0 votes

Does anyone have any experience or thoughts about implementing some form of Segregation of Duties checking function within Adexes?

We are using AD group management as the primary method to control access to a number of systems/applications/functions and need to build some model that allows us to prevent certain 'toxic combinations' of access rights as defined by our compliance folk.

Whilst I could build ad-hoc checks into business rules for each group that could get rather messy and hard to maintain.

So, I was thinking about building some kind of access matrix that could then be called for a 'yes'/'no' response whenever a group addition request is processed.

So I was wondering if anyone tried this kind of thing before and might share some ideas please?

Thanks,
Bernie

by (310 points)

1 Answer

0 votes
by (294k points)
selected by
Best answer

Hello Bernie,
As a solution, you can use a Business Rule triggering After adding or removing a member from a group and assign it over all the groups you need. In the rule, you can use a PowerShell script that will check the current membership of the member and add/remove them from other groups if required. The following script from our repository might be helpful: https://www.adaxes.com/script-repositor ... p-s469.htm.

If that is not exactly what you need, please, describe the desired scenario in all the possible details. A live example would be very helpful.

Related questions

0 votes
1 answer

Is it possible to connect to the Microsoft 365 Security & Compliance center through a PowerShell script? We are trying to configure users that belong to a ... department for a retention policy through the use of the Set-RetentionCompliancePolicy command.

asked Jan 3, 2022 by scoutcor (120 points)
0 votes
1 answer

I am trying to get a security role report similar to that in the post Security Role - Report I have also read up on the post at http://www.adaxes.com ... ,CN=Builtin,CN=Security Roles,CN=Access Control,CN=Configuration Objects,CN=Adaxes Configuration,CN=Adaxes

asked Aug 5, 2015 by jakesomething (190 points)
0 votes
1 answer

Is there a way to get an email alert before the Adaxes lisense expires? Ex.: our license expires 13.09.2025 and would like an alert to be sent 14 days before this date.

asked Oct 18 by Handernye (100 points)
0 votes
1 answer

Users are asking if they can change their name to suit preferred names as opposed to birth names? Is this possible?

asked Oct 14 by Charlie.Evans (70 points)
0 votes
1 answer

We need to know specifically for self service password management what level of access in AD do I specifically need.

asked May 9 by justinspring (20 points)
3,589 questions
3,278 answers
8,303 comments
548,131 users