Audit Changes to Dynamic Group Membership Rules through Workflow

Hi,

I would like to know if it is possible to have a workflow which detects if someone has made a change to the Dynamic Group Membership rules, for example an admin, and that based on that change a notification is sent.

Sander.

  • Did you ever get to the bottom of this? I am wanting the exact same thing

  • I missed this question when it was asked originally, sorry about that!

    I was able to trigger a Change Workflow when changing a Dynamic Group Membership Rule by setting it to be triggered by a modification to the edsaDGConditionsList attribute.

  • Thanks mate. I have your example set up and sure enough I am now receiving an email alert when any changes are made to a Dynamic Group.

    Quick question in case you know the answer. Within the email alert that is sent out I am trying to set it so that it tells me what the change was. For example we use Dynamic groups but we have a few where we have explicit memberships. If someone adds user ABC to Group1 then I am trying to have the email alert say something like "User ABC has just been added to Group1".

    I have been through the tokens on the email template but unless I am missing something the ability to say who was changed is not there.

    An example. The Group Name and Changed By are all good. I just need to report in the alert who was added or removed.

    Added or Removed: 
    <br />
    <br />
    Group Name: <% =Operation.Target["samAccountName"] %>
    <br />
    <br />
    Changed By: <% =Operation.InitiatorDisplayName %>

    Any ideas? 

    Many thanks

    Craig  

  • That won't be possible without some custom scripting. Active Roles stores the Dynamic Group membership rules in the accountNameHistory attribute. The actual raw value of this attribute will show the GUID of the explicitly-included object which was just added, as well as the other rules which are configured. These will have to be interpreted and lookups will need to be performed so that the GUID is resolved to a user's name. It would also be necessary to get the before-and-after values of this attribute so that you could capture the differential.

    This ask is much more easily done using native auditing tools.

  • I'm curious how these explicit adds are being performed in your environment, because normally if you just explicitly add someone to the membership of a dynamic group, the membership rules will ultimately remove them. You can have a membership rule that allows for explicit members but that would require that those editing the group have AR admin rights - which is something I strongly advise against handing out to just anyone.

  • Ok thanks mate. When you right click on the Dynamic group and view the change history you see what's been done. Is there no way of tapping in to that at all?

  • We use Dynamic groups with explicit entries for say domain admins. The ability to make changes to Dynamic groups is very heavily controlled with very few people able to make those changes. Plus it stops people making changes in the native tools as ARS just removes them.

  • It's alarming to me that you would make Domain Admins a dynamic group!  I strongly advise against this sort of thing.  If you want to protect membership of Domain Admins, there are better ways.

  • > view the change history you see what's been done. Is there no way of tapping in to that at all?

    As Terrance indicated, some custom scripting would be needed to acquire those details and store them in a way that the notification template could get to them. I've done something similar by taking the value I need and putting it into a virtual attribute on the target object which you can then reference using a token in your notification.
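The two replies above (Terrance's point that the raw rule attribute holds GUIDs that must be diffed and resolved, and this one's virtual-attribute trick) describe one piece of custom scripting. The following is an added example of how that could look as an Active Roles PowerShell script-module policy; it is not code from this thread or from One Identity/Quest. It assumes the script-policy objects behave as in the Active Roles SDK conventions (`$DirObj.Get` returns the stored value, `$Request.Get` the incoming value, `$Request.IsAttributeModified` and `$Request.Put` exist), that the rules are readable as multi-valued strings in `edsaDGConditionsList` (the attribute named earlier in the thread; Terrance names `accountNameHistory`, so check which one your version populates), and that `edsvaDGRuleChangeSummary` is a placeholder virtual attribute you create on the group class yourself.

```powershell
# Added example, not from the thread: compute the before/after differential of a
# dynamic group's membership-rule attribute inside an Active Roles script policy,
# resolve any GUIDs in the changed rules to account names, and store a readable
# summary in a virtual attribute that the notification template can reference.
#
# Assumptions (not on the page): $Request/$DirObj follow the Active Roles SDK
# conventions; the rule attribute is readable as multi-valued strings;
# edsvaDGRuleChangeSummary is a placeholder virtual attribute created beforehand.

$RuleAttribute    = "edsaDGConditionsList"      # attribute named in the thread; verify for your version
$SummaryAttribute = "edsvaDGRuleChangeSummary"  # placeholder virtual attribute on the group class
$GuidPattern      = '[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}'

# Normalise whatever ADSI hands back (nothing, one string, or an array) into a string array
function ConvertTo-StringArray($value) {
    if ($null -eq $value) { return @() }
    return @($value | ForEach-Object { [string]$_ })
}

# Safely read an attribute that may not be set on the object yet
function Get-AttributeValues($source, [string]$attribute) {
    try { return ConvertTo-StringArray ($source.Get($attribute)) } catch { return @() }
}

# Resolve an object GUID to its sAMAccountName via the GUID binding form; fall back to the GUID
function Resolve-GuidToName([string]$guid) {
    try {
        $obj  = [ADSI]"LDAP://<GUID=$guid>"
        $name = $obj.Get("sAMAccountName")
        if ($name) { return [string]$name }
    } catch { }
    return $guid
}

# Describe one rule: list the names behind any GUIDs it contains, else the raw rule text
function ConvertTo-RuleDescription([string]$rule) {
    $guids = [regex]::Matches($rule, $GuidPattern) | ForEach-Object { $_.Value }
    if ($guids) { return ($guids | ForEach-Object { Resolve-GuidToName $_ }) -join ", " }
    return $rule
}

# Compare the two rule lists and return e.g. "Added: jdoe; Removed: asmith" ("" if unchanged)
function Get-RuleChangeSummary([string[]]$before, [string[]]$after) {
    $added   = @($after  | Where-Object { $before -notcontains $_ })
    $removed = @($before | Where-Object { $after  -notcontains $_ })
    $parts = @()
    if ($added)   { $parts += "Added: "   + (($added   | ForEach-Object { ConvertTo-RuleDescription $_ }) -join "; ") }
    if ($removed) { $parts += "Removed: " + (($removed | ForEach-Object { ConvertTo-RuleDescription $_ }) -join "; ") }
    return ($parts -join "; ")
}

# Active Roles invokes this before the change is committed: $DirObj still holds the
# "before" state, while $Request carries the "after" state of the same attribute.
function onPreModify($Request) {
    if (-not $Request.IsAttributeModified($RuleAttribute)) { return }
    $before  = Get-AttributeValues $DirObj  $RuleAttribute
    $after   = Get-AttributeValues $Request $RuleAttribute
    $summary = Get-RuleChangeSummary $before $after
    if ($summary) {
        # Written onto the group within the same request, so the notification can use
        # <% =Operation.Target["edsvaDGRuleChangeSummary"] %> next to the existing tokens
        $Request.Put($SummaryAttribute, $summary)
    }
}
```

The diff is done on whole rule strings rather than on parsed rule syntax, because the page does not document the raw format; if the stored rules carry more than a GUID per entry, extend `ConvertTo-RuleDescription` once you have looked at a real value. Resolving GUIDs with `LDAP://<GUID=...>` works for any directory object, so a removed entry whose account has since been deleted simply falls back to the GUID instead of failing the policy.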

  • Hi mate. This might be your view and your point might be valid. However when we had a security incident the fact our DA was Dynamic saved us. I am not saying there are not better ways of securing this group and this is only one level that we use. 

  • > Is there no way of tapping in to that at all?

    BTW, if you want to mine change history programmatically, take a look at the Quest PoSh cmdlet Get-QARSOperation.  You can filter on operation, object and so on.  Very useful for your use case should you choose to pursue it.

    If you're not handy with PoSh, talk to your Quest / OneIdentity rep about finding an integration Partner to write that bit for you... there are some out there that will take on small tasks like this.

  • If you want a simple update to the actual notification, you can customize that notification in the "Configure Notification Message".

    Personally, I'm not very good at HTML scripting but I have known some of my customers who customized this heavily. For my purposes and for yours you can customize it simply to show what the change was, especially if you are triggering the notification on a Group Add or Remove. One of the Summaries, either Activity - Notification Summary or the Operations Summary, would provide this info out of the box.

    Now I haven't played with this in a while. You can do some nice work with just this and no scripting.
