Allow person in 'Managed By' field to modify group members?

General discussion of using Adaxes for Active Directory management and administration


Postby Kirk » Tue Nov 08, 2011 1:26 pm

Hey there,

We allow our staff to modify membership to certain AD groups by designating a person in the 'Managed By' field. That person then changes the group's members via Outlook. I noticed that, in Adaxes Web UIs, this person gets an 'Access Denied' message when attempting to add or remove members.

Basically, I'd like there to be some logic that says 'When looking at a group... If logged in user = Managed By user for this group, then allow them to modify group membership' without any object specific configuration. Is this possible?

Thanks!
Kirk
 
Posts: 5
Joined: Tue Nov 08, 2011 1:15 pm

Re: Allow person in 'Managed By' field to modify group membe

Postby Eugene Pavlov » Wed Nov 09, 2011 5:06 am

Hi Kirk,

In one of the nearest releases we are planning to extend Security Roles to allow delegating permissions to object owners. This will allow you to grant the 'add/remove member' right to group managers.

However there is another way to implement what you need.

In 2011.3 it will be possible to use value references in Business Rule conditions. This will allow you to control access to objects based on the whether the operation initiator is the group manager or not.

[Screenshot: managedby.condition.png]


What you will need to do:
  • With the help of Security Roles allow all users to add/remove members from certain groups (e.g. groups that belong to a Business Unit, or located under an OU).
  • Create a Business Rule that is triggered before adding/removing group members. If the operation initiator is not the group manager, this rule will cancel the operation (see screenshot above). Optionally this Business Rule can submit an approval request to the group manager.
Active Directory Identity Management

Follow Adaxes in social networks
Eugene Pavlov
 
Posts: 401
Joined: Wed Apr 29, 2009 11:10 pm

Re: Allow person in 'Managed By' field to modify group membe

Postby Kirk » Wed Nov 09, 2011 1:03 pm

Thank you, Eugene.

Is it possible to modify the approach below to account for situations where 'Managed By' property references a group instead of an individual?
Kirk
 
Posts: 5
Joined: Tue Nov 08, 2011 1:15 pm

Re: Allow person in 'Managed By' field to modify group membe

Postby Eugene Pavlov » Thu Nov 10, 2011 2:36 am

Hello Kirk,

For now, you can do this with the help of a script:

  1. Create a Business Rule that is triggered before adding or removing members from a group.
  2. Add Run a program or PowerShell script action to the Business Rule.
  3. Specify the following PowerShell script for the action:
    Import-Module Adaxes

    # Value references are expanded by Adaxes before the script runs
    $initiatorDN = "%adm-initiatorDN%"
    $managedByDN = "%managedBy%"
    $domainName = "company.com" # TODO: replace with your domain
    $allowed = $FALSE

    # The initiator is the group manager personally
    if ($initiatorDN -eq $managedByDN)
    {
        $allowed = $TRUE
    }
    else
    {
        # The 'Managed By' field may reference a group: check whether the
        # initiator is a member of that group
        foreach ($group in Get-AdmPrincipalGroupMembership $initiatorDN -Server $domainName -AdaxesService localhost)
        {
            if ($group.DistinguishedName -eq $managedByDN)
            {
                $allowed = $TRUE
                break
            }
        }
    }

    if (-not $allowed)
    {
        $Context.Cancel("Access is denied")
    }
Eugene Pavlov
 
Posts: 401
Joined: Wed Apr 29, 2009 11:10 pm

Re: Allow person in 'Managed By' field to modify group membe

Postby Kirk » Tue Nov 15, 2011 3:58 pm

Thank you, sir! Very helpful.
Kirk
 
Posts: 5
Joined: Tue Nov 08, 2011 1:15 pm

Re: Allow person in 'Managed By' field to modify group membe

Postby Eugene Pavlov » Wed Jun 27, 2012 6:23 am

Here is another script that can be used in the If PowerShell script returns true condition.
The script allows group membership modification for group managers and Adaxes service administrators.
Import-Module Adaxes

$groupDN = "%distinguishedName%"
$initiatorDN = "%adm-initiatorDN%"
$managedByDN = "%managedBy%"

# $True means the condition is met and the Cancel action fires;
# the checks below set it to $False when the initiator is allowed
$Context.ConditionIsMet = $True

# Test whether the initiator is a service administrator
$configurationSetSettingsPath = $Context.GetWellKnownContainerPath("ConfigurationSetSettings")
$configurationSetSettings = $Context.BindToObject($configurationSetSettingsPath)
if ($configurationSetSettings.AdministratorManager.AmIAdministrator())
{
    $Context.ConditionIsMet = $False
}
else
{
    # Test whether the group is managed by the initiator
    if ($initiatorDN -eq $managedByDN)
    {
        $Context.ConditionIsMet = $False
    }
    else
    {
        # 'Managed By' may reference a group: test whether the initiator
        # is a member of that group
        $domainName = $Context.GetObjectDomain($initiatorDN)
        foreach ($group in Get-AdmPrincipalGroupMembership $initiatorDN -Server $domainName -AdaxesService localhost)
        {
            if ($group.DistinguishedName -eq $managedByDN)
            {
                $Context.ConditionIsMet = $False
                break
            }
        }
    }
}


To use the script, add the Cancel this operation action to your Business Rule and add the If PowerShell script returns true condition for the action. Use the script in the condition.
[Screenshot: business.rule.png]
Eugene Pavlov
 
Posts: 401
Joined: Wed Apr 29, 2009 11:10 pm
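As an added example (not from the thread and not Adaxes' own code), here is a variant of the condition script above that also recognises the initiator when they belong to a nested member of the managing group, and that records each allow/deny decision in the operation log for later audit. It assumes the Adaxes cmdlets Get-AdmObject and Get-AdmGroupMember (with -Recursive) and the $Context.LogMessage method behave as in the Adaxes PowerShell module; the service-administrator check from the original script is left out here for brevity.

```powershell
Import-Module Adaxes

# Value references, expanded by Adaxes before the script runs
$groupDN     = "%distinguishedName%"
$initiatorDN = "%adm-initiatorDN%"
$managedByDN = "%managedBy%"

# Condition semantics: $True means "cancel the operation"
$Context.ConditionIsMet = $True

function Test-IsGroupManager {
    param([string]$Initiator, [string]$ManagedBy)

    # No manager set: nobody qualifies through this rule
    if ([string]::IsNullOrEmpty($ManagedBy)) { return $False }

    # The manager is the initiator personally
    if ($Initiator -eq $ManagedBy) { return $True }

    # The manager may be a group: only then look at its members
    $domain = $Context.GetObjectDomain($ManagedBy)
    $managerObj = Get-AdmObject -Identity $ManagedBy -Server $domain -AdaxesService localhost
    if ($managerObj.ObjectClass -ne "group") { return $False }

    # -Recursive expands nested groups, so indirect members count too
    $members = Get-AdmGroupMember -Identity $ManagedBy -Recursive -Server $domain -AdaxesService localhost
    foreach ($member in $members) {
        if ($member.DistinguishedName -eq $Initiator) { return $True }
    }
    return $False
}

if (Test-IsGroupManager -Initiator $initiatorDN -ManagedBy $managedByDN) {
    # Manager: clear the condition so the Cancel action does not fire
    $Context.ConditionIsMet = $False
    $Context.LogMessage("Membership change on $groupDN allowed for manager $initiatorDN", "Information")
}
else {
    # Leave ConditionIsMet = $True so the operation is cancelled; log it for audit
    $Context.LogMessage("Membership change on $groupDN denied: $initiatorDN is not its manager", "Warning")
}
```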

