
Time Based Application Access via Active Directory Groups using FIM 2010 R2

Hello,

In FIM 2010 R2, is there any way of achieving time-based application access?

Scenario: A user is to be allowed to access an application for a certain duration only, let's say for 1 month. The application is linked to an Active Directory group, which has to be managed via FIM, and the user is to be kept as a member for the fixed duration only. If the user needs to have access for more time, the user can request an extension.

Approach 1: Create 1 attribute ("Valid Upto", DateTime type) and bind it to the user object. Set the expiry date to a future date for the users who need to have access to the application. Now, create one criteria-based / RBAC group specifying the desired criteria based on the "ValidUpto" attribute. As soon as the criteria no longer match for a user, that user will be thrown out of the group, and the ones whose dates are extended will still remain part of the group.

The above approach is challenged by the client, who asks whether, if they need to do this for 100 applications, there would be a need to create 100 new attributes, which will increase the data load for the FIM Server, as the present user count is approx. 50k (inactive) and 30k (active).

Is there any other standard way of achieving this in FIM 2010 R2, i.e. can an attribute be created and bound to the request object rather than the user object, so that it can be used commonly for all applications? Or is the mentioned approach standard in terms of industry best practice, one which won't hamper the database or any other feature of FIM 2010 R2?

Thanks.


Regards,
Manuj Khurana

