tools4everbv / helloid-conn-prov-target-activedirectory Goto Github PK

For example, when the group cannot be found, the script is cancelled without an audit message.

16:37:35.33 Failed to grant permission '{ "PermissionDefinitionId": "ae799ab5-9be9-8e3c-d0cb-cabed9840864", "PermissionIdentification": { "Identification": "62f2a2b5-d1f7-1199-1a97-7c6e1a882906" } }'
16:37:35.33 Failed to grant permission '{ "PermissionDefinitionId": "ae799ab5-9be9-8e3c-d0cb-cabed9840864", "PermissionIdentification": { "Identification": "62f2a2b5-d1f7-1199-1a97-7c6e1a882906" } }', message: Error running script
16:37:33.02 [Error] PowerShell script did not complete successfully
16:37:33.01 [Error] No Group found that matches filter 'Name -eq "140220"'
16:34:12.17 Preparing grant action for processing

Example resource creation logic is not in line with the logic in the group subpermission scripts

(Resource creation uses a key on extensionAttribute1, subpermission looks at displayname for a match)
Also the resource creation script creates title groups, while the subpermission script assigns department script.

I would suggest:

1. we update the resource script to create department groups
2. we update the subpermission script to use extensionAttribute1 as a correlation attribute

possibly hardcode a domain controller through the configuration

add -Server $pdc to all AD commands were -Server is supported

This issue is in all dynamic permission scripts.

HelloID Support Information doesn't show the "throw reason". The HelloID administrator is not able to see if a group doesn't exist or is found multiple times.

The solution should be TRY/CATCH or a different method then Throw.

Example of the problem:
https://github.com/Tools4everBV/HelloID-Conn-Prov-Target-ActiveDirectory/blob/9a4a2aae8fbfcf6b960b1cd663a42993265054fc/dynamicPermission.Groups.title.ps1#L102C1-L130C2

the scripts dynamicPermission.Groups.ReferenceExample.ps1 and resources.Groups.department.ReferenceExample.ps1 both use a function to santize the groupname. The name off the function is not the same in both script and also the end result.
function Get-ADSanitizedGroupName vs function Get-ADSanitizeGroupName.
I resolved the use by changing in both scripts the function as seen in the attached file
function sanitize.txt

Currently the script is waiting for the "Move-Item" command to finish, this shouldn't be waiting it should execute in the background per our script policies