Deny all requests adding users from domain B to Security Groups in domain A

  • Question

  • We have two domains in our forest, CORP and PARTNER. CORP-users are allowed to access PARTNER-resources, but PARTNER-users are not allowed to access CORP-resources. Also, most Security Groups in CORP are of scope "Global", so trying to add any PARTNER-users in them would fail.

    We are managing Security Groups for both domains in the MIM Portal with full self-service for group owners. But I need to get a fail-safe switch in place to stop any owners/requestors from adding (or requesting to add) PARTNER-users to CORP-groups:

    • If the request target is a CORP-group, deny request if trying to add PARTNER-members
    • If the request target is a PARTNER-group, allow requests for both PARTNER and CORP-members

    I guess I should utilize AuthZ somehow, but I'm really not sure how to sort it out. PS: I do have MIMWAL in place.

    Any guidance is much appreciated, thanks!

    • Edited by SasMmn Tuesday, September 27, 2016 5:28 PM Typos
    Tuesday, September 27, 2016 5:26 PM

All replies

  • Set of users in Partners domain

    Set of Corp groups

    Set of Corp groups that have Partner members

    Create a request based MPR that fires when an object starts in the Set of Corp groups and would go into the Set of Corp groups that have Partner members. Then have an AuthZ workflow that simply rejects the activity. A custom workflow could certainly do it, but you might be able to use the Verify Request Activity from MIMWAL: specify the Activity Execution Condition as Eq(false,true).

    Now any request that would add a partner user to a Corp group should get rejected.

    David Lundell, Get your copy of FIM Best Practices Volume 1

    • Proposed as answer by Borys Majewski Thursday, October 27, 2016 8:10 PM
    Tuesday, September 27, 2016 8:27 PM
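As an added illustration that is not part of the thread (and not MIM's own code), the following Python script models the before/after-set Request MPR design from the reply above: the three sets are written as predicates over a small constructed in-memory directory, and a membership-add request is decided by checking the target group against "Corp groups" on the current state and against "Corp groups that have Partner members" on the state the request would produce. The XPath filters in the comments, the `Domain` attribute values and all user/group names are assumptions for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    domain: str          # "CORP" or "PARTNER"


@dataclass
class Group:
    name: str
    domain: str          # domain the group object lives in
    members: frozenset = frozenset()   # member user names (ExplicitMember)


# --- Set definitions --------------------------------------------------------
# Assumed MIM set filters, shown for orientation only (not taken from the thread):
#   Partner users:                    /Person[Domain = 'PARTNER']
#   Corp groups:                      /Group[Domain = 'CORP']
#   Corp groups with Partner members: /Group[Domain = 'CORP' and ExplicitMember/Domain = 'PARTNER']

def is_partner_user(user: User) -> bool:
    return user.domain == "PARTNER"


def is_corp_group(group: Group) -> bool:
    return group.domain == "CORP"


def is_corp_group_with_partner_members(group: Group, directory: dict) -> bool:
    return is_corp_group(group) and any(is_partner_user(directory[m]) for m in group.members)


# --- Request MPR evaluation -------------------------------------------------
def evaluate_add_request(group: Group, new_members, directory: dict) -> tuple:
    """Decide an 'add members' request the way the before/after-set Request MPR would.

    The MPR applies when the target group is in 'Corp groups' before the request and
    would be in 'Corp groups that have Partner members' after it. Its AuthZ workflow
    always rejects (MIMWAL Verify Request, execution condition Eq(false,true)), so a
    match means the request is denied; otherwise nothing modelled here blocks it.
    """
    before = is_corp_group(group)
    projected = Group(group.name, group.domain, group.members | frozenset(new_members))
    after = is_corp_group_with_partner_members(projected, directory)
    if before and after:
        offenders = sorted(m for m in projected.members if is_partner_user(directory[m]))
        return ("Denied", f"{group.name} would contain PARTNER members: {offenders}")
    return ("Allowed", f"{group.name}: no CORP-group/PARTNER-member combination")


# --- Constructed sample directory and scenarios ----------------------------
DIRECTORY = {u.name: u for u in (
    User("alice", "CORP"),
    User("bob", "CORP"),
    User("carol", "PARTNER"),
    User("dave", "PARTNER"),
)}

GROUPS = {
    "corp-finance": Group("corp-finance", "CORP", frozenset({"alice"})),
    # constructed edge case: a CORP group that already holds a PARTNER member
    "corp-legacy": Group("corp-legacy", "CORP", frozenset({"bob", "dave"})),
    "partner-projects": Group("partner-projects", "PARTNER", frozenset({"carol"})),
}


def run_scenarios() -> dict:
    """Evaluate the cases from the question plus one edge case; returns {case: decision}."""
    cases = {
        "corp_group_add_partner":    ("corp-finance", ["carol"]),
        "corp_group_add_corp":       ("corp-finance", ["bob"]),
        "corp_group_add_mixed":      ("corp-finance", ["bob", "carol"]),
        "partner_group_add_corp":    ("partner-projects", ["alice"]),
        "partner_group_add_partner": ("partner-projects", ["dave"]),
        # The after-set still matches a group that already has a PARTNER member,
        # so with this design even a CORP-only add to such a group is denied.
        "corp_group_with_existing_partner_add_corp": ("corp-legacy", ["alice"]),
    }
    return {name: evaluate_add_request(GROUPS[g], members, DIRECTORY)[0]
            for name, (g, members) in cases.items()}


if __name__ == "__main__":
    for case, decision in run_scenarios().items():
        print(f"{case:45} -> {decision}")
```

The last scenario is the one to check before switching this on: a CORP group that already contains a PARTNER member (for example one populated before the policy existed) matches the after-set on every request, so adds of CORP users to it are rejected too. The Global scope of most CORP groups mentioned in the question makes such groups rare, but any that exist should be cleaned up first or excluded from the before-set.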