
Does anyone have any experience or thoughts about implementing some form of Segregation of Duties checking function within Adaxes?

We are using AD group management as the primary method to control access to a number of systems/applications/functions and need to build some model that allows us to prevent certain 'toxic combinations' of access rights as defined by our compliance folk.

Whilst I could build ad-hoc checks into business rules for each group, that could get rather messy and hard to maintain.

So, I was thinking about building some kind of access matrix that could then be called for a 'yes'/'no' response whenever a group addition request is processed.

So I was wondering if anyone has tried this kind of thing before and might share some ideas, please?

Thanks,
Bernie

by (310 points)

1 Answer

by (272k points)
Best answer

Hello Bernie,
As a solution, you can use a Business Rule triggering After adding or removing a member from a group and assign it over all the groups you need. In the rule, you can use a PowerShell script that will check the current membership of the member and add/remove them from other groups if required. The following script from our repository might be helpful: https://www.adaxes.com/script-repositor ... p-s469.htm.

If that is not exactly what you need, please describe the desired scenario in all the possible details. A live example would be very helpful.
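
One way to keep the 'toxic combinations' from the question in a single access matrix and get a yes/no answer per group addition request, as an added example that is not from the Adaxes script repository or from either poster. The group names, rule IDs and the function name `Test-SodRequest` are constructed, and the call that would feed it a user's real memberships from a business rule is left out because the page does not show it.

```powershell
# Added example: SoD matrix as data, one check function. All names are constructed.
# A rule is violated when one user would hold every group listed in it.
$SodMatrix = @(
    @{ Id = 'SOD-01'; Groups = @('AP-Invoice-Create', 'AP-Invoice-Approve') },
    @{ Id = 'SOD-02'; Groups = @('Vendor-Master-Edit', 'AP-Payment-Release') },
    @{ Id = 'SOD-03'; Groups = @('Dev-Deploy', 'Prod-Change-Approve', 'Prod-DB-Admin') }
)

function Test-SodRequest {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [string[]] $CurrentGroups,
        [Parameter(Mandatory)] [string] $RequestedGroup,
        [Parameter(Mandatory)] [hashtable[]] $Matrix
    )

    # AD group names compare case-insensitively, so the set must too.
    $held = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)
    foreach ($g in $CurrentGroups) { [void]$held.Add($g) }
    [void]$held.Add($RequestedGroup)   # membership as it would be after the request

    $violations = foreach ($rule in $Matrix) {
        # Only rules naming the requested group can be newly triggered by it;
        # pre-existing conflicts are a separate clean-up report, not a reason to deny.
        if ($rule.Groups -notcontains $RequestedGroup) { continue }
        $missing = @($rule.Groups | Where-Object { -not $held.Contains($_) })
        if ($missing.Count -eq 0) { $rule.Id }
    }

    [pscustomobject]@{
        Allowed       = (@($violations).Count -eq 0)
        ViolatedRules = @($violations)   # rule IDs for the denial message and audit log
    }
}

# Constructed sample: the user already creates invoices.
# Limitation: $current must include memberships inherited through nested groups,
# otherwise a conflict reached via nesting is missed.
$current = @('AP-Invoice-Create', 'Staff-All')
Test-SodRequest -CurrentGroups $current -RequestedGroup 'ap-invoice-approve' -Matrix $SodMatrix
Test-SodRequest -CurrentGroups $current -RequestedGroup 'Dev-Deploy' -Matrix $SodMatrix
```

Keeping the matrix in one place means the same rule set can be attached to every controlled group, instead of maintaining per-group ad-hoc checks.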
