Policies have been around for a long time and need to be looked at and enhanced. There are several limitations currently with policies when it comes to the creation, definition, and application.
With the first one, we are limited to what types of policies can be created. For instance, as mentioned in another idea, you are only able to create a uniqueness policy for samAccountName and UPN. There are far too many attributes for users that need to be validated in this manner. A generic uniqueness policy should be available to define any attribute that needs to be validated. There are other policies of this type like Name Length that could be used for other attributes.
In defining the policies, there are a few limitations that I will try to capture here. First, as mentioned in another idea, you are unable to use regular expressions for a Validate Specific Property policy. Additionally, with this policy, defining scopes requires you to enter each individual value for a range. So instead of being able to enter A-Z you have to enter A,B,C,D... This makes the policy overly complicated.
Second, when I define a policy it is not validated in real-time. I am required to complete the operation I am doing and submit before I get an error. It would be beneficial if policies were validated as you clicked through each tab. This way you can fix the problem before you get to the end. It is possible that multiple policies will fail on submission and then you need to go back and try to fix them all.
Next, and probably not the last as I am sure I am forgetting something, we need to make sure policy management is centralized. For instance, if I define an attribute validation policy, the web client should be able to request that information and perform the validation in real-time like the new web client attribute validation does. You should not be required to enter this validation in more than one location, and configuring it in the web client only applies there. If you use PowerShell or the 32-bit client it will not be validated against that setting. I can see where many of the policies that can be defined could be accessed by the web client and validated in real-time to make it easier for the AA to know when something needs to be changed.
by: Richard M. | over a year ago | Configuration
Comments
Thank you for this submission. This idea, while covering a broad set of policy requirements, is valid.
Let's break this out into clarification about each point, please confirm:
You are requesting a generic unique policy that can be defined for a set of attributes in the product.
You want to use regular expressions to define the policy validation criteria.
You are asking for the policies to be evaluated in real time on the client side.
You would like all policies to be managed in a central location in the product.
Let me respond to each of these:
1. Yes, we need to be able to define a policy that can be validated against any potential attribute of a user. It would be done by selecting the attribute you want to validate and then defining the criteria for that attribute to be validated against.
2. Yes, regular expression validation is much more efficient than trying to use sets of characters. Having to provide each character in the policy for what needs to be validated is overly complex. This is easier to demonstrate than describe.
3. Yes, this is not as important as the others, but it is something that is very often seen in web consoles, where while you are typing the system validates that the value meets the criteria. It appears this is able to be done today with the field validation in the web client, but only if you specify it in the properties of the attribute field, which makes it a customization. This is why the last point is so important.
4. Yes, there needs to be a way to do attribute validation without having more than one location to set them up. This used to be the case until we introduced validation at the attribute level of the property pages. Instead of creating a new way to do validation we need to improve the existing and leverage what is there. For example, if I define a policy for samAccountName and I want it to validate in real-time through the web client, the web client should query to see if there is a policy for that value and use that policy. Currently there is the potential for conflicting validation where the web client configuration could not be configured correctly to what the central policy states for the validation.
I am more than happy to have a discussion around this and walk through how it is today and what I feel would be more user and administratively friendly.
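To illustrate points 1, 2 and 4 of the thread together, here is an added example (not code from the product or from either poster) of a single, central policy definition that combines a regular-expression criterion, a length limit and a uniqueness check for any attribute; the same function serves a per-field real-time check and a bulk pass that reports every violation at once. The policy format, attribute names and the directory objects are constructed for the example.

```python
import re

# Constructed, hypothetical policy format (not the product's own): one rule per
# attribute, combining a regex pattern, a length limit and a uniqueness flag.
# A regex such as [a-z] replaces listing A,B,C,D... individually.
POLICIES = [
    {"attribute": "sAMAccountName", "pattern": r"[a-z][a-z0-9.]{2,19}", "unique": True},
    {"attribute": "employeeID", "pattern": r"E\d{6}", "unique": True},
    {"attribute": "displayName", "max_length": 64},
]

# Constructed sample objects: two share an employeeID, and one sAMAccountName
# contains an uppercase letter and a space, so it fails the pattern.
USERS = [
    {"dn": "CN=Ada,OU=Users,DC=example,DC=com", "sAMAccountName": "ada.l",
     "employeeID": "E000001", "displayName": "Ada L"},
    {"dn": "CN=Bob,OU=Users,DC=example,DC=com", "sAMAccountName": "Bob S",
     "employeeID": "E000002", "displayName": "Bob S"},
    {"dn": "CN=Cy,OU=Users,DC=example,DC=com", "sAMAccountName": "cy.k",
     "employeeID": "E000001", "displayName": "Cy K"},
]


def check_value(attribute, value, users, policies=POLICIES, exclude_dn=None):
    """Validate one proposed value against the central policy for `attribute`.
    Returns a list of messages (empty when the value passes). A client can call
    this per field as the user types; exclude_dn skips the object being edited
    so its own current value does not count as a duplicate."""
    problems = []
    for pol in (p for p in policies if p["attribute"] == attribute):
        if "pattern" in pol and not re.fullmatch(pol["pattern"], value):
            problems.append(f"{attribute}: {value!r} does not match /{pol['pattern']}/")
        if "max_length" in pol and len(value) > pol["max_length"]:
            problems.append(f"{attribute}: {value!r} exceeds {pol['max_length']} characters")
        if pol.get("unique"):
            clash = [u for u in users if u["dn"] != exclude_dn and u.get(attribute) == value]
            if clash:
                problems.append(f"{attribute}: {value!r} already used by {clash[0]['dn']}")
    return problems


def validate_all(users, policies=POLICIES):
    """Evaluate every policy against every object in one pass and return all
    violations as (dn, message), rather than one failure per submission."""
    violations = []
    for u in users:
        for pol in policies:
            value = u.get(pol["attribute"])
            if value is None:
                continue
            for msg in check_value(pol["attribute"], value, users, policies, u["dn"]):
                violations.append((u["dn"], msg))
    return violations
```

Running `validate_all(USERS)` on the constructed objects reports three violations: the duplicate employeeID on both Ada and Cy, and the malformed sAMAccountName on Bob.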