0 votes

We have RBAC groups inside an OU. We would like to restrict users from being added to multiple RBAC groups at a time. For example:

RBAC Roles OU
    Sales RBAC Group
    Marketing RBAC Group
    Dev RBAC Group

If a user is in the Sales RBAC Group and they get added to Marketing, I would like to either remove the Sales group membership or get prompted to select one at a time.

Users would still be members of security groups outside of this OU structure though.

What's the best way to achieve this?

Thanks

by (250 points)
0

Hello,

There are two possible solutions:

  • Remove the user from other RBAC group when added to one of them
  • Cancel the operation with the corresponding message

For us to provide you with detailed instructions, please, specify which approach meets your needs.

0

Hello,

I think the first method would be better - removing them from the first group when added to another.

Thanks

1 Answer

+1 vote
by (270k points)
selected by
Best answer

Hello,

Thank you for the confirmation. To achieve the desired, create a business rule triggering After adding a member to a group. The rule will execute the below script. In the script:

  • $groupDNs - Specifies distinguished names (DNs) of the RBAC groups. For information on how to get an object DN, see https://adaxes.com/sdk/HowDoI.GetDnOfObject.
  • $pipelined - Specifies whether the updates made by the script will be passed through the Adaxes pipeline to trigger corresponding business rules, create log records, etc.
$groupDNs = @("CN=Sales RBAC Group,OU=Groups,DC=domain,DC=com", "CN=Marketing RBAC Group,OU=Groups,DC=domain,DC=com", "CN=Dev RBAC Group,OU=Groups,DC=domain,DC=com") # TODO: modify me
$pipelined = $True # TODO: modify me

foreach ($groupDN in $groupDNs)
{
    $group = $Context.BindToObjectByDNEx($groupDN, $pipelined)
    if (($group.IsMember("Adaxes://%member%") -and ($groupDN -ne "%distinguishedName%")))
    {
        $group.Remove("Adaxes://%member%")
    }
}

In the Activity Scope of the rule, add all the RBAC groups specified in the $groupDNs variable. Make sure to add the groups themselves (This object only), not their members. Finally, the rule will look like the following: image.png

Related questions

0 votes
1 answer

Hi, I am trying to write a PS script for a business rule, that would cancel operation when user tries to remove the "last" RBAC group. Say the group structure is like that: ... "Main RBAC" - but I can't figure out how to do it properly. Thanks for suggestiong

asked Oct 15, 2018 by KIT (910 points)
0 votes
1 answer

We have a potentially complicated sitaution and so far I have no found a solution. Any suggestions will be greatly appreciated. We have specific security groups that ... or see any user details other than the memberships for these specific security groups.

asked Jan 2, 2023 by WannabeGuru (20 points)
0 votes
1 answer

Hello @All, I have a little question about the parameter -AdaxesService and -Service. In a PowerShell Script I have to define the two parameters every time I run an CmdLet from ... I define the Values one time per Power Shell Script? Thanks for some help ;)

asked Apr 29, 2015 by ATiedemann (360 points)
0 votes
1 answer

Hi All, I was following the following documentation https://www.adaxes.com/tutorials_DelegatingPermissions_GrantRightsToModifyADGroupMembership.htm However I cannot work out how to make it ... can only add themselves. Any help would be great. Many Thanks

asked Mar 30, 2020 by antondubek (440 points)
0 votes
1 answer

Hello Back when we first started using Adaxes you created a couple of great scripts which worked together really well, the first one copied one users group membership and put in ... an addition to what groups the second user is already a member of? Thank you.

asked Aug 4, 2015 by CBurn (700 points)
3,326 questions
3,025 answers
7,724 comments
544,678 users