Return
-
Title
HOW TO: Prevent nesting Groups within Active Roles -
Description
It is possible to use an Active Roles Workflow to prevent the nesting of Groups within other Groups.
The below Workflow will interrupt such an operation and display an error message if any initiator attempts to add members to a Group and any of those members is a Group.
It is also possible to parse all of the members of a Group membership change and strip out only Groups while allowing other object types, but this is only possible using a custom scripted solution. For assistance with implementing a custom script, please contact Professional Services or One Identity Sales.
-
Resolution
- Using the Active Roles Console, navigate to Configuration/Policies/Workflow and create a new Workflow.
- During the creation, choose an appropriate name and be sure to select that the Workflow starts Upon a request to change data in the directory (change workflow)
- Click on the Configure button at the top and set the Operation Conditions. Set the Target Object Type to be a Group and choose Change Membership | Add member to group as the operation trigger.
- Optionally, also set an Initiator Condition and/or Filtering Condition to change the scope of the Workflow. Otherwise, it will triggered by changes to all Groups in Active Roles.
- Click OK and then drag in an If-Else activity into the Workflow, above the operation execution.
- Double-click on the first If-Else Branch and click the green plus to add a new conditional check.
- Click the Configure condition to evaluate... dropdown and choose the Property of added group member...
- Click on the Click to choose dropdown and select groupType then click OK
- Click on the equals dropdown and change it to is not empty
- Click OK
- Drag a Stop/Break activity into the first If-Else branch where it is labeled Drop activities here
- Click Save Changes. The Workflow is active immediately.