onGetEffectivePolicy not working or not understanding

Hello,

I am really new with Active Roles and perhaps I am not understanding well the basics. I have a "Provisioning Policy", I want to check the members for a group when creating the group and when modifying the members.

I am able to to do it on creating with a Powershell script, but it does not check it on modification and I should do it, as fas a I Know.

This is the script:

function onInit($context){
}

function onGetEffectivePolicy($Request)
{

if($Request.Class -ne "group"){return}

$Request.SetEffectivePolicyInfo("member", $Constants.EDS_EPI_UI_DISPLAY_NOTE, "Los mienmbros posibles son usuarios y grupos. Los grupos deben empezar por GD_")

}

function onCheckPropertyValues($Request)
{

$member = $Request.get("member")

foreach($i in $member)
{
$Type = get-qadobject -identity $i -proxy | Select-Object -expandproperty Type

if (($Type -ne 'group') -and ($Type -ne 'user'))

{

$Request.SetPolicyComplianceInfo("Member", $Constants.EDS_POLICY_COMPLIANCE_ERROR, "El miembre del grupo debe ser un usuario o un grupo", $true)

}
else
{
if ($Type -eq 'group')
{
$CN = get-qadgroup -identity $i -proxy | Select-Object -ExpandProperty name
if($CN -notlike 'Prueba*')

{
$Request.SetPolicyComplianceInfo("Member", $Constants.EDS_POLICY_COMPLIANCE_ERROR, "El nombre del grupo debe comenzar por GR_", $true)

}
}

}

}

}

Could you please help me?

Parents

0 Mamen.Marco 2 months ago

If I do it with other attribute it works, but with "member" attribute it does not check the policy. Perhaps it is because it is a muti-valued attribute?
Cancel
Up 0 Down

Reply

Verify Answer

Cancel
0 jody gilbert 2 months ago in reply to Mamen.Marco
Have you seen the following script from the VBScript samples, it can be used for validating group members:

Script Policy to check group members when they are added to or removed from a group - Wiki - Active Roles Community - One Identity Community

It needs to be converted to PowerShell, but I think the following should do the trick:

function onPreModify($Request) { if ($Request.Class -ne "group") { return } if ($null -eq $Request.Get("member")) { return } foreach ($userDN in $Request.Get("member")) { #validate member } }
Cancel
Up 0 Down

Reply

Verify Answer

Cancel
0 Mamen.Marco 2 months ago in reply to jody gilbert

Jody, I really appreciate your answer.

I see that you suggest checking the properties using the onPreModify function. I will test it.

Reading the SDK of Active Roles I understand that using onGetEffectivePolicy function should check members not only when creating the group but also when modifying the group membership. The think is that on modification it seems not to enter into onGetEffectivePolicy function

In the documentation of onGetEffectivePolicy there is an example that says: The following code snippets illustrate how to check a value of the user's department property that you supply when creating or modifying a user account.

In the example only uses onGetEffectivePolicy.

I have checked that with other attributes (mail for example), it works fine. Perhaps there is something with the "member" attribute? It is a multi-value attribute.....

Thanks.
Cancel
Up 0 Down

Reply

Verify Answer

Cancel
0 Mamen.Marco 2 months ago in reply to Mamen.Marco

Hi,

I had been testing this from the Active Roles console and the behaviour was the described one. I have tested it in the Web Interface and it works fine. Is this normal? Should it work the same way in the Active Roles console and in the Web interface?

Regards,
Cancel
Up 0 Down

Reply

Verify Answer

Cancel

Reply

0 Mamen.Marco 2 months ago in reply to Mamen.Marco

Hi,

I had been testing this from the Active Roles console and the behaviour was the described one. I have tested it in the Web Interface and it works fine. Is this normal? Should it work the same way in the Active Roles console and in the Web interface?

Regards,
Cancel
Up 0 Down

Reply

Verify Answer

Cancel

Children

No Data