DESCRIPTION
This script policy sample demonstrates a permission propagation (aka Sync permission to Active Roles) prohibition.
This policy should be applied to the ATLinks container (CN=AT Links,CN=Configuration)
Note: This code may use functions from the Active Roles Script Policy Best Practices. Please follow the link to obtain instructions and code for those functions.
SCRIPT
'*********************************************************************************
' THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
' EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
' WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
'
' IF YOU WANT THIS FUNCTIONALITY TO BE CONDITIONALLY SUPPORTED,
' PLEASE CONTACT ONE IDENTITY PROFESSIONAL SERVICES.
'*********************************************************************************
Option Explicit
'***********************************************************************************
'** CUSTOMIZABLE SETTINGS
'***********************************************************************************
' Only requests for this object class are inspected; every other class is skipped
Const strInterestingClass = "edsACE"
' Source name reported by Err.Raise when the operation is refused
Const strScriptName = "Permission Propagation Policy"
' Text returned to the caller (error or compliance info) when propagation is refused
Const strErrorMessage = "Permission propagation to AD is prohibited!"
'***********************************************************************************
'** SUBROUTINES
'***********************************************************************************
'===========================================================================
' The IsAttributeModified checks whether the attribute in the request is modified
'===========================================================================
Function IsAttributeModified (Request, strAttribute)
    ' Returns True when strAttribute is present in Request with a control code
    ' that changes it (clear, update or append). Returns False when the
    ' attribute is absent from the request or carries any other control code.
    Dim objItem
    IsAttributeModified = False
    Set objItem = Request.GetPropertyItem(strAttribute, ADSTYPE_CASE_IGNORE_STRING)
    If (objItem Is Nothing) Then Exit Function
    Select Case objItem.ControlCode
        Case ADS_PROPERTY_CLEAR, ADS_PROPERTY_UPDATE, ADS_PROPERTY_APPEND
            IsAttributeModified = True
    End Select
End Function ' IsAttributeModified
'===========================================================================
' The GetAttributeDirObj gets the attribute value from the object.
' If the object doesn't have a value, it gets the value from DirObj
'===========================================================================
Function GetAttributeDirObj (objObject, strAttribute)
    ' Reads strAttribute from objObject (normally the Request). When that
    ' yields nothing, the same attribute is read from the global DirObj.
    ' Errors from either Get are suppressed, so an attribute that is present
    ' on neither object leaves the result Empty.
    Dim varValue
    On Error Resume Next
    varValue = objObject.Get(strAttribute)
    If IsEmpty(varValue) Then varValue = DirObj.Get(strAttribute)
    On Error GoTo 0
    GetAttributeDirObj = varValue
End Function ' GetAttributeDirObj
'===========================================================================
' The IsOperationAllowed checks if propagation is allowed
' It returns TRUE if allowed, and returns FALSE if not
'===========================================================================
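Function IsOperationAllowed(Request)
    ' Decides whether the edsACE operation carried by Request may be
    ' propagated to AD. Returns True (allowed) by default; the sample
    ' condition at the end returns False when the ACE is flagged as
    ' synchronized with AD. Only the four edsa* attributes below are
    ' relevant; a request that changes none of them is allowed as is.
    '
    ' Corrections against the original sample: the attribute test was
    ' missing its closing parentheses and used Exit Sub inside a Function;
    ' its early exit fired when a relevant attribute WAS modified (so the
    ' prohibition could never trigger on a create or on setting the sync
    ' flag) and is now inverted; and the final If lacked Then.
    Dim guidAccessTemplate, guidSecurableObject, sidTrustee, nSyncronized
    Dim strAccessTemplateGUID, strSecurableObjectGUID, strTrusteeSID, boolSyncronized
    Dim objOctetString, objAccessTemplate, objSecurableObject, objTrustee

    IsOperationAllowed = True ' allowed by-default

    ' Nothing to evaluate unless at least one relevant attribute is changed
    If Not (IsAttributeModified(Request, "edsaAccessTemplateGUID") Or _
            IsAttributeModified(Request, "edsaSecObjectGUID") Or _
            IsAttributeModified(Request, "edsaTrusteeSID") Or _
            IsAttributeModified(Request, "edsaIsSynchronizedWithAD")) Then Exit Function

    ' get values from request or DirObj
    guidAccessTemplate = GetAttributeDirObj(Request, "edsaAccessTemplateGUID")
    guidSecurableObject = GetAttributeDirObj(Request, "edsaSecObjectGUID")
    sidTrustee = GetAttributeDirObj(Request, "edsaTrusteeSID")
    nSyncronized = GetAttributeDirObj(Request, "edsaIsSynchronizedWithAD")

    ' convert binary values to strings
    Set objOctetString = CreateObject("AelitaEDM.EDMOctetString")
    objOctetString.Set(guidAccessTemplate)
    strAccessTemplateGUID = objOctetString.GetGuidString()
    objOctetString.Set(guidSecurableObject)
    strSecurableObjectGUID = objOctetString.GetGuidString()
    objOctetString.Set(sidTrustee)
    strTrusteeSID = objOctetString.GetSidString()

    ' convert numeric value to boolean; an Empty (absent) flag compares as 0,
    ' so a missing edsaIsSynchronizedWithAD counts as "not synchronized"
    boolSyncronized = (nSyncronized > 0)

    ' bind to objects by their Guids & Sids so a customized condition below
    ' can inspect them. A failed bind raises out of this function and fails
    ' the operation (fail closed) rather than silently allowing it.
    Set objAccessTemplate = GetObject("EDMS://<GUID=" & strAccessTemplateGUID & ">")
    Set objSecurableObject = GetObject("EDMS://<GUID=" & strSecurableObjectGUID & ">")
    Set objTrustee = GetObject("EDMS://<SID=" & strTrusteeSID & ">") '!!! BE AWARE OF WELL-KNOWN SIDS

    '--------------------------
    ' Change the following code to fit your conditions. Current code always
    ' prohibits permission propagation to AD for a synchronized ACE.
    If boolSyncronized Then IsOperationAllowed = False
End Function ' IsOperationAllowed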
'***************************************************************************
' EVENT HANDLERS
'***************************************************************************
'===========================================================================
' onPreCreate
'===========================================================================
Sub onPreCreate(Request)
    ' Pre-create handler: for an object of strInterestingClass (edsACE) whose
    ' propagation is not allowed, abort the request with strErrorMessage.
    ' Every other class passes through untouched.
    If (LCase(Request.Class) = LCase(strInterestingClass)) Then
        If Not IsOperationAllowed(Request) Then
            Err.Raise 1, strScriptName, strErrorMessage
        End If
    End If
End Sub ' onPreCreate
'===========================================================================
' onPreModify
'===========================================================================
Sub onPreModify(Request)
    ' Pre-modify handler: same rule as onPreCreate — an edsACE
    ' (strInterestingClass) whose propagation is not allowed is refused by
    ' raising strErrorMessage; other classes are ignored.
    If (LCase(Request.Class) = LCase(strInterestingClass)) Then
        If Not IsOperationAllowed(Request) Then
            Err.Raise 1, strScriptName, strErrorMessage
        End If
    End If
End Sub ' onPreModify
'===========================================================================
' onCheckPropertyValues
'===========================================================================
Sub onCheckPropertyValues(Request)
    ' Property-check handler: instead of raising an error, report a policy
    ' compliance error on "cn" with strErrorMessage when an edsACE
    ' (strInterestingClass) may not be propagated. Other classes are skipped.
    If (LCase(Request.Class) = LCase(strInterestingClass)) Then
        If Not IsOperationAllowed(Request) Then
            Request.SetPolicyComplianceInfo "cn", EDS_POLICY_COMPLIANCE_ERROR, strErrorMessage
        End If
    End If
End Sub ' onCheckPropertyValues
'***** END OF CODE ***************************************************************