Configuration of Restricted Groups rule
Overview
Cayosoft Administrator lets you manage Active Directory and cloud-based groups (for example, Entra ID security groups and Teams membership) using Restricted Groups rules. This article covers the setup process and usage scenarios for these rules.
Configuring Restricted Groups rule
To start using restricted groups in your environment, create and configure a Restricted Groups rule. The rule defines the following settings:
Restricted groups.
Appropriate objects.
The action taken, on each run of the Restricted Group rule, for members that do not match the Allowed members criteria.
Enforcement of the time-limited membership.
Publishing a group for self-service join requests.
Enforcement of approval when membership changes.
Create a Restricted Groups rule
NOTE: If a replication group is configured, a Restricted Group rule can be created only on the Publisher service.
You can create a Restricted Group rule for Active Directory groups or for cloud groups: Azure AD (Entra ID) security groups, Microsoft 365 Groups, and Teams.
In the Cayosoft Administrator Console, navigate to Home > Restricted Groups.
Click New Restricted Group in the Actions menu.
Select Active Directory or Microsoft 365.
Alternatively, on the Home page of the Cayosoft Administrator Console, click +New in the upper left corner, select Restricted Group, and then select Active Directory or Microsoft 365.
For the rule settings, see the Restricted Groups rule article.
NOTE: If a user logs in to the Web Portal with their Active Directory account and also has a Microsoft 365 account, they can manage not only their AD membership in the My AD Memberships query but also their Microsoft 365 membership in the My Cloud Memberships query. Such users can also handle approval tasks created for membership changes in Active Directory or Microsoft 365 groups.
Processing Temporal Group Membership work items
Each time a Restricted Group rule with an expiration period runs, it checks each member in its group scope and creates a Temporal Group Membership work item (TGM work item) for that member. A TGM work item is also created when a membership start/end date and time are set in the Web Portal rather than by the Restricted Group rule. Each TGM work item holds the start/end date and time at which the specified object is to be added to or removed from the group.
To process the TGM work items created by the Restricted Group rule, schedule the Restricted Groups | Process Memberships Start/End Time rule. This rule enumerates temporal membership work items that are pending execution, checks their scheduled time, and completes them by adding or removing members.
In the Cayosoft Administrator console, navigate to Home > RULES > Built-in Rules (Pre-configured) > Restricted Groups | Process Memberships Start/End Time.
Schedule this built-in rule to run hourly.
When the Restricted Groups | Process Memberships Start/End Time rule runs on schedule, it compares the current date and time with the date and time stored in each TGM work item. If that date and time are already in the past, the rule updates the group membership accordingly.
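The following is an added example, not Cayosoft code, that models the processing described above: a queue of TGM work items, each carrying an optional start and end time, is swept by an hourly job that adds members whose start time has passed and removes members whose end time has passed. The work-item fields, the in-memory group store, the sample members and the 2024-01-01 reference time are all constructed assumptions; the one behaviour worth noting is that a window whose start and end are both already in the past (the job was not run for a while) is closed without ever granting the membership.

```python
"""Model of the 'Restricted Groups | Process Memberships Start/End Time' rule.

Added example, not Cayosoft code: the work-item fields, the in-memory group
store and the sample members are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class TgmWorkItem:
    """One Temporal Group Membership work item (assumed shape)."""
    member: str
    group: str
    start: Optional[datetime] = None   # when to add the member; None = already a member
    end: Optional[datetime] = None     # when to remove the member; None = no expiration
    start_done: bool = False
    end_done: bool = False

    @property
    def completed(self) -> bool:
        return (self.start is None or self.start_done) and (self.end is None or self.end_done)


def process_memberships(groups: dict[str, set[str]], items: list[TgmWorkItem],
                        now: datetime) -> list[str]:
    """Complete every work item whose scheduled time is already in the past.

    Returns an audit log of the changes made. Running the function again at the
    same time makes no further changes, so an hourly schedule is safe.
    """
    log: list[str] = []
    for item in items:
        if item.completed:
            continue
        members = groups.setdefault(item.group, set())
        start_due = item.start is not None and not item.start_done and item.start <= now
        end_due = item.end is not None and not item.end_done and item.end <= now
        if start_due and end_due:
            # Whole window is already in the past (e.g. the rule was not run for a
            # while): never grant the membership, just close the item.
            item.start_done = item.end_done = True
            log.append(f"{now.isoformat()} EXPIRED-UNUSED {item.member} {item.group}")
            continue
        if start_due:
            members.add(item.member)
            item.start_done = True
            log.append(f"{now.isoformat()} ADD {item.member} -> {item.group}")
        if end_due:
            members.discard(item.member)
            item.end_done = True
            log.append(f"{now.isoformat()} REMOVE {item.member} <- {item.group}")
    return log


BASE = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)  # constructed reference time


def sample_items() -> list[TgmWorkItem]:
    """Constructed work items: a contractor window, a 48-hour admin grant, a stale window."""
    h = timedelta(hours=1)
    return [
        TgmWorkItem("contractor1", "ContractorsGroup", start=BASE + 2 * h, end=BASE + 5 * h),
        TgmWorkItem("helpdesk1", "AdminActionsGroup", end=BASE + 48 * h),
        TgmWorkItem("stale", "ContractorsGroup", start=BASE - 3 * h, end=BASE - 1 * h),
    ]


def simulate(hours: int) -> tuple[dict[str, set[str]], list[str]]:
    """Run the rule hourly from BASE through BASE + hours; return final groups and the log."""
    groups = {"ContractorsGroup": set(), "AdminActionsGroup": {"helpdesk1"}}
    items = sample_items()
    log: list[str] = []
    for hour in range(hours + 1):
        log.extend(process_memberships(groups, items, BASE + timedelta(hours=hour)))
    return groups, log


if __name__ == "__main__":
    final_groups, audit = simulate(48)
    print("\n".join(audit))
    print(final_groups)
```

Running the module prints the audit log for a 48-hour window: the stale item is closed unused at hour 0, contractor1 is added at hour 2 and removed at hour 5, and helpdesk1 is removed at hour 48. Because completed items are skipped and each action is recorded as done, re-running the sweep at the same hour produces no further changes, which is the property an hourly schedule relies on.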
Usage scenarios
NOTE: Each scenario can be applied to either on-premises or cloud groups.
Scenario 1: Enable temporal membership in selected group(s).
Example: When adding contractor accounts to a specific group in the Web Portal, a Start/End Date can be set for temporal membership.
Configure Restricted Group rule
| Setting name | Value |
|---|---|
| Groups and Members | |
| Settings | |
| Time-limited membership | |
| Schedule the Restricted Group rule to run hourly to calculate the group scope and its members. | |
| Configure Output to send a report only when the group membership has changed. | |
| Check that the Restricted Groups \| Process Memberships Start/End Time rule is scheduled. | |
Result
Cayosoft Administrator Console:
When the Restricted Group rule runs, it checks the group's scope. The group owner receives a report with the group scope changes; if the rule completes with errors, these are also shown in the report.
Web Portal:
If a delegated administrator opens ContractorsGroup in the Web Portal using the Membership web action and adds an Active Directory user, they can set the membership Start/End Date.
Scenario 2: Restrict user accounts that can be added to the group.
Example: A VPN access group needs to be restricted to employees only, and should not contain contractors and other non-employee accounts.
Configure Restricted Group rule
| Setting name | Value |
|---|---|
| Groups and Members | |
| Settings | |
| Time-limited membership | |
| Schedule the Restricted Group rule to run hourly to calculate the group scope and its members. | |
| Configure Output to send a report only when the group membership has changed. | |
| Check that the Restricted Groups \| Process Memberships Start/End Time rule is scheduled. | |
Result
Cayosoft Administrator Console:
When the Restricted Group rule runs, it checks the membership of VPNGroup. Any AD users with an empty EmployeeID are removed from the group, and the group owner receives a report listing these users. If the rule completes with errors, these are also shown in the report.
Web Portal:
If a delegated administrator opens VPNGroup in the Web Portal using the Membership web action and tries to add an Active Directory user with an empty EmployeeID, they get a validation error stating that the user is not in the allowed members list, and the user is not added. Only users with a value in the EmployeeID attribute can be added to VPNGroup.
Scenario 3: Require approval for members to be added to certain groups.
Example: Require approval for members to be added to groups that grant access to various SharePoint sites.
Configure Restricted Group rule
| Setting name | Value |
|---|---|
| Groups and Members | |
| Settings | |
| Time-limited membership | |
| Schedule the Restricted Group rule to run hourly to calculate the group scope. | |
| Configure Output to send a report when the rule completes with an error. | |
| Configure Notification to notify a member when they are added to the group. | |
| Check that the Restricted Groups \| Process Memberships Start/End Time rule is scheduled. | |
Result
Cayosoft Administrator Console:
When the Restricted Group rule runs, it publishes the SharePointGroupNY and SharePointGroupWA groups for self-service join requests, enables approval for these groups, and sends the Output report to the administrator if the rule completes with an error.
Web Portal:
Two cases are possible:
If an end user tries to join a SharePoint group, they see a message that approval is required.
A delegated administrator can also change the membership of the SharePoint groups. When they try to do so, they also see a message that approval is required.
In both cases, an approval task is created and the group owner receives a notification that the user wants to join the group. The group owner can approve or reject the request. The end user is then notified either that the request was approved and they are now a group member, or that the request was rejected.
Scenario 4: Allow specified users to join/leave the published groups
Example: Allow specified users to join the published groups to get access to various SharePoint sites.
Configure Restricted Group rule
| Setting name | Value |
|---|---|
| Groups and Members | |
| Settings | |
| Time-limited membership | |
| Schedule the Restricted Group rule to run hourly to calculate the group scope. | |
| Configure Output to send a report only when the group membership has changed. | |
| Check that the Restricted Groups \| Process Memberships Start/End Time rule is scheduled. | |
| Create a delegation rule for Self-Service > My Cloud Memberships > Join Group\Leave Group so that allowed members can join/leave the published groups. | |
Result
Cayosoft Administrator Console:
When the Restricted Group rule runs, it publishes the SharePoint site groups for self-service join requests. The group owner receives a report with the group scope changes; if the rule completes with errors, these are also shown in the report.
Web Portal:
Allowed members can join/leave the published groups using Self-Service > My Cloud Memberships.
Scenario 5: Require approval for members to be temporarily added to privileged groups.
Example: Require approval for members to be temporarily added to groups that grant access to account administration actions like password reset, account creation, suspend, etc.
Configure Restricted Group rule
| Setting name | Value |
|---|---|
| Groups and Members | |
| Settings | |
| Time-limited membership | |
| Schedule the Restricted Group rule to run hourly to calculate the group scope. | |
| Configure Output to send a report only when the group membership has changed. | |
| Configure Notification to notify a member when they are added to the group. | |
| Check that the Restricted Groups \| Process Memberships Start/End Time rule is scheduled. | |
| Create a delegation rule for Self-Service > My Cloud Memberships > Join Group\Leave Group so that allowed members can join/leave the published groups. | |
Result
Cayosoft Administrator Console:
When the Restricted Group rule runs, it will:
Check the membership of AdminActionsGroup. Any AD users that are not members of the IT and/or HelpDesk groups are removed from AdminActionsGroup. The AdminActionsGroup owner receives a report listing these users; if the rule completes with errors, these are also shown in the report.
Check that every current AdminActionsGroup member has a membership end date/time, and create a new TGM work item with expiration time Now + Expiration period for each member that does not.
Publish AdminActionsGroup for self-service join requests if it is not published yet.
Enable approval for this group if it is not already enabled.
Send the Output report to the administrator if the rule completes with an error.
Web Portal:
Two cases are possible:
An end user joins AdminActionsGroup.
A delegated administrator adds a user to AdminActionsGroup.
In both cases, a message that approval is required is displayed. An approval work item is then created, and the owner of AdminActionsGroup receives a notification that a user should be added to the group.
When the group owner approves the work item, the initiator (delegated administrator or end user) is notified and the user is added to AdminActionsGroup for 48 hours. The added user also receives a notification that they were added to the group. After 48 hours, the Restricted Groups | Process Memberships Start/End Time rule runs and removes the user from the group.
If the group owner rejects the membership change, the user is not added to AdminActionsGroup and the initiator is notified.
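As an added example that is not Cayosoft code, the following models the rule run behind scenarios 2 and 5 above: the Allowed members criteria are applied to the current membership (empty EmployeeID for VPNGroup; not in IT or HelpDesk for AdminActionsGroup), non-matching members are removed and reported to the group owner, and, when an expiration period is configured, every remaining member that has no end date yet gets one of Now + Expiration period. The User shape, the in-memory directory, the 2024-01-01 reference time and the handling of a member that cannot be resolved in the directory (reported as an error rather than removed) are constructed assumptions; the expirations dict stands in for the queue of TGM work items the real rule creates.

```python
"""Model of a Restricted Group rule run with Allowed members criteria and an
expiration period (scenarios 2 and 5).

Added example, not Cayosoft code: the User shape, the in-memory directory and
the rule's return value are constructed assumptions; the expirations dict
stands in for the queue of TGM work items the real rule creates.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional


@dataclass(frozen=True)
class User:
    name: str
    employee_id: str = ""
    member_of: frozenset[str] = frozenset()


@dataclass
class RuleResult:
    removed: list[str] = field(default_factory=list)        # reported to the group owner
    new_expirations: dict[str, datetime] = field(default_factory=dict)
    errors: list[str] = field(default_factory=list)         # reported via the Output report


def run_restricted_group_rule(members: set[str], directory: dict[str, User],
                              allowed: Callable[[User], bool],
                              expirations: dict[str, datetime],
                              expiration_period: Optional[timedelta],
                              now: datetime) -> RuleResult:
    """Enforce the allowed-members criteria, then set Now + Expiration period on
    every remaining member that has no end date yet."""
    result = RuleResult()
    for name in sorted(members):
        user = directory.get(name)
        if user is None:
            # Assumption: an unresolvable member is reported, not silently removed.
            result.errors.append(f"{name}: not found in directory")
        elif not allowed(user):
            result.removed.append(name)
    for name in result.removed:
        members.discard(name)
        expirations.pop(name, None)
    if expiration_period is not None:
        for name in sorted(members):
            if name in directory and name not in expirations:
                expirations[name] = now + expiration_period
                result.new_expirations[name] = expirations[name]
    return result


def validate_add(user: User, allowed: Callable[[User], bool]) -> bool:
    """Web Portal side: an add that fails the allowed-members check is rejected."""
    return allowed(user)


# Allowed-members predicates for the two scenarios
def has_employee_id(u: User) -> bool:
    return bool(u.employee_id.strip())


def in_it_or_helpdesk(u: User) -> bool:
    return bool(u.member_of & {"IT", "HelpDesk"})


BASE = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)  # constructed reference time

# Constructed directory: one contractor without EmployeeID, one non-IT employee
DIRECTORY = {
    "alice": User("alice", "1001", frozenset({"IT"})),
    "bob": User("bob", "1002", frozenset({"HelpDesk"})),
    "carol": User("carol", "", frozenset({"Contractors"})),
    "dave": User("dave", "1003", frozenset({"Finance"})),
}


def scenario2() -> tuple[set[str], dict[str, datetime], RuleResult]:
    """VPNGroup: employees only, no expiration; 'ghost' exercises the error path."""
    members = {"alice", "carol", "dave", "ghost"}
    expirations: dict[str, datetime] = {}
    result = run_restricted_group_rule(members, DIRECTORY, has_employee_id, expirations, None, BASE)
    return members, expirations, result


def scenario5() -> tuple[set[str], dict[str, datetime], RuleResult]:
    """AdminActionsGroup: IT/HelpDesk only, 48-hour expiration; alice already has an end date."""
    members = {"alice", "bob", "dave"}
    expirations = {"alice": BASE + timedelta(hours=10)}
    result = run_restricted_group_rule(members, DIRECTORY, in_it_or_helpdesk, expirations,
                                       timedelta(hours=48), BASE)
    return members, expirations, result


if __name__ == "__main__":
    print(scenario2())
    print(scenario5())
```

In scenario2, carol is removed for having no EmployeeID, ghost is only reported, and validate_add shows the same predicate rejecting the add from the Web Portal side. In scenario5, dave is removed because he is in neither IT nor HelpDesk, bob gets a 48-hour end date, and alice keeps the end date she already had, which is the behaviour that stops an hourly rule run from extending an existing grant.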