
Support for regular expression (regex) to allow/block user or group login #207

Open
uurazzle opened this issue Apr 1, 2024 · 4 comments

Comments

@uurazzle

uurazzle commented Apr 1, 2024

Hi,

I'd like to propose an enhancement for Xcreds that would greatly benefit our workflow. Currently, there are situations where it's challenging to manage access permissions effectively, especially when dealing with directory services managed by other teams. Often, it's difficult to justify making adjustments to organizational units (OUs) or groups to accommodate specific needs for sub-locations or restrict access for certain sub-teams or departments.

To address this challenge, I suggest adding support for regular expressions (regex) in Xcreds, allowing us to block or allow logins based on user or group criteria. By incorporating regex functionality, we can dynamically manage access permissions without relying solely on predefined OUs or groups, providing greater flexibility and adaptability to our authentication process.

This enhancement would empower our team to tailor access control more precisely to our needs, reducing dependency on external teams and streamlining our workflow. I believe it would significantly improve our efficiency and enhance security measures.

To illustrate, we currently have multiple guest account implementations that require specific access permissions on sets of Macs denoted by groups such as "GX[RANDOM_NUMBERS]", "GP[RANDOM_NUMBERS]", and "GN[RANDOM_NUMBERS]". Enabling Xcreds to utilize regular expressions and implementing this through configuration profiles would simplify the process of blocking or allowing access. This could be achieved via the distribution and assignment of configuration profiles.

@twocanoes
Owner

Can this be done with the override script? There is a group called DenyLoginUnlessGroupMember. You have the override script return which users are allowed to log into that machine based on criteria in the script.

@uurazzle
Author

uurazzle commented Jun 10, 2024

Hi,

Thank you for your response and for suggesting the use of the override script with the DenyLoginUnlessGroupMember group. While this approach can address some of our needs, incorporating support for regular expressions (regex) directly into Xcreds would offer a more flexible and powerful solution.

With regex, we can efficiently manage scenarios where a user is not part of a specific group. Implementing this with the DenyLoginUnlessGroupMember group is an option. However, adding all users we might want to allow or block to this workflow would be burdensome in our environment, as it depends on central IT administrators to manage and update these groups. This additional task would require significant time and resources, making it less feasible for us.

The ability to use regular expressions (regex) in situations where the DenyLoginUnlessGroupMember group isn't an option would be a great addition, allowing us more flexibility and control.

@twocanoes
Owner

I need to understand this better before I implement it. Please send a message to [email protected] to set up a meeting so we can discuss.

@twocanoes twocanoes added this to the XCreds 5 milestone Jun 17, 2024
@twocanoes
Owner

Suggested ways to implement:

  1. Wildcard for users and groups. If a group is specified as GP*, then any user that has a group that starts with GP would match. For users, if there is an array of "allowed users" and GP* is allowed, and the user is GPUser01, then the user would be allowed.
  2. Make both allowed and denied options for access based on name or group membership.
  3. Make a script a way to see if a user is allowed or denied. If a pref is defined with a script path, a final check may be done by passing the user info to the script and getting back an "allowed" or "denied".
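As an added example, not XCreds code, here is a Python sketch of how the three suggestions above could fit together: wildcard patterns such as GP* for users and groups, separate allow and deny lists where deny wins, and a script-style "allowed"/"denied" verdict. The /.../ raw-regex syntax, the policy key names and the sample user are assumptions made for this example.

```python
"""Added example (not XCreds code): evaluate wildcard/regex allow and deny
rules for one login attempt, given the user's name and group list."""
import re


def compile_pattern(pattern: str) -> re.Pattern:
    """'GP*' style wildcards become anchored, case-insensitive regexes.
    A pattern written as /.../ is used as a raw regex (hypothetical syntax)."""
    if len(pattern) > 2 and pattern[0] == pattern[-1] == "/":
        return re.compile(pattern[1:-1], re.IGNORECASE)
    # re.escape turns '*' into '\*'; swap it back to a regex wildcard.
    return re.compile(re.escape(pattern).replace(r"\*", ".*"), re.IGNORECASE)


def any_match(patterns, names) -> bool:
    """True if any name fully matches any pattern (no substring surprises:
    'XGP1' must not match 'GP*')."""
    compiled = [compile_pattern(p) for p in patterns]
    return any(c.fullmatch(n) for c in compiled for n in names)


def is_login_allowed(username: str, groups, allowed_users=(), allowed_groups=(),
                     denied_users=(), denied_groups=()) -> bool:
    """Deny rules win over allow rules. With no allow rules configured, anyone
    not denied may log in; once an allow rule exists, the user must match it
    (the same 'deny unless member' behaviour as DenyLoginUnlessGroupMember)."""
    if any_match(denied_users, [username]) or any_match(denied_groups, groups):
        return False
    if not allowed_users and not allowed_groups:
        return True
    return any_match(allowed_users, [username]) or any_match(allowed_groups, groups)


def decide(user_info: dict, policy: dict) -> str:
    """Shape of the script hook from suggestion 3: take the user info and a
    policy, answer 'allowed' or 'denied'. The key names are assumptions."""
    ok = is_login_allowed(user_info["username"], user_info.get("groups", []),
                          policy.get("allowed_users", ()), policy.get("allowed_groups", ()),
                          policy.get("denied_users", ()), policy.get("denied_groups", ()))
    return "allowed" if ok else "denied"


if __name__ == "__main__":
    # Constructed sample: a guest account in a GX-prefixed group, as in the issue.
    sample_user = {"username": "guest42", "groups": ["Domain Users", "GX48213"]}
    sample_policy = {"allowed_groups": ["GX*", "GP*"], "denied_users": ["/guest\\d{3,}/"]}
    print(decide(sample_user, sample_policy))  # allowed
```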

@davelebbing davelebbing modified the milestones: XCreds 5, XCreds Future Aug 13, 2024
@twocanoes twocanoes modified the milestones: XCreds Future, XCreds 5.1 Oct 17, 2024
@twocanoes twocanoes self-assigned this Oct 17, 2024
@davelebbing davelebbing modified the milestones: XCreds 5.1, XCreds Future Oct 22, 2024