0 votes

Would it be possible to utilize Adaxes' out of the box approval workflow functionality to accomplish the following audit process?

On a periodic basis, each group member's manager is emailed to confirm that their membership in that group is still valid. Ideally a non-response would count as an approval, but a reject would remove the user's group membership. Ultimately the goal is to help with maintaining least privileged principles as access is often granted, but rarely revoked.

by (540 points)

1 Answer

0 votes
by (289k points)
Best answer

Hello,

Unfortunately, there is no such possibility.

As a solution, you can use the following scenario:

  1. A Scheduled Task will attempt to remove all members from the group.
  2. A Business Rule triggering Before Removing a member from a Group will send an approval request to the user being removed from the group by executing a PowerShell script.
  3. If the user denies the request, they will remain in the group. If the user approves the request, they will be removed from the group.
0

Hi yourpp - we have a similar situation and I was wondering if you discovered any other options for your use case?

Regards,
Bernie

0

No, not yet. The method proposed by Adaxes isn't trivial because they do not appear to have a native option to specify the affected user's manager for approval, only the requester's manager or owner of the group, etc. Ideally you would be able to use a template for the list of approvers, but cannot at this time, hence the need for a PowerShell script. To keep it simple, we will probably just use a scheduled task to email the manager with a list of each of their direct reports in the specified group and if they reply, a ticket will be generated in our help desk system and our staff will manually remove the membership.
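As an added example of the "keep it simple" scheduled-task approach described above (this is not Adaxes' own code or a script from the thread): a PowerShell script that reads one group's members from Active Directory, groups them by the Manager attribute, and sends each manager a single recertification mail listing their direct reports. It assumes the RSAT ActiveDirectory module and an SMTP relay; the group name, sender address and SMTP server are placeholders.

```powershell
# Added example, not Adaxes code: periodic group-membership recertification mail.
# Assumes the ActiveDirectory module and an SMTP relay; the three values below
# are placeholders to replace for a real environment.
Import-Module ActiveDirectory

$GroupName  = 'Finance-Payroll-Admins'        # placeholder group to recertify
$From       = 'access-review@example.com'     # placeholder sender address
$SmtpServer = 'smtp.example.com'              # placeholder SMTP relay

# Resolve every direct user member together with its Manager attribute.
$members = Get-ADGroupMember -Identity $GroupName |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        Get-ADUser -Identity $_.distinguishedName -Properties Manager, DisplayName
    }

# Members with no manager set cannot be recertified this way; report them separately.
$orphans = $members | Where-Object { -not $_.Manager }

# Group the remaining members by manager DN so each manager receives one message.
$byManager = $members | Where-Object { $_.Manager } | Group-Object -Property Manager

foreach ($set in $byManager) {
    $manager = Get-ADUser -Identity $set.Name -Properties EmailAddress, DisplayName
    if (-not $manager.EmailAddress) {
        Write-Warning "No mail address for manager $($manager.DisplayName); skipping."
        continue
    }
    $list = ($set.Group | ForEach-Object { " - $($_.DisplayName) ($($_.SamAccountName))" }) -join "`n"
    $body = @"
Hello $($manager.DisplayName),

The following direct reports are members of the group '$GroupName'.
Reply to this message naming anyone who no longer needs this access;
a help desk ticket will be raised to remove the membership. No reply keeps the access.

$list
"@
    Send-MailMessage -From $From -To $manager.EmailAddress -SmtpServer $SmtpServer `
        -Subject "Access review: $GroupName" -Body $body
}

if ($orphans) {
    Write-Warning ("Members with no manager set (need manual review): " +
        (($orphans | ForEach-Object { $_.SamAccountName }) -join ', '))
}
```

The script only reads AD and sends mail; removals still happen through the help desk ticket as the comment describes, so run it from a scheduled task under an account that needs no write access to the group.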
