Group membership management is a task that begs to be automated. How so? It is a recurring task that follows a certain logic, allows no room for error, and takes a lot of time if done manually. Rule-based groups in Adaxes provide you with a straightforward and efficient method to keep group membership in check without spending any time on it whatsoever. They can help you pull away from manual group management and ensure that all objects in your AD are members of correct groups at all times.
How rule-based groups work
To automatically manage the members of a certain group, all you need to do is define its membership rules and how often should its members be updated. From then on, Adaxes will take over the process of adding and removing members, according to the rules that you set.
Membership rules are flexible and allow you to include objects in different ways. For starters, you can make a group include objects located in a certain OU and/or members of other groups.
However, the most powerful tool at your disposal is the ability to include objects based on search criteria. For example, you can include users whose job title contains the word Manager, but only if they are from a specific office and their account is enabled. If needed, these criteria can be infinitely complex, and this is what makes rule-based groups so versatile.
You are not limited in the group choice either. Any group in your Active Directory can become rule-based, but from the AD perspective it will not change — Adaxes will only take control of the membership management process. This means you can use rule-based groups for the same purposes as ordinary security or distribution groups while enjoying the perks of automatic membership management.
Finally, members of rule-based groups can't be added or removed manually via Adaxes. This feature acts as an extra layer of protection against unintentional or inappropriate membership changes. You will always be sure that all members of a rule-based group are there because they fit the membership rules.
Common usage scenarios
You might be wondering whether it is possible to translate the membership logic of groups in your environment into membership rules. The short answer is yes. Membership rules can cover virtually any scenario. Here are the most common ones to get you started.
Users from a specific department
Here is an example of a rule-based group that includes all enabled users from the Marketing department. To achieve the best results, you can make each department group rule-based. If a user switches their department, Adaxes will automatically add them to the correct group and will remove them from the group associated with the previous department.
Managers and supervisors from specific offices
This example shows a more granular application of membership rules. Such a group will include all users in your environment whose job title contains the word Manager or Supervisor, but users from the HQ office will be excluded. On top of that, you can exclude members of a certain group, for example, users who are on vacation.
Recently created users
This rule-based group offers a convenient way of managing recently created users. It can be useful if you need to restrict certain permissions until a user account matures, or perform operations on new user accounts in bulk. Adaxes will add each freshly created user account to this group, and will automatically remove them one by one as soon as 7 days after creation have passed.
Specific employee category
Employee IDs usually follow a certain pattern that has some information about the employee coded into them. It makes sense to use patterns that already exist in your organization and add users to groups based on their employee ID. As you can see, a simple pattern can be described using a single membership rule. You can also add more membership rules to, for example, explicitly include several users whose employee ID doesn't follow the pattern.
Group for room mailboxes
If you need to collectively manage other objects besides users, here is an example for you. You can unite all room mailboxes from a certain office into a single rule-based group. What if you need to exclude room mailboxes that belong to another group and also a specific room mailbox? A couple more rules will do the trick. From there, you can use other Adaxes features to, for example, automatically restrict who can book meeting rooms associated with these mailboxes.
Alternative: centralized automation
The best part about automating group management in Adaxes is that rule-based groups are not the only way. You can also take advantage of centralized automation and configure the membership rules for several groups in one place, using if/else conditions. Adaxes will periodically check these conditions and will add or remove objects from groups accordingly. If periodic membership updates aren't quick enough for you, they can also be triggered on certain events in your Active Directory. For example, you can configure Adaxes to add or remove users from groups immediately after their department changes.
At the end of the day, both automation methods achieve the same goal. They let you take a firm grip on groups in your AD while relieving you from the need to monitor and manage them manually. By removing the human factor from the equation, you can reduce the number of errors and achieve a more secure environment, where all users have exactly the permissions they should have, no more, no less.