Assign user to a single security group among ones contained in a OU

Question

Hello,

We would like to implement a form / extend one where a user (eventually created before) is made member of a security group defining his/her role, and this group is one among all the roles (groups) available in a precise OU.

Ideally, we envision a form field called 'Role' whose value is a combo box filled with all the roles the user could assume. That value would then make the user a member of the corresponding group, eventually removing him/her from any other previously role held. We understand that PowerShell coding is in order (either before visualizing the or after form validation), but we are prepared for this.

Or maybe a special (modified) 'Add to group' function is more suitable, calling it 'Add to role' with an exit script to guarantee the membership to a single role?

Apologize if the question seems convoluted. Thanks!

Answer 1

Hello,

Sorry for the confusion, but we are not quite sure about the desired behavior. When a user calls a function, they need to be able to select a single group from a list and then get added to it. Is that correct? If so, you can use a custom command with a drop-down list parameter. The values of the parameter items will be group distinguished names and the item names can correspond to the role names. For example: In the custom command, there will only be the Add to group action: The following tutorial should be helpful: https://www.adaxes.com/help/CreateCustomCommand/. If this is not what you need, please, describe the desired behavior with live examples and screenshots (if possible).

Comments

Hello,

Thank you for your answer. I'll try to be more specific: assume that in a given OU there is a set of security groups, each one identifying internally a specific role. To give a couple of examples, the security group F-Secretary in that OU identifies a secretary. That group is already member of one or more other domain security groups (in other OUs) which give access to the resources the security group controls. Or you have the security group F-Head of Department, which is member in turn of all the security groups controlling the resources an head of department should access.

The idea behind is that by making a given user account a member of one of those 'role' groups will give the user access all the necessary resources. Hence the idea of making the user a member of just one of the 'role' groups, plus of course making room for additional specific needs an user could have in terms of membership.

For the help desk it would be helpful to have a 'guided' way to add the user to its role, but of course it is perfectly possible to do the same with the provided "Add to group" feature, except that it's less inmediate and it doesn't avoid possible manual errors, apart from browsing among tens or hundreds of security groups.

I don't know if the above explains better what we do have in mind.

Thanks a lot!

---

Hello,

Thank you for the provided details. It looks like the approach we suggested above should work just fine. Please, give it a try. If there is something specific in the solution that does not meet your needs, please, point it out in details.

---

Thank you again.

Now, regarding the custom command, the Drop-down list parameter needs to be pre-loaded manually, i.e. can't be generated dynamically with a script I suppose.

And the Directory object picker can only be filtered on a given OU, but always returns the AD object (the group samAccountName supposedly), right?

The best solution could be to pre-fill the drop-down list dynamically with a script at run time, getting the AD objects currently defined and eventually using another attribute (the display name for instance) in the list. But maybe we are asking too much.

---

Hello,

Drop-down list parameter needs to be pre-loaded manually, i.e. can't be generated dynamically with a script I suppose.

Yes, that is correct.

And the Directory object picker can only be filtered on a given OU, but always returns the AD object (the group samAccountName supposedly), right?

Yes, that is correct. However, the actual parameter value is the distinguished name, not the sAMAcountName.

The best solution could be to pre-fill the drop-down list dynamically with a script at run time

Unfortunately, there is no such possibility. We have plans for something like that, but there is currently no ETA for the feature.