Automate group membership management

You can configure Adaxes to automatically add and remove users from groups based on certain criteria. There are two ways to automatically maintain group membership in Adaxes – centralized automation and rule-based groups.

With the centralized approach, the membership logic of multiple groups can be managed from one place. You can create a set of conditions that will determine whether an object should be added or removed from a group. Adaxes will check the conditions periodically or after certain events in the directory (e.g. updating a user), and will add or remove objects from groups accordingly.

With rule-based groups, the membership logic for each group is configured independently, and the membership of each group is updated based on its schedule. Another important distinction is that members of rule-based groups can't be added or removed manually.

It is possible to use both approaches in any scenario. However, some cases are better handled with centralized automation, while others – with rule-based groups. For example, if the membership logic for different groups is somehow connected or even mutually exclusive, centralized automation might be more convenient. On the other hand, if the membership logic for multiple groups is totally unrelated, using rule-based groups might be more appropriate.

In this tutorial, you will learn how to apply centralized automation and rule-based groups to automatically maintain group membership of users based on their department.

Centralized automation

To manage group membership centrally, create a custom command with all the necessary actions and conditions, and then execute the command in business rules and scheduled tasks. Business rules will trigger group membership changes immediately after certain events in the directory (e.g. updating a user), whereas scheduled tasks can be used to verify and correct group membership on a periodic basis.

To create a custom command that will add and remove users from groups based on their department:

  1. Launch Adaxes Administration console.

     How
    • On the computer where Adaxes Administration console is installed, open Windows Start menu.

    • Click Adaxes Administration Console.

  2. Right-click your Adaxes service, point to New and click Custom Command.

  3. Enter a name for the new custom command.

  4. Since the command will be executed by business rules and scheduled tasks only, clear the Enabled checkbox. Disabled commands are not displayed in the user interface but can still be used for automation purposes.

    Click Next.

  5. On the Object Type step, select User.

  6. Click Next twice.

  7. On the Actions step, click Add an action.

  8. Select the Add the user to a group action.

    In the Action Parameters section, select the group that corresponds to one of the departments.

    Click OK.

    Approvals

    Actions executed by business rules can be submitted for approval. For example, you may want a user to be added to a group only after an approval is granted by one of the group owners or by the user's manager.

     How
    • Right-click the action for which you want an approval to be requested.

    • Click Edit Action in the context menu.

    • In the Edit Action dialog, enable the Get approval for this action checkbox.

    • Specify the approvers and click OK.

    For information on how to request approval for operations that can be performed both manually and automatically, see Request approval for adding members to groups.

  9. Right-click the added action, and then click Add Condition in the context menu.

  10. Select the If <property> <relation> <value> condition.

    In the Condition Parameters section, specify Department - equals - <department name>.

    Click OK.

  11. Right-click the condition/action block, and then click Add Else in the context menu.

  12. Right-click Do nothing, and then click Add Action in the context menu.

  13. Add the Remove the user from a group action for the same group.

  14. Right-click the If block, and then click Copy in the context menu. To copy the whole block, make sure no actions and conditions are selected.

  15. Right-click outside the block, and then click Paste in the context menu.

  16. Double-click both actions and the condition and configure them for another department.

    Repeat the steps above for each department.

    Using Scripts

    If there are too many departments or the rules for group membership are too complicated, the custom command may become bulky and hard to manage. In this case, instead of adding many actions and conditions, you can use a PowerShell script, or switch to rule-based groups instead of the centralized approach. For details on how to use PowerShell to add and remove users from groups, see Change group membership using scripts.

  17. When done, click Next.

  18. On the Permissions page, click Finish.

  19. Add the custom command to a business rule or scheduled task.

    • Select a business rule or scheduled task that will execute the custom command.

      To execute the custom command after a new user account is created, you can use a built-in business rule, After user creation. For details on how to configure and activate the rule, see Automate user provisioning.

      For instructions on how to create a scheduled task, see Schedule tasks for directory management.

    • Click Add new action set.

    • Right-click Do nothing, and then click Add Action in the context menu.

    • In the Add Action dialog, select Execute a Custom Command.

    • In the Action Parameters section, select the custom command.


    • Click OK.

    • If the custom command is executed in a business rule triggered after updating a user, add the If the Department property has changed condition.

    • Add the custom command to other business rules and scheduled tasks.


To make the Department property required and allow users to select a department from a drop-down list, you can use property patterns.

For details, see Make an input field a drop-down list.
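The Using Scripts note in step 16 above mentions replacing a long chain of actions and conditions with a PowerShell script. The script below is an added example of what such a script could look like; it is not from the Adaxes documentation or the Adaxes script repository. It assumes it runs inside an Adaxes custom command or business rule, so that $Context.TargetObject is the user being processed and $Context.BindToObjectByDN and $Context.LogMessage are available; the department names and group DNs in the table are constructed placeholders.

```powershell
# Added example (not Adaxes' own code): keep a user's department group in sync.
# Assumptions: runs inside an Adaxes custom command or business rule, so
# $Context.TargetObject is the user and $Context.BindToObjectByDN / $Context.LogMessage
# exist. Department names and group DNs below are constructed placeholders.

# Department name -> DN of the group that should hold that department's users.
$departmentGroups = @{
    "Sales"       = "CN=Sales Staff,OU=Groups,DC=example,DC=com"
    "Engineering" = "CN=Engineering Staff,OU=Groups,DC=example,DC=com"
    "Finance"     = "CN=Finance Staff,OU=Groups,DC=example,DC=com"
}

$user     = $Context.TargetObject
$userPath = $user.AdsPath

# Reading an attribute that is not set throws in ADSI; treat that as "no department".
try   { $department = $user.Get("department") }
catch { $department = "" }

# Each department group is handled like one If/Else block of the custom command:
# add the user when the department matches, remove the user otherwise.
foreach ($entry in $departmentGroups.GetEnumerator()) {
    $group          = $Context.BindToObjectByDN($entry.Value)
    $isMember       = $group.IsMember($userPath)
    $shouldBeMember = ($entry.Key -eq $department)   # -eq on strings is case-insensitive

    if ($shouldBeMember -and -not $isMember) {
        $group.Add($userPath)
        $Context.LogMessage("Added to group for department $($entry.Key)", "Information")
    }
    elseif (-not $shouldBeMember -and $isMember) {
        $group.Remove($userPath)
        $Context.LogMessage("Removed from group for department $($entry.Key)", "Information")
    }
}
```

Because every department group is checked on each run, a user whose Department value changes is moved between groups in a single pass, and a user with no department is removed from all of them. Add and Remove are only called when membership actually has to change, so the Adaxes log is not filled with no-op entries when the script is run on a schedule.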

Rule-based groups

Rule-based groups are configured directly in the Web interface. To automatically manage the membership of a specific group, you need to convert it to rule-based and set up the membership rules.

Rule-based groups should not be confused with Microsoft Entra ID dynamic groups. Rule-based groups are an Adaxes feature, while dynamic groups are native to Microsoft Entra ID.

Here is how to make an existing group rule-based and configure it to include only users from a specific department.

  1. In the Web interface, select a group you want to make rule-based.

  2. In the Membership Type section, click Edit.

    This section might not be present on the group view. There can be two possible reasons:

    • The group is a system group (e.g. Domain Admins). System groups can't be converted to rule-based.

    • The Membership Type section is not enabled in this particular Web interface. In this case, you need to enable it to be able to configure rule-based groups.

       How to enable the Membership Type section
      • Open Adaxes Web interface configurator.

      • In the top left corner, select the Web interface you want to customize.

      • In the left navigation menu, click Management.

      • In the Forms and Views section, select Group from the drop-down list.

      • Activate the View tab and click Add under the Sections list.

      • In the Add Section dialog, select Membership Type and complete the wizard.

      • If necessary, activate the Create or Modify tab and add the Membership Type section to the forms for creating and editing groups.

      • Save the changes.

  3. Change the membership type of your group to Rule-based, and then click Add under the Membership Rules field to add a new rule.

  4. In the Add Rule dialog, select Query results from the drop-down.

  5. To include users with a specific Department property value, for example, Sales, do the following:

    • Click Add criteria and then select User in the drop-down list.

    • Click Add.

    • In the dialog that opens, select Department is Sales.

    • Click OK twice.

    If necessary, you can exclude objects from the group. For example, if you don't want the group to contain users located in the Deprovisioned Users organizational unit, you can add a rule to exclude them.

     Step by step
    • Under the Membership Rules field, click Add.

    • In the Add Rule dialog, select Exclude.

    • Select Objects located in OU or container.

    • In the Location field, select the OU.

    • In the Object types drop-down list, select the object types you want to exclude.

    • Click OK.

    Membership rule priority

    Membership rules have an order of priority. If the same object is supposed to be included in the group by one rule but excluded by another rule, Adaxes uses the priority order to determine what to do with the object.

    Membership rules are always displayed in their priority order, which is:

    • Specific objects – highest priority
    • Group owner (Managed By)
    • Group members
    • Objects located in OU or container
    • Query results – lowest priority

    Rules that exclude objects have priority over rules of the same type that include objects.

    For example, imagine a rule-based group with two membership rules – Exclude group members and Include group members.

    Members of both groups will be excluded because the Exclude rule has higher priority.

    Here's a different scenario – a group with the Include group members and Exclude query results rules.

    In this case, if the user account is disabled but they are a Helpdesk group member, they will be included in the group because the Include group members rule has higher priority.

    The priority order of membership rules can't be changed.

  6. When done, save the changes and repeat the steps above for each department.
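To make the membership rule priority described in step 5 concrete, here is an added PowerShell model of the decision; it is not Adaxes code, and the rule types, their priority order and the rule that Exclude beats Include within a type are taken from this page, while the users and the rules themselves are constructed sample data. It orders a set of rules the way Adaxes displays them and lets the first rule that applies to an object decide, reproducing the second scenario above: a disabled user who is a member of Helpdesk ends up in the group because Include group members outranks Exclude query results.

```powershell
# Added example (not Adaxes code): model of membership rule priority for rule-based groups.
# Rule types in priority order, as listed on this page (index 0 = highest priority).
$typePriority = @(
    "Specific objects",
    "Group owner (Managed By)",
    "Group members",
    "Objects located in OU or container",
    "Query results"
)

function New-MembershipRule {
    param(
        [string]$Type,
        [ValidateSet("Include", "Exclude")][string]$Mode,
        [scriptblock]$Matches   # receives the object, returns $true if the rule applies to it
    )
    [pscustomobject]@{ Type = $Type; Mode = $Mode; Matches = $Matches }
}

function Resolve-Membership {
    param([pscustomobject]$Object, [object[]]$Rules)
    # Order rules as Adaxes displays them: by type priority, Exclude before Include within a type.
    $ordered = $Rules | Sort-Object @{ Expression = { [array]::IndexOf($typePriority, $_.Type) } }, @{ Expression = { if ($_.Mode -eq "Exclude") { 0 } else { 1 } } }
    foreach ($rule in $ordered) {
        if (& $rule.Matches $Object) {
            # The highest-priority rule that applies to the object decides.
            return [pscustomobject]@{
                IsMember  = ($rule.Mode -eq "Include")
                DecidedBy = "$($rule.Mode) $($rule.Type)"
            }
        }
    }
    # No rule applies: the object is not a member.
    [pscustomobject]@{ IsMember = $false; DecidedBy = "no matching rule" }
}

# Constructed sample users (not real directory data).
$users = @(
    [pscustomobject]@{ Name = "alice"; MemberOf = @("Helpdesk"); Disabled = $true  }
    [pscustomobject]@{ Name = "bob";   MemberOf = @();           Disabled = $true  }
    [pscustomobject]@{ Name = "carol"; MemberOf = @();           Disabled = $false }
)

# Second scenario from the page: Include group members (Helpdesk) and
# Exclude query results (disabled accounts). Listed in the "wrong" order on purpose;
# Resolve-Membership sorts them by priority itself.
$rules = @(
    (New-MembershipRule -Type "Query results" -Mode "Exclude" -Matches { param($o) $o.Disabled })
    (New-MembershipRule -Type "Group members" -Mode "Include" -Matches { param($o) $o.MemberOf -contains "Helpdesk" })
)

foreach ($u in $users) {
    $result = Resolve-Membership -Object $u -Rules $rules
    "{0,-6} member={1,-5} decided by: {2}" -f $u.Name, $result.IsMember, $result.DecidedBy
}
```

Swapping the two rules for the first scenario (Exclude group members for one group, Include group members for another) shows the other half of the page's statement: both rules have the same type, so the Exclude rule sorts first and anyone in both groups is left out. The model treats an object matched by no rule as a non-member, which is the only outcome consistent with a group whose membership is defined entirely by its rules.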

You can delegate the rights to configure rule-based groups to users. For details, see Grant rights to modify group membership.
