
Active Roles - Validate no last name

Hello, I am trying to create a process for provisioning service accounts, and I want to ensure that there is no last name field specified; I would like to either enforce a null value or disable (grey out) the last name field completely.

Is that possible?

Thanks,

Alex

  • You can certainly create a user provisioning policy on your service accounts OU that, by way of a property validation & generation rule on 'sn' (last name), says that attribute must be blank.

    You could also manage this further by setting up the logon name (samaccountname) generation rule so that it only looks at the value in givenname (First name) to generate the samaccountname.

    'Hope that helps.

  • The problem that I have is that I can't figure out how to make the last name blank in the validation rules; it seems to require at least 1 character. I didn't see an option for "last name must be blank" or "last name should have 0 characters".

    I don't see the option that allows me to blank out the last name in the validation & gen. rules?

    Thanks,

    Alex

  • "Last Name" must not be {*}

    This resolves to: Last Name must not be anything.

    When configuring the Policy:

    1. Check off "Last Name must not be <value>"
    2. Click on <click to add value>
    3. Choose Configure | Add
    4. Select Mask | OK

  • Hello,

    Terrance's solution will work in some cases, but I believe that you will find that it fails if you're attempting to enforce this policy during object (i.e., user) creation.

    In Alex's example, a policy that states "Last Name (sn) must not be {*}" will work great for restricting the ability to edit the Last Name for existing user (service) accounts. The last time I looked at this scenario, however, I found that this solution did not prevent Last Name population when creating a new user object.

    It so happens that I do have some sample code that I put together a while back for restricting which attributes could be edited. Hope you find it useful:

    # Active Roles script policy. onInit declares a multi-valued "Restricted Attributes"
    # parameter that the administrator fills in with the LDAP names (e.g. sn) of the
    # attributes that must not be editable when the policy is linked to an OU.
    function onInit($Context) {
      $Param = $Context.AddParameter("Restricted Attributes")
      $Param.Description = "Parameters defined in this list will not be editable."
      $Param.MultiValued = $True
      $Param.Required = $True
    }

    # Runs when Active Roles computes the effective policy for an object. Each listed
    # attribute is flagged as auto-generated, which the console and Web Interface
    # render as read-only (greyed out).
    function onGetEffectivePolicy($Request) {
      # Only user objects are in scope
      if ($Request.Class -ne 'user') { return }

      # Read the parameter, drop empty entries, then split a ';'-separated value
      $RestrictedAttributes = @($Context.Parameter("Restricted Attributes"))
      $RestrictedAttributes = @($RestrictedAttributes | ?{$_ -ne $null})
      if ($RestrictedAttributes.Count -lt 1) { return }
      $RestrictedAttributes = @(($RestrictedAttributes[0] -split ';') | ?{$_ -ne ''})

      # Mark every restricted attribute as auto-generated so it cannot be edited
      $RestrictedAttributes | %{
        $Request.SetEffectivePolicyInfo($_, $Constants.EDS_EPI_UI_AUTO_GENERATED, $True)
      }
    }


    Cheers,
    Shawn.
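
The other half of the original question was enforcing a null value rather than only greying the field out. The following is an added example (not Shawn's script or Active Roles sample code) of a script policy that fails any create or modify request which would give a user object a non-empty Last Name (sn); it assumes the standard onPreCreate/onPreModify handlers, that throwing from a handler cancels the request and shows the message to the caller, and uses a hypothetical helper name Test-SnIsBlank. The OU scope comes from where the policy is linked, not from the script.

```powershell
# Added example: Active Roles script policy that rejects a non-empty sn on user
# objects. Assumes the standard script-policy event handlers (onPreCreate,
# onPreModify) and that an exception thrown from a handler fails the request.

function Test-SnIsBlank($Request) {
    # Only user objects are in scope; other classes are left alone
    if ($Request.Class -ne 'user') { return }

    # Nothing to check unless this request sets or changes sn
    if (-not $Request.IsAttributeModified('sn')) { return }

    $sn = $null
    try {
        # Get() is assumed to throw when the attribute is being cleared
        $sn = $Request.Get('sn')
    } catch {
        return   # sn is being cleared, which is what this policy wants
    }

    if (-not [string]::IsNullOrWhiteSpace([string]$sn)) {
        # Failing the handler blocks the create/modify and reports why
        throw "Service accounts in this OU must not have a Last Name (sn); remove '$sn'."
    }
}

# Enforce the rule both at creation and on later edits, which covers the
# creation case that a 'must not be {*}' mask alone may not catch.
function onPreCreate($Request) { Test-SnIsBlank $Request }
function onPreModify($Request) { Test-SnIsBlank $Request }
```

This complements the auto-generated flag above: that script stops the UI from offering the field, while this one rejects a value that arrives by any path (console, Web Interface, or script).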

  • I tested this in ActiveRoles Server 6.9 Patch 3, and the above policy suggestion was enforced properly upon new User creation and when editing existing User accounts.

  • Thanks guys, you guys are one of the best support orgs I work with. I think there were a couple of parts to this; first I had the wrong character in the mask - {*}. I was using '()'. Once I fixed that the policy worked as expected.

    I then created a form on the WI that hid the last name field.

    With the script to hide the fields, we were able to come up with a complete solution for the console as well.  This is exactly what we were trying to do. 

    Thanks for all the help!!

    Alex