0 votes

Hello,

we would like to implement self service for group management but in a different way.
Currently an user is able to select a group, an approval is required and the user is added to the group or not.
But there are 3 difficulties:
- the large number of groups (about 1200)
- the names of the groups (the user don't know how to search)
- IT internal groups are in the same OU with the same naming structure

Therefore our idea was only the owner of a target group is allowed to use the self service and add a member to one of the assigend groups.
Is there any way to realize that?

Many thanks.

by (460 points)

1 Answer

0 votes
by (289k points)
selected by
Best answer

Hello Horst,

Yes, it is possible. The solution will include a group, a Scheduled Task and a Home Page action. The group will include only users that manage groups. The task will add/remove members from the managers group. The Home Page Action will allow managers to add new members only to groups they manage.

Also, you will need to allow access to the Self-Service Web interface only for members of the managers group.

For information on how to create the group, have a look at the following help article: https://www.adaxes.com/help/?HowDoI.Man ... Group.html.

For information on how to allow access to the Self-Service Web interface only for members of the new group, have a look at the following help article: https://www.adaxes.com/help/?HowDoI.Con ... ccess.html.

i. Creating the Scheduled Task

  1. Launch Adaxes Administration Console.

  2. Right-click your Adaxes service node, navigate to New and click Scheduled Task.

  3. On step 3 of the Create Scheduled Task wizard, select User Object type and click Next.

  4. Click Add Action.

  5. Select Run a program or PowerShell script.

  6. Paste the script below into the Script field.

      $groupManagersDN = "CN=Managers,OU=Groups,DC=domain,DC=com" # TODO: modify me
    
     function SearchObjects($filter)
     {
         $domain = $Context.GetObjectDomain("%distinguishedName%")
         $searcher = $Context.BindToObject("Adaxes://$domain")
         $searcher.SearchFilter = $filter
         $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
         $searcher.PageSize = 500
    
         try
         {
             $searchResultIterator = $searcher.ExecuteSearch()
             $searchResults = $searchResultIterator.FetchAll()
    
             return ,$searchResults
         }
         finally
         {
             # Release resources
             if ($searchResultIterator){ $searchResultIterator.Dispose() }
         }
     }
    
     function UpdateGroupMembership($groupDN, $operation)
     {
         $group = $Context.BindToObjectByDN($groupManagersDN)
         switch ($operation)
         {
             "Add"
             {
                 if (!($group.IsMember($Context.TargetObject.AdsPath)))
                 {
                     $group.Add($Context.TargetObject.AdsPath)
                 }
             }
    
             "Remove"
             {
                 if ($group.IsMember($Context.TargetObject.AdsPath))
                 {
                     $group.Remove($Context.TargetObject.AdsPath)
                 }
             }
         }
     }
    
     # Get managed objects
     try
     {
         $managedObjects = $Context.TargetObject.GetEx("managedObjects")
     }
     catch
     {
         UpdateGroupMembership $groupManagersDN "Remove"
         return
     }
    
     # Check managed objects
     $filter = New-Object "System.Text.StringBuilder"
     [void]$filter.Append("(&(objectCategory=group)(|")
     foreach ($dn in $managedObjects)
     {
         [void]$filter.Append([Softerra.Adaxes.Ldap.FilterBuilder]::Create("distinguishedName", $dn))
     }
     [void]$filter.Append("))")
     $searchResults = SearchObjects $filter.ToString()
    
     if ($searchResults.Length -eq 0)
     {
         UpdateGroupMembership $groupManagersDN "Remove"
     }
     else
     {
         UpdateGroupMembership $groupManagersDN "Add"
     }
  7. Enter a short description and click OK.

  8. Click Next and finish creating the Scheduled Task.

ii. Creating the Home Page Action

  1. Launch Adaxes Web Interface Customization Tool.
  2. Select the interface type and click Configure Home Page Actions on the General tab.
  3. Click Add and select the Add to Group action.
  4. On step 2 of the wizard, define the conditions for selecting users to be added to the groups and click Next.
  5. Select Allow selecting only AD objects that match the specific LDAP filter.
  6. Enter the following into the LDAP filter field:
    (&(objectCategory=group)(managedBy=%distinguishedName%))
  7. Click Finish.
0

Hello,

many thanks - good idea.
Just a quick question.
I would like to remove the possibility to search and to define the columns to display.
Is there a way to do this?

Regards,
Horst

0

Hello Horst,

I would like to remove the possibility to search

There is no possibility to remove the search bar from the Home Page Action steps. However, you can limit the search with a single container. In your case, we recommend applying the limitation only for the new members selection step. If you limit the groups selection with a specific container, the action will allow selecting groups owned by the initiator only in the container. To apply the limitation:

  1. Launch Adaxes Web Interface Customization Tool.
  2. Select the interface type and click Configure Home Page Actions on the General tab.
  3. Double-click the Home Page Action.
  4. Activate the Target Object Selection tab.
  5. Select Allow selecting only AD objects located under a specific OU or container.
  6. In the Container DN field, specify the distinguished name of the required container.
  7. Click OK twice.

to define the columns to display

There is no such possibility. However, you can configure the columns displayed by default. For details, have a look at the following tutorial: https://www.adaxes.com/tutorials_WebInt ... tLists.htm.

0

Ok, understood. I'll test this.

A question of understanding.
I tried to remove the "Look / Browse" feature. I thought I can do this with unclear the checkboxes in the Navigation Bar.
But it seems I missunderstood this feature. :(

0

Hello Horst,

The option you reference affects only the Browse button on the Navigation Bar.

It does not affect Home Page Actions.

0

Hello,

I implemented your adivce and it works perfectly :D :D :D .
Just a last question: would it be possible to use the security group "Owner (managed by)" for this?
First in the access control and second in the security roles?

Best regards,
Horst

0

Hello Horst,

Could you provide all the possible details on what exactly you want to achieve?

0

Sure.
The Access Control tab offers the possibility to define AD groups for "Allow sepecific users and groups only:".
And I would like to use the predefined group "Owner (managed by)" for this, but without any clue how do record this.
With quoutes, without quotes, ...

0

Hello Horst,

Thank you for clarifying. You need to enter the group in the following format: DOMAIN/group. For example:

For more details on how to allow/deny access to Adaxes Web interface, have a look at the following help article: https://www.adaxes.com/help/?HowDoI.Con ... ccess.html.

Related questions

0 votes
1 answer

When viewing a group under "My managed objects" I can't see members of a group that are disabled. Is there a way to enable seeing disabled users? In the Administrators web interface I can see all the users properly (enabled and disabled).

asked Apr 21, 2021 by atnorman (120 points)
0 votes
1 answer

Hi Support, We are looking into a way for providing the security group owners in AD to manage the group memberships in Adaxes via self service portal. I did see a ... to manage group membership in Adaxes self service portal. Any help with this is appreciated.

asked Sep 9 by Vish539 (460 points)
0 votes
0 answers

Hi all Primary objective is to manage cloud only group membership but in a future include cloud only accounts. I've registered a Azure domain which is managed by ... /www.adaxes.com/questions/12293/add-to-365-group-automation-for-new-account-creations Thanks

asked May 31 by MinorDruid (20 points)
0 votes
1 answer

Hello, I need to grant the right for a user to manage only one group. This group is "Domain local" so it is possible to add members from other trusted forests. The ... he belong to. How to tell Adaxes to look for users in all registered domains ? Thanks.

asked Feb 4, 2022 by zemitch (200 points)
0 votes
1 answer

Hi , I am hope only manager can list and edit the group. When I user "Add or remove group members". It will list All Group. I am use the AD group set by "Managed By ... see the groups he has permission to edit. Is there any way to achieve the result I need?

asked May 7, 2020 by will.chc.join (90 points)
3,552 questions
3,242 answers
8,243 comments
547,829 users