Would it be possible to utilize Adaxes' out of the box approval workflow functionality to accomplish the following audit process?

On a periodic basis, each group member's manager is emailed to confirm that their membership in that group is still valid. Ideally a non-response would count as an approval, but a reject would remove the user's group membership. Ultimately the goal is to help with maintaining least-privilege principles as access is often granted, but rarely revoked.


1 Answer


Hello,

Unfortunately, there is no such possibility.

As a solution, you can use the following scenario:

  1. A Scheduled Task will attempt to remove all members from the group.
  2. A Business Rule triggering Before Removing a member from a Group will send an approval request to the user being removed from the group by executing a PowerShell script.
  3. If the user denies the request, they will remain in the group. If the user approves the request, they will be removed from the group.

Hi yourpp - we have a similar situation and I was wondering if you discovered any other options for your use case?

Regards,
Bernie


No, not yet. The method proposed by Adaxes isn't trivial because they do not appear to have a native option to specify the affected user's manager for approval, only the requester's manager or owner of the group, etc. Ideally you would be able to use a template for the list of approvers, but you cannot at this time, hence the need for a PowerShell script. To keep it simple, we will probably just use a scheduled task to email the manager with a list of each of their direct reports in the specified group, and if they reply, a ticket will be generated in our help desk system and our staff will manually remove the membership.
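
The per-manager review list described in the last comment, as an added example that is not part of the original thread and is not Adaxes' own code. It assumes the Microsoft ActiveDirectory PowerShell module for the directory lookup; the function names, the group name `Finance-Share-RW` and the sample rows are constructed so the grouping logic runs without a domain.

```powershell
# Added example (not from the thread). Function names are hypothetical.
# The ActiveDirectory module is needed only by Get-GroupMemberRow.

function Get-GroupMemberRow {
    param([Parameter(Mandatory)][string]$GroupName)
    # Direct user members with their Manager DN; nested groups are not expanded.
    Get-ADGroupMember -Identity $GroupName |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { Get-ADUser -Identity $_.distinguishedName -Properties Manager, DisplayName } |
        Select-Object SamAccountName, DisplayName, Manager
}

function New-MembershipReview {
    param(
        [Parameter(Mandatory)][object[]]$Members,
        [Parameter(Mandatory)][string]$GroupName
    )
    # Accounts with no manager would otherwise never be reviewed: bucket them
    # under 'UNASSIGNED' so the help desk can follow up.
    $Members |
        Group-Object -Property { if ($_.Manager) { $_.Manager } else { 'UNASSIGNED' } } |
        ForEach-Object {
            $rows = $_.Group | Sort-Object SamAccountName
            [pscustomobject]@{
                Reviewer = $_.Name
                Group    = $GroupName
                Accounts = @($rows.SamAccountName)
                Body     = "Please confirm these accounts still need '$GroupName':`n" +
                           (($rows | ForEach-Object { " - $($_.DisplayName) ($($_.SamAccountName))" }) -join "`n")
            }
        }
}

# Constructed sample rows (stand-in for: Get-GroupMemberRow -GroupName 'Finance-Share-RW')
$sample = @(
    [pscustomobject]@{ SamAccountName = 'adavis'; DisplayName = 'Ann Davis'; Manager = 'CN=Lee Wong,OU=Staff,DC=example,DC=com' }
    [pscustomobject]@{ SamAccountName = 'bkhan'; DisplayName = 'Bo Khan'; Manager = 'CN=Lee Wong,OU=Staff,DC=example,DC=com' }
    [pscustomobject]@{ SamAccountName = 'svc-report'; DisplayName = 'Report Service'; Manager = $null }
)

# One review message per manager, plus one for accounts with no manager set.
New-MembershipReview -Members $sample -GroupName 'Finance-Share-RW' |
    ForEach-Object { "To: $($_.Reviewer)`n$($_.Body)`n" }
```

To mail each list, resolve the `Reviewer` DN to an address with `Get-ADUser -Properties mail` and pass `Body` to the mail step of the scheduled task.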
