Removing users automatically from a Record Permissions field
Does anyone know if it is possible to control the contents of a record permissions field via AD group membership?
We currently have a Record Permissions field to provide access to a particular content record and the 'selectable' users in this field are assigned from a group that is managed via an LDAP synch with our AD. What I would like is for users that are removed from that AD group to subsequently be removed from the RP field automatically once the LDAP synch job has completed.
My testing of this seems to suggest that this is not possible and despite the user being removed from the relevant AD group, they remain 'selected' in the RP field and therefore retain access to the record and receive all subsequent notifications about that record.
Does anyone know of a way of achieving what I'm after?
If a user is inactivated, then she or he cannot access the record anyway. I would say it would violate much. What if a user got deactivated and then activated the next day, but you had already removed the user from RP?
Overall, auto deletion of users from RP is not basic functionality, you have to implement it. Either via IRP or DataFeed or API, etc.
Something similar was discussed in here: https://community.rsa.com/thread/199625
Thanks very much for the reply. The issue is that the user may not be inactive, as they could be a member of another AD group which gives them access to another area of Archer, so their account would still be active.
Looks like we are going to have to implement another solution to achieve this.
Jonathan, Archer doesn't treat the group as an authentication component but more as a container for users when it comes to record permission fields, unless the group itself is selected. In the end, from a record perspective Archer is just linking to the user, and it never re-evaluates whether that user's group membership has changed.
How is the role configured that grants access to the application? Is it using the same AD group or a different group? If you use that same AD group, it should "block" the user from the record, since the user wouldn't have access to the application anymore once they are no longer a member of the AD group.
Thanks for the response, we actually use different AD groups within the same application but we may now need to rethink this for this application to achieve what we want.
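The two situations discussed in the thread (role granted via a different AD group versus the same AD group, plus a post-sync check for stale RP selections) modelled in plain Python. This is an added illustration, not Archer's API or any code from the thread; all user, group and record names are constructed.

```python
"""Model of the access situation in the thread: a Record Permissions (RP) field
names individual users, and membership is not re-evaluated after the LDAP sync.
Constructed example; does not call the Archer API."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    name: str
    active: bool
    ad_groups: frozenset


@dataclass
class Record:
    rp_selected_users: set                       # users named in the RP field
    rp_selected_groups: set = field(default_factory=set)  # groups selected whole


def has_access(user, record, role_group):
    """Effective access after the sync: user must be active, must hold the role
    (granted through an AD group), and must be named in the RP field or belong
    to a group that was selected in it as a whole."""
    if not user.active or role_group not in user.ad_groups:
        return False
    named = user.name in record.rp_selected_users
    via_group = bool(record.rp_selected_groups & user.ad_groups)
    return named or via_group


def stale_rp_selections(record, users, rp_source_group):
    """Users still named in the RP field who have left the AD group the field's
    selectable list is built from: candidates for removal by a post-sync job."""
    by_name = {u.name: u for u in users}
    return sorted(n for n in record.rp_selected_users
                  if n not in by_name or rp_source_group not in by_name[n].ad_groups)


# Constructed data: alice was removed from RP-Group but stays active via Other-Group.
USERS = [User("alice", True, frozenset({"Other-Group"})),
         User("bob", True, frozenset({"RP-Group", "Other-Group"}))]
RECORD = Record(rp_selected_users={"alice", "bob"})
ALICE = USERS[0]

if __name__ == "__main__":
    print("role via Other-Group:", has_access(ALICE, RECORD, "Other-Group"))  # True
    print("role via RP-Group:   ", has_access(ALICE, RECORD, "RP-Group"))     # False
    print("stale RP selections: ", stale_rp_selections(RECORD, USERS, "RP-Group"))
```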