Adaxes

Self Service - join Group Permission Question

0 votes

Hi Forum,

We want to implement an Approval Process for joining a Group within Self Service.

1. Create a new Action in Webinterface processed on the current User
2. Filter displayed groups

Business Rule:
1. Before Adding a Member to a Group
Send for Approval

With that we wan't to delegate the process of requesting rights to the manager of the group without invoking the Helpdesk.

But this means we need to grant all our Users write permissions on the Groups. So the user is able to modify all the groups within Self Service.
We tried to give the User the permission in the Business Rule - but the rule won't be triggered because the user doesn't have the permission.

Is there a way to get this running?

Thanks & cheers

by (650 points)

1 Answer

0 votes
by (216k points)
selected by
Best answer

Hello,

In this case, we recommend using a Custom Command, and not a Business Rule. To implement what you want, you'll need to create a Custom Command that will be executed on Groups (not users). The command will add the user who launched it to the AD group on which the command is executed. Also, it will send this operation for approval to the group owner (the user or group specified in the Managed By attribute of the group). An advantage of using a Custom Command is that a user doesn't need permissions for all the actions that the Custom Command performs. The only permission a user needs is the permission to execute the Custom Command itself.

Additionally, you will need to distribute the permissions to execute the Custom Command among users, and also configure an action that allows to launch the Custom Command from the Web interface for self-service.

To implement such a solution:

I. Create Custom Command for self-adding to AD groups

To create a Custom Command that will add the user who launches it to the group on which it is launched:

  1. Create a new Custom Command.
  2. On step 2 of the Create Custom Command wizard, select the Group object type.
  3. On step 3, add the Update the Group action and click Add.
  4. Select Member.
  5. Click the Browse button embedded in the New value field.
  6. Activate the Template tab.
  7. Specify %adm-InitiatorDN%. It is a value reference that will be replaced with the Distinguished Name (DN) of the operation initiator, that is, the user who launches the Custom Command.
  8. Click OK 2 times.
  9. Select Get approval for this action.
  10. Select Owner of the target group.
  11. Enter a short description for the script and click OK.
  12. Finish creation of the Custom Command.

II. Distribute permissions to run the Custom Command

To distribute permissions to run the Custom Command that you've created on step I., you'll need to create a Security Role as follows:

  1. Create a new Security Role.
  2. On step 2 of the Create Security Role wizard, click Add.
  3. Select the Group object type.
  4. In the General permissions section, select Execute 'My Custom Command', where My Custom Command is the name of the Custom Command that you've created on step 1.
  5. Click OK, and then Next.
  6. On step 3 of the wizard, you need to specify who will be able to run the Custom Command and on which groups they will be able to execute it. For information on how to assign your Security Role, see steps 5 and 6 in the following tutorial: http://www.adaxes.com/tutorials_Delegat ... ership.htm.
  7. When done, click Finish.

III. Create an action to launch the Custom Command in the Web interface

For information on how to create an action that allows running the Custom Command in the Web interface, see Custom Command. In Step 3, you will find information on how to filter the groups that will be displayed when running the action.

Related questions

0 votes
1 answer
Self Service - Join a Group - Workflow does not initate

Hi all I want to create a workflow on the Self Service portal. The choice is the default Join a group or possibly a new action. A normal user should be able to ... by" of the group has the permission (Write membership) as described in the guide. Micael

asked Jan 21, 2019 by ecit (100 points)
0 votes
1 answer
Question on self service client tool for mac

Can Self service client tool work on macbooks with local account setup. Our macbooks are managed by Kandji MDM, which have local accounts setup on each machine and not ... will sync local accounts with their AD password on macbooks setup with local accounts.

asked Mar 29, 2023 by Vish539 (460 points)
0 votes
1 answer
Force a question to be answered in password self service

Hi Team, We would like to use security based questions and answers for password resets. I have found that we can force a user to answer certain questions when enrolling, but if ... . Is there a way to ensure that a question must be answered each time? Thanks,

asked May 19, 2020 by antondubek (440 points)
0 votes
0 answers
Self Service Password Reset Question

All, This may be somewhat of a generic question, but I've looked through a majority of the Self Service Password reset documentation and can't really find a definitive answer. ... the "PssEnroll.aspx" page and all I can do is answer my questions once again.

asked Sep 7, 2017 by Ben.Burrell (490 points)
0 votes
1 answer
Self Service Question

Hi, Is there a way to trigger the execution of a script when a user requests a password reset? Thanks!

asked Apr 19, 2017 by BradG (950 points)
3,541 questions
3,232 answers
8,225 comments
547,802 users