0 votes

I am attempting something a little complicated. I have done approvals for a group membership but what I want to do is approvals for a sub group membership. The scenario is that a user is being added to a Department and by default, they have access to X web resource which requires a non AD login account. I want to send the manager of the web resource an email to add the user and have them approve it in adaxes for record keeping. The current group approvals only seem to work for direct membership additions. Do you have any suggestions?

by (70 points)
0

Hello!

Do we understand correctly, that you would like to have an approval request created before adding users to groups which are members of another group? In this case, a Business Rule triggering Before Adding a member to a Group can be used. If you need to submit the operation for approval when users are added to the group itself and to the nested groups then you will need to specify the group itself and its members in the activity scope of the Business Rule. Finally, the Business Rule should look like the following:

If this is not what you meant, please, describe the entire workflow in all possible details. Live examples would be much appreciated.

0

This is close but I would like to only have specific sub groups to be sent for approval.

We are trying to implement a group access control record of third party website access for a position change. If I go from Accounting to IT. I will lose access to the accounting resources, such as an accounting web site, and gain access to the IT resources. But the Accounting site is accessed by more than just Accounting and it has no API for automated user management. When I get pulled from that Accounting group, as a part of my transfer workflow, the group that is associated with access to the Accounting site's owner requires approval to indicate that the access was removed, but the other resources associated with the accounting group are not needing to be notified since removal from those groups removes access.

Is there a way to be more selective of the sub groups? Maybe look at the Managed by field of the subgroup for the Business Rule?

0

Also, it looks like the emails are sent out pertaining to the group representing the permission rather than the group representing the site access with the example that you provided.

0

Hi,

I'm a colleague of adowns. Here is a similar script we found. I've also wrote up our specific use cases.

https://www.adaxes.com/script-repositor ... ps-s36.htm

Is Adaxes capable of notifying group owners of indirect membership changes? Can the above script be modified to request approval for membership change operations via a indirect membership?

For example

User1 (AD field 'Manager=Manager1') is a member of JobRoleGroup1 (Managed by Manager1) which is a member of NonADIntegratedResourceGroup1 (Managed by Manager2).

When User1 is added to a JobRoleGroup or is removed from a JobRoleGroup, we'd like to notify Manager2, via their the ownership of NonADIntegratedResourceGroup1, that they need to update their System/Access Control List that not integrated with AD.

Basically we are creating place holder groups for non AD integrated systems so we can use Adaxes reporting and automation functionality. This allows us to run an audit report on a user and see what they should have access to. It also builds the framework needed for non AD integrated systems if they later on gain AD integration functionality.

For these types of groups we are prefixing them with Eres_groupname, meaning External Resource (external to AD intergration).

As an additional piece of information, we've structured our JobRole groups as Role_%title% where the %title% matches the User's AD title property. When Human Resources enters a user title such as 'Test' via the Adaxes Web, we've programmed it to look for matching a matching Role Group which in this case would be Role_Test. If a role group is not found that matches that %title% then Adaxes sends an exception to us (IT dept.) before proceeding. We then have a conversation with HR and the User's manager on what access permissions this employee needs and we build a new Job_%title% group. We then restart this held business rule process and it proceeds to complete the other subsequent process.

With this in mind, we have another scenario to consider.

User1 (AD field 'Manager'=Manager1) is a member of Role_Job1 (Managed by Manager1) which is a member of Eres_NonADIntegratedResourceGroup1 (Managed by Manager2). User1 is promoted, removed from Role_Job1 and becomes a member of Role_Job2 (AD field 'Manager'=Manager3) which is also member of Eres_NonADIntegratedResourceGroup (Managed by Manager2).

In that scenario, two permission changes will happen to the indirect group and would notify the group owner. However since they still are a member of the indirect group before and after the JobRole group change, we are wondering if there is a way to cancel out the approval request going to Manager2.

We envision that this is how the process would run..

Human Resources via the Adaxes web interface changes the employees Job title and submits the changes. We're open to having HR fill out two fields in the Adaxes web form if needed, such as current Job Title and new Job Title. We also may have HR complete a field such as an effective date to indicated when the employee starts working in their new role as it may be a few days out.

Before execution, we run a Business Rule and via Powershell create arrays with the following information. We query the User1's current Role_Jobtitle1 and all of its indirect memberships. We then query the User1's new Role_Jobtitle2 and all of its indirect memberships. We then compare the indirect group memberships of ERES_%groupname% in the two arrays. Then for each unique ERES_%groupname%, we query the Manage By AD field and email the group owner for approval. Any matching ERES_%groupname% entries are ignored as that would create a duplicated request. Once approvals are completed and if the effective date is the same day, Adaxes proceeds with the changed.

Thank you for reviewing our request.

0

Hello,

Is Adaxes capable of notifying group owners of indirect membership changes? Can the above script be modified to request approval for membership change operations via a indirect membership?

As far as we understood, the add/remove operations should be submitted for approval and notifications should be sent to group managers. Please, clarify, following points:

  • Who should approve or deny the request? The manager of the nested group or the manager of the parent group?
  • What should be done if the group does not have the Managed by property populated?
  • Should the notifications be sent to the managers of both the nested and the parent group?

User1 (AD field 'Manager'=Manager1) is a member of Role_Job1 (Managed by Manager1) which is a member of Eres_NonADIntegratedResourceGroup1 (Managed by Manager2). User1 is promoted, removed from Role_Job1 and becomes a member of Role_Job2 (AD field 'Manager'=Manager3) which is also member of Eres_NonADIntegratedResourceGroup (Managed by Manager2).

In that scenario, two permission changes will happen to the indirect group and would notify the group owner. However since they still are a member of the indirect group before and after the JobRole group change, we are wondering if there is a way to cancel out the approval request going to Manager2.

This can be done by a Custom Command with two parameters, a Business Rule triggering Before Removing a member from a Group and a PowerShell script. One parameter will specify the group to remove users from and the second will specify the group to add to. The Custom Command will add the user to the new group first, and then remove from the other group. The script in the Business Rule will check whether the user is a member of at least one nested group and if yes, it will not generate an approval request. Otherwise, the operation will be sent for approval.

0

As far as we understood, the add/remove operations should be submitted for approval and notifications should be sent to group managers. Please, clarify, following points:

  • Who should approve or deny the request? The manager of the nested group or the manager of the parent group?

    Manager of the nested group (we're using the Approve/Deny as a way of notifying the manager to complete a task such as add user to a system they control)

  • What should be done if the group does not have the Managed by property populated?

    Any Eres_%groupname% without a manage by property should be sent to itdept@test.com.

  • **Should the notifications be sent to the managers of both the nested and the parent group?

    If that is possible, we'd like the option to toggle the notification of the parent group. In this case, we foresee that notifying both the parent and nest group owners could create a lot of notifications to the parent group owner. The Role_%titlename% group will have several nested eres_%groupname%. We likely will want to just notify the User's Manager once all nested Eres_%groupname% approvals have been completed along with varios other business rules.**

We also found the following two scripts. Which we believe are what you are referring to on the Custom Command for moving a user between two groups with the same nested group.

https://www.adaxes.com/sdk/SampleScript ... mbers.html
https://www.adaxes.com/sdk/SampleScript ... ember.html

0

Hello!

According to the provided information, we understand it so that the ERES_%groupname% groups are members of the corresponding Role_%titlename% groups. In such case, adding users to the Role_%titlename% does not make them members of the ERES_%groupnames%. To get the membership in these groups, a Business Rule triggering After Adding or removing a member from a Group and a PowerShell script should be used. Upon adding or removing a user from a Role_ group, the script will add or remove the user from the corresponding ERES_ groups. Also, the operation will be submitted for approval by the script.
To avoid creating two approval requests when users are removed from one Role_ group and at the same time added to another Role_ group, a Custom Command with two AD object picker parameters and a PowerShell script can be used. The parameters will be used to specify the Role_ groups. The user on which the command is executed will be removed from all the ERES_ groups related to one Role_ group and added to the ERES_ groups of the other Role_ group. If there are ERES_ groups that are members of both Role_ groups specified in the parameters, the user will just keep their membership in the groups (there will be no duplicate approval requests). The group membership update will be submitted for approval by the Business Rule described above.
If the solution meets you needs, we will provide you with the scripts and detailed instructions.

0

This is actually backwards. The Role_%title% is a member of the ERES_%group%.
Here is a picture!

0

So I need a email sent and approval requested for the ERes_%group% manager when a user is added to a Role_%title% group that is a member of the ERes_%group% unless the user was already indirectly a member of the group. And an email sent and approval requested for removal as well.

1 Answer

0 votes
by (14.1k points)
selected by
Best answer

Hello,

Thank you for the clarification. Here is the solution we recommend:

For adding users to Role groups
When a user is added to a Role group, a Business Rule will trigger. It will send an email notification (not an approval request) to the manager of the Eres group the Role group in question is a member of and check whether the user is currently a member of the Eres group. If the user is a direct member of the Eres group, they will be added to the new Role group right away and no approval requests will be created. If the user is not a direct member of the Eres group, an approval request will be sent to the Manager of the Eres group.

For removing users from the Role groups
When a user is removed from a Role group, a Business Rule will trigger. It will send an e-mail notification (not an approval request) to the Manager of the Eres group the Role group in question is a member of and check whether the user is currently a member of any other Role groups in the Eres group. If the user is a member of other Role groups, an approval request will be sent to the manager of the Role group only and the user will be removed only from this group once the request gets approved. If the user is not a member of any other Role groups in the Eres group an approval request will also be sent for removing the user from the Eres group to the group Manager (as a result once the requests are approved, the user will get removed from both the Eres and the Role groups).

Please, feel free to provide any additional details or corrections.

Related questions

0 votes
1 answer

So I need an approval process before adaxes executes a custom command to create a user. Basicaly an HR group and a Privacy group have to approve. what i have is set up like this ... the first one has been approved. I want them to go out at the same time.

asked Apr 14, 2023 by mightycabal (1.0k points)
0 votes
1 answer

I have a web view set up where the user is locked down to only seeing thier approvals. When they get a email notification, and click on the approve or deny link, ... that would grant this access but I am wondering if there is something I am missing.

asked Apr 7, 2023 by mightycabal (1.0k points)
0 votes
1 answer

Hi We would like to remind users if they have an outstanding request to approve. I know we can manually send a reminder e-mail on the request. Is there any way we can ... tasks, if for example, a request is waiting for longer than 7 days? Thanks, Mario

asked Aug 2, 2021 by m.car (80 points)
0 votes
1 answer

Hi, I'm wondering if I can implement a delegate system in Adaxes for approvals? What I was thinking was using the "seealso" property to set another user as your assigned delegate ... have the idea but not the skills.......... Is anything like this possible?

asked Mar 5, 2015 by bistromath (840 points)
0 votes
1 answer

Hello, I have a lot of rule-based groups which are updated every day at 5 a.m. but now I would like to change the synchronization time for all groups, for ... custom command be created which updates all groups when executed? Many thanks for your help! D.

asked Jan 9 by DRiVSSi (300 points)
3,548 questions
3,238 answers
8,232 comments
547,810 users