Rule based groups based on users attributes

Question

Hi,

would it be possible to achieve the following idea:

Creating and updating rule based groups, based on user attributes like company?

For each company value in AD, there should be a rule based group looking for this company.

So in theory, we need to get all unique company values, then create a group with this company value as filter.

Answer 1

Update

Starting with Adaxes 2020.1, you can configure groups to be rule-based without using scheduled tasks and/or scripts. For details, have a look at section Rule-based groups of the following tutorial: https://www.adaxes.com/help/AddUsersToGroupsByDepartment/#dynamicgroups.

Original

Hello,

It is possible using a scheduled task and a PowerShell script. The script will need to do the following:

1. Find all the unique property values.
2. Find all the existing rule-based groups.
3. Check each group for a rule containing the criteria based property value.
4. For all the property values that do not correspond to criteria in the found groups, create a new rule-based group.

It would significantly decrease the timing for the script execution if all those groups are located in a single OU. Unfortunately, we do not have such a script, but the following article should be a good starting point: https://www.adaxes.com/sdk/IAdmGroup2.

Comments

Ok, I will try this and have the first blocker How to read the rule?

I tried this

[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

# Connect to the Adaxes service
$ns = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$service = $ns.GetServiceDirectly("localhost")

# Bind to the group
$groupDN = "mygroupdn"
$group = $service.OpenObject("Adaxes://$groupDN", $null, $null, 0)

# 
$rules = $group.MembershipRules

$rules shows me

Type                 : ADM_BUSINESSUNITMEMBERSHIPTYPE_QUERY
BaseObjectPath       : Adaxes://<GUID=17894c9b-0451-4e83-a5c2-962ab06ac1e7>
BaseObjectDnTemplate : 
Scope                : ADS_SCOPE_SUBTREE
Exclude              : False
Disabled             : False

How can I now read/create/update the rule?

---

Hello,

The MembershipRules property returns an object represented by the IAdmBusinessUnitMembershipRules interface. It is a collection and you need to iterate through the items in the collection to find the required membership rule and check its criteria. Membership rules in the collection are each represented by the IAdmBusinessUnitMembershipRule interface.