0 votes

Hi

How do I design one or more Security Roles to meet the following criteria:

A user can only be added to a group within a given scope when:

1 - The user requests membership to a given group for himself.
- or -
2 - A user who is a member of (for example) "All user managers" requests membership to a given group for another user.

Actually #2 is working, but I cannot get the "self" to work, without giving the user rights to add other users to groups too :?
Membership may require approval by the group manager, but that workflow is working too.

- Thanks

by (2.6k points)

1 Answer

0 votes
by (220k points)
Best answer

Hello,

The user requests membership to a given group for himself.

To achieve this, you will need to do the following:

  • Grant users rights to modify the Member property of the required groups
  • Create a Business Rule that will trigger Before Adding a member to a Group and cancel the operation if the initiator is trying to add another account to the group rather than their own one.

To create the Business Rule:

  1. Launch Adaxes Administration Console.
  2. Right-click your Adaxes service node, navigate to New and click Business Rule.
  3. On step 2 of the Create Business Rule wizard select Group object type.
  4. Select Before Adding a member to a Group and click Next.
  5. Click Add Action and select Cancel this operation.
  6. Enter an optional reason for cancelling and click OK.
  7. Double-click Always and select If the initiator is a member of <Group>.
  8. Select is not and click Select Group.
  9. Select the group and click OK twice.
  10. Right-click the action you have created and click Add Condition.
  11. Select If the initiator is <User>, select is not and click Select User.
  12. Activate the Template tab, enter %member% into the Template field and click OK twice.
  13. Click Next and finish creating the Business Rule.
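
The decision this Business Rule makes, modelled in Python as an added example (not Adaxes code and not part of the original answer). It checks the rule against the two criteria from the question and shows why the two conditions on the Cancel action have to be combined with AND; the DNs, the membership set and the function names are constructed for illustration, and DNs are assumed to compare case-insensitively.

```python
# Added model of the rule's logic; it does not call Adaxes.
# All DNs below are constructed sample values.

ALICE = "CN=Alice,OU=Staff,DC=example,DC=com"   # member of "All user managers"
BOB = "CN=Bob,OU=Staff,DC=example,DC=com"       # regular user
CAROL = "CN=Carol,OU=Staff,DC=example,DC=com"   # regular user

MANAGERS = {ALICE.casefold()}  # direct members of the exempt group


def cancel(initiator, member, combine=all):
    """Return True if the 'Cancel this operation' action would fire.

    Condition A: the initiator is not a member of the exempt group.
    Condition B: the initiator is not the account being added (%member%).
    combine=all models AND, combine=any models an OR misconfiguration.
    """
    not_manager = initiator.casefold() not in MANAGERS
    not_self = initiator.casefold() != member.casefold()
    return combine([not_manager, not_self])


# (initiator, member being added, should the request be allowed?)
CASES = [
    (BOB, BOB, True),      # criterion 1: user requests membership for himself
    (BOB, CAROL, False),   # regular user adding somebody else
    (ALICE, CAROL, True),  # criterion 2: user manager adds another user
    (ALICE, ALICE, True),  # user manager adds herself
]


def mismatches(combine):
    """Cases where the rule's outcome differs from the required one."""
    return [(i, m) for i, m, allowed in CASES
            if cancel(i, m, combine) == allowed]


if __name__ == "__main__":
    print("AND:", mismatches(all))  # no mismatches
    print("OR: ", mismatches(any))  # blocks self-service and managers
```

With OR, the rule cancels both the self-service request and the manager's request for another user, so these four cases are the ones to try in a test scope after creating the rule.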
