Workflow to add a user to an Admin group, then automatically remove them in X days.
Active Roles Community Forum

State: Verified Answer. Locked. 14 replies, 1 answer, 67 subscribers, 16332 views.
Tags: workflows, workflow, active roles server
kletourneau, over 7 years ago:

Management has asked that we limit the time a user is a member of the Enterprise Admins group. I am copying a workflow that we use for approval of membership in the Domain Admins group, however I see no way to add a time component to the workflow. Is there any way a workflow triggered from an AD action can grant temporary group access?

Nick.Dollimount, over 7 years ago:

Hello,

This needs to be done via the 'ScheduledOperation-SetTime' control, however in workflows, there is currently no method to set a calculated time value as configuring controls in a workflow only allows for a static value. You can use the following example to create a script that performs the removal of the user being added to the group after a certain amount of days though.

    $groupDN = ''   # get the group DN from the workflow
    $member  = ''   # get the member from the workflow
    $days    = 5    # days to schedule the removal
    # UTC time at which Active Roles should carry out the scheduled removal
    $time = (Get-Date).AddDays($days).ToUniversalTime()
    $hash = @{}
    $hash.Add("ScheduledOperation-SetTime", $time)
    # The control turns the immediate removal into one scheduled for $time
    Remove-QADGroupMember -Identity $groupDN -Member $member -Control $hash

Please refer to the SDK, searching for 'Retrieving data from workflow context' to learn how to retrieve the groupDN and member from the workflow. You would place the script in the workflow after the operation of the member being added. I hope this helps.
JohnnyQuest, over 7 years ago:

In your existing workflow, are you using a built-in activity to perform the member-add or a script? You could add a step like this in a script activity to set the expiration of the group membership:

    # -Proxy routes the request through the Active Roles service; the control
    # value is the UTC time at which the membership is to be removed.
    Remove-QADGroupMember -Proxy -Identity $Request.GUID -Member $GroupMember -Control @{'ScheduledOperation-SetTime' = "2018-04-13T08:00:00Z"}

The latter bit would automatically remove the user from the group at the time specified. I included the time explicitly here so you can see the required format.
kletourneau, over 7 years ago:

I use a built-in activity. So I would add that line of code as a script? Does it take the user and group from the parameters of the workflow?
JohnnyQuest, over 7 years ago:

Would depend a bit on what launches the workflow - is it the member-add action?
kletourneau, over 7 years ago:

I will add the above as a script "as is" because it seems to be exactly what we need. Thank you.
Nick.Dollimount, over 7 years ago:

If the target group and target members are being specified by a parameter on the workflow, you can retrieve those in the script using the following:

    $workflow.Parameter(name)

Ex.

    $groupDN = $workflow.Parameter('groupDN')
    $member  = $workflow.Parameter('memberDN')
kletourneau, over 7 years ago:

yes.
JohnnyQuest, over 7 years ago:

My use of the $Request.GUID for the Identity assumes that it's the group membership change that is triggering your workflow. You will still need to determine / calculate the name of the added member ($GroupMember) by parsing it out of the attribute change data in the $Request (i.e. the AR transaction).
kletourneau, over 7 years ago:

This is what I will add to the workflow:

    function onPostModify($Request)
    {
        $groupDN = $workflow.Parameter('groupDN')   # get the group DN from the workflow
        $member  = $workflow.Parameter('memberDN')  # get the member from the workflow
        $days    = 5                                # days to schedule the removal
        $time = (Get-Date).AddDays($days).ToUniversalTime()
        $hash = @{}
        $hash.Add("ScheduledOperation-SetTime", $time)
        Remove-QADGroupMember -Identity $groupDN -Member $member -Control $hash
    }
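As an added illustration (not code from the thread or from One Identity), here is a script-activity version of the approach above that pulls the group and member from the workflow parameters, formats the removal time in the UTC form shown earlier in the thread, and refuses to run when either parameter is missing. It assumes the workflow defines parameters named 'groupDN' and 'memberDN' as in the replies, that the Quest/ActiveRoles cmdlets are loaded, and that a 30-day upper bound on the membership window is the policy wanted; the function name and the bound are choices made here, not Active Roles conventions.

```powershell
# Added example, not from the thread: schedule removal of a temporary
# privileged-group membership via the ScheduledOperation-SetTime control.
function Schedule-TemporaryMembershipRemoval {
    param(
        [Parameter(Mandatory)][string]$GroupDN,
        [Parameter(Mandatory)][string]$MemberDN,
        # Upper bound of 30 days is an assumption made for this example.
        [ValidateRange(1, 30)][int]$Days = 5
    )

    # The thread shows the accepted control value as 2018-04-13T08:00:00Z,
    # so format explicitly rather than relying on DateTime's default,
    # locale-dependent ToString() output.
    $removeAt = (Get-Date).ToUniversalTime().AddDays($Days).ToString('yyyy-MM-ddTHH:mm:ssZ')

    $control = @{ 'ScheduledOperation-SetTime' = $removeAt }

    # -Proxy sends the request through the Active Roles service so that the
    # scheduled operation is registered there instead of going straight to AD.
    Remove-QADGroupMember -Proxy -Identity $GroupDN -Member $MemberDN -Control $control

    return $removeAt
}

# Script-activity entry point: read the values from the workflow context
# ($workflow.Parameter is the accessor named in the thread).
$groupDN  = $workflow.Parameter('groupDN')
$memberDN = $workflow.Parameter('memberDN')

if ([string]::IsNullOrWhiteSpace($groupDN) -or [string]::IsNullOrWhiteSpace($memberDN)) {
    # Fail closed: an unscheduled removal would leave the member in the group indefinitely.
    throw "Workflow parameters groupDN/memberDN are not set; refusing to continue."
}

$when = Schedule-TemporaryMembershipRemoval -GroupDN $groupDN -MemberDN $memberDN -Days 5
Write-Output "Scheduled removal of $memberDN from $groupDN at $when (UTC)"
```

Logging the returned timestamp gives a record to reconcile against group membership later, so a removal that never fired can be spotted.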
JohnnyQuest, over 7 years ago:

Looks good!