Audit Changes to Dynamic Group Membership Rules through Workflow

Hi,

I would like to know if it is possible to have a workflow which detects if someone has made a change to the Dynamic Group Membership rules, for example an admin, and that based on that change a notification is sent.

Sander.

Top Replies

  • It's alarming to me that you would make Domain Admins a dynamic group! I strongly advise against this sort of thing. If you want to protect membership of Domain Admins, there are better ways.

  • View the change history and you see what's been done. Is there no way of tapping into that at all?

    As Terrance indicated, some custom scripting would be needed to acquire those details and store them in a way that the notification template could get to them. I've done something similar by taking the value I need and putting it into a virtual attribute on the target object, which you can then reference using a token in your notification.

  • Hi mate. This might be your view and your point might be valid. However, when we had a security incident the fact our DA was dynamic saved us. I am not saying there are not better ways of securing this group, and this is only one level that we use.

  • Is there no way of tapping into that at all?

    BTW, if you want to mine change history programmatically, take a look at the Quest PoSh cmdlet Get-QARSOperation. You can filter on operation, object and so on. Very useful for your use case should you choose to pursue it.

    If you're not handy with PoSh, talk to your Quest / One Identity rep about finding an integration partner to write that bit for you... there are some out there that will take on small tasks like this.
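    The reply above suggests mining Active Roles change history with Get-QARSOperation and, earlier in the thread, staging the result somewhere a notification template can reach it. The script below is an added example (not code from the thread or from One Identity) that puts those two ideas together from a detection standpoint: it polls the change history for operations against one dynamic group since the last run, flags any that were not initiated by an approved automation account, and mails a summary. The module name, the Connect-QADService / Get-QARSOperation parameters and the property names on the returned operation objects are assumptions taken from the Active Roles Management Shell documentation; the group DN, account names, paths and mail settings are constructed placeholders.

```powershell
# Added example: audit who changed a dynamic group outside the approved automation account.
# Assumptions (confirm against your Active Roles PowerShell documentation):
#   - module 'ActiveRolesManagementShell' provides Connect-QADService and Get-QARSOperation
#   - Get-QARSOperation accepts -TargetObject and -InitiatedAfter
#   - returned objects expose InitiatedBy, OperationType and Initiated (inspect one with
#     'Get-QARSOperation -TargetObject $groupDN | Select-Object -First 1 | Format-List *')
Import-Module ActiveRolesManagementShell
Connect-QADService -Proxy | Out-Null          # connect through the Active Roles admin service

# --- constructed sample configuration ---------------------------------------------------
$groupDN        = 'CN=Finance-Dynamic,OU=Groups,DC=example,DC=com'   # the dynamic group to watch
$approvedActors = @('EXAMPLE\svc-ars-rules')                          # accounts allowed to edit its rules
$stateFile      = 'C:\ProgramData\ArsRuleAudit\last-run.txt'         # high-water mark between runs
$mailTo         = 'secops@example.com'
$mailFrom       = 'ars-audit@example.com'
$smtpServer     = 'smtp.example.com'
# ----------------------------------------------------------------------------------------

# Resume from the last successful run, or look back one day on first execution.
$since = if (Test-Path $stateFile) { [datetime](Get-Content $stateFile -Raw).Trim() }
         else                      { (Get-Date).AddDays(-1) }
$runStarted = Get-Date

# Pull every operation Active Roles recorded against the group since $since.
$ops = @(Get-QARSOperation -TargetObject $groupDN -InitiatedAfter $since)

# Keep only operations whose initiator is not on the approved list.
# Property names below are assumed; adjust after inspecting a real result object.
$unexpected = foreach ($op in $ops) {
    $actor = [string]$op.InitiatedBy
    if ($approvedActors -notcontains $actor) {
        [pscustomobject]@{
            When      = $op.Initiated
            Actor     = $actor
            Operation = $op.OperationType
            Target    = $groupDN
        }
    }
}

if ($unexpected) {
    # Plain-text summary is easier to read in an alert than an object dump.
    $body = @(
        "Unapproved changes to dynamic group $groupDN since $since",
        "",
        ($unexpected | Sort-Object When | Format-Table -AutoSize | Out-String)
    ) -join "`n"

    Send-MailMessage -To $mailTo -From $mailFrom -SmtpServer $smtpServer `
        -Subject "[ARS audit] $($unexpected.Count) unapproved change(s) to $groupDN" `
        -Body $body
}

# Advance the high-water mark only after a successful query and notification.
New-Item -ItemType Directory -Path (Split-Path $stateFile) -Force | Out-Null
$runStarted.ToString('o') | Set-Content -Path $stateFile
```

    Run it from a scheduled task under a dedicated audit account; the time window is carried in a state file so each run only reports changes that arrived after the previous one. The initiator allowlist is the detection rule here: a human administrator editing the rules shows up, the automation account that legitimately maintains them does not.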

  • If you want a simple update to the actual notification, you can customize that notification in the "Configure Notification Message".

    Personally, I'm not very good at HTML scripting, but I have known some of my customers who customized this heavily. For my purposes and for yours, you can customize it simply to show what the change was, especially if you are triggering the notification on a Group Add or Remove. One of the summaries, either Activity - Notification Summary or the Operations Summary, would provide this info out of the box.

    Now, I haven't played with this in a while. You can do some nice work with just this and no scripting.