Only allow membership to one security group at a time

Question

We have RBAC groups inside an OU. We would like to restrict users from being added to multiple RBAC groups at a time. For example:

RBAC Roles OU
    Sales RBAC Group
    Marketing RBAC Group
    Dev RBAC Group

If a user is in the Sales RBAC Group and they get added to Marketing, I would like to either remove the Sales group membership or get prompted to select one at a time.

Users would still be members of security groups outside of this OU structure though.

What's the best way to achieve this?

Thanks

Comments

Hello,

There are two possible solutions:

• Remove the user from other RBAC group when added to one of them
• Cancel the operation with the corresponding message

For us to provide you with detailed instructions, please, specify which approach meets your needs.

---

Hello,

I think the first method would be better - removing them from the first group when added to another.

Thanks

Answer 1

Hello,

Thank you for the confirmation. To achieve the desired, create a business rule triggering After adding a member to a group. The rule will execute the below script. In the script:

• $groupDNs - Specifies distinguished names (DNs) of the RBAC groups. For information on how to get an object DN, see https://adaxes.com/sdk/HowDoI.GetDnOfObject.
• $pipelined - Specifies whether the updates made by the script will be passed through the Adaxes pipeline to trigger corresponding business rules, create log records, etc.

$groupDNs = @("CN=Sales RBAC Group,OU=Groups,DC=domain,DC=com", "CN=Marketing RBAC Group,OU=Groups,DC=domain,DC=com", "CN=Dev RBAC Group,OU=Groups,DC=domain,DC=com") # TODO: modify me
$pipelined = $True # TODO: modify me

foreach ($groupDN in $groupDNs)
{
    $group = $Context.BindToObjectByDNEx($groupDN, $pipelined)
    if (($group.IsMember("Adaxes://%member%") -and ($groupDN -ne "%distinguishedName%")))
    {
        $group.Remove("Adaxes://%member%")
    }
}

In the Activity Scope of the rule, add all the RBAC groups specified in the $groupDNs variable. Make sure to add the groups themselves (This object only), not their members. Finally, the rule will look like the following: