0 votes

Hello,

Would it be possible to access the content of the basket through the SDK?

My goal would be to use the basket to add many groups to a specific user (with a custom action).

Thank you

by (750 points)

Hello,

If you need to access the Basket of Adaxes Web Interface, this is possible, however the Basket of Adaxes Administration Console cannot be accessed with scripts.

By the way, what do you want to do with the groups in the basket after adding them? Maybe a better option would be to find the necessary groups and perform the actions you want directly in the script?


The idea would be to use the basket to copy group membership from one user to another, which is so far not possible.

So, the idea is to add the groups a user is a member of to the basket, and then add all those groups to another user through a custom action.

Could you provide me with the documentation on how to access the web basket?

Thank you

1 Answer

0 votes
by (216k points)
Best answer

Actually, there was a similar request recently. Take a look at the following forum post for information on how to accomplish this task in a much easier way and without the need to access the Basket: Copy of groups membership from one user to another.


I have seen that solution, but I have to admit that I don't really like it.

For mainly two reasons:
- It completely bypasses the powerful delegation that Adaxes allows, as the script runs with its own credentials, and thus can lead to privilege escalation
- It is not intuitive at all

The basket solution is not better from that perspective.

Sadly for us, copying groups from one user to another is the only way we have to migrate a user from one department to another; let's hope that this feature is planned in 2013.2.


Hello,

The script in the suggested solution simply copies group memberships from one user to another. In which way would you like to check the delegated permissions? You don't want the user who invokes the copy membership functionality to be able to copy the memberships in the groups that the user cannot view or anything else?

Sadly for us, copying groups from a user to another is the only way we have to migrate a user from a department to another

By the way, if you want to change group memberships for a user when the user's department changes, we have instructions on how to achieve such functionality in the Automatically Add Users to Groups by Department Tutorial. Take a closer look at the solution in the tutorial; maybe it suits your needs better than simple copying of group memberships?

If not, can you describe in more detail how you determine in your AD whether a user is an employee of this or that department? Maybe we can find a better solution for your task?


Not every employee is able to manage every group.

What I would like is to take advantage of the RBAC.
- A user should not be able to add users to a group if he does not have write access on the members attribute of that group
- A user should not be able to put someone in a group if he does not have write access on the memberof attribute

Our exploitation team is not allowed to manage the domain admin group, and Adaxes is configured to deny that.
If I implement the solution you proposed, a supporter could copy the domain admin group from an admin to their user even without having access to that group, as the script does not run in their context, but in the script's user context.

From a business perspective, we cannot use your department-based solution. Our business line is pretty complex and full of exceptions. Even if a user is supposed to be in one department, he often needs access to various other resources.

The new user request usually states that the new user should have access to the same things as an existing user. For that part we are doing fine, as it is possible to copy a user with Adaxes.

But, quite often, a user needs to change function/department, and in that case he might keep his current rights, but also get rights "similar to another user". This is the use case that requires the group membership copy.

Thanks for your support


Hello,

Actually, the solution with copy/paste group memberships using Custom Commands already takes advantage of Adaxes Role-Based Access control. The thing is that the script for pasting group memberships uses the $Context.BindToObjectEx method to bind to the group that the user needs to be added to / removed from. When using this method in scripts and setting the second parameter in parentheses to $True, binding to objects is always performed with the credentials of the operation initiator, that is, the user who launched the Custom Command. Thus, since the script binds to the groups with the credentials of the operation initiator, if the initiator does not have the permission to write the Member property of a group, Adaxes access control will not allow the script to add the target user to that group.

The only thing missing in the original solution is that the "Paste Membership" script lacked error handling for the situation when the user does not have the permissions to write the Member property of a group. Find below a slightly modified version of the script that fixes this issue.

Also, the scripts from the original solution not only add the target user to the groups that the original user is a member of, but also remove the target user from the groups that the original user is not member of. If you do not need this functionality and want the resulting group memberships to be membership in the copied groups plus membership in the groups that the user was a member of before the operation, we can modify the script.

Here's the modified version of the script for 'pasting' group memberships. As for the script for 'copying' group memberships, you can use it from the original solution we provided above.

# Get the GUIDs of the groups copied by the 'Copy Membership' command.
# They are stored in the initiator's adm-CustomAttributeBinary1 attribute
# as a sequence of 16-byte GUIDs.
try
{
    $sourceGroupGuids = $Context.Initiator.UserAdsObject.Get("adm-CustomAttributeBinary1")
}
catch
{
    # Get() throws when the attribute is empty, i.e. nothing has been copied yet.
    # $Context.Cancel() does not stop the script by itself, so return explicitly.
    $Context.Cancel("Failed to get group GUIDs. Copy group memberships first.")
    return
}

# Make sure that the total number of bytes is a multiple of 16
$totalBytes = $sourceGroupGuids.Length
if (($totalBytes % 16) -ne 0)
{
    $Context.Cancel("Unexpected data length!")
    return
}

# Split the byte array into GUIDs of the groups to add the user to
$groupsToAdd = New-Object "System.Collections.Generic.HashSet[System.Guid]"
for ($i = 0; $i -lt ($totalBytes / 16); $i++)
{
    $bytes = [System.Guid]::Empty.ToByteArray()
    [System.Array]::Copy($sourceGroupGuids, $i * 16, $bytes, 0, 16)
    $guid = New-Object "System.Guid" (,$bytes)
    [void]$groupsToAdd.Add($guid)
}

# Get the GUIDs of the groups the target user is currently a member of.
# GetEx throws when the user is not a direct member of any group, so treat
# that as an empty list instead of failing.
try
{
    $targetGroupGuids = $Context.TargetObject.GetEx("adm-DirectMemberOfGuid")
}
catch
{
    $targetGroupGuids = @()
}

# Work out which groups to add the user to and which to remove the user from:
# groups the user is already a member of are dropped from the add list,
# groups the user is a member of but that were not copied go to the remove list.
$groupsToRemove = New-Object "System.Collections.Generic.HashSet[System.Guid]"
foreach ($targetGroupGuidBytes in $targetGroupGuids)
{
    $guid = New-Object "System.Guid" (,$targetGroupGuidBytes)
    if ($groupsToAdd.Contains($guid))
    {
        [void]$groupsToAdd.Remove($guid) # already a member of the group
    }
    else
    {
        [void]$groupsToRemove.Add($guid)
    }
}

# Remove the user from the groups that are not in the list of copied groups.
# BindToObjectEx($path, $True) binds with the credentials of the operation
# initiator, so Adaxes access control rejects the change for any group whose
# Member property the initiator is not permitted to write.
$unsuccessfullyRemoved = ""
$successfullyRemoved = ""
foreach ($groupGuid in $groupsToRemove)
{
    $groupPath = "Adaxes://<GUID=" + $groupGuid.ToString("B") + ">"
    try
    {
        $group = $Context.BindToObjectEx($groupPath, $True)
        $group.Remove($Context.TargetObject.AdsPath)
    }
    catch
    {
        # Bind with the service credentials only to resolve the group name for the report
        $group = $Context.BindToObject($groupPath)
        $unsuccessfullyRemoved += $group.Get("Name") + "; "
        continue
    }

    $successfullyRemoved += $group.Get("Name") + "; "
}

# Add the user to the copied groups, again binding as the initiator
$unsuccessfullyAdded = ""
$successfullyAdded = ""
foreach ($groupGuid in $groupsToAdd)
{
    $groupPath = "Adaxes://<GUID=" + $groupGuid.ToString("B") + ">"
    try
    {
        $group = $Context.BindToObjectEx($groupPath, $True)
        $group.Add($Context.TargetObject.AdsPath)
    }
    catch
    {
        # Bind with the service credentials only to resolve the group name for the report
        $group = $Context.BindToObject($groupPath)
        $unsuccessfullyAdded += $group.Get("Name") + "; "
        continue
    }

    $successfullyAdded += $group.Get("Name") + "; "
}

# Report the outcome to the initiator
if ($successfullyAdded.Length -ne 0)
{
    $Context.LogMessage("The user was added to the following groups: $successfullyAdded", "Information") # TODO: modify me
}
if ($unsuccessfullyAdded.Length -ne 0)
{
    $Context.LogMessage("The user was not added to the following groups because you do not have sufficient permissions: $unsuccessfullyAdded", "Information") # TODO: modify me
}
if ($successfullyRemoved.Length -ne 0)
{
    $Context.LogMessage("The user was removed from the following groups: $successfullyRemoved", "Information") # TODO: modify me
}
if ($unsuccessfullyRemoved.Length -ne 0)
{
    $Context.LogMessage("The user was not removed from the following groups because you do not have sufficient permissions: $unsuccessfullyRemoved", "Information") # TODO: modify me
}
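The 'copy' half of the pair is only linked above, not quoted. The following is an added example written for this page, not the script from the linked original solution: a Custom Command run on the source user that stores the GUIDs of that user's direct groups in the initiator's adm-CustomAttributeBinary1, in the concatenated 16-byte layout the paste script above reads back. Assumptions: it runs as an Adaxes Custom Command whose target is the source user, and it re-binds to that user with BindToObjectEx($path, $True) so that the membership read is also performed with the initiator's credentials (the thread only states this behaviour for the write side; applying it to the read is an assumption).

```powershell
# Added example: 'Copy Membership' Custom Command (not the original forum script).
# Stores the GUIDs of the target user's direct groups in the initiator's
# adm-CustomAttributeBinary1 as a sequence of 16-byte GUIDs, which is the
# layout the 'Paste Membership' script expects.

# Assumption: bind to the source user as the initiator so that the read of
# group membership is subject to the initiator's permissions as well.
$sourceUser = $Context.BindToObjectEx($Context.TargetObject.AdsPath, $True)

# GetEx throws when the user is not a direct member of any group
try
{
    $groupGuids = $sourceUser.GetEx("adm-DirectMemberOfGuid")
}
catch
{
    $groupGuids = @()
}

# Concatenate the GUIDs; the paste script validates that the total length
# is a multiple of 16 before splitting it back into GUIDs
$buffer = New-Object "System.Collections.Generic.List[byte]"
$count = 0
foreach ($guidBytes in $groupGuids)
{
    if ($guidBytes.Length -ne 16)
    {
        $Context.Cancel("Unexpected GUID length for one of the groups.")
        return
    }
    $buffer.AddRange([byte[]]$guidBytes)
    $count++
}

# Write the 'clipboard' to the initiator's own account
$initiator = $Context.Initiator.UserAdsObject
if ($buffer.Count -eq 0)
{
    # ADS_PROPERTY_CLEAR (1): leave no stale GUIDs from a previous copy behind
    $initiator.PutEx(1, "adm-CustomAttributeBinary1", $null)
}
else
{
    $initiator.Put("adm-CustomAttributeBinary1", $buffer.ToArray())
}
$initiator.SetInfo()

$Context.LogMessage("Copied $count group membership(s) from " + $sourceUser.Get("Name") + ". Run 'Paste Membership' on the destination user.", "Information")
```

Clearing the attribute when the source user has no groups matters for the paste side: the paste script cancels on an empty attribute, so a stale value from an earlier copy would otherwise be silently pasted onto the next destination user. Even if the read were not filtered by the initiator's permissions, the paste script's BindToObjectEx($path, $True) binds still prevent the initiator from actually adding anyone to a group whose Member property they cannot write.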

I was not aware about this binding context.

This is just great that way!

Thank you so much for this solution, really!
