Dynamic Group - Temp Membership

Hi Team. 

Just looking for some suggestions or ideas. We use Dynamic groups based on a VA being set. Our Service Desk selects this from the WI. 

We have a couple of Dynamic groups where we want the membership to be removed 48 hours after the account was added to the group. Now I know I could use a standard group and use the temp membership route, but we then lose the ability of our Service Desk team just ticking a box. 

So what I was thinking was that I could have a script that checks the group every few hours and then sets the VA back to false. But is there any attribute that tracks when the user was added? Or is there a way I could add a time stamp attribute?

Open to other suggestions or ideas?

  • I would start with something like this and then modify it to meet your needs:

    Solution Title: Triggering the Automatic Deletion of Microsoft Exchange Mailbox X days after Deprovisioning
    Solution Number: 4341083
    Solution URL: https://support.oneidentity.com/kb/4341083

    "Step 1" would be the same, just use a more relevant name - for example, edsvaDynamicGroupEndDate

    Your "Step 2" would be different. You would create a custom Virtual Attribute of Boolean syntax and expose that in the Web Interface. Also, create a Change Workflow that is triggered by setting this Boolean Virtual Attribute to TRUE and have it stamp edsvaDynamicGroupEndDate with the current date/time plus 48 hours.

    Your Scheduled Workflow in "Step 3" would compare the current date/time to the edsvaDynamicGroupEndDate date/time, and clear it if edsvaDynamicGroupEndDate is greater.

    The Dynamic Groups would be populated by users with any value in edsvaDynamicGroupEndDate.

  • Thank you. I will look at this further. I really appreciate you taking the time to reply. 

  • Thank you. Yes, at the moment it is just a single group, but if we expanded this out we will use another VA. I have changed the workflow to reflect the group. Jesus, simple when you know how. I now have this set on a test group and will check tomorrow to see if the account is removed. Will confirm back that it's all working. Thank you for the help so far. 

  • So my time limit has passed but it has not removed the value edsvaDynamicGroupEndDate or set my other VA from True to False. I am not 100% sure it's actually finding my user account in the security group I asked it to check, even though I am the only account in there. 

  • I have been over this many times and even recreated it from scratch, trying to search in a group or even just search in an OU. I can't tell if it's actually finding my user account, but it's not removing the date on the VA. At a bit of a loss with this one. Any suggestions? 

  • Post some screenshots and maybe we can see the issue. Edit or blur out anything from your environment.

  • Here is my first workflow. When the VA McTest1 is set to TRUE this will fire off an approval notification. Once approved, the account is automatically added to the Dynamic group and the VA McTest2 is stamped with the date and time +1 for this test.

    McTest2 VA Date and time settings. I have tried pretty much any combination here

    Here I have the second workflow. Searching AD.

    I am searching for any users inside a security group
    So if any users are found, then set McTest1 to False, as this will remove them from the Dynamic Group, and then clear the McTest2 VA, which was the time.

    My If Else 

  • The problem is in your If/Else branch. You are using the wrong conditional. The timestamp will absolutely never be "equal" to the current timestamp plus 1. Instead, you should be checking to see if the timestamp is "greater than" the current day plus 1.

  • Also, I'd move the conditional check into the filter of your search. It would be much more efficient to simply return the objects that you care about, rather than returning everything and then looping through them, checking each one. You can remove the If/Else entirely. 

  • Can I just confirm you mean less or equal, not greater? Thanks for the heads up on that point though, as that was changed in error. When I set it to less or equal it now removes the account. I am not sure what else might have changed, as yesterday I had that set. Either way, thanks for the pointer. 
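The design from the first reply (a date VA stamped with now + 48 hours, a scheduled search that finds accounts whose date has passed and clears both VAs) and the two points raised just above (the comparison must be "less than or equal", not "equal", and that condition belongs in the search filter rather than an If/Else) can be checked in plain logic before building the workflow. The following is an added example written for this thread, not Active Roles code or a One Identity sample: it models the two VAs as dictionary keys on constructed user records (`tempMember` stands in for the Boolean VA the thread calls McTest1; `edsvaDynamicGroupEndDate` is the name from the reply), and it assumes the date VA can be compared in a search filter the way any GeneralizedTime attribute can. If that assumption does not hold in a given deployment, `is_expired()` applies the identical test per returned object.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# LDAP GeneralizedTime in UTC, the form a directory stores date attributes in.
GENERALIZED_TIME = "%Y%m%d%H%M%S.0Z"
MEMBERSHIP_WINDOW = timedelta(hours=48)
END_DATE_ATTR = "edsvaDynamicGroupEndDate"   # date VA named in the thread
FLAG_ATTR = "tempMember"                     # hypothetical Boolean VA (thread: McTest1)


def stamp_end_date(now: datetime) -> str:
    """Value the change workflow writes to the date VA when the Boolean VA is set TRUE."""
    return (now + MEMBERSHIP_WINDOW).strftime(GENERALIZED_TIME)


def expiry_filter(now: datetime) -> str:
    """Search filter returning only expired accounts, so no If/Else is needed afterwards.

    Direction matters: the stored value is now+48h at stamping time, so the account
    has expired once that value is less than or equal to the current time. It will
    never be 'equal' to now+1, and 'greater' would select accounts still in their window.
    Assumption: the date VA is filterable like a GeneralizedTime attribute.
    """
    cutoff = now.strftime(GENERALIZED_TIME)
    return f"(&(objectCategory=person)(objectClass=user)({END_DATE_ATTR}<={cutoff}))"


def is_expired(end_date: Optional[str], now: datetime) -> bool:
    """The same comparison evaluated per object; an empty VA means no temporary membership."""
    if not end_date:
        return False
    end = datetime.strptime(end_date, GENERALIZED_TIME).replace(tzinfo=timezone.utc)
    return end <= now


def process_expired(users: list, now: datetime) -> list:
    """Scheduled-workflow logic: for each expired account clear the Boolean VA (which
    drops it out of the dynamic group) and clear the date VA. Returns the names changed."""
    changed = []
    for user in users:
        if is_expired(user.get(END_DATE_ATTR), now):
            user[FLAG_ATTR] = False
            user[END_DATE_ATTR] = None
            changed.append(user["sAMAccountName"])
    return changed


# Constructed sample data standing in for the directory search results.
SAMPLE_NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)


def sample_users() -> list:
    return [
        {"sAMAccountName": "alice", FLAG_ATTR: True, END_DATE_ATTR: "20240430100000.0Z"},  # window passed
        {"sAMAccountName": "bob", FLAG_ATTR: True, END_DATE_ATTR: "20240502120000.0Z"},    # still valid
        {"sAMAccountName": "carol", FLAG_ATTR: False, END_DATE_ATTR: None},                # never flagged
    ]


if __name__ == "__main__":
    print("filter:", expiry_filter(SAMPLE_NOW))
    users = sample_users()
    print("cleared:", process_expired(users, SAMPLE_NOW))
    print("bob keeps:", users[1][END_DATE_ATTR])
```

Running it with the constructed data clears only alice; bob's end date is still in the future and carol has no value, so neither is touched. The boundary case (end date exactly equal to now) counts as expired, which is the "less or equal" setting confirmed above. When the filter is used directly in the search, the Run History LDAP query mentioned later in the thread is the place to confirm the generated comparison has that same direction.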

  • "I have been over this many times and even recreating it from scratch. trying to search in a group or even just search in an OU. I cant tell if its actually finding my user account but its not removing the date on the VA. At a bit of a loss with this one. Any suggestions?"

    Some useful tips, that are not always applicable in all cases, to help verify a Search has been configured properly:

    Using the 'Add Report Section' can sometimes be useful for seeing what has been found by a Search activity. Add something like the Display Name (depending on the object type) of the found object to the activity and the Display Name of each found object will appear in the Run History of the Workflow.

    The LDAP query of the Search being conducted is also in the workflow's Run History. Copy this and paste it into the Advanced tab of a Custom Search in the MMC to also see if any results are found.
