How to allow OU Owners to modify the members of their groups?

Question

I'd like to implement an architecture whereby all Domain Users can request membership in any domain security group. I'd also like to allow the OU Owners to have the ability to remove users from the security groups that fall within their respective OUs but nowhere else.

How would I grant permissions (and expose this feature to the end users) for the OU Owners to remove users from their groups without granting them the ability to remove users from all security groups?

Comments

Hello,

To be able to request membership in a group, a user must have the permissions to add or remove members of that group. These permissions can’t be granted separately. In your case, you need to create a Business Unit that will contain all security groups except built-in groups (e.g. Administrators) and a Security Role assigned over this Business Unit, that will allow members of the Domain Users group to modify the Member property of Group objects.

Then, you will need to set up an approval step. A Business Rule that triggers Before adding a member to a group and sends the operation for approval to the Owner of the target group's OU should be used for this purpose. Also, this Business Rule should have a If the initiator is not %member% condition that will check whether a user is requesting membership for someone else, and will cancel the operation if they are. Optionally, you can make an exclusion for OU owners and allow them adding other members by their own initiative. The Business Rule should be assigned over the same Business Unit (the one which contains all security groups).

To prevent users from removing group members they are not authorized to remove, you need another Business Rule that triggers Before removing a member from a group. This rule will have a If PowerShell script returns true condition that will check whether the initiator of the Remove member operation is the owner of the OU where the group is located, and cancel the operation if they aren’t.

To expose the feature, you need to add the Add to group action to the Web Interface for end users and select Always perform for the current user in the Member Selection section, so that users will be able to request membership only for themselves.

It is highly recommended to use two separate Web Interfaces for end users and for OU owners. This way you will be able to disable all Web Interface elements that allow adding or removing group members and leave only the dedicated Add to group action for simplicity. To be specific, you can hide the Add members operation and customize forms for viewing and editing groups to hide Add and Remove buttons in the Members section.

If the same Web Interface is used, hiding the operation and the buttons for end users will also hide them for OU owners. It is not necessary to hide them though, as the logic of who can add/remove members is controlled by Business Rules.

If you need further guidance on how to implement this architecture, please, describe the desired workflow and permissions in all the possible details.

There is also an alternative approach, which is more complicated and requires an additional Scheduled Task, a Custom Command, a dynamic Business Unit and a PowerShell script. The only benefit of this approach is that it will be easier to hide elements of the Web Interface if you plan on using the same interface for end users and OU owners.

---

Hello,

Thank you for the helpful response. Do you have an example of a powershell script condition I could use to check whether the initiating user is a member of the OU owner group?

Thanks!

---

Hello,

Do we understand you correctly, that you need a script that will check whether the initiator of the Remove member operation is the owner of the OU where the target group is located? If this is the case, you can check out this script from our repository. It should be used in the If PowerShell script returns true condition of the Business Rule triggering Before removing a member from a group.

The script will return True if the initiator is not the OU owner. Please note, that the script will also return True and cancel the operation if the OU where the group is located has no owner. It will be impossible to remove members from this group until an owner is assigned to its OU.

The Business Rule itself should look like this:

---

Thank you! Yes, this is exactly what I was looking for. Appreciate your help!

---

One final question. Is it possible to restrict the groups that these OU owners can see from their dashoard? I'd like to only present them with the security groups which they are the OU owners for. Ideally i'd like to implement something like the following LDAP filter string:

Is something like this possible using LDAP filters?

---

We noticed that you have asked a question about how to assign an OU owner as the owner of all groups under this OU.

If you are going to implement this, you will be able to use this LDAP filter in your Web Interface action: (managedBy=%adm-InitiatorDN%).

However, it will work only if the initiating user has direct ownership over groups, i.e. this user is explicitly specified in the managedBy attribute of a group.

---

Great thank you for clarifying. Are there any plans to add the ability for the 'managedBy' flag to work with AD Groups and their corresponding group members as well?

---

Hello,

Unfortunately, there are no such plans at the moment. As a workaround, you can create a Scheduled Task which will run this script, and assign the task over OU owners or all users. The script will periodically check which objects are managed by a user, build an LDAP filter for these objects, and save the filter in the specified attribute of a user, for example CustomAttributeText1.

You will then be able to use a value reference to retrieve the LDAP filter for group selection in your Web Interface action: The filter will be different for each logged on user and will include all objects managed by the user (both, directly and via group membership). Please note, that you need to use %adm-CustomAttributeText1% and not (managedBy=%adm-CustomAttributeText1%), as the attribute will contain the entire filter.