Request approval for adding members to groups

Using Adaxes, you can allow users to manage their own group membership and delegate group membership management to non-administrative staff. To control the process, membership in important security groups and distribution lists can be allowed only after approval is given by an authorized person.

For information on how to delegate the permissions to add and remove group members, see Grant rights to modify group membership.

In this tutorial, you will learn how to create a business rule to request approval for adding new members to groups.

  1. Launch Adaxes Administration console.

     How
    • On the computer where Adaxes Administration console is installed, open Windows Start menu.

    • Click Adaxes Administration Console.

  2. Right-click your Adaxes service, point to New and click Business Rule.

  3. Enter a name for the new business rule and click Next.

  4. To trigger the business rule before a new member is added to a group:

    • In the Object Type list, select Group.

    • Select Before and then select adding a member to a group.

    To also request approval for removing members from groups, select adding or removing a member from a group.

    Click Next.

  5. Click Add an action.

  6. Select Send this operation for approval.

  7. In the Action Parameters section, specify the approvers for the operation.

    • Click Add to select specific users and groups.

    • Select Manager of the requestor to allow the manager of the operation initiator to approve or deny the operation. The manager is specified in the Manager property of user accounts.

    • Select Owners of the target group to allow any owner of the group to approve or deny the operation. For more details about object ownership in Adaxes, see Object owners.

    • Select Owners of the requestor's OU to allow any owner of the organizational unit where the account of the operation initiator is located to approve or deny the operation. For more details about object ownership in Adaxes, see Object owners.

    • Select Owners of the target group's OU to allow any owner of the organizational unit where the group is located to approve or deny the operation. For more details about object ownership in Adaxes, see Object owners.

    • Click OK.

    Adaxes service administrators have the rights to approve or deny any request.

    Using scripts

    If you need to build the list of approvers based on complex criteria, you can use a PowerShell script to submit the operation for approval. For example, using a script you can request approval from current members of the group.

     How
    • In the Add Action dialog, select the Run a program or PowerShell script action.

    • Click the Edit button.

      Click the button to provide a custom description for the action.

    • To submit a request for approval from a script, you need to call the SubmitForApproval method of the predefined PowerShell variable $Context. As the first parameter, the method takes an array of distinguished names (DNs) of users or groups that will be designated as approvers.

      The following script submits an approval request to a specific user and members of a specific group.

      # Distinguished names of the approvers: a specific user and a group
      # (all members of the group become approvers).
      $approvers = @(
              "CN=John Smith,CN=Users,DC=example,DC=com",
              "CN=My Group,OU=Groups,DC=example,DC=com")
      # Submit the current operation for approval by the listed approvers.
      $Context.SubmitForApproval($approvers, $false, $false, $false, $false)
      
       How to get the DN of an object
      • Launch Adaxes Administration console.

      • Right-click the object you need.

      • In the context menu, open the submenu of the Copy item.

      • Click Copy DN. The DN of the selected object will be copied to the clipboard.

      You can use value references in the script (e.g. %name%, %distinguishedName%). Value references will be replaced with corresponding property values of the group object.

      The following script submits an approval request to the current members of the group.

      # %distinguishedName% is replaced with the DN of the target group,
      # so the group's current members become the approvers.
      $approvers = @("%distinguishedName%")
      $Context.SubmitForApproval($approvers, $false, $false, $false, $false)
      

      Value reference %distinguishedName% will be replaced with the DN of the group object.

      For information on how to create scripts for business rules, see Server-side scripting.
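      As an added example (not from the Adaxes documentation), the script below builds the approver list from the group's managedBy property and falls back to a fixed approver group when no manager is set. It assumes that %managedBy% is resolved like the other value references above (empty when the property is not set), that $Context.LogMessage is available in business rule scripts, and the fallback DN is a constructed placeholder.

```powershell
# Added example: pick approvers based on the target group's managedBy property.
# %managedBy% is assumed to be replaced with the DN of the group's manager
# (or an empty string when the property is not set).
$groupManager = "%managedBy%"

# Constructed fallback approver group; replace with a DN from your domain.
$fallbackApprovers = @("CN=IT Security,OU=Groups,DC=example,DC=com")

if ([string]::IsNullOrEmpty($groupManager)) {
    # No manager set: route the request to the fallback group and record why,
    # so the approval history shows how the approvers were chosen.
    $approvers = $fallbackApprovers
    $Context.LogMessage("Group has no manager; requesting approval from fallback group", "Information")
}
else {
    # The manager may be a user or a group; either is a valid approver DN.
    $approvers = @($groupManager)
}

# Submit the operation for approval by the selected approvers.
$Context.SubmitForApproval($approvers, $false, $false, $false, $false)
```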

    Multi-level approval

    Approval workflow can be configured for multiple levels of approval. To request approval from another group of approvers, add another Send operation for approval action to the business rule.

  8. To request an approval only if certain conditions are met, right-click the action and then click Add Condition.

    Example 1 – If the initiator is not a member of a specific group.

     Step by step
    • Select the If the initiator is a member of <group> condition.

    • In the Condition Parameters section, select is not and specify the group.

    • Click OK.

    Example 2 – If the new member is not the initiator.

     Step by step
    • Select the If the initiator is <user> condition.

    • In the Condition Parameters section, select is not and click the button.

    • Activate the Template tab.

    • In the Template field, enter %member%.

      Value reference %member% will be replaced with the distinguished name (DN) of the new member.

    • Click OK.

    Example 3 – If the initiator and the group are not in the same organizational unit.

     Step by step
    • Select the If located under <location> condition.

    • In the Condition Parameters section, select is not and click the button.

    • Activate the Template tab.

    • In the Template field, enter %adm-InitiatorParentDN%.

      Value reference %adm-InitiatorParentDN% will be replaced with the distinguished name (DN) of the organizational unit where the account of the initiator is located.

    • Click OK.

    When done, click Next.

  9. On the Activity Scope step, click Add.

    Select from the following items:

    • All Objects – select to execute the business rule when a new member is added to any group in any domain managed by Adaxes.

    • Domain – select to execute the business rule when a new member is added to any group within a specific domain.

    • OU or Container – select to execute the business rule when a new member is added to a group located in an organizational unit or container.

    • Group – select to execute the business rule when a new member is added to the selected group or to a group that is a member of the selected one.

    • Business unit – select to execute the business rule when a new member is added to a group that belongs to a specific business unit. To select a business unit, open the Look in drop-down and select the Business Units item.

    You can exclude specific groups, organizational units, business units and domains from the activity scope of the business rule. For example, if you assigned the business rule to all groups in a domain, but do not want it to trigger for the groups located in a specific organizational unit, you can exclude that organizational unit from the activity scope. To exclude an object, select the Exclude the selection option in the Assignment Options dialog.

     Step by step
    • Click the object you want to exclude.

    • In the Assignment Options dialog, select the Exclude the selection option.

    • Click OK.

  10. When done, click OK and then click Finish.
