It is possible to hide all Temporal Group functionality by settings a server-side configuration option and then exposing that configuration option to Users who need to have the Temporal Group functionality blocked.
First, it is necessary to set the edsva-TemporalGroupMemberships-Disable boolean to a true value. This boolean is not editable in the Active Roles Console by any User and needs to be set via a PowerShell script. The following script will set it to a true value when run in the Active Roles Management Shell:
Second, in order to allow Users to read the setting edsva-TemporalGroupMemberships-Disable boolean, create an Access Template that allows Read access to edsva-TemporalGroupMemberships-Disable attribute performing the following steps:
If this new Access Template is used to delegate access to the Active Roles Server Configuration node, any delegated users will find all Temporal Group options removed in the Active Roles Console and the Active Roles Web Interface.
NOTE: Since Active Roles Administrators have access to the entire configuration, they will also be unable to use Temporal Group options in Active Roles clients.
Enhancement ID 302504 has been created to allow this functionality to be set only for some delegates on some groups, instead of have it be controlled by a global configuration.
Product Management will evaluate the request and this feature may become available in a future release of the product. There are no guarantees that this specific enhancement request will be implemented in a future release. For more information regarding our Enhancement Request policy, refer to our Global Support Guide on the Support Portal at: https://support.oneidentity.com/essentials/support-guide/