Modifying users groups based on Role Changes

I'm very new to Active Roles, so apologies.

I'm not sure of the best way to accomplish this. We have a list of Roles (EDS-Application-Setting) that have AD security and distribution groups assigned to them. When a new AD user account is created as part of the new user workflow, they are forced to select a Role and then all groups are added to the user, etc. What I want to accomplish is some way that when we modify that role (a user is moving dept, etc.) the groups that were added originally are removed and the new ones are added based on their new role. As I said before, I'm very new to Active Roles, so as much detail as possible would be great.

Many thanks

Mike

  • You can use policy scripts for that. You'd create a new script, add the script to a policy and assign the policy to the user's OU.

    In the script, you'd use the onPostModify function to tell it to execute after objects have been changed. Then in that function, you put IF statements to verify that the changed object is a user and the change itself is about those roles you set up. And if all of that is true, you have it re-evaluate the new role and add/remove groups accordingly.

    The script code could look like this:

    function onPostModify($Request)
    {
        # Only act on user objects
        if($Request.Class -eq "User"){

            $rolechange = $false
            $newrole = $null
            # Walk the attributes carried by this request; if the role attribute
            # is among them, the role was changed and its new value is read.
            for ($i = 0; $i -lt $Request.PropertyCount; $i++)
            {
                if ($Request.Item($i).Name -eq "whatever-stores-your-role-name") {
                    $rolechange = $true
                    # $Request.Get() returns the new value of an attribute in the request
                    $newrole = $Request.Get("whatever-stores-your-role-name")
                }
            }
            if($rolechange){
                # Drop the group(s) tied to the old role, then add the new role's groups
                Remove-QADGroupMember "groupname" -Member $Request.DN
                switch($newrole){
                    "RoleName1"{Add-QADGroupMember "groupname" -Member $Request.DN}
                    "RoleName2"{Add-QADGroupMember "groupname" -Member $Request.DN}
                }
            }
        }
    }

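    A fuller version of the same idea, as an added example rather than code from the thread: instead of one hard-coded Remove per role, a role-to-groups table drives a membership diff, so a role change removes only the groups that belong to other roles in the table and adds only the groups the new role still lacks. The attribute name `edsvaRole`, the role names and the group DNs are placeholders, and `Get-QADUser -IncludedProperties memberOf` is used to read current membership; the handler itself is a normal Active Roles `onPostModify` entry point.

```powershell
# Added example, not code from the original thread. Names are placeholders.

# Hypothetical attribute on the user object that stores the selected role.
$RoleAttribute = "edsvaRole"

# Hypothetical role -> group DN map. The script never touches a group that is
# not listed here, so unrelated memberships survive a role change untouched.
$RoleGroups = @{
    "RoleName1" = @("CN=App-A-Users,OU=Groups,DC=example,DC=com",
                    "CN=DL-Dept-A,OU=Groups,DC=example,DC=com")
    "RoleName2" = @("CN=App-B-Users,OU=Groups,DC=example,DC=com",
                    "CN=DL-Dept-B,OU=Groups,DC=example,DC=com")
}

function Get-ChangedRole($Request)
{
    # Returns the new role if the request modifies the role attribute,
    # "" if the attribute was cleared, and $null if the role was not part
    # of this change (assumes a single-valued attribute).
    for ($i = 0; $i -lt $Request.PropertyCount; $i++) {
        if ($Request.Item($i).Name -eq $RoleAttribute) {
            $value = $Request.Get($RoleAttribute)
            if ($null -eq $value) { return "" }
            return [string]$value
        }
    }
    return $null
}

function Sync-RoleGroups($UserDN, $NewRole)
{
    # Groups the new role requires; an unknown or cleared role requires none,
    # which makes the loop below strip every role-managed group.
    $wanted = @()
    if ($RoleGroups.ContainsKey($NewRole)) { $wanted = $RoleGroups[$NewRole] }

    # Every group managed by any role is a candidate for removal.
    $managed = $RoleGroups.Values | ForEach-Object { $_ } | Sort-Object -Unique

    $current = (Get-QADUser -Identity $UserDN -IncludedProperties memberOf).memberOf

    foreach ($group in $managed) {
        $isMember = $current -contains $group
        $shouldBe = $wanted  -contains $group
        if ($isMember -and -not $shouldBe) {
            Remove-QADGroupMember -Identity $group -Member $UserDN
        }
        elseif ($shouldBe -and -not $isMember) {
            Add-QADGroupMember -Identity $group -Member $UserDN
        }
    }
}

function onPostModify($Request)
{
    if ($Request.Class -ne "user") { return }
    $newRole = Get-ChangedRole $Request
    if ($null -eq $newRole) { return }   # role attribute not in this request
    Sync-RoleGroups -UserDN $Request.DN -NewRole $newRole
}
```

    Because the diff only ever adds or removes groups that appear in `$RoleGroups`, a role the table does not know about results in the user losing role-managed groups and gaining none, which is usually the safer failure for an access-assignment script; if you would rather leave memberships alone in that case, return early from Sync-RoleGroups when the role is not a key of the table.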