Grant rights to modify group membership

To add and remove group members, a user must have the permission to modify the Member property of the group object. The permissions to modify properties of directory objects, like any other permissions in Adaxes, are granted with the help of security roles.

Permissions granted by security roles are effective only within Adaxes.

In this tutorial, you will learn how to:

Grant rights to add or remove group members

  1. Launch Adaxes Administration console.

     How {id=collapse1}
    • On the computer where Adaxes Administration console is installed, open Windows Start menu.

    • Click Adaxes Administration Console.

  2. Right-click your Adaxes service, point to New and click Security Role.

  3. Enter a name for the new security role and click Next.

  4. On the Permissions step, click Add.

  5. In the list of object types on the left, select Group.

    In the Property-specific permissions section, select the Write Member Property permission in the Allow column.

     Optionally, add the Read permission {id=optionally_add_read_permission .my-7}

    It is a good practice to add the Read permission to all security roles. It will ensure that users have the right to view the objects they manage. By default, the rights to view directory objects are granted by built-in security role Domain user. It is recommended to add the Read permission because the default rights can be changed.

    Click OK.

  6. Click Next.

  7. On the Assignments step, click Add.

  8. Select the users and groups to assign the permissions to.

    Owner (Managed By)

    The Owner (Managed By) security principal can be used to assign permissions to group owners.

    When a user becomes an owner of a particular group, they immediately gain the permissions over that group. If a user loses ownership of a group, their permissions are instantly revoked.

    Although non-security groups can be specified as object owners, they will not benefit from permissions granted to Owner (Managed By).

    If a group has multiple owners, a security role assigned to Owner (Managed By) will grant equal permissions to all of them. For more details, see Object owners.

    When done, click Next.

  9. Select the groups which you want to assign the permissions over.

    Select from the following items:

    • All Objects – select to allow managing all groups in all domains managed by Adaxes.

    • Domain – select to allow managing all groups within a specific domain.

    • OU or Container – select to allow managing only the groups located in an organizational unit or container.

    • Group – select to allow managing only the groups that are members of a specific group.

    • Business Unit – select to allow managing only the groups that are members of a business unit. To select a business unit, open the Look in drop-down list and select the Business Units item.

    You can exclude specific groups, organizational units, members of groups and business units from the assignment scope. For example, if you assign the security role over all groups in a domain, but do not want users to manage the groups located in a specific organizational unit, you can exclude the organizational unit from
    the scope. To exclude an object, select the Exclude the selection option in the Assignment Options dialog box.

     Step by step {id=exclude_scope}
    • Click the object you want to exclude.

    • In the Assignment Options dialog, select the Exclude the selection option.

    • Click OK.

    Click Finish to complete the Assign Role wizard.

  10. Click Finish to complete the Create security role wizard.

Control group members

The Allow Write 'Member' Property permission allows adding and removing any member from a group. To control which objects can be members of which groups, you need to create a business rule that will be triggered before a new member is added or removed from a group. The rule will cancel the operation if certain conditions are met.

  1. Launch Adaxes Administration console.

     How {id=collapse2}
    • On the computer where Adaxes Administration console is installed, open Windows Start menu.

    • Click Adaxes Administration Console.

  2. Right-click your Adaxes service, point to New and click Business Rule.

  3. Enter a name for the new business rule and click Next.

  4. To trigger the business rule before a new member is added or removed from a group:

    • In the Object Type list, select Group.

    • Select Before adding or removing a member from a group.

    Click Next.

  5. Click Add an action.

  6. Select Cancel this operation.

    In the Action Parameters section, enter a reason and click OK.

  7. To cancel the operation only if certain conditions are met, right-click the action and then click Add Condition.

    Example 1 – If the new member is not the initiator.

     Step by step {id=step_by_step_condition1}
    • Select the If the member is <specific object> condition.

    • In the Condition Parameters section, select is not in the drop-down list, and click the button.

    • Activate the Template tab.

      In the Template field, enter %initiator%.

      Value reference %initiator% will be replaced with the distinguished name (DN) of the user who is adding/removing a group member.

    • Click OK.

    Example 2 – If the initiator and the group are not in the same organizational unit.

     Step by step {id=step_by_step_condition2}
    • Select the If located under <location> condition.

    • In the Condition Parameters section, select is not in the drop-down list, and click the button.

    • Activate the Template tab.

      In the Template field, enter %adm-InitiatorParentDN%.

      Value reference %adm-InitiatorParentDN% will be replaced with the distinguished name (DN) of the organizational unit where the account of the initiator is located.

    • Click OK.

    Example 3 – If the Job Title property of the member contains the word Manager.

     Step by step {id=step_by_step_condition3}
    • Select the If <property of the member> <relation> <value> condition.

    • In the Condition Parameters section, specify Job Title - contains - Manager.

    • Click OK.

    Example 4 – If the member's manager is not a member of the group.

     Step by step { #step_by_step_condition4}
    • Select the If PowerShell script returns true condition.

    • In the Condition Parameters section, click the Edit button.

    • Use the following script to check the membership of the new member's manager:

      $Context.ConditionIsMet = $true
      $member = $Context.BindToObject("Adaxes://%member%")
      
      $managerDN = $member.GetPropertyValue("manager")
      $members = $Context.TargetObject.GetPropertyValues("member")
      if (-not $members -or -not $managerDN)
      {
          return # User has no manager or target group has no members.
      }
      $Context.ConditionIsMet = $members -notcontains $managerDN
      

      For information on how to create scripts for business rules, see Server-side scripting.

    • Click OK twice.

    When done, click Next.

  8. On the Activity Scope step, click Add.

  9. In the dialog that opens, select from the following items:

    • All Objects – select to execute the business rule for all groups in all domains managed by Adaxes.

    • Domain – select to execute the business rule for all groups within a specific domain.

    • OU or Container – select to execute the business rule for the groups located in an organizational unit or container.

    • Group – select to execute the business rule for the groups that are members of a specific group.

    • Business unit – select to execute the business rule for the groups that are members of a business unit. To select a business unit, open the Look in drop-down list and select the Business Units item.

    You can exclude specific groups, organizational units, business units and domains from the activity scope of the business rule. For example, if you've assigned the business rule over all groups in a domain, but do not want it to trigger for the groups located in a specific organizational unit, you can exclude the Organizational
    Unit from the activity scope. To exclude an object, select the Exclude the selection option in the Assignment Options dialog box.

     Step by step {id=exclude_scope_rule}
    • Click the object you want to exclude.

    • In the Assignment Options dialog, select the Exclude the selection option.

    • Click OK.

  10. Click OK and then click Finish.

Approvals

For information on how to request approval when members are added or removed from groups, see Request approval for adding members to groups.

Permissions for rule-based groups

Rule-based groups behave differently from groups with assigned membership. You can't directly add or remove members from a rule-based group, and the permission to modify the Member property will have no effect. To be able to manage rule-based groups, users must have other permissions.

Rule-based groups should not be confused with Microsoft Entra dynamic groups. Rule-based groups are an Adaxes feature, while dynamic groups are native to Microsoft Entra ID.

The first option is to grant the general permission to manage rule-based groups. It includes the rights to perform the following operations:

  • Modify membership rules

  • Modify membership update schedule

  • Trigger membership update manually

Alternatively, you can be more specific and grant the rights to perform a certain operation only.

General permission

To grant the general rights to manage rule-based groups, add the Write Rule-Based Membership permission to your security role.

 Step by step {id=rights_dynamic_groups}
  1. Launch Adaxes Administration console.

     How {id=collapse1}
    • On the computer where Adaxes Administration console is installed, open Windows Start menu.

    • Click Adaxes Administration Console.

  2. Expand Adaxes service \ Configuration \ Security Roles and select the security role you want to modify.

  3. In the Permissions section on the right, click Add.

  4. In the list of object types on the left, select Group.

  5. In the General permissions section, select the Write Rule-Based Membership permission in the Allow column.

  6. Click OK.

  7. Click Save changes.

Specific permissions

If you want to delegate the rights to perform a certain operation only, you need to assign property-specific permissions. Add the permission to modify the property that corresponds to the operation you want to delegate.

Operation Permission
Modify membership rules Write 'Membership Rules' Property
Modify membership update schedule Write 'Membership Update Schedule' Property
Trigger membership update manually Write 'Update Membership Now' Property

For example, to grant the rights to modify only the membership rules, add the Write Membership Rules Property permission to your security role.

 Step by step {id=rights_membership_rules}
  1. Launch Adaxes Administration console.

     How {id=collapse3}
    • On the computer where Adaxes Administration console is installed, open Windows Start menu.

    • Click Adaxes Administration Console.

  2. Expand Adaxes service \ Configuration \ Security Roles and select the security role you want to modify.

  3. In the Permissions section on the right, click Add.

  4. In the list of object types on the left, select Group.

  5. In the Property-specific permissions section, select the Write Membership Rules Property permission in the Allow column.

  6. Click OK.

  7. Click Save changes.

Finally, the rights to change group membership type from Assigned to Rule-based and back can be granted in a similar fashion. Add the Write Membership Type Property permission to your security role.

How to manage rule-based groups

For details on how to configure and manage rule-based groups, see Automate group membership management.