MIMWAL: Time limited group membership (aka simple PAM solution)


Yes, it’s me again, and yes, with MIMWAL again 😉

When talking with people about my Privileged Access Management (PAM) scenario, I often get asked whether the dedicated PAM forest is really required. The answer is yes: this is by design and also a very important security feature of the solution, because you can never be sure that your current forest is not already compromised. A separate PAM forest can also be hardened more strictly, and it brings some other benefits.

However, time-limited group membership can also be useful in a single forest/domain scenario. So I played around a bit in my demo lab and tried to build a simple PAM-like solution with the help of the Microsoft Workflow Activity Library (MIM WAL).

Description and benefits of my demo scenario:

  • Having time limited group membership
  • Duration of group membership can be modified
  • Can be initiated by users directly or by admins/helpdesk
  • Users get notified when their group membership expires

Of course we have to create some objects first:

  1. Create an attribute type in the portal schema called: Duration
  2. Create an attribute binding in the portal schema for resource type: Group and attribute type: Duration
  3. Create a manually managed group (TimeLimitedGroupMembership in this example)
  4. Create a set that contains the group created above
  5. Create an email notification template that looks like this:

[Image PAMlight5: the email notification template]

Now it’s time to create the action workflow with the MIMWAL activities that does the “magic”.

The first activity we need is the MIMWAL Add Delay activity; configure it like this:

[Image PAMlight1: configuration of the Add Delay activity]

This activity reads the Duration attribute of the target object (the time-limited group). The most important reason for using this activity instead of a PowerShell activity is that it unloads the request from memory and reloads it once the delay has elapsed. So this activity does not block the workflow threads, which are limited by the number of CPU cores.

See MIMWAL documentation on this: https://github.com/Microsoft/MIMWAL/wiki/Add-Delay-Activity

The next activity is the MIMWAL Update Resource activity; configure it like this:

[Image PAMlight2: configuration of the Update Resource activity]

This activity removes the added user from the group once the delay interval has elapsed. You can also see that I reset the Duration attribute of the group to a default value. This is useful if users or admins use the “Add Member” or “Join” button of the group instead of editing the group object in a separate window.

The last activity is the default notification activity, but you can also use the MIMWAL notification activity if you prefer:

[Image PAMlight3: configuration of the notification activity]

The recipients of the notification mail are the recently added members of the group, addressed by [//Delta//ExplicitMember/Added]. This works because this is the actual add-member workflow, which has just been paused for some time. Select the email template you created above. You could also configure it to send an “added to group” notification when the requestor of the member add is not the user themselves but an admin or helpdesk member.

Let’s combine the objects created so far by creating a Management Policy Rule (MPR) to get things working:

  • PolicyType: Request based
  • Requestor: All People
  • Operation: Add multivalue attribute
  • Target Sets (before and after): The set you created under point 4 above (that one that contains the time limited group)
  • Select specific attributes: Manually-managed membership
  • Policy Workflow: The workflow above with the MIMWAL activities

The last thing to do is to modify the group editing RCDC to display the custom attribute (Duration) of the group we created before. I added the attribute on a separate tab; sadly you cannot modify the member tab due to events running behind the scenes, and the RCDC will throw an error if you do so. Group editing will look like this after editing the RCDC:

[Image PAMlight4: group editing dialog with the new Member Duration tab]

Simply add the following XML to the Group Editing RCDC:

<my:Grouping my:Name="Duration" my:Caption="Member Duration">
  <my:Control my:Name="Duration" my:TypeName="UocTextBox" my:Caption="{Binding Source=schema, Path=Duration.DisplayName}" my:RightsLevel="{Binding Source=rights, Path=Duration}">
    <my:Properties>
      <my:Property my:Name="Required" my:Value="{Binding Source=schema, Path=Duration.Required}"/>
      <my:Property my:Name="HintPath" my:Value="Hint"/>
      <my:Property my:Name="Text" my:Value="{Binding Source=object, Path=Duration, Mode=TwoWay}"/>
      <my:Property my:Name="MaxLength" my:Value="128"/>
      <my:Property my:Name="RegularExpression" my:Value="{Binding Source=schema, Path=Duration.StringRegex}"/>
    </my:Properties>
  </my:Control>
</my:Grouping>

Finished. Now you can start adding users to the group as an admin, or do it as the user yourself. In the request history (search requests) you will see a “PostProcessing” state for the group editing request, which stays in this state until the delay has elapsed. Remember that this is no problem, since the workflow has been unloaded from memory.

One drawback of this solution is that two users/admins might request membership of the same group at the same time, so one of them may get the wrong delay duration if the activity is resetting the default value at just that moment. To get around this you could implement a request object type, as in PAM, that leads to a group membership, so that you have separate instances per request. But I guess this solution will work in most circumstances.
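To make that drawback concrete, here is a constructed Python model of the workflow ordering described above (added here; it is not MIM or MIMWAL code and not from the original post). It compares the post’s design, where Duration is one attribute on the group, with the suggested workaround of a per-request object that carries its own Duration; the member names and timestamps are made up.

```python
"""Constructed model of the post's time-limited membership workflow (not MIM/MIMWAL
code): Duration stored on the group (shared) vs. carried by a per-request object."""
from dataclasses import dataclass
import heapq

DEFAULT_DURATION = 1.0  # hours; the value the Update Resource activity writes back

@dataclass
class Request:
    member: str      # user being added to the time-limited group
    duration: float  # hours the requester typed into the Duration field
    submit: float    # time the group edit (Duration + member add) is committed
    start: float     # time the action workflow's Add Delay activity reads Duration

def simulate(requests, shared_attribute=True):
    """Return {member: delay actually applied}. shared_attribute=True is the post's
    design (one Duration attribute on the group); False gives each request its own."""
    group_duration = DEFAULT_DURATION
    events, seq = [], 0  # heap of (time, tie-breaker, kind, request)
    for r in requests:
        for kind, t in (("submit", r.submit), ("start", r.start)):
            heapq.heappush(events, (t, seq, kind, r))
            seq += 1
    applied = {}
    while events:
        t, _, kind, r = heapq.heappop(events)
        if kind == "submit":  # requester writes Duration onto the group
            group_duration = r.duration
        elif kind == "start":  # Add Delay reads whatever Duration holds right now
            delay = group_duration if shared_attribute else r.duration
            applied[r.member] = delay
            heapq.heappush(events, (t + delay, seq, "expire", r))
            seq += 1
        else:  # expire: Update Resource removes the member and resets the default
            group_duration = DEFAULT_DURATION
    return applied

def wrong_delays(requests, applied):
    """Members whose applied delay differs from the Duration requested for them."""
    return {r.member for r in requests if applied[r.member] != r.duration}

# Constructed timeline (hours): carol's edit overwrites alice's Duration before
# alice's workflow reads it; carol's expiry resets the default just before bob's
# workflow starts, after bob had already written 24 hours onto the group.
SCENARIO = [
    Request("alice", 8.0, submit=0.00, start=0.10),
    Request("carol", 2.0, submit=0.05, start=0.20),
    Request("bob", 24.0, submit=2.15, start=2.25),
]
```

With the shared attribute, alice and carol both get 2 hours and bob gets only 1 hour; with `shared_attribute=False` every member gets exactly the Duration that was requested.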


About Peter Stapf
Senior Consultant Identity and Access MVP (Enterprise Mobility)

2 Responses to MIMWAL: Time limited group membership (aka simple PAM solution)

  1. Mike Finazzo says:

    Peter, this is close to something I want to configure. I would like to remove inactive users from groups using the MIMWAL. How would I change your Delay to something that would use the attribute employeeStatus=I and then use that in the Update Resource section? If you already posted about this, sorry, I didn’t see it.

    Thanks

  2. Peter Stapf says:

    I think what you are trying to do is a bit more complicated. I used a time limit attribute on groups to remove members from the group, so only group attributes are used.

    You are working on users that will be deactivated, but there is nothing like a memberOf attribute in the portal. So you need to look up the user’s group memberships and remove the user from those groups.
