0 votes

Hi

We would like to allow Managers of Users to add their Users to Security Groups. Currently, we always get the following error: image.png

Currently our Security for Managers looks like follow: image.png

If we have a seperate rule to allow managers to write "Members Property" of Security Groups, the Business Rule for the Appproval workflow is ignored. image.png

What settings do we have to adjust to make this possible?

  • Manager of User XY can add UserXY to Group AB, then trigger the Business Rule

Thanks, Mario

by (60 points)

1 Answer

0 votes
by (211k points)

Hello Mario,

The thing is that when you are adding a member to a group, it is the group that is modified, not the member. As such, you need to grant users who are managers the permissions to manage group membership. For details, have a look at the following tutorial: https://www.adaxes.com/tutorials_DelegatingPermissions_GrantRightsToModifyADGroupMembership.htm. Unfortunately, it is not possible to delegate the permissions to only add specific users to specific groups. This part can be handled in the business rule using corresponding actions/conditions.

As the target object of your business rule is a group, the condition matching InitiatorUserName with %username% will not work as the value reference will resolve into the sAMAccountName property value of the group, not the member being added.

For us to help you with the business rule configuration, please, specify the following:

  • Should the business rule not perform any actions if a user adds themselves to a group?
  • Should the business rule not perform any actions if the target group is a specific one?
  • Would it meet your needs if the business rule cancels the operation if the initiator is not the manager of the member being added?

Any additional details regarding the desired behavior will be much appreciated.

0

Thanks for your fast reply.

We have the following Scenarios:

  • Groups that dont have an owner, that users can add themself without any approval (ex. "Hide my Mobile from Signature") (thats what i tried to achieve with the first action set in my image)
  • Groups that have a owner/manager, user can add themself but need approval from the owner, managers can add their users/employees, but need approval from the owner (second action set in my image) (script below)
  • Groups that dont have an owner/manager, user can add themself but need approval from people sepcified in the adaxes, managers can add their users/employees, but need approval from people sepcified in the adaxes (third action set in my image)
# The condition is met if $Context.ConditionIsMet is set to $True.
$group = Get-ADGroup -Identity '%username%' -properties managedby
$manager = $group.ManagedBy
$length = $manager.Length

if($manager.Length -gt 0) {
    $Context.LogMessage("$manager", "Information")
    $Context.LogMessage("Group has a Owner", "Information")
    $Context.ConditionIsMet = $True

    }
    else {
    $Context.LogMessage("Group has no Owner", "Information")
    $Context.ConditionIsMet = $False
    }
0

Hello Mario,

Thank you for the provided details. Sorry for the confusion, but it is not clear how points one and three match together. They have the same if statement, but different results. Could you, please, clarify this point?

0

Lets say we have the following groups without owner

  • HideMyMobileFromSignature
  • Local_Machine_Admins

User can add themself to both groups and so can their managers.

Point 1: For "HideMyMobileFromSignature" we dont want anyone to give an approval as its only a "cosmetic" group that user can decide theirself.

Point 3: For the Group "Local_Machine_Admins" we want someone from IT Staff (1 out of X Users, so we cant set a manager on the group) to give an Approval. image.png

0

Hello Mario,

Thank you for clarifying. What about the cases when the member being added is not the initiator? How should such situations be handled?

0

For Option 1: Inform them by Mail For Option 3: Nothing

0

Hello Mario,

Thank you for the update. Let us clarify the whole behavior:

  • If a user adds themselves to a specific group (e.g. HideMyMobileFromSignature) that has no owner, the business rule should not do anything. If a user is added to the same group by their manager, an email notification should be sent.
  • If a user is added to a group that has an owner, the operation is submitted for approval no matter if the addition is made by the user themselves or by their manager.
  • If a user adds themselves to a specific group (e.g. LocalMachineAdmins) that has an owner the operation must be submitted for approval. If a user is added to the same group by their manager nothing should be done (including no approval).

If the above is correct, your business rule should be as below. There is no need to add the parts where nothing will be done as they will be ignored by the business rule according to the conditions. image.png

0

Thanks for the clarification and the rules.

Point 1:

  • Instead of the Manager it should be "if Initiator is not the targeted user". This would make more sense for us, as also IT Staff or HR could add them to this group.
  • Can you confirm that the Mail-Properties are the right one for sending it to the user (an not the group or initiator): image.png

Point 2: I think for us it would be only "ManagedBy = Empty" and nothing else, as all empty groups expect the one in Point 1 should be approved by the specified people. Does this make sense for you?

image.png

0

Hello Mario,

Instead of the Manager it should be "if Initiator is not the targeted user".

You can change the condition this way, but in the case it will be met for all the cases when adding to a group is not performed by the user themselves while in your case you mentioned checking whether it is done by the user’s manager.

Can you confirm that the Mail-Properties are the right one for sending it to the user

Yes, the settings are correct.

all empty groups expect the one in Point 1 should be approved by the specified people. Does this make sense for you?

Yes, this approach will also work.

Related questions

0 votes
1 answer

Hi All, I was following the following documentation https://www.adaxes.com/tutorials_DelegatingPermissions_GrantRightsToModifyADGroupMembership.htm However I cannot work out how to make it ... can only add themselves. Any help would be great. Many Thanks

asked Mar 30, 2020 by antondubek (440 points)
0 votes
0 answers

We would like users to be able to add their mobile number and carrier information from within the web console. Preferably, they would enter their mobile number in a ... ". This address would then be written to an extensionAttribute field in Active Directory.

asked Mar 2, 2016 by Kikaida (1.1k points)
0 votes
1 answer

I'd like to allow users to remove themselves from groups that they are already members of. Currently I have a business rule in place thats only allowing the OU Owners ... user is a member of the adm-groupname' then allow then to remove themselves.

asked Apr 30, 2020 by sirslimjim (330 points)
0 votes
1 answer

They can navigate to both the user or the group within the ADAXES web interface without issue. They can then either Add to Group or Add Member but the resulting ... something to the web interface which prevents changing the lookup domain. Any ideas? Thanks!

asked Apr 9, 2020 by VTPatsFan (610 points)
0 votes
0 answers

Our users accounts are on-prem & synched through DirSync. Our distribution groups are cloud based only. What's the best way to automatically to accomplish these task? 1. ... the list being up to date if an account is created outside of adaxes) Thanks

asked Apr 27, 2015 by auser42 (340 points)
2,607 questions
2,344 answers
6,228 comments
861,079 users