Automatically Enforce Expiring Group Memberships?

Is there some way within ARM to set policies on certain resources (specifically Active Directory groups in this case) whereby that resource can only be requested for a finite amount of time? As it stands today, when a user goes to request membership in an AD group they have the option to set an expiration date on the resource.

This is currently dependent on the requestor of the resource selecting this option, however. Is there some way to set a policy to have access automatically expire on these groups?

Product Manager

Currently it is not possible to set a corresponding policy.

However, administrators can enable approvers to set or change an expiration date by allowing them to change order details.

Please refer to the Administrator Guide on page 443 for details.

Thanks,
Sven

Would it be possible to create a PowerShell script that gets called when users request access to certain groups that then marks that group membership as temporary?

Hi Eric,

There is currently no way to execute a script after group membership assignment. It would be possible if you used an Opentemplate for the request; those allow a script execution to be attached, in which you could check whether a date has been selected and, if not, set the default expiration. The relevant controls for this case would be "GroupAccountSearchTextField" and "DatePicker".

Regards

Paul