I can think of a couple approaches off the top of my head, so I'll babble through them and see if anything sticks for you:
- Create an extension attribute that looks for the existence of a file and reports true if found
- Have the restriction scope include a smart group where we (programmatically) will store the people who need access
- Put a policy in Self Service that "touch"es the file in step one and then updates inventory
- The smart group then sees the computer has the extension attribute and excludes them from the restriction
- Then some other policy or process removes the file and re-updates inventory taking them back out of the exclusion smart group
This could also be done by having a script that directly sets/unsets the extension attribute via an API call. That would be faster but requires comfort and fluency with API scripting.
Does that make sense? Essentially, you are right: we are using the temporary admin process, but instead of running a script to promote/demote the user, we are populating a smart group that excludes the computer from being restricted.
I've done something like this for a couple of clients in the past, so let me know if you have questions about my idea.
Good luck!
