Trigger Powershell script when user added or removed from certain groups

We are trying to do some Role based access and are having issues with the current setup. We have ROLE_ groups that are dynamic and then are memberOf groups. This ends up with the user being an indirect member of groups and some of our external systems do not recognize the AD groups for a user unless they are directly assigned.

Is it possible to setup a powershell script that runs when a user is added to one of the ROLE_ groups and is then added to a specified list of AD groups directly? We'd also need to have one run when a user is removed from one of these groups so their old access is revoked.

  • Hi  

    Yes, it is definitely possible to have a PowerShell script module which adds or removes users from some <Access> group based on their membership of a <Role> group.

    That is not to say this approach isn't without its complexities, as there are a number of use cases to think about or questions you'd need to ask, like:

    • Re-evaluation of <Access> group membership granted by a <Role> group if a
      • a) the user is added to a single <Role> group
      • b) the user is added to additional <Role> groups (is this allowed? Does it need to be controlled)
      • c) the user holds multiple <Role> groups, and is removed from one
      • d) the user is removed from their last <Role> group, does anything else need to happen?
      • e) <Access> groups granted by a <Role Group> are changed
    • A group is added as a member of a <Role> group, should the script ignore the group object, or should it work out the members being granted permissions and add them?
    • Where  will the <Access> groups that are being granted by the <Role> group be stored? external source (like a CSV), on the <Role> group object (IE a virtual attributes, or just the MemberOf)

    Depending on whether a user can be a member of multiple <Role> groups, there any be other OOTB methods to handle your requirements without scripting. It is also possible just to configure the <Access> groups to be Dynamic groups, where you include group members of the required <Role> groups, where if required an <Access> group could have multiple membership rules for each <Role> group that needs to be a member, but also an include explicity rule for any users you as an administrator need to add directly (or a override group).

    Hope this helps, if you have more questions let us know,