0 votes

Hi,

We have a scenario where an AD Group (Global Security) is the approver for an approval request.

The group members receive the email alert (via a Distribution List group email assigned to the Group) but, when they log on to the web UI \ use the Adaxes console, the approval request isn't in their queue (if clicking from the email alert they do not have the right to select the 'Approve' button).

When I log on to the console as a service admin and 'View All Approvers' for the approval ticket, the correct group is set as the approver, and the group contains the user objects that should be able to, but can't, see the ticket in their queue?

Rgds

by (1.6k points)
0

Hello,

To help us troubleshoot the issue, can you explain the following quote in a bit more detail as we don't quite get the idea:

The group members receive the email alert (via a Distribution List group email assigned to the Group)

0

Hi,

The 'Managed-By' attribute of the computer object is populated with a "Global Security Group" type AD group - "Acme Security Team".

We hoped that all members of this group would get an email alert when an approval was triggered, but none were sent, so added an email address to the group - "security@acme.com".

This address is for a Distribution Group, which has the same membership (but we cannot use as the approving group directly, as AD won't let us use a DL group for this attribute).

Rgds

0

Just to be clear...

The approval request is being generated because we have set 'Owner\Manager of this computer' as the approver for a change, and have set the Security Group in the computer 'ManagedBy' attribute.

I have also tried manually setting the same group as the approver for the task and we get the same result.

Rgds

0

Hi,

Bit more testing.

If I use the Distribution Group as the approver directly then members of the group receive the approval emails and can approve the resultant ticket. The problem therefore seems to be that Security Groups cannot be used as a target for approvers.

As we are using the ManagedBy attribute as the target in this instance, and it won't allow Distribution groups for this value, this appears to be the issue.

I can work round it by grouping the computers\servers into groups based on their 'owners', then have a branching ("if computer is a member of...") business rule that hardcodes the approval to the appropriate DL, which adds a layer of complexity, but I guess the question is: is the current behaviour by design, a bug, or an oversight (or have I missed a trick somewhere)?

Rgds

1 Answer

0 votes
by (216k points)

Hello,

The thing is that currently only persons are supported as owners/managers of AD objects in Approval Requests. So, in other words, if a group is directly added as an approver, this will work. However, if a group is added as an approver with the help of the Manager of the target object is Approver / Owner of the target object is Approver options, this won't work.

We were planning to add this functionality later, but since you require the functionality right now, we'll try hard to include the support for this in Adaxes 2013.2 to be available in late September.

By the way, a side note to this. If you specify an AD group as an approver, you don't need to use an additional Distribution List or whatever to send Approval Request notifications to all members of the group. Whenever Adaxes needs to send notifications to approvers, and one of the approvers is a group, Adaxes sends a notification to each member of that group separately. So, all members of a group that have e-mail addresses specified in AD will get a notification anyway.

0

Good news, thanks.

And yes you are right that the groups are 'split' into individual members when it has been added directly as an approver, rather than via an 'Owner' lookup.

As an aside from my side, will 2013.2 include the 'approve by email' capability that I believe you mentioned was going to be supported in a future release?

Many Thanks

0

The feature is in our TODO list, but we haven't made any detailed planning yet. It will be available in the future, but not in the nearest releases.

0

Hello,

Yesterday, we released Adaxes 2013.2. Starting from that release, if a request is submitted for approval to the owner or manager of an object, and the owner/manager is a group, members of the group are recognized as approvers and are able to approve or deny the request. You can download Adaxes 2013.2 here.

Upgrade Instructions.

For a complete list of new features and improvements, see What's New.
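
An added diagnostic example, not part of the original thread and not Adaxes code: it uses the standard ActiveDirectory PowerShell module to show what a computer's ManagedBy value resolves to and, when the owner is a group, which member accounts have a mail attribute (the condition the answer above gives for receiving a notification). The function name and the sample computer name are hypothetical.

```powershell
# Added example. Requires the ActiveDirectory (RSAT) module and read access to AD.
Import-Module ActiveDirectory

function Get-ManagedByApprover {   # hypothetical helper name
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$ComputerName)

    $computer = Get-ADComputer -Identity $ComputerName -Properties ManagedBy
    if (-not $computer.ManagedBy) {
        Write-Warning "$ComputerName has no ManagedBy value; an owner/manager lookup has nothing to resolve."
        return
    }

    # ManagedBy holds a distinguished name; find out what kind of object it points at.
    $owner = Get-ADObject -Identity $computer.ManagedBy

    if ($owner.ObjectClass -eq 'group') {
        $group     = Get-ADGroup -Identity $owner.DistinguishedName
        $ownerKind = "$($group.GroupScope) $($group.GroupCategory) group"
        # Expand nested groups and keep only user accounts.
        $members = Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $_.objectClass -eq 'user' }
    }
    elseif ($owner.ObjectClass -eq 'user') {
        $ownerKind = 'user'
        $members   = @($owner)
    }
    else {
        Write-Warning "ManagedBy points at a '$($owner.ObjectClass)' object, which is neither a user nor a group."
        return
    }

    foreach ($m in $members) {
        $user = Get-ADUser -Identity $m.DistinguishedName -Properties mail
        [pscustomobject]@{
            Computer  = $computer.Name
            Owner     = $owner.Name
            OwnerKind = $ownerKind
            Approver  = $user.SamAccountName
            Enabled   = $user.Enabled
            Mail      = $user.mail
            HasMail   = -not [string]::IsNullOrEmpty($user.mail)
        }
    }
}

# 'SRV-APP01' is a constructed sample name.
Get-ManagedByApprover -ComputerName 'SRV-APP01' | Format-Table -AutoSize
```

Rows with `HasMail` set to `False` are members who have no address in AD to notify; the `Enabled` column is an extra check added here, not something the thread discusses.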
