The thing is that when you are adding a member to a group, it is the group that is modified, not the member. As such, you need to grant users who are managers the permissions to manage group membership. For details, have a look at the following tutorial: https://www.adaxes.com/tutorials_DelegatingPermissions_GrantRightsToModifyADGroupMembership.htm. Unfortunately, it is not possible to delegate the permissions to only add specific users to specific groups. This part can be handled in the business rule using corresponding actions/conditions.
As the target object of your business rule is a group, the condition matching InitiatorUserName with %username% will not work as the value reference will resolve into the sAMAccountName property value of the group, not the member being added.
For us to help you with the business rule configuration, please, specify the following:
- Should the business rule not perform any actions if a user adds themselves to a group?
- Should the business rule not perform any actions if the target group is a specific one?
- Would it meet your needs if the business rule cancels the operation if the initiator is not the manager of the member being added?
Any additional details regarding the desired behavior will be much appreciated.