0 votes

Would it be possible to utilize Adaxes' out of the box approval workflow functionality to accomplish the following audit process?

On a periodic basis, each group member's manager is emailed to confirm that their membership in that group is still valid. Ideally a non-response would count as an approval, but a reject would remove the user's group membership. Ultimately the goal is to help with maintaining least privileged principles as access is often granted, but rarely revoked.

by (540 points)

1 Answer

0 votes
by (272k points)
Best answer

Hello,

Unfortunately, there is no such possibility.

As a solution, you can use the following scenario:

  1. A Scheduled Task will attempt to remove all members from the group.
  2. A Business Rule triggering Before Removing a member from a Group will send an approval request to the user being removed from the group by executing a PowerShell script.
  3. If the user denies the request, they will remain in the group. If the user approves the request, they will be removed from the group.
0

Hi yourpp - we have a similar situation and I was wondering if you discovered any other options for your use case?

Regards,
Bernie

0

No, not yet. The method proposed by Adaxes isn't trivial because they do not appear to have a native option to specify the affected user's manager for approval, only the requester's manager or owner of the group, etc. Ideally you would be able to use a template for the list of approvers, but cannot at this time, hence the need for a PowerShell script. To keep it simple, we will probably just use a scheduled task to email the manager with a list of each of their direct reports in the specified group and if they reply, a ticket will be generated in our help desk system and our staff will manually remove the membership.
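The simpler approach described in the last comment (a scheduled job that mails each manager the list of their direct reports in a group) could look like the sketch below. This is an added example, not code from the posters or from Adaxes; it uses the Microsoft ActiveDirectory PowerShell module rather than Adaxes itself, and the group name, SMTP host and sender address are placeholders.

```powershell
# Added example. Assumptions: RSAT ActiveDirectory module is installed and the
# placeholder values below are replaced with real ones for the environment.
Import-Module ActiveDirectory

function Get-MembershipReviewByManager {
    param([Parameter(Mandatory)][string]$GroupName)

    # Direct user members only; add -Recursive to include nested group members.
    $members = @(Get-ADGroupMember -Identity $GroupName |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            Get-ADUser -Identity $_.distinguishedName -Properties Manager, DisplayName
        })

    # Accounts with no Manager attribute cannot be routed to a reviewer.
    $unmanaged = @($members | Where-Object { -not $_.Manager })

    $reviews = @($members | Where-Object { $_.Manager } |
        Group-Object -Property Manager |
        ForEach-Object {
            # Get-ADObject is used because a manager may be a contact, not a user.
            $mgr = Get-ADObject -Identity $_.Name -Properties mail, displayName
            [pscustomobject]@{
                ManagerName = $mgr.displayName
                ManagerMail = $mgr.mail
                Reports     = @($_.Group | Sort-Object DisplayName)
            }
        })

    [pscustomobject]@{ Reviews = $reviews; Unmanaged = $unmanaged }
}

$group  = 'Example-Privileged-Group'      # placeholder group name
$result = Get-MembershipReviewByManager -GroupName $group

foreach ($r in $result.Reviews) {
    if (-not $r.ManagerMail) {
        Write-Warning "No mail address for manager '$($r.ManagerName)'"
        continue
    }
    $list = ($r.Reports |
        ForEach-Object { " - $($_.DisplayName) ($($_.SamAccountName))" }) -join "`r`n"
    $body = "Your direct reports below are members of '$group':`r`n$list`r`n`r`n" +
            "Reply to this message if any of these memberships should be removed."
    # Send-MailMessage is flagged obsolete by Microsoft but is still available.
    Send-MailMessage -SmtpServer 'smtp.example.com' -From 'access-review@example.com' `
        -To $r.ManagerMail -Subject "Access review: $group" -Body $body
}

# Members without a manager need a fallback reviewer, such as the group owner.
$result.Unmanaged | Select-Object SamAccountName, DisplayName
```

Run it from a scheduled task under an account that can read group membership and the `Manager` attribute; the list of unmanaged accounts is worth reviewing on its own, since those memberships would otherwise never be questioned.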
