How to create a workflow condition that checks for the security group that's going to get assigned.

Our Active Roles setup uses a script to assign security groups to users depending on the Office location and Description (Job Title) properties. The policy calls the script. The script matches the user's Office location and Description properties with the office and Description columns in a text file, gets the security groups from the text file, and assigns them to the user.

We would like the approval workflow to trigger the approval process if the office and description properties selected are going to add the ‘SuperMaster’ security group to the user.

We have defined the workflow condition as: Modify properties of User -> with filter 'Member of Target Object' Contains 'SuperMaster'.

The workflows added with the above options trigger the approval process if the existing user already has ‘SuperMaster’ permissions, and NOT when the user is getting ‘SuperMaster’ permissions. We need the approval process to trigger if a job title/Description is selected that will RESULT in giving ‘SuperMaster’ permissions.

We have also tried the workflow condition: Modify properties of User -> with filter 'Member of Requested changes' Contains 'SuperMaster'. But that also didn't work the way we want.

Can you help with how to configure a workflow condition that will trigger the approval process if the modified Job location/Description is going to add ‘SuperMaster’ permissions, and that triggers the approval in the workflow?

  • Hello,

    Use the filter:

    Member Of of Requested Changes EQUALS DistinguishedNameOfTheSuperMasterGroup

  • Thanks for the reply. It seems that the Member Of property itself is not working. For example, if I set the condition without any filter as 'Modify property of user -> member of' and I update groups in Member Of, then it's not going into approval (forget about SuperMaster). Just any change to Member Of itself didn't work for me.

  • If you are trying to use the CONTAINS evaluation, then this is normal.

    Member Of is a computed attribute. It doesn't really exist. It is built based on the Member attribute of a Group. You cannot use a CONTAINS evaluation against a computed Distinguished Name.

    You can use the EQUALS evaluation and compare against the Distinguished Name of the Group or Groups which you want to compare to.

    If this is cumbersome due to the high number of groups, then you can abstract it: use a script or some other method to stamp the desired groups and then change the Workflow evaluation to check the stamp.
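
The "stamp" approach from the last reply, sketched as an added example that is not part of the original thread or of Active Roles itself: resolve the groups the mapping file would assign for the requested Office/Description, and reduce the result to a fixed literal that a workflow condition can test with EQUALS. The CSV column layout, the function names and the stamp values `PrivilegedPending`/`None` are assumptions; writing the stamp to a user attribute and pointing the workflow condition at it is left to your Active Roles configuration.

```powershell
# Constructed sample of the mapping file; the real column layout is an assumption.
$mappingCsv = @'
Office,Description,Groups
London,Helpdesk Analyst,HelpdeskUsers
London,Platform Admin,ServerOps;SuperMaster
Austin,Platform Admin,ServerOps
'@

# Group names whose assignment must go through approval.
$PrivilegedGroups = @('SuperMaster')

function Get-MappedGroups {
    param([object[]]$Mapping, [string]$Office, [string]$Description)
    # Same lookup the provisioning script performs: both columns must match.
    $rows = $Mapping | Where-Object {
        $_.Office -eq $Office -and $_.Description -eq $Description
    }
    # Split the (assumed) semicolon-separated group list and drop empty entries.
    @($rows | ForEach-Object { $_.Groups -split ';' } |
        ForEach-Object { $_.Trim() } | Where-Object { $_ } | Sort-Object -Unique)
}

function Get-ApprovalStamp {
    param([object[]]$Mapping, [string]$Office, [string]$Description)
    $groups = Get-MappedGroups -Mapping $Mapping -Office $Office -Description $Description
    $hits = @($groups | Where-Object { $PrivilegedGroups -contains $_ })
    # Fixed literal values so the workflow condition can use an EQUALS comparison
    # instead of CONTAINS against the computed Member Of attribute.
    if ($hits.Count -gt 0) { 'PrivilegedPending' } else { 'None' }
}

$mapping = $mappingCsv | ConvertFrom-Csv

# Evaluate the *requested* values, before any group is actually assigned.
Get-ApprovalStamp -Mapping $mapping -Office 'London' -Description 'Platform Admin'
Get-ApprovalStamp -Mapping $mapping -Office 'Austin' -Description 'Platform Admin'
```

Because the stamp is computed from the requested Office and Description rather than from current membership, it reflects what the change will grant, not what the user already has.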
