Top Voted Ideas: Last 30 Days
IG Archive Cleanup
6
IG Archive Advanced Options
6
Idea ID: 2872644

AD Access Reviews using the AD group owner as the Reviewer

NY NY
Status : New Idea

Review AD Groups using the Group owner as of the reviewer:

Allow a review to use a custom attribute; in this case, it will be the managedBy as a reviewer.

In this Use Case, we will need to review AD Groups permissions, and the reviewers should be the AD group owners that are represented by the managedBy attribute.

Could you please provide a review that allows performing the use case above?

Parents

  • We use this mapping and ECMA script to populate the permission owner from the AD managedBy attribute.  

    We have AD groups that do not have an owner defined, so we had to put the input attribute in the collector attribute mapping in quotes and brackets, otherwise null value input would not be processed by ECMA script.  For AD groups without an owner, we decided to assign a default owner.

    It uses the 'AD Account DN' attribute (the  'distinguishedName', which is also used in the ECMA script to assign the default owner)


    Script Name:
    Populate Permission Owner from AD ManagedBy
    Description:
    collects AD group owner as permission owner, and uses dedicated user when source is blank/null value

    /* start of generated script to extract variables from inputValue */
    /* NOTE: any code inserted within this block will get overridden if inputs are regenerated */

    var vals = {};

    // inputValue is string, we need to parse it to convert it into a javascript object
    var inputValueParsed = JSON.parse(inputValue);

    vals.managedBy = inputValueParsed.managedBy ? inputValueParsed.managedBy : 'CN=John Doe,OU=Accounts,DC=corp,DC=net'; /* value for managedBy */

    // enable debug by uncommenting lines below

    //var logger = org.slf4j.LoggerFactory.getLogger("debug");
    //logger.info("**********");
    //logger.info("inputValue is: " + JSON.stringify(inputValue));
    //logger.info("extracted vals are " + JSON.stringify(vals));
    //logger.info("**********");

    /* NOTE: any code inserted within this block will get overridden if inputs are regenerated */
    /* end of generated script */
    outputValue = vals.managedBy;

Comment

  • We use this mapping and ECMA script to populate the permission owner from the AD managedBy attribute.  

    We have AD groups that do not have an owner defined, so we had to put the input attribute in the collector attribute mapping in quotes and brackets, otherwise null value input would not be processed by ECMA script.  For AD groups without an owner, we decided to assign a default owner.

    It uses the 'AD Account DN' attribute (the  'distinguishedName', which is also used in the ECMA script to assign the default owner)


    Script Name:
    Populate Permission Owner from AD ManagedBy
    Description:
    collects AD group owner as permission owner, and uses dedicated user when source is blank/null value

    /* start of generated script to extract variables from inputValue */
    /* NOTE: any code inserted within this block will get overridden if inputs are regenerated */

    var vals = {};

    // inputValue is string, we need to parse it to convert it into a javascript object
    var inputValueParsed = JSON.parse(inputValue);

    vals.managedBy = inputValueParsed.managedBy ? inputValueParsed.managedBy : 'CN=John Doe,OU=Accounts,DC=corp,DC=net'; /* value for managedBy */

    // enable debug by uncommenting lines below

    //var logger = org.slf4j.LoggerFactory.getLogger("debug");
    //logger.info("**********");
    //logger.info("inputValue is: " + JSON.stringify(inputValue));
    //logger.info("extracted vals are " + JSON.stringify(vals));
    //logger.info("**********");

    /* NOTE: any code inserted within this block will get overridden if inputs are regenerated */
    /* end of generated script */
    outputValue = vals.managedBy;

Children
No Data

Resources

Support
Documentation
Learning Services
Partner Programs
Privacy
Compliance
Help
Company
Privacy Policy
Terms of Use
Accessibility
Anti-Slavery Statement
Support
Contact Us
Careers
Code of Business Conduct and Ethics
The opinions expressed above are the personal opinions of the authors, not of OpenText. By using this site, you accept the Terms of Use. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.), Hewlett Packard Enterprise Company, or Micro Focus. As of January 31, 2023, the Material is now offered by OpenText, a separately owned and operated company. Any reference to the HP, Hewlett Packard Enterprise/HPE, and Micro Focus marks is historical in nature and the HP, Hewlett Packard Enterprise/HPE, and Micro Focus marks are the property of their respective owners.