Idea ID: 2872644

AD Access Reviews using the AD group owner as the Reviewer

Status : New Idea

Review AD groups using the group owner as the reviewer:

Allow a review to use a custom attribute as the reviewer; in this case, the AD managedBy attribute.

In this Use Case, we will need to review AD Groups permissions, and the reviewers should be the AD group owners that are represented by the managedBy attribute.

Could you please provide a review that allows performing the use case above?

Labels:

Access Review and Certification
Comment
  • We use this mapping and ECMA script to populate the permission owner from the AD managedBy attribute.

    We have AD groups that do not have an owner defined, so we had to put the input attribute in the collector attribute mapping in quotes and brackets; otherwise, a null-value input would not be processed by the ECMA script. For AD groups without an owner, we decided to assign a default owner.

    It uses the 'AD Account DN' attribute (the 'distinguishedName', which is also used in the ECMA script to assign the default owner).


    Script Name:
    Populate Permission Owner from AD ManagedBy
    Description:
    collects AD group owner as permission owner, and uses dedicated user when source is blank/null value

    /* start of generated script to extract variables from inputValue */
    /* NOTE: any code inserted within this block will get overridden if inputs are regenerated */

    var vals = {};

    // inputValue is string, we need to parse it to convert it into a javascript object
    var inputValueParsed = JSON.parse(inputValue);

    vals.managedBy = inputValueParsed.managedBy ? inputValueParsed.managedBy : 'CN=John Doe,OU=Accounts,DC=corp,DC=net'; /* value for managedBy */

    // enable debug by uncommenting lines below

    //var logger = org.slf4j.LoggerFactory.getLogger("debug");
    //logger.info("**********");
    //logger.info("inputValue is: " + JSON.stringify(inputValue));
    //logger.info("extracted vals are " + JSON.stringify(vals));
    //logger.info("**********");

    /* NOTE: any code inserted within this block will get overridden if inputs are regenerated */
    /* end of generated script */
    outputValue = vals.managedBy;
