0 votes

Hi,

We have a scenario where an AD Group (Global Security) is the approver for an approval request.

The group members receive the email alert (via a Distribution List group email assigned to the Group) but, when they log on to the web UI \ use the Adaxes console, the approval request isn't in their queue (if clicking from the email alert they do not have the right to select the 'Approve' button).

When I log on to the console as a service admin and 'View All Approvers' for the approval ticket, the correct group is set as the approver, and the group contains the user objects that should be able to, but can't, see the ticket in their queue?

Rgds

by (1.6k points)
0

Hello,

To help us troubleshoot the issue, can you explain the following quote in a bit more detail as we don't quite get the idea:

The group members receive the email alert (via a Distribution List group email assigned to the Group)

0

Hi,

The 'Managed-By' attribute of the computer object is populated with a "Global Security Group" type AD group - "Acme Security Team".

We hoped that all members of this group would get an email alert when an approval was triggered, but none were sent, so added an email address to the group - "security@acme.com".

This address is for a Distribution Group, which has the same membership (but we cannot use as the approving group directly, as AD won't let us use a DL group for this attribute).

Rgds

0

Just to be clear...

The approval request is being generated because we have set 'Owner\Manager of this computer' as the approver for a change, and have set the Security Group in the computer 'ManagedBy' attribute.

I have also tried manually setting the same group as the approver for the task and we get the same result.

Rgds

0

Hi,

Bit more testing.

If I use the Distribution Group as the approver directly then members of the group receive the approval emails and can approve the resultant ticket. The problem therefore seems to be that Security Groups cannot be used as a target for approvers.

As we are using the ManagedBy attribute as the target in this instance, and it won't allow Distribution groups for this value, this appears to be the issue.

I can work round it by grouping the computers\servers into groups based on their 'owners', then have a branching ("if computer is a member of...") business rule that hardcodes the approval to the appropriate DL, which adds a layer of complexity, but I guess the question is the current behaviour by design, a bug, or an oversight (or have I missed a trick somewhere).

Rgds

1 Answer

0 votes
by (216k points)

Hello,

The thing is that currently only persons are supported as owners/managers of AD objects in Approval Requests. So, in other words, if a group is directly added as an approver, this will work. However, if a group is added as an approver with the help of the Manager of the target object is Approver / Owner of the target object is Approver options, this won't work.

We were planning to add this functionality later, but since you require the functionality right now, we'll try hard to include the support for this in Adaxes 2013.2 to be available in late September.

By the way, a side note to this. If you specify an AD group as an approver, you don't need to use an additional Distribution List or whatever to send Approval Request notifications to all members of the group. Whenever Adaxes needs to send notifications to approvers, and one of the approvers is a group, Adaxes sends a notification to each member of that group separately. So, all members of a group that have e-mail addresses specified in AD will get a notification anyway.

0

Good news, thanks.

And yes you are right that the groups are 'split' into individual members when it has been added directly as an approver, rather than via an 'Owner' lookup.

As an aside from my side, will 2013.2 include the 'approve by email' capability that I believe you mentioned was going to be supported in a future release?

Many Thanks

0

The feature is in our TODO list, but we haven't made any detailed planning yet. It will be available in the future, but not in the nearest releases.

0

Hello,

Yesterday, we released Adaxes 2013.2. Starting from that release, if a request is submitted for approval to the owner or manager of an object, and the owner/manager is a group, members of the group are recognized as approvers and are able to approve or deny the request. You can download Adaxes 2013.2 here.

Upgrade Instructions.

For a complete list of new features and improvements, see What's New.
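
An added example, not part of the thread and not Adaxes code: since a group in a computer's ManagedBy attribute makes every member of that group an approver, this PowerShell sketch lists who those people are and whether each has a mail address in AD for notifications. It uses the standard ActiveDirectory module; the function name, the OU path and the choice to expand nested groups are assumptions.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

function Get-ManagedByGroupApprovers {
    param(
        # Assumption: the caller supplies the OU that holds the computer objects.
        [Parameter(Mandatory)] [string] $SearchBase
    )

    # Only computers that have an owner set at all.
    $computers = Get-ADComputer -LDAPFilter '(managedBy=*)' -SearchBase $SearchBase -Properties ManagedBy

    foreach ($computer in $computers) {
        $owner = Get-ADObject -Identity $computer.ManagedBy
        if ($owner.ObjectClass -ne 'group') { continue }   # owner is a person, nothing to expand

        # -Recursive flattens nested groups. Whether nested members count as
        # approvers is an assumption; remove -Recursive to list direct members only.
        $members = Get-ADGroupMember -Identity $owner.DistinguishedName -Recursive |
            Where-Object { $_.objectClass -eq 'user' }

        foreach ($member in $members) {
            $user = Get-ADUser -Identity $member.DistinguishedName -Properties mail
            [pscustomobject]@{
                Computer   = $computer.Name
                OwnerGroup = $owner.Name
                Approver   = $user.SamAccountName
                Enabled    = $user.Enabled
                Mail       = $user.mail
                HasMail    = [bool]$user.mail   # no mail attribute means no e-mail notification
            }
        }
    }
}

# Constructed placeholder OU; replace with the real container.
Get-ManagedByGroupApprovers -SearchBase 'OU=Servers,DC=acme,DC=com' |
    Sort-Object Computer, Approver |
    Format-Table -AutoSize
```

Rows with `HasMail` false are approvers who will not be e-mailed, and rows with `Enabled` false are disabled accounts that still sit in an approving group.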
