0 votes

Hi,

I am trying to write a PS script for a business rule, that would cancel operation when user tries to remove the "last" RBAC group.

Say the group structure is like that:
Main RBAC
|_Sales RBAC
|_Development RBAC
|___Team A RBAC
...

A user can be assigned to as many RBAC group as necessary but to at least one. Since group owners can change the group membership we need a rule that will stop the action if a user is removed from the "last" group.

As all RBAC groups are members of "Main RBAC" I was thinking of checking simply the presence of "Main RBAC" - but I can't figure out how to do it properly.

Thanks for suggestiong

by (520 points)
0

Hello,

If you want to disallow removing users only from the Main RBAC group, there is no need to use scripts. This can be done using a Business Rule triggering Before Removing a member from a group. The rule will look like the following:

Make sure that the Activity Scope of the Business Rule includes the the group itself, not over its members.

0

Thanks, but that wouldn't work for my scenario as users are never directly in the Main RBAC group, they are always in some sub-groups and I move them around. Better use case -

Main RBAC
|_Sales RBAC
          |_User 1
|_Development RBAC
            |___Team A RBAC
            |           |_User 2
            |___Team B RBAC
                        |_User 1
  • User 1 can be removed from Sales RBAC because he is also in Team B RBAC.

  • User 2 can not be removed from Team A RBAC, because he must be assigned at least one RBAC group. However, he can be added to Sales RBAC and then removed from Team A RBAC.

In other words, after the group change operation, he must stay in one or more RBAC groups.

1 Answer

0 votes
by (226k points)
selected by
Best answer

Hello,

Thank you for the provided details, you need to use a Business Rule triggering Before Removing a member from a group and the below script. The rule will contain a condition checking whether the group contains RBAC in its name and will look like the following:

In the script:
$groupTemplate – Specifies the template for group names to check. You can keep it as is (*RBAC*);
$canceledMessage – Specifies the message that will be displayed when removing a member from a group is cancelled.

$groupTemplate = "*RBAC*" # TODO: modify me
$canceledMessage = "My Message" # TODO: modify me

function SearchObjects($filter)
{
    $searcher = $Context.BindToObject("Adaxes://rootDSE")
    $searcher.SearchFilter = $filter
    $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
    $searcher.PageSize = 500
    $searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
    $searcher.SizeLimit = 1
    $searcher.VirtualRoot = $True

    try
    {
        $searchResultIterator = $searcher.ExecuteSearch()
        $searchResults = $searchResultIterator.FetchAll()

        return ,$searchResults
    }
    finally
    {
        # Release resources
        if ($searchResultIterator){ $searchResultIterator.Dispose() }
    }
}

# Bind to member
$member = $Context.BindToObject("Adaxes://%member%")
$groupGuidsBytes = $member.GetEx("adm-DirectMemberOfGuid")

# Build search filter
$guidFilter = New-Object System.Text.StringBuilder
$targetGroupGuid = [Guid]$Context.TargetObject.Get("ObjectGuid")
foreach ($guidBytes in $groupGuidsBytes)
{
    $guid = [Guid]$guidBytes
    if ($guid -eq $targetGroupGuid)
    {
        continue
    }

    [void]$guidFilter.Append([Softerra.Adaxes.Ldap.FilterBuilder]::Create("objectGuid", $guid))
}

# Search groups
$searchResults = SearchObjects "(&(objectCategory=group)(name=$groupTemplate)(|$($guidFilter.ToString())))"
$targetGroupName = $Context.TargetObject.Get("name")
if ($searchResults.Length -eq 0)
{
    # Cancel removing the member from the group
    $Context.Cancel($canceledMessage)
    return
}
0

:shock: Thank you so much! I didn't expect you will do all the work for me - you are just amazing, thank you again!

Related questions

0 votes
1 answer

We have RBAC groups inside an OU. We would like to restrict users from being added to multiple RBAC groups at a time. For example: RBAC Roles OU Sales RBAC Group ... groups outside of this OU structure though. What's the best way to achieve this? Thanks

asked Oct 13, 2021 by bavery (250 points)
0 votes
1 answer

I am trying to create a process where a user can request access to one or more groups via a web form that also prompts for a date/time to ... = "ADS_SCOPE_SUBTREE" $scopeItem.Exclude = $False $scopeItem.SetInfo() $task.ActivityScopeItems.Add($scopeItem)

asked Apr 15, 2016 by adaxes_user (420 points)
0 votes
1 answer

Hello, I have a large number of groups, one for each branch in the company - named BR_%branchname%. We have staff move from branch to branch frequently, and need to ... to start with this request, and any help or insight would be appreciated. Thanks, Dan

asked Dec 7, 2012 by Dbradford (170 points)
0 votes
1 answer

Update group membership based on one property values. I am trying to find a script that resembles "Update group membership based on two property value" but just for one value.

asked Apr 7 by lee_thomas (20 points)
0 votes
1 answer

Hello Back when we first started using Adaxes you created a couple of great scripts which worked together really well, the first one copied one users group membership and put in ... an addition to what groups the second user is already a member of? Thank you.

asked Aug 4, 2015 by CBurn (700 points)
2,779 questions
2,512 answers
6,574 comments
26,286 users