Allow Managers to Add Users to Groups

Question

Hi

We would like to allow Managers of Users to add their Users to Security Groups. Currently, we always get the following error:

Currently our Security for Managers looks like follow:

If we have a seperate rule to allow managers to write "Members Property" of Security Groups, the Business Rule for the Appproval workflow is ignored.

What settings do we have to adjust to make this possible?

• Manager of User XY can add UserXY to Group AB, then trigger the Business Rule

Thanks, Mario

Answer 1

Hello Mario,

The thing is that when you are adding a member to a group, it is the group that is modified, not the member. As such, you need to grant users who are managers the permissions to manage group membership. For details, have a look at the following tutorial: https://www.adaxes.com/tutorials_DelegatingPermissions_GrantRightsToModifyADGroupMembership.htm. Unfortunately, it is not possible to delegate the permissions to only add specific users to specific groups. This part can be handled in the business rule using corresponding actions/conditions.

As the target object of your business rule is a group, the condition matching InitiatorUserName with %username% will not work as the value reference will resolve into the sAMAccountName property value of the group, not the member being added.

For us to help you with the business rule configuration, please, specify the following:

• Should the business rule not perform any actions if a user adds themselves to a group?
• Should the business rule not perform any actions if the target group is a specific one?
• Would it meet your needs if the business rule cancels the operation if the initiator is not the manager of the member being added?

Any additional details regarding the desired behavior will be much appreciated.

Comments

Thanks for your fast reply.

We have the following Scenarios:

• Groups that dont have an owner, that users can add themself without any approval (ex. "Hide my Mobile from Signature") (thats what i tried to achieve with the first action set in my image)
• Groups that have a owner/manager, user can add themself but need approval from the owner, managers can add their users/employees, but need approval from the owner (second action set in my image) (script below)
• Groups that dont have an owner/manager, user can add themself but need approval from people sepcified in the adaxes, managers can add their users/employees, but need approval from people sepcified in the adaxes (third action set in my image)

# The condition is met if $Context.ConditionIsMet is set to $True.
$group = Get-ADGroup -Identity '%username%' -properties managedby
$manager = $group.ManagedBy
$length = $manager.Length

if($manager.Length -gt 0) {
    $Context.LogMessage("$manager", "Information")
    $Context.LogMessage("Group has a Owner", "Information")
    $Context.ConditionIsMet = $True

    }
    else {
    $Context.LogMessage("Group has no Owner", "Information")
    $Context.ConditionIsMet = $False
    }

---

Hello Mario,

Thank you for the provided details. Sorry for the confusion, but it is not clear how points one and three match together. They have the same if statement, but different results. Could you, please, clarify this point?

---

Lets say we have the following groups without owner

• HideMyMobileFromSignature
• Local_Machine_Admins

User can add themself to both groups and so can their managers.

Point 1: For "HideMyMobileFromSignature" we dont want anyone to give an approval as its only a "cosmetic" group that user can decide theirself.

Point 3: For the Group "Local_Machine_Admins" we want someone from IT Staff (1 out of X Users, so we cant set a manager on the group) to give an Approval.

---

Hello Mario,

Thank you for clarifying. What about the cases when the member being added is not the initiator? How should such situations be handled?

---

For Option 1: Inform them by Mail For Option 3: Nothing

---

Hello Mario,

Thank you for the update. Let us clarify the whole behavior:

• If a user adds themselves to a specific group (e.g. HideMyMobileFromSignature) that has no owner, the business rule should not do anything. If a user is added to the same group by their manager, an email notification should be sent.
• If a user is added to a group that has an owner, the operation is submitted for approval no matter if the addition is made by the user themselves or by their manager.
• If a user adds themselves to a specific group (e.g. LocalMachineAdmins) that has an owner the operation must be submitted for approval. If a user is added to the same group by their manager nothing should be done (including no approval).

If the above is correct, your business rule should be as below. There is no need to add the parts where nothing will be done as they will be ignored by the business rule according to the conditions.

---

Thanks for the clarification and the rules.

Point 1:

• Instead of the Manager it should be "if Initiator is not the targeted user". This would make more sense for us, as also IT Staff or HR could add them to this group.
• Can you confirm that the Mail-Properties are the right one for sending it to the user (an not the group or initiator):

Point 2: I think for us it would be only "ManagedBy = Empty" and nothing else, as all empty groups expect the one in Point 1 should be approved by the specified people. Does this make sense for you?

---

Hello Mario,

Instead of the Manager it should be "if Initiator is not the targeted user".

You can change the condition this way, but in the case it will be met for all the cases when adding to a group is not performed by the user themselves while in your case you mentioned checking whether it is done by the user’s manager.

Can you confirm that the Mail-Properties are the right one for sending it to the user

Yes, the settings are correct.

all empty groups expect the one in Point 1 should be approved by the specified people. Does this make sense for you?

Yes, this approach will also work.