Is it possible to disable 'temporary access' button on group membership add dialogue

I want to remove the button from the menu that allows adding temporary membership to a specific group.  We leverage temporal group membership where needed.

In this instance I want to set a value on post modify for the timed removal of the account - let's say 30 days. No override, no options to choose when or how the user exits this group.

Possible to set a per-group configuration item to prevent display of the 'temporary access' button on that dialogue?

Parents
  • Is it possible to govern temporal group members' EndTime by interrupting the operation via workflow to inform the requestor that the value of the endTime exceeds the allowed value?

    I have a 21-day exception group - it allows temporary use of feature X.
    I auto-set the grace period through policy … if the user doesn't override that value, it is set to 21 days.

    But that darn temporal button allows the help desk to override - and I don't want them to have that capability for this specific group.

    I created a library function which generates a generalized-time formatted date using (get-date).adddays(22).tostring("yyyyMMdd030000.0Z").
    I created a workflow that triggers on change of EndTime and, IF EndTime is greater than the value from the function (22 days from 'today'), interrupts the workflow.

    It isn't working as expected … so before I flog the script … I'm checking in to see if this scenario is doable … if one knows what they are doing when they set it up.

Children
  • I don't think that you can use a Workflow to examine a temporal group membership. The "temporality" of that operation is not an attribute of any object, it is a Control on the operation itself - metadata that a Workflow has no visibility into.

    However, it should be possible to pull this apart and examine it in a pure Policy Script. I THINK that you should be able to query the Temporal stamp using something like this:

    $Temporal = $Request.GetInControl("ScheduledOperation-SetTime")

    I'll try to test this out in my lab to confirm.

    Also, your date conversion doesn't look like the sample here:

    Title: Powershell commands for Temporal Group management
    Solution: 315970
    URL: https://support.oneidentity.com/kb/315970 

  • Yes, this is possible. This policy script worked fine in my lab:

    function onPreModify($Request)
    {
        # Only inspect changes to the one group we care about
        if($Request.DN -ne "CN=Test,OU=Groups,DC=domain,DC=local")
        {
            return
        }
        # The temporal stamp travels as a request control, not as an attribute;
        # a permanent membership change carries no such control
        $Temporal = $Request.GetInControl("ScheduledOperation-SetTime")
        if(!$Temporal)
        {
            return
        }

        # Dump the control value so its format can be examined
        $Temporal | Out-File c:\temp\temporal.txt
    }
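Building on the lab script above, here is an added example (not the product's code and not the script from this reply) of a policy script that enforces the 21-day ceiling the original poster described by rejecting temporal memberships on the group that end later than that. It assumes that the control value parses as a date (LDAP generalized time or any .NET-parsable date text), that throwing from onPreModify cancels the request and shows the message to the requestor, and that the group DN is a placeholder you replace with your own.

```powershell
# Added example: reject temporal memberships longer than $MaxDays on one group.
# Assumptions (not confirmed by the thread): the control value is parseable as a
# date, and a throw inside onPreModify cancels the modify and surfaces the message.

$GroupDN = "CN=Test,OU=Groups,DC=domain,DC=local"   # placeholder DN from the lab script
$MaxDays = 21                                        # ceiling this policy enforces

function ConvertTo-EndTimeUtc($Value)
{
    # Try LDAP generalized time first (e.g. 20250101030000.0Z), then generic date text.
    $parsed = [DateTime]::MinValue
    $styles = [Globalization.DateTimeStyles]'AssumeUniversal,AdjustToUniversal'
    if ([DateTime]::TryParseExact([string]$Value, "yyyyMMddHHmmss'.0Z'",
            [Globalization.CultureInfo]::InvariantCulture, $styles, [ref]$parsed))
    {
        return $parsed
    }
    return ([DateTime]$Value).ToUniversalTime()
}

function onPreModify($Request)
{
    # Only police the one group that has the hard 21-day limit
    if ($Request.DN -ne $GroupDN) { return }

    # No control means a permanent membership change: nothing to enforce here
    $Temporal = $Request.GetInControl("ScheduledOperation-SetTime")
    if (!$Temporal) { return }

    $endTime = ConvertTo-EndTimeUtc $Temporal
    $latest  = (Get-Date).ToUniversalTime().AddDays($MaxDays)

    # Compare as dates, not as formatted strings, so the check is not locale-dependent
    if ($endTime -gt $latest)
    {
        throw ("Temporary membership in this group may not exceed {0} days (requested end: {1:u})." -f $MaxDays, $endTime)
    }
}
```

Because the comparison happens in the pre-modify stage, an over-long request never reaches the directory and the help desk sees the reason immediately.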