Automate Group Membership Management


You can configure Adaxes to automatically add and remove users from groups based on certain rules. For example, when a new user is created in Active Directory, Adaxes can automatically add the user to the group that corresponds to their department. When the Department property of a user is changed, Adaxes can remove the user from the group associated with the previous department and add the user to the group that corresponds to the new department. To ensure that all Active Directory users are members of appropriate groups, you can use Scheduled Tasks to maintain group membership on a periodic basis.

To share the group membership rules between different Business Rules and Scheduled Tasks, you can create a Custom Command that will contain all the necessary actions and conditions, and then execute the command in Business Rules and Scheduled Tasks.

In this tutorial, you will learn how to create a Custom Command that will add and remove users from groups based on their department, and how to execute the command in Business Rules and Scheduled Tasks.


  1. Launch Adaxes Administration Console, right-click your Adaxes service, point to New and click Custom Command.



    Enter a name for the new Custom Command.

  2. Since the Custom Command will be executed by Business Rules and Scheduled Tasks only, uncheck the Enabled checkbox. Disabled commands are not displayed in the user interface.


    Click Next.

  3. Select the User object type and click Next.


  4. On the Parameters step click Next.


  5. On the Actions step click Add an action.



    Select the Add the User to a group action.



    In the Action Parameters section, select the group that corresponds to one of the departments.



    Click OK.


    Approvals

    Actions executed by Business Rules can be submitted for approval. For example, you may want a user to be added to a group only after an approval is granted by the group owner or by the manager of the user.

    • Right-click the action for which you want an approval to be requested.
    • Click Edit Action in the context menu.


    • In the Edit Action dialog, check the Get approval for this action checkbox.


    • Specify the approvers and click OK.


    For information on how to request approval for operations that can be performed both manually by users and automatically, see Request Approval for Adding Members to Groups.

  6. Right-click the newly added action and select Add Condition in the context menu.



    Select the If <property> <relation> <value> condition.



    In the Condition Parameters section specify Department - equals - <Department Name>.



    Click OK.

  7. Right-click the condition/action block and select Add Else in the context menu.




    Right-click Do nothing and select Add Action in the context menu.




    Add a Remove the User from a group action for the same group.




    Right-click the If block and select Copy in the context menu. To copy the whole block, make sure no actions and conditions are selected.




    Right-click outside the block and select Paste in the context menu.




    Double-click both actions and the condition and configure them for another department.




    Repeat the steps above for each department.


    Using Scripts

    If there are too many departments or the rules for group membership are too complicated, the Custom Command may become bulky and hard to manage. In this case, instead of adding many actions and conditions, you can use a PowerShell script. For details on how to use PowerShell to add and remove users from groups, see Change Group Membership Using Scripts.

  8. When done, click Next. On the Permissions page, click Finish.


  9. Select a Business Rule or a Scheduled Task that will execute the Custom Command.


    To execute the Custom Command after a new user account is created, you can use the built-in Business Rule After User Creation. For details on how to configure and activate the rule, see Automate User Provisioning.

    For instructions on how to create a Scheduled Task, see Schedule Tasks for AD Management.

  10. Click Add new action set.


    Right-click Do nothing and select Add Action in the context menu.


    In the Add Action dialog, select Execute a Custom Command.


    In the Action Parameters section, select the Custom Command.


    Click OK.

  11. If the Custom Command is executed in a Business Rule triggered after updating a user, add the If the Department property has changed condition.



    Add the Custom Command to other Business Rules and Scheduled Tasks.
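
The If/Else rule built in steps 5 to 7, generalized to a department-to-group table, as an added PowerShell example (not Adaxes code and not part of the original tutorial). It is a dry run that only computes the Add and Remove changes; the function name, group DNs and sample users are constructed for illustration, and no Adaxes or Active Directory API is called.

```powershell
# Constructed department-to-group table (hypothetical DNs), one entry per If/Else block.
$DepartmentGroups = [ordered]@{
    'Sales'       = 'CN=Sales Staff,OU=Groups,DC=example,DC=com'
    'Engineering' = 'CN=Engineering Staff,OU=Groups,DC=example,DC=com'
    'Finance'     = 'CN=Finance Staff,OU=Groups,DC=example,DC=com'
}

# Hypothetical helper: returns the changes needed, without applying them.
function Get-DepartmentGroupPlan {
    param(
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Map,
        [string]   $Department,
        [string[]] $CurrentGroups
    )
    # Assumption: department names and group DNs are compared case-insensitively.
    $current = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($dn in $CurrentGroups) { if ($dn) { [void]$current.Add($dn) } }
    $dept = "$Department".Trim()

    foreach ($entry in $Map.GetEnumerator()) {
        # If Department equals <name>: should be a member. Else: should not.
        $shouldBeMember = ($dept -ne '') -and ($entry.Key -eq $dept)
        $isMember = $current.Contains($entry.Value)
        if ($shouldBeMember -and -not $isMember) {
            [pscustomobject]@{ Action = 'Add'; Group = $entry.Value }
        } elseif ($isMember -and -not $shouldBeMember) {
            [pscustomobject]@{ Action = 'Remove'; Group = $entry.Value }
        }
    }
}

# Constructed sample users: a department move, a no-op, and a cleared Department.
$users = @(
    [pscustomobject]@{ Name = 'alice'; Department = 'Engineering'; MemberOf = @($DepartmentGroups['Sales']) }
    [pscustomobject]@{ Name = 'bob';   Department = 'sales';       MemberOf = @($DepartmentGroups['Sales']) }
    [pscustomobject]@{ Name = 'carol'; Department = '';            MemberOf = @($DepartmentGroups['Finance']) }
)
foreach ($u in $users) {
    Get-DepartmentGroupPlan -Map $DepartmentGroups -Department $u.Department -CurrentGroups $u.MemberOf |
        ForEach-Object { '{0}: {1} {2}' -f $u.Name, $_.Action, $_.Group }
}
```

A user whose Department is empty or matches no entry is planned for removal from every mapped group, which is what the Else branches do. Review the planned changes before a Scheduled Task applies the rules to all users.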






To make Department a required field and allow users to select a department from a drop-down list, you can use Property Patterns.

For details, see Make an Input Field a Drop-Down List.



