Restricting Commands with Access Rules/Access Templates?

Greetings!

So I was looking for some feedback/suggestions on how to implement the following scenario: I have a command on the web interface that is associated with groups, however, I only ever want this command to show if the user is NOT a member of said group. I had originally looked at the VBSFilter, but I am not sure on how to pass user and group information to said filter in the code to return true/false.

Any idea if this is possible to do with an Access Rule? I know you can do a condition with user groups, but that looks like it requires a "hard coded value" and not something that is generated/dynamic. 

Or is this not possible?

Thank you kindly for any feedback!! Slight smile

Parents
  • The safest way to control command visibility is by using the properties dialog below that is part of your command:



    You could combine this with a script policy that fires OnGet to set a flag on the group (i.e. leveraging the above "Properties of the selected object..." ) when the user is a member of the group.

    So for example, when you select the group, your script policy would populate "edsvaIsGroupMember" (just made up that name) and then look for that property in your rule.

    The problem with Access Rules is that while you can look at some properties of a target object (in this case, a group) - you cannot look at its members.  You can look at the logged in user's group memberships but only statically (so not context sensitive to the selected group).

  • Thank you so much for your response Johnny! My only question regarding the OnPreGet script is how you would reference the user group membership with the group that is being "viewed/selected"? Would you use the DirObj with the Request object in this case? 

    Thank you kindly.

  • That should be the most efficient way but I am not 100% sure if the membership is part of that default cached property set - one would think so as AR uses it so much for checking access.

Reply Children
No Data