Active Roles Force Temporal Access... button to be Mandatory

I was wondering if anyone could assist. I have read 

 HOW TO: Hiding Temporal Group options by setting "edsva-TemporalGroupMemberships-Disable" to True (87348)

which articulates how to hide the Temporal Access button when adding a member (User) to a group. I want to do just the opposite, which is to force users to use the Temporal Access... button by, for example, disabling the OK button so that the user has no choice but to either click Cancel or Temporal Access...

The reason for needing to do this is that for Auditing purposes I want to design the workflow to mandate that the initiator go through the Temporal Access... button even if the membership request is permanent. That way, when audited it correctly points to the Initiation rather than at Approval. The auditors can see that the onus is on the initiator to ensure that the duration for the membership was initiated by them rather than anyone else.

This is not a functional requirement of the workflow but is a non-functional enhancement that makes sense to implement.

Any thoughts on how to do this?

Thanks in advance

  • We are looking to implement the same thing. Force the use of temporal access for an AD group. Was a solution ever found for this?

  • We had this same need and ended up finding a script that runs through a policy applied. It will accept if the person put an end date on the member up to 1 year. If they put nothing or enter a date that is over 1 year, the script changes it to 1 year. I have a few others for other time frames as we needed.

    # Active Roles policy script handler: runs after a "group" object has been
    # modified. If members were added, clamp each new member's scheduled end
    # time to at most one year from now (permanent additions get one year).
    function onPostModify($Request)
    {
        $LogFile = "j:\scripts\TempGroup.txt"
        $MaxDays = 365

        Add-Content $LogFile -Value "============onPostModify========"

        # Optimization: check that a group object is being updated
        if ($Request.Class -ne "group") { return }

        # Optimization: check that values are being appended to the member attribute
        $isAddMember = $false
        for ($i = 0; $i -lt $Request.PropertyCount; $i++)
        {
            $item = $Request.Item($i)
            if ($item.Name -eq "member" -and $item.ControlCode -eq $Constants.ADS_PROPERTY_APPEND)
            {
                $isAddMember = $true
            }
        }
        if (-not $isAddMember) { return }

        # Give Active Roles time to commit the new membership before querying it
        Start-Sleep -Seconds 60

        $groupDN  = $Request.Get("distinguishedName")
        $groupSam = (Get-QADGroup $groupDN).samAccountName
        Add-Content $LogFile -Value "Group.Sam: $groupSam"
        Add-Content $LogFile -Value "group.DN: $groupDN"

        $MaxExpirationDate = (Get-Date).AddDays($MaxDays)
        Add-Content $LogFile -Value "MaxExpirationDate: $MaxExpirationDate"

        # Each value of the member attribute in the request is already a full DN,
        # so iterate over them directly instead of splitting the string on "CN="
        foreach ($NewMemberDN in @($Request.GetEx("member")))
        {
            Add-Content $LogFile -Value "group.NewMemberDN: $NewMemberDN"

            # The control makes Active Roles return the scheduled link end time
            $links = Get-QADGroupMember -Identity $groupDN -Proxy -SizeLimit 0 `
                -Control @{'ScheduledLink-GetStartEndTime' = 1} `
                -IncludedProperties 'edsva-ScheduledLink-EndTime' |
                Where-Object { $_.DN -eq $NewMemberDN }

            foreach ($memberof in @($links))
            {
                $DateEntered = $memberof.'edsva-ScheduledLink-EndTime'
                Add-Content $LogFile -Value "DateEntered: $DateEntered"

                if ([string]::IsNullOrEmpty("$DateEntered"))
                {
                    $convertedEntered = $null
                    Add-Content $LogFile -Value "ConvertedEntered NULL"
                }
                else
                {
                    $convertedEntered = Get-Date $DateEntered
                    Add-Content $LogFile -Value "ConvertedEntered NOT Null: $convertedEntered"
                }

                if ($null -eq $convertedEntered)
                {
                    Add-Content $LogFile -Value "Date Entered was NULL, setting Max Date"
                    Remove-QADGroupMember -Identity $groupDN -Proxy -Member $NewMemberDN -Control @{'ScheduledOperation-SetTime' = $MaxExpirationDate}
                }
                elseif ($convertedEntered -gt $MaxExpirationDate)
                {
                    Add-Content $LogFile -Value "Date Entered was Greater than Max Date, setting Max Date"
                    Remove-QADGroupMember -Identity $groupDN -Proxy -Member $NewMemberDN -Control @{'ScheduledOperation-SetTime' = $MaxExpirationDate}
                }
                else
                {
                    Add-Content $LogFile -Value "Date Entered was Less than Max Date, no action is taken"
                }
            }
        }
    }
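As an added example (not the script from the reply above and not One Identity code), the following read-only audit uses the same Get-QADGroupMember call and control to list which members of a group have no scheduled end time, or one beyond the allowed window, without changing any membership. It assumes the ActiveRoles Management Shell is loaded and that Connect-QADService -Proxy has already been run against the Active Roles service; the function names, the state labels and the 365-day window are my own choices.

```powershell
# Classify one member's scheduled end time. $EndTime is the raw
# 'edsva-ScheduledLink-EndTime' value ($null or empty when the link is permanent).
function Get-TemporalState {
    param(
        [AllowNull()] $EndTime,
        [datetime] $MaxEnd
    )
    if ([string]::IsNullOrEmpty("$EndTime")) { return 'Permanent' }
    $end = Get-Date $EndTime
    if ($end -gt $MaxEnd) { return 'ExceedsMax' }
    return 'Compliant'
}

# Report every member of a group together with its temporal state.
# Read-only: nothing is modified, so it can be run repeatedly during an audit.
function Get-GroupTemporalReport {
    param(
        [Parameter(Mandatory)] [string] $GroupDN,
        [int] $MaxDays = 365      # assumed policy window, same as the script above
    )
    $maxEnd = (Get-Date).AddDays($MaxDays)

    # Same query the policy script uses: the control makes Active Roles
    # return the scheduled-link start/end times for each membership.
    Get-QADGroupMember -Identity $GroupDN -Proxy -SizeLimit 0 `
        -Control @{'ScheduledLink-GetStartEndTime' = 1} `
        -IncludedProperties 'edsva-ScheduledLink-EndTime' |
        ForEach-Object {
            $endTime = $_.'edsva-ScheduledLink-EndTime'
            [pscustomobject]@{
                Group   = $GroupDN
                Member  = $_.DN
                EndTime = $endTime
                State   = Get-TemporalState -EndTime $endTime -MaxEnd $maxEnd
            }
        }
}

# Usage (constructed group DN): show only the memberships an auditor would flag.
# Get-GroupTemporalReport -GroupDN 'CN=App-Admins,OU=Groups,DC=example,DC=com' |
#     Where-Object State -ne 'Compliant' | Format-Table -AutoSize
```

Running the report against the groups covered by the policy shows whether every initiator actually went through Temporal Access..., which is the evidence the auditing rationale in the question is after.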