How to create a workflow condition that checks for the security group that's going to get assigned.

Hello,

Use the filter:

Member Of of Requested Changes EQUALS DistinguishedNameOfTheSuperMasterGroup

The policy is adding the user to the group so would this not work as well...

Thanks for reply. I should have said in my question. We do have many super master groups. I like to say contains 'SuperMaster' because the filter should apply to any super master group.

Thanks for the reply. It seems that the member of property itself is not working. For example if I say condition with out any filter as ' Modify property of user - > member of ' and if I update groups in Member of then its not going in to approval ( forget about supermaster ) . Just any change to member of itself didn't work for me.

If you are trying to use the CONTAINS evaluation, then this is normal.

Member Of is a computed attribute. It doesn't really exist. It is built based on the Member attribute of a Group. You cannot use a CONTAINS evaluation against a computed Distinguished Name.

You can use the EQUALS evaluation and compare against the Distinguished Name of the Group or Groups which you want to compare to.

If this is cumbersome due to the high number of groups, then you can abstract it: use a script or some other method to stamp the desired groups and then change the Workflow evaluation to check the stamp.

You should be evaluating a change to a Group, and not a User.

Can you post a screenshot of your Workflow triggering conditions?

In this case does the workflow evaluation has filter condition ? How filtering condition can compare at the groups defined in the script. Or the evaluation is done in the script defined in the workflow and no filter condition required?

Any examples will help. Thank you,.

All you have to do is change the "Equals" operator in my example above to "Contains"

I changed condition now as, 'Add member to group - > group' and filter as 'Distinguished Name of workflow target EQUALS Distinguished Name of PLANT_SuperMaster"

In this case I am considering only one SuperMaster group. This workflow condition worked when I am trying to add user to the group manually. For example, select User -> Member of -> Add ->select PLANT_SuperMaster, then it trigger the approval process.

In our case, the members are added to group in the script based on certain rules using below command in script. The policy calls the script.

"Add-QADGroupMember -Identity $Group.DN -Member $DN " in function postModify (Request)

So how to make filter look at the script and trigger the approval before script actually add member to superMaster goup.

The execution of the Add-QADGroupMember command will trigger your workflow.  Did you insert an approval activity in your workflow and configure who should be responsible for the approval?