, "El nombre del grupo debe comenzar por GR_", $true)
            }
        }
    }
}

Could you please help me?

  • If I do it with another attribute it works, but with the "member" attribute it does not check the policy. Perhaps it is because it is a multi-valued attribute?

  • Have you seen the following script from the VBScript samples, it can be used for validating group members:

    Script Policy to check group members when they are added to or removed from a group - Wiki - Active Roles Community - One Identity Community

    It needs to be converted to PowerShell, but I think the following should do the trick:

    function onPreModify($Request) {
        if ($Request.Class -ne "group") { return }
        if ($null -eq $Request.Get("member")) { return }
        foreach ($userDN in $Request.Get("member")) {
            #validate member
        }
    }
    

  • Jody, I really appreciate your answer.

    I see that you suggest checking the properties using the onPreModify function. I will test it.

    Reading the SDK of Active Roles, I understand that using the onGetEffectivePolicy function should check members not only when creating the group but also when modifying the group membership. The thing is that on modification it does not seem to enter the onGetEffectivePolicy function.

    In the documentation of onGetEffectivePolicy there is an example that says: The following code snippets illustrate how to check a value of the user's department property that you supply when creating or modifying a user account.

    The example only uses onGetEffectivePolicy.

    I have checked that with other attributes (mail, for example) it works fine. Perhaps there is something with the "member" attribute? It is a multi-value attribute...

    Thanks.

  • Hi,

    I had been testing this from the Active Roles console and the behaviour was as described. I have tested it in the Web Interface and it works fine. Is this normal? Should it work the same way in the Active Roles console and in the Web Interface?

    Regards,

  • I can only assume it relates to the attribute being a multi-value attribute; it's worth testing with another multi-value attribute.

    There is another example in the SDK that shows you how to stop people removing members from groups:

    function onPreModify($Request)
    {
      if($Request.Class -ne "group"){return}
      # Walk the request's property list to find the "member" entry.
      for($i = 0; $i -lt $Request.PropertyCount; $i++)
       {
         $item = $Request.Item($i)
         if($item.Name -eq "member")
          {
            # The control code tells you whether values are being added, replaced or removed.
            $Operation = $item.ControlCode
            if(($Operation -eq $Constants.ADS_PROPERTY_CLEAR) -or ($Operation -eq $Constants.ADS_PROPERTY_DELETE))
             {
               throw ("Administrative Policy:" + [System.Environment]::NewLine + "Removing members from this group is denied by policy.")
             }
          }
       }
    }

    We have tweaked this slightly so that people cannot add members unless the account is under a certain OU.  We do this for our sensitive groups so that only admin accounts can be added as members.
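    The two replies above each cover half of the problem: Jody's skeleton validates the incoming member DNs, and the SDK sample inspects the control code to see how "member" is being changed. Below is an added example (editor's code, not from the thread or the Active Roles SDK) that combines them into one onPreModify handler: removals are left alone, and every DN being added is checked the way the original post's onCheckPropertyValues does (users and groups only, nested groups must match a naming prefix). It assumes the Quest AD cmdlets with -Proxy, as in the original script; the constants ADS_PROPERTY_CLEAR and ADS_PROPERTY_DELETE come from the SDK sample, while ADS_PROPERTY_APPEND and ADS_PROPERTY_UPDATE are assumed to be exposed by $Constants as well (they are the standard ADSI control codes). The "GR_" prefix and the Test-MemberAllowed helper are placeholders of my own.

```powershell
# Added example, not from the thread. Assumes Quest AD cmdlets (-Proxy) and
# the ADSI control codes on $Constants; "GR_" is a placeholder prefix.

$RequiredGroupPrefix = "GR_"   # placeholder: adjust to your naming convention

function onInit($context) {
}

function onPreModify($Request) {
    if ($Request.Class -ne "group") { return }

    # Find the "member" entry in the request and see how it is being changed.
    for ($i = 0; $i -lt $Request.PropertyCount; $i++) {
        $item = $Request.Item($i)
        if ($item.Name -ne "member") { continue }

        $Operation = $item.ControlCode

        # Clearing or removing members is allowed by this policy; only additions are checked.
        if (($Operation -eq $Constants.ADS_PROPERTY_CLEAR) -or
            ($Operation -eq $Constants.ADS_PROPERTY_DELETE)) { return }

        # For APPEND / UPDATE the values in the request are the DNs being added.
        foreach ($dn in @($Request.Get("member"))) {
            Test-MemberAllowed -MemberDN $dn
        }
    }
}

# Hypothetical helper: throws (which fails the request) if the member is not acceptable.
function Test-MemberAllowed {
    param([string]$MemberDN)

    # -Proxy routes the lookup through Active Roles, as in the original post.
    $obj = Get-QADObject -Identity $MemberDN -Proxy
    if ($null -eq $obj) {
        throw ("Administrative Policy:" + [System.Environment]::NewLine +
               "Member '$MemberDN' could not be resolved.")
    }

    switch ($obj.Type) {
        'user'  { return }
        'group' {
            if ($obj.Name -notlike "$RequiredGroupPrefix*") {
                throw ("Administrative Policy:" + [System.Environment]::NewLine +
                       "Nested group '$($obj.Name)' must start with '$RequiredGroupPrefix'.")
            }
            return
        }
        default {
            throw ("Administrative Policy:" + [System.Environment]::NewLine +
                   "Member '$MemberDN' is of type '$($obj.Type)'; only users and groups are allowed.")
        }
    }
}
```

    Because onPreModify runs on the modify request itself rather than as part of the UI's policy evaluation, the check is applied regardless of which client submitted the change, which is why both replies steer towards it for the membership case. Throwing from the handler is what fails the request; the message text is what the user sees, so keep it specific about which member was rejected and why.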