Hi,
We have some applications that are accessed through Citrix. These applications have their own internal entitlements, which we have created a request form to manage. Access to the Citrix application is managed through an Active Directory group. My goal is to make the request form function by automatically adding a user to the Citrix AD group whenever they request access to the application. Similarly, I would like to automatically remove the Citrix AD group whenever all internal application entitlements have been removed from a user.
Initially, I looked at the rules module to handle this, but I haven't found a rule type that essentially says "only people with access to this application can be in that AD group". After that, I was able to write a Javascript form control that basically reads the text of an "Entitlement Table with Action" control on the form, and uses the text to determine if a user's access is being removed or added. This should work for my needs in theory, but I haven't found a good way to trigger the Javascript control. My code is:
The problem I'm encountering is that when the second argument for avform.registerExprSub is set to an Entitlement Table with Actions, the Javascript is not triggered whenever an action is selected or deselected. Does anyone know of a way to trigger Javascript to run when actions are selected on an Entitlement Table with Actions? Or does anyone know of a better way to accomplish my goal of automatically adding/removing these secondary type entitlements?
Thanks,
Kevin
Hi Kevin,
Just a thought here - have you considered creating an access review which runs on a daily basis that can check for users who do not have access to any of the application set but have the AD group? That way, you should be able to revoke the AD group.
Or how about running a custom WF on a daily basis which can check and remove the users from AD groups who do not have access to the set of applications.
Also, you should be able to configure in the provisioning WF for the applications to check if the user has the AD group. If not, provision it using a provisioning command node.
I have not tested this though, hope it works
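The daily reconciliation the reply suggests, written out as an added example (it is not code from the thread or from any IGA product's API): it takes the application's internal entitlements and the current AD group membership and derives the minimal add/remove actions so that a user is in a Citrix group only while they hold at least one entitlement in the mapped application. The record shapes and the sample data are assumptions constructed for the example.

```javascript
// Added example, not from the thread. Input shapes are assumptions; feed it
// the entitlement and group exports your IGA platform's workflow can produce.

// Constructed sample: who currently holds an internal entitlement in each app
const APP_ENTITLEMENTS = [
  { app: "payroll", user: "alice", entitlement: "payroll-viewer" },
  { app: "payroll", user: "bob",   entitlement: "payroll-admin" },
  { app: "ledger",  user: "carol", entitlement: "ledger-read" },
];

// Constructed sample: application -> Citrix AD group that grants launch access
const APP_TO_GROUP = {
  payroll: "CTX_Payroll_Users",
  ledger:  "CTX_Ledger_Users",
};

// Constructed sample: current AD group membership
const GROUP_MEMBERS = {
  CTX_Payroll_Users: ["alice", "dave"],   // dave has no payroll entitlement left
  CTX_Ledger_Users:  [],                  // carol was approved but never added
};

// Returns [{ op: "add"|"remove", group, user }, ...] to bring AD in line with
// the rule "only people with access to this application can be in that group".
function reconcile(entitlements, appToGroup, groupMembers) {
  // desired state: group -> users with at least one entitlement in that app
  const desired = {};
  for (const group of Object.values(appToGroup)) desired[group] = new Set();
  for (const e of entitlements) {
    const group = appToGroup[e.app];
    if (!group) continue;   // app without a mapped Citrix group: out of scope
    desired[group].add(e.user);
  }
  // Groups not in appToGroup are never touched, so an unmapped group cannot
  // be emptied by mistake.
  const actions = [];
  for (const [group, want] of Object.entries(desired)) {
    const have = new Set(groupMembers[group] || []);
    for (const u of want) if (!have.has(u)) actions.push({ op: "add", group, user: u });
    for (const u of have) if (!want.has(u)) actions.push({ op: "remove", group, user: u });
  }
  return actions;
}
```

Run the result through a provisioning command node (or log it for an access review) rather than writing to AD directly, so each removal leaves an audit trail.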