fp_idmworks Honored Contributor.

3.5 -- Plans for handling fulfilments for dynamic groups

A customer is using dynamic groups to grant RBPM Roles. When they have exceptions they add the user to the excluded members of the dynamic group.

It would be great if the dynamic group could be used in a fulfillment to remove permissions by adding the user to the excluded members. This way custom workflows wouldn't have to always be considered. The customer would still need to clean up data for long term use of the attributes in the filter. You wouldn't want all non-active students at a university added to an excluded list that would accumulate over the years. It would be intended for short term use cases where the rights could be revoked either till the status change comes through on the dynamic filter data that is basing its rights, or until the user's temporary restrictions can be removed and they are removed from the excluded list. A background job might have to be used to validate if an excluded user could be removed if the LDAP filter wouldn't find the user any longer in the group.

Is this a possibility with the current fulfillment architecture to add this as an enhancement request?
If it isn't currently possible, would it be worth having a workflow template to handle dynamic group exclusions?
Micro Focus Expert

Re: 3.5 -- Plans for handling fulfilments for dynamic groups

On 3/25/19 4:34 PM, fp IDMWORKS wrote:
>
> A customer is using dynamic groups to grant RBPM Roles. When they have
> exceptions they add the user to the excluded members of the dynamic
> group.
>
> It would be great if the dynamic group could be used in a fulfillment to
> remove permissions by adding the user to the excluded members. This way
> custom workflows wouldn't have to always be considered. The customer
> would still need to clean up data for long term use of the attributes in
> the filter. You wouldn't want all non-active students at a university
> added to an excluded list that would accumulate over the years. It would
> be intended for short term use cases where the rights could be revoked
> either till the status change comes through on the dynamic filter data
> that is basing its rights, or until the user's temporary restrictions
> can be removed and they are removed from the excluded list. A background
> job might have to be used to validate if an excluded user could be
> removed if the LDAP filter wouldn't find the user any longer in the
> group.
>
> Is this a possibility with the current fulfillment architecture to add
> this as an enhancement request?
> If it isn't currently possible, would it be worth having a workflow
> template to handle dynamic group exclusions?
>
>

Greetings,
If your question is if ID Gov currently has an eDirectory
Fulfillment configuration for managing memberships in a Group as
outlined above, we do not. If you do not want to use a custom workflow,
then you could create your own custom Fulfillment by utilizing the SDK
that ships with ID Gov.

--
Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus