Automatically Set Temporal Membership when Adding Member to Group - Update

Hi. 

I could not reply to the original post from 5 years ago. I have included the link below for reference. If you are still on the site, thank you,  , the code you provided is fantastic. I have modified it slightly as I need temp group membership on some groups in terms of hours rather than days.  

Again, thank you, and I hope this helps someone else in the future. 

https://www.oneidentity.com/community/active-roles/f/forum/29153/automatically-set-temporal-membership-when-adding-member-to-group

# BEGIN SCRIPT #
# Change workflow script, run after members have been added to a group. It does not add
# anyone; it schedules the removal of the members just added, which is how the temporal
# membership is created.
function temporalGroupMembership($Request){
    # DNs of the members added by this request (saved by the workflow as "AddedMembers")
    $users = $workflow.SavedObjectProperties("AddedMembers").getEx("member")
    # DN of the group the members were added to
    $groupDN = $Request.Get("distinguishedName")

    # When the membership expires, in UTC.
    $time = (Get-Date).AddMinutes(60).ToUniversalTime() # Modify here for the amount of time.

    # Scheduling control: with it, the Remove below is not executed now but at $time.
    $hash = @{}
    $hash.Add("ScheduledOperation-SetTime", $time)

    foreach($userDN in $users){
        Remove-QADGroupMember -Identity $groupDN -Member $userDN -Control $hash
    }
}
# END SCRIPT #

  • I need something similar to this script. We need the ability to add temporal memberships to 3 AD groups at once. I >could< pick one of the groups as the trigger and then add to the other 2 groups. But... I'm not sure how to do that without hard coding group DNs into the PS.

    What I'd rather do, I think, is set up a workflow where our support team could pick a user (or users) and then pick the group (or groups?) and specify the time amount for the temporal membership. My concern there is, if it's open, would AR enforce permissions? I.e., could I pick a group that I really don't have rights to add to?

  • Couple of thoughts here:

    With respect to working with multiple groups, you could create a virtual attribute for users - for example edsvaMyTemporaryGroups.  Set the attribute up to be DN format which would then render an object picker for populating that attribute in the Web UI (i.e. to make it easy to pick groups).  A change workflow could watch for this attribute being set and then some PoSh code could loop through the groups selected and populated in the attribute to set the user's temporal membership in them.  The code would be similar to the above but would use $Request.Get("edsvaMyTemporaryGroups") to get the list of groups to work on for this user.

    As to the access to selecting the groups, that depends on how you currently manage visibility of objects in AR.  If you don't manage it at all then it will come down to whether the Access Template applicable to the selected groups allows the Initiator to manage their memberships or not.
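  • The virtual-attribute approach from the reply above, written out as a workflow script. This is an added example, not code from the original poster or from One Identity. It reads the edsvaMyTemporaryGroups attribute named in the reply and reuses the ScheduledOperation-SetTime control from the script at the top of the thread; everything else is an assumption: a second virtual attribute edsvaMyTemporaryHours for the requested duration, an upper bound of 72 hours, and a Get-QADGroup check that each DN in the attribute really is a group before anything is added.

```powershell
# Added example (not from the original thread). Change workflow script on a user object,
# triggered when edsvaMyTemporaryGroups is set. Assumptions are marked below.
function setTemporalMemberships($Request) {
    # DN of the user whose edsvaMyTemporaryGroups value was just changed
    $userDN = $Request.Get("distinguishedName")

    # Multi-valued DN attribute; @() guards against a single value arriving as a plain string
    $groupDNs = @($Request.Get("edsvaMyTemporaryGroups"))
    if ($groupDNs.Count -eq 0) { return }

    # ASSUMPTION: a second virtual attribute, edsvaMyTemporaryHours, holds the requested
    # duration. It is not in the thread; use a fixed value if you do not create it.
    $hours = [int]$Request.Get("edsvaMyTemporaryHours")

    # ASSUMPTION: an upper bound, so a typo cannot schedule the removal years out
    $maxHours = 72
    if ($hours -le 0 -or $hours -gt $maxHours) {
        throw "edsvaMyTemporaryHours must be between 1 and $maxHours (got '$hours')"
    }

    # Same scheduling control as the original script, in UTC
    $removeAt = (Get-Date).AddHours($hours).ToUniversalTime()
    $control  = @{ "ScheduledOperation-SetTime" = $removeAt }

    foreach ($groupDN in $groupDNs) {
        # Refuse anything in the attribute that does not resolve to a group object
        $group = Get-QADGroup -Identity $groupDN -ErrorAction SilentlyContinue
        if (-not $group) {
            Write-Warning "Skipping '$groupDN': not a group"
            continue
        }

        # Add now, then schedule the removal; the pair is one temporal membership
        Add-QADGroupMember    -Identity $groupDN -Member $userDN
        Remove-QADGroupMember -Identity $groupDN -Member $userDN -Control $control
    }
}
```

    The script only loops over what the Initiator managed to put into the attribute, so the question of who may pick which group is still decided by the Access Templates that apply to the groups, as the reply says; the script does not add its own permission check.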