Audit Changes to Dynamic Group Membership Rules through Workflow

Did you ever get to the bottom of this? I am wanting the exact same thing

I missed this question when it was asked originally, sorry about that!

I was able to trigger a Change Workflow when changing a Dynamic Group Membership Rule by setting it to be triggered by a modification to the edsaDGConditionsList attribute.

Thanks mate. Are you able to expand or screen shot your work flow or explain your filtering conditions. 

Here are the triggering conditions that I used.

The filter can be used to target a specific Dynamic Group like I have here. If it were blank, this would fire for all Dynamic Groups.

Thanks mate. I really appreciate you sharing that. Will give this a go. 

Thanks mate. I have your example setup and sure enough i am now receiving an email alert when any changes are made to a Dynamic Group. 

Quick question in case you know the answer. Within the email alert that is sent out i am trying to set it so that it tells me what the change was. For example we use Dynamic groups but we have a few where we have explicit memberships. If someone ads user ABC to Group1 then i am trying to have the email alert say something like User ABC has just been added to Group 1

I have been through the tokens on the email template but unless i am missing something the ability to say who was changed is not there. 

An example. The Group Name and Change By are all good. I jusy need to report in the alert who was added or removed. 

Added or Removed: 
<br />
<br />
Group Name: <% =Operation.Target["samAccountName"] %>
<br />
<br />
Changed By: <% =Operation.InitiatorDisplayName %>

Any ideas? 

Many thanks

Craig  

That won't be possible without some custom scripting. Active Roles stores the Dynamic Group membership rules in the accountNameHistory attribute. The actual raw value of this attribute will show the GUID of the explicitly-included object which was just added, as well as the other rules which are configured. These will have to be interpreted and lookups will need to be performed so that the GUID is resolved to a user's name. It would also be necessary to get the before-and-after values of this attribute so that you could capture the differential.

This ask is much more easily done using native auditing tools.

I'm curious how these explicit adds are being performed  in your environment, because normally if you just explicitly add someone to the membership of a dynamic group, the membership rules will ultimately remove them.  You can have a membership rule that allows for explicit members but that would require that those editing the group have AR admin rights - which is something I strongly advise against handing out to just anyone.

Ok thanks mate. When you right click on the Dynamic group and view the change history you see whats been done. Is there no way of tapping  in to that at all? 

Ok thanks mate. When you right click on the Dynamic group and view the change history you see whats been done. Is there no way of tapping  in to that at all? 

craig mcfarlane said:

Is there no way of tapping  in to that at all? 

BTW, if you want to mine change history programmatically, take a look at the Quest PoSh cmdlet Get-QARSOperation.  You can filter on operation, object and so on.  Very useful for your use case should you choose to pursue it.

If you're not handy with PoSh, talk to your Quest / OneIdentity rep about finding an integration Partner to write that bit for you... there are some out there that will take on small tasks like this.