DESCRIPTION
Allows you to selectively define who can disable users while allowing free access to enable. The group defining who should be denied access to disable is stored as a parameter of the policy entry called 'Disable User Group', and should be stored in distinguishedName format.
Note This code may use functions from the Active Roles Script Policy Best Practices. Please, follow the link to obtain instructions and code for those functions.
SCRIPT
'*********************************************************************************
' THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
' EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
' WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
'
' IF YOU WANT THIS FUNCTIONALITY TO BE CONDITIONALLY SUPPORTED,
' PLEASE CONTACT ONE IDENTITY PROFESSIONAL SERVICES.
'*********************************************************************************
Option Explicit
Sub onPreModify(Request)
If Request.Class <> "user" Then Exit Sub
' If the user disabled state is not one of the attributes being modified, exit the function
If IsEmpty(Request.Get("edsaAccountIsDisabled")) Then Exit Sub
' If the user is being enabled, exit the function
If Request.Get("edsaAccountIsDisabled") = False Then Exit Sub
Dim strDeniedGrp
Dim objDeniedGrp
Dim strInteractiveUsrSAN
Dim strInteractiveUsrDN
Dim blnDenied
Dim objGroupList
' The group defining who is permitted to disable users is defined by the policy entry parameter called
' "Disable User Group". It should be specified in distinguishedName syntax.
strDeniedGrp = PolicyEntry.Parameter("Disable User Group")
'Set objDeniedGrp = GetObject("EDMS://" & strDeniedGrp)
' Retrieve the name of the user making the request, and find out if they are a member of the allowed
' users group.
Request.WhoAmI strInteractiveUsrSAN, strInteractiveUsrDN
' This dictionary object is used by the IsMember function to prevent checking membership of the
' same group twice. Otherwise you run the risk of entering an infinite loop if there is any circular
' group memberships.
Set objGroupList = CreateObject("Scripting.Dictionary")
objGroupList.CompareMode = vbTextCompare
blnDenied = IsMember(strDeniedGrp, strInteractiveUsrDN, objGroupList)
' If they requesting user is not in the allowed list, record an event to the EDM event log and
' display an error message to the user. The Err.Raise method will abort execution before any change to
' the user is made. If they are permitted, then execution continues normally, allowing any and all
' changes.
If blnDenied Then
EventLog.ReportEvent EDS_EVENTLOG_AUDIT_FAILURE, strMeSAN & " attempted to enable '" & Request.Name & "'."
Err.Raise -1, "Access Denied", vbCRLF & vbCRLF & "You are not permitted to disable this user object. Please contact your network administrator."
End If
End Sub
Private Function IsMember(strGroupDN, strUserDN, ByRef objGroupList)
' This recursive group membership check function needs to exist since the IsMember method is, by
' itself, not recursive. Moreover, please be aware that this function does NOT work on your primary
' group (i.e., Domain Users in most cases).
Dim objGroup
Dim objMember
Dim strMemberDN
Set objGroup = GetObject("EDMS://" & strGroupDN)
IsMember = objGroup.IsMember("EDMS://" & strUserDN)
If IsMember Then Exit Function
For Each objMember In objGroup.Members
If objMember.Class = "group" Then
strMemberDN = objMember.Get("distinguishedName")
If Not objGroupList.Exists(strMemberDN) Then
objGroupList.Add strMemberDN, strMemberDN
IsMember = IsMember(strMemberDN, strUserDN, objGroupList)
If IsMember Then Exit Function
End If
End If
Next
End Function
'***** END OF CODE ***************************************************************