DESCRIPTION
This script allows only an object's manager, or one of that manager's indirect managers, to manage the object. This is a sample script, not ready for production, but it can be used for demos.
Note: This code may use functions from the Active Roles Script Policy Best Practices. Please follow the link to obtain instructions and code for those functions.
SCRIPT
'*********************************************************************************
' THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
' EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
' WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
'
' IF YOU WANT THIS FUNCTIONALITY TO BE CONDITIONALLY SUPPORTED,
' PLEASE CONTACT ONE IDENTITY PROFESSIONAL SERVICES.
'*********************************************************************************
'--- shared helper module; best.IsObjectClassRequested and best.GetAttribute are called below ----
Set best = ScriptLib.Load("Script Modules/My Scripts/BestPractice")
'====================================================
'= EVENT HANDLER
'====================================================
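'--- Pre-modify handler: blocks changes to a user account unless the initiator
'--- is the account's manager or one of the manager's indirect managers ----
Sub onPreModify(Request)
    '--- process user account only ----
    If (Not best.IsObjectClassRequested("user", Request)) Then Exit Sub
    Dim strTargetDN, strInitiatorDN
    '--- get target object DN & request initiator DN ---
    '--- Request.ADsPath is "EDMS://<DN>"; Mid is 1-based, so position 8 is the first DN character ----
    strTargetDN = Mid(Request.ADsPath, 8)
    strInitiatorDN = GetInitiatorDN(Request)
    '--- is the request initiator the target's manager or an indirect manager? ----
    '--- no On Error here: a lookup error raised inside IsAppropriateInitiator propagates
    '--- out of this handler just like the explicit Err.Raise below, so the request is blocked ----
    If (Not IsAppropriateInitiator(strInitiatorDN, strTargetDN)) Then
        '--- Err.Raise is (number, source, description): the message must be the third
        '--- argument, otherwise it lands in Err.Source and Err.Description stays generic ----
        Err.Raise 1, "onPreModify", "Sorry, you are not permitted to update this user account"
    End If
End Sub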
'====================================================
'= Check if an request initiator is appropriate
'====================================================
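'--- Upper bound on the length of the manager chain that is walked. A manager loop
'--- (A -> B -> A) or a self-managed account would otherwise recurse without limit
'--- and crash the policy; the bound turns that into a plain denial ----
Const MAX_MANAGER_CHAIN = 32

'--- Returns True when strInitiatorDN is the manager of strTargetDN, or the manager
'--- of that manager, and so on up the chain; False when the chain ends without a
'--- match or exceeds MAX_MANAGER_CHAIN. Errors from GetObject/GetInfoEx are not
'--- handled here and propagate to the caller ----
Function IsAppropriateInitiator(ByVal strInitiatorDN, ByVal strTargetDN)
    Dim objCurrent, strCurrentDN, strManagerDN, intLevel
    IsAppropriateInitiator = False
    strCurrentDN = strTargetDN
    For intLevel = 1 To MAX_MANAGER_CHAIN
        Set objCurrent = GetObject("EDMS://" & strCurrentDN)
        '--- fetch only the manager attribute for the current link of the chain ----
        objCurrent.GetInfoEx Array("manager"), 0
        strManagerDN = best.GetAttribute("manager", objCurrent)
        '--- no manager specified: the chain ends here without a match -> deny ----
        If (IsEmpty(strManagerDN)) Then Exit Function
        '--- DN comparison is case-insensitive ----
        If (LCase(strManagerDN) = LCase(strInitiatorDN)) Then
            IsAppropriateInitiator = True
            Exit Function
        End If
        '--- not a match: continue with the manager's own manager ----
        strCurrentDN = strManagerDN
    Next
    '--- chain longer than the bound (most likely a loop): deny ----
End Function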
'====================================================
'= Get request initiator DN
'====================================================
'--- Returns the DN of the account that submitted the request ----
Function GetInitiatorDN(ByRef Request)
    Dim strAccountName, strInitiatorDN
    '--- WhoamI fills both out-arguments; only the DN is needed here ----
    Request.WhoamI strAccountName, strInitiatorDN
    GetInitiatorDN = strInitiatorDN
End Function
'===========================================================================
' Log
'===========================================================================
' This function logs stuff into a log file
'--- fixed destination that Log() appends to; NOTE(review): C:\temp is a shared
'--- location, confirm its ACL restricts who can read or replace this file ----
Const strLogFile="C:\temp\ARS.log"
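'--- Appends a timestamped line to strLogFile. Best-effort: a logging failure
'--- must never abort the policy, so errors are swallowed here ----
Sub Log(msg)
    Dim fso, objFile
    On Error Resume Next
    Set fso = CreateObject("Scripting.FileSystemObject")
    '--- 8 = ForAppending; True = create the file if it does not exist ----
    Set objFile = fso.OpenTextFile(strLogFile, 8, True)
    '--- only write when the file actually opened (CreateObject or OpenTextFile may have failed) ----
    If (Err.Number = 0) Then
        '--- "&" instead of "+": "+" raises a type mismatch when msg is not a string,
        '--- which silently dropped the log line under On Error Resume Next ----
        objFile.WriteLine CStr(Now()) & vbTab & msg
        objFile.Close
    End If
    Err.Clear
End Sub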
'***** END OF CODE ***************************************************************