0 votes

Hi

How do I design one or more Security Roles to meet the following criteria:

A user can only be added to a group within a given scope when:

1 - The user requests membership to a given group for himself.
- or -
2 - A user that is a member of (for example) "All user managers" requests membership to a given group for another user.

Actually #2 is working, but I cannot get the "self" to work without giving the user rights to add other users to groups too :?
Membership may require approval by the group manager, but that workflow is working too.

- Thanks

by (2.6k points)

1 Answer

0 votes
by (270k points)
Best answer

Hello,

The user requests membership to a given group for himself.

To achieve this, you will need to do the following:

  • Grant users rights to modify the Member property of the required groups
  • Create a Business Rule that will trigger Before Adding a member to a Group and cancel the operation if the initiator is trying to add another account to the group rather than their own one.

To create the Business Rule:

  1. Launch Adaxes Administration Console.
  2. Right-click your Adaxes service node, navigate to New and click Business Rule.
  3. On step 2 of the Create Business Rule wizard select Group object type.
  4. Select Before Adding a member to a Group and click Next.
  5. Click Add Action and select Cancel this operation.
  6. Enter an optional reason for cancelling and click OK.
  7. Double-click Always and select If the initiator is a member of <Group>.
  8. Select is not and click Select Group.
  9. Select the group and click OK twice.
  10. Right-click the action you have created and click Add Condition.
  11. Select If the initiator is <User>, select is not and click Select User.
  12. Activate the Template tab, enter %member% into the Template field and click OK twice.
  13. Click Next and finish creating the Business Rule.
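The decision the Business Rule above ends up making (cancel only when the initiator is neither a member of the managers group nor the account being added) modelled as plain code, to check the outcome for each combination of initiator and member. This is an added example, not part of the original answer and not Adaxes code; the group name, DNs and directory contents are constructed, and it assumes membership in the managers group is evaluated transitively through nested groups.

```python
# Constructed sample directory (not from the original post): group DN -> set of member DNs.
MANAGERS_GROUP = "CN=All user managers,OU=Groups,DC=example,DC=com"
HELPDESK_GROUP = "CN=Helpdesk,OU=Groups,DC=example,DC=com"

DIRECTORY = {
    MANAGERS_GROUP: {
        "CN=Alice,OU=Users,DC=example,DC=com",
        HELPDESK_GROUP,                          # nested group inside the managers group
    },
    HELPDESK_GROUP: {
        "CN=Bob,OU=Users,DC=example,DC=com",
    },
}


def norm(dn):
    """DNs compare case-insensitively; normalise spacing and case before comparing."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def is_member(user_dn, group_dn, directory, seen=None):
    """Transitive membership check: follows nested groups and guards against cycles."""
    seen = set() if seen is None else seen
    if norm(group_dn) in seen:
        return False
    seen.add(norm(group_dn))
    for member in directory.get(group_dn, ()):
        if norm(member) == norm(user_dn):
            return True
        if member in directory and is_member(user_dn, member, directory, seen):
            return True
    return False


def should_cancel(initiator_dn, member_dn, directory=DIRECTORY):
    """Mirror of the rule's two conditions: cancel the add only when the initiator is
    NOT in the managers group AND is NOT the account being added (%member%)."""
    is_manager = is_member(initiator_dn, MANAGERS_GROUP, directory)
    is_self = norm(initiator_dn) == norm(member_dn)
    return not is_manager and not is_self
```

Any combination not explicitly allowed (manager, or self) is cancelled, so the rule fails closed if a new kind of initiator appears.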
