Active Roles - Validate no last name

Hello, I am trying to create a process for provisioning service accounts, and I want to ensure that there is no last name field specified; I would like to either enforce a null value or disable (grey out) the last name field completely.

Is that possible?

Thanks,

Alex

  • Hello,

    Terrance's solution will work in some cases, but I believe that you will find that it fails if you're attempting to enforce this policy during object (i.e., user) creation.

    In Alex's example, a policy that states "Last Name (sn) must not be {*}" will work great for restricting the ability to edit the Last Name for existing user (service) accounts. The last time I looked at this scenario, however, I found that this solution did not prevent Last Name population when creating a new user object.

    It so happens that I do have some sample code that I put together a while back for restricting which attributes could be edited. Hope you find it useful:

    # Registers the policy parameter that holds the restricted attribute names.
    function onInit($Context) {
      $Param = $Context.AddParameter("Restricted Attributes")
      $Param.Description = "Parameters defined in this list will not be editable."
      $Param.MultiValued = $True
      $Param.Required = $True
    }

    function onGetEffectivePolicy($Request) {
      # Only user objects are affected.
      if ($Request.Class -ne 'user') { return }

      # Read the parameter, drop null entries, and stop if nothing is configured.
      $RestrictedAttributes = @($Context.Parameter("Restricted Attributes"))
      $RestrictedAttributes = @($RestrictedAttributes | ?{$_ -ne $null})
      if ($RestrictedAttributes.Count -lt 1) { return }
      # The first value is treated as a semicolon-separated list of attribute names.
      $RestrictedAttributes = @(($RestrictedAttributes[0] -split ';') | ?{$_ -ne ''})

      # Flag each listed attribute in the effective policy.
      $RestrictedAttributes | %{
        $Request.SetEffectivePolicyInfo($_, $Constants.EDS_EPI_UI_AUTO_GENERATED, $True)
      }
    }
    

    Cheers,
    Shawn.
