SelfService Manage Group

Question

Hello,

we would like to implement self service for group management but in a different way.
Currently an user is able to select a group, an approval is required and the user is added to the group or not.
But there are 3 difficulties:
- the large number of groups (about 1200)
- the names of the groups (the user don't know how to search)
- IT internal groups are in the same OU with the same naming structure

Therefore our idea was only the owner of a target group is allowed to use the self service and add a member to one of the assigend groups.
Is there any way to realize that?

Many thanks.

Answer 1

Hello Horst,

Yes, it is possible. The solution will include a group, a Scheduled Task and a Home Page action. The group will include only users that manage groups. The task will add/remove members from the managers group. The Home Page Action will allow managers to add new members only to groups they manage.

Also, you will need to allow access to the Self-Service Web interface only for members of the managers group.

For information on how to create the group, have a look at the following help article: https://www.adaxes.com/help/?HowDoI.Man ... Group.html.

For information on how to allow access to the Self-Service Web interface only for members of the new group, have a look at the following help article: https://www.adaxes.com/help/?HowDoI.Con ... ccess.html.

i. Creating the Scheduled Task

1. Launch Adaxes Administration Console.

2. Right-click your Adaxes service node, navigate to New and click Scheduled Task.
   

3. On step 3 of the Create Scheduled Task wizard, select User Object type and click Next.
   

4. Click Add Action.

5. Select Run a program or PowerShell script.

6. Paste the script below into the Script field.

     $groupManagersDN = "CN=Managers,OU=Groups,DC=domain,DC=com" # TODO: modify me
   
    function SearchObjects($filter)
    {
        $domain = $Context.GetObjectDomain("%distinguishedName%")
        $searcher = $Context.BindToObject("Adaxes://$domain")
        $searcher.SearchFilter = $filter
        $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
        $searcher.PageSize = 500
   
        try
        {
            $searchResultIterator = $searcher.ExecuteSearch()
            $searchResults = $searchResultIterator.FetchAll()
   
            return ,$searchResults
        }
        finally
        {
            # Release resources
            if ($searchResultIterator){ $searchResultIterator.Dispose() }
        }
    }
   
    function UpdateGroupMembership($groupDN, $operation)
    {
        $group = $Context.BindToObjectByDN($groupManagersDN)
        switch ($operation)
        {
            "Add"
            {
                if (!($group.IsMember($Context.TargetObject.AdsPath)))
                {
                    $group.Add($Context.TargetObject.AdsPath)
                }
            }
   
            "Remove"
            {
                if ($group.IsMember($Context.TargetObject.AdsPath))
                {
                    $group.Remove($Context.TargetObject.AdsPath)
                }
            }
        }
    }
   
    # Get managed objects
    try
    {
        $managedObjects = $Context.TargetObject.GetEx("managedObjects")
    }
    catch
    {
        UpdateGroupMembership $groupManagersDN "Remove"
        return
    }
   
    # Check managed objects
    $filter = New-Object "System.Text.StringBuilder"
    [void]$filter.Append("(&(objectCategory=group)(|")
    foreach ($dn in $managedObjects)
    {
        [void]$filter.Append([Softerra.Adaxes.Ldap.FilterBuilder]::Create("distinguishedName", $dn))
    }
    [void]$filter.Append("))")
    $searchResults = SearchObjects $filter.ToString()
   
    if ($searchResults.Length -eq 0)
    {
        UpdateGroupMembership $groupManagersDN "Remove"
    }
    else
    {
        UpdateGroupMembership $groupManagersDN "Add"
    }

7. Enter a short description and click OK.
   

8. Click Next and finish creating the Scheduled Task.

ii. Creating the Home Page Action

1. Launch Adaxes Web Interface Customization Tool.
2. Select the interface type and click Configure Home Page Actions on the General tab.
   
3. Click Add and select the Add to Group action.
4. On step 2 of the wizard, define the conditions for selecting users to be added to the groups and click Next.
5. Select Allow selecting only AD objects that match the specific LDAP filter.
6. Enter the following into the LDAP filter field:
   (&(objectCategory=group)(managedBy=%distinguishedName%))
   
7. Click Finish.

Comments

Hello,

many thanks - good idea.
Just a quick question.
I would like to remove the possibility to search and to define the columns to display.
Is there a way to do this?

Regards,
Horst

---

Hello Horst,

I would like to remove the possibility to search

There is no possibility to remove the search bar from the Home Page Action steps. However, you can limit the search with a single container. In your case, we recommend applying the limitation only for the new members selection step. If you limit the groups selection with a specific container, the action will allow selecting groups owned by the initiator only in the container. To apply the limitation:

1. Launch Adaxes Web Interface Customization Tool.
2. Select the interface type and click Configure Home Page Actions on the General tab.
   
3. Double-click the Home Page Action.
4. Activate the Target Object Selection tab.
5. Select Allow selecting only AD objects located under a specific OU or container.
6. In the Container DN field, specify the distinguished name of the required container.
   
7. Click OK twice.

to define the columns to display

There is no such possibility. However, you can configure the columns displayed by default. For details, have a look at the following tutorial: https://www.adaxes.com/tutorials_WebInt ... tLists.htm.

---

Ok, understood. I'll test this.

A question of understanding.
I tried to remove the "Look / Browse" feature. I thought I can do this with unclear the checkboxes in the Navigation Bar.
But it seems I missunderstood this feature. :(

---

Hello Horst,

The option you reference affects only the Browse button on the Navigation Bar.

It does not affect Home Page Actions.

---

Hello,

I implemented your adivce and it works perfectly :D :D :D .
Just a last question: would it be possible to use the security group "Owner (managed by)" for this?
First in the access control and second in the security roles?

Best regards,
Horst

---

Hello Horst,

Could you provide all the possible details on what exactly you want to achieve?

---

Sure.
The Access Control tab offers the possibility to define AD groups for "Allow sepecific users and groups only:".
And I would like to use the predefined group "Owner (managed by)" for this, but without any clue how do record this.
With quoutes, without quotes, ...

---

Hello Horst,

Thank you for clarifying. You need to enter the group in the following format: DOMAIN/group. For example:

For more details on how to allow/deny access to Adaxes Web interface, have a look at the following help article: https://www.adaxes.com/help/?HowDoI.Con ... ccess.html.