
Restrict object types to be added to groups

Hi all,

We are currently planning to roll out SelfServicePortal for group management purposes.

However, we've got some requirements when it comes to objects that can be added to groups. Types are split by OU.

We have distribution lists, which can have user accounts and contacts as members but we also have security lists which should only have user objects but no contacts as possible members.

How could that be achieved? I was thinking about a policy but I think it wouldn't kick in e.g. for existing objects.

Any hints highly appreciated.

  • It is possible to achieve this in one of two ways.

    The first option will require the use of two Active Roles Workflows.

    Before continuing, as an explanation: granting the permission to modify "Members" doesn't restrict the type of object that you can add. The Active Directory schema dictates that, and it's valid to have a contact be a group member, so it will be allowed.

    To control changes made by Active Roles clients, you can have a Change Workflow which is triggered by an Add Group Member change in that specific Group. The Workflow contains an If/Else Branch. In the first branch, there is a check to see if the objectClass of the Added Member is equal to "contact". If it is, have the branch throw a Stop/Break activity with a custom error message denying the operation.

    The second Workflow would be an Automation Workflow. This periodically searches the target group and checks the objectClass of all members, removing any which are not the desired class. This is necessary to account for operations made in native Active Directory tools.

    A better, more refined and secure option would be to make this group an Active Roles Dynamic Group based on an Active Roles Virtual Attribute. Have the Virtual Attribute be linked to only the User object class. The Self-Service site can be customized so that delegated users can add a member to the Group by populating a value to the Virtual Attribute. This would be more complicated to set up, but it has far fewer moving parts and would offer a more robust solution.
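The objectClass check and the periodic clean-up that the answer above describes for the two Workflows can also be expressed as a script. The following PowerShell is an added example written for this thread, not code from the poster or from One Identity; it uses the Microsoft ActiveDirectory module rather than Active Roles cmdlets, and the group name and the distinguished names in the sample data are constructed placeholders.

```powershell
# Added example (not from the thread): enforce "user objects only" membership
# on a security group. Get-DisallowedGroupMembers holds the pure check so it
# can be exercised offline; Invoke-GroupMemberEnforcement applies it to a real
# group and needs the ActiveDirectory module. Names below are placeholders.

function Get-DisallowedGroupMembers {
    # Given member objects (DistinguishedName + ObjectClass) and the allowed
    # classes, return the members that violate the rule. This is the same test
    # the Change Workflow's If/Else branch performs on an added member.
    param(
        [Parameter(Mandatory)] [object[]] $Members,
        [string[]] $AllowedClasses = @('user')
    )
    $Members | Where-Object { $AllowedClasses -notcontains $_.ObjectClass }
}

function Invoke-GroupMemberEnforcement {
    # Periodic clean-up equivalent to the Automation Workflow: find members whose
    # objectClass is not allowed and remove them. Supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $GroupIdentity,
        [string[]] $AllowedClasses = @('user')
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # Read the raw 'member' attribute instead of calling Get-ADGroupMember:
    # Get-ADGroupMember only returns security principals and can fail on groups
    # that contain contacts, which is exactly the situation we want to detect.
    $group = Get-ADGroup -Identity $GroupIdentity -Properties member
    $members = foreach ($dn in $group.member) {
        $obj = Get-ADObject -Identity $dn
        [pscustomobject]@{
            DistinguishedName = $obj.DistinguishedName
            ObjectClass       = $obj.ObjectClass
        }
    }

    $violations = @(Get-DisallowedGroupMembers -Members $members -AllowedClasses $AllowedClasses)
    foreach ($v in $violations) {
        # Set-ADGroup -Remove works on any DN; Remove-ADGroupMember expects a
        # principal and would not accept a contact.
        if ($PSCmdlet.ShouldProcess($v.DistinguishedName, "Remove from group $($group.Name)")) {
            Set-ADGroup -Identity $group -Remove @{ member = $v.DistinguishedName }
            Write-Warning "Removed $($v.ObjectClass) '$($v.DistinguishedName)' from $($group.Name)"
        }
    }
    return $violations
}

# Constructed sample input (no directory needed) to show the check by itself:
# the user passes, the contact and the computer are flagged.
$sample = @(
    [pscustomobject]@{ DistinguishedName = 'CN=Alice,OU=Users,DC=example,DC=com';    ObjectClass = 'user' }
    [pscustomobject]@{ DistinguishedName = 'CN=Vendor,OU=Contacts,DC=example,DC=com'; ObjectClass = 'contact' }
    [pscustomobject]@{ DistinguishedName = 'CN=Srv01,OU=Servers,DC=example,DC=com';   ObjectClass = 'computer' }
)
Get-DisallowedGroupMembers -Members $sample |
    ForEach-Object { "Disallowed: $($_.ObjectClass) $($_.DistinguishedName)" }

# Against a real group, dry-run first; drop -WhatIf to actually remove members.
# Invoke-GroupMemberEnforcement -GroupIdentity 'SEC-Finance-Users' -WhatIf
```

Two points worth keeping in mind when adapting this: removals made through the native ActiveDirectory module are not routed through Active Roles, so they bypass its policies and change history, which is why the answer recommends an Automation Workflow for the periodic sweep; and, as the answer notes, none of this stops a contact from being added in the first place, so the scheduled sweep is a detective control that complements the Change Workflow's pre-commit check rather than replacing it.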

  • The script outlined in this topic would allow you to restrict group members (to either Users, Groups, Contacts, Computers, or a combination):

    https://www.quest.com/community/one-identity/active-roles/f/active-roles-forum/9365/group-membership-restrictions-policy---members-count-restriction-not-functional