How to create a workflow condition that checks for the security group that's going to get assigned.

Hello,

Use the filter:

Member Of of Requested Changes EQUALS DistinguishedNameOfTheSuperMasterGroup

Thanks for the reply. It seems that the member of property itself is not working. For example if I say condition with out any filter as ' Modify property of user - > member of ' and if I update groups in Member of then its not going in to approval ( forget about supermaster ) . Just any change to member of itself didn't work for me.

If you are trying to use the CONTAINS evaluation, then this is normal.

Member Of is a computed attribute. It doesn't really exist. It is built based on the Member attribute of a Group. You cannot use a CONTAINS evaluation against a computed Distinguished Name.

You can use the EQUALS evaluation and compare against the Distinguished Name of the Group or Groups which you want to compare to.

If this is cumbersome due to the high number of groups, then you can abstract it: use a script or some other method to stamp the desired groups and then change the Workflow evaluation to check the stamp.

You should be evaluating a change to a Group, and not a User.

Can you post a screenshot of your Workflow triggering conditions?

In this case does the workflow evaluation has filter condition ? How filtering condition can compare at the groups defined in the script. Or the evaluation is done in the script defined in the workflow and no filter condition required?

Any examples will help. Thank you,.

I changed condition now as, 'Add member to group - > group' and filter as 'Distinguished Name of workflow target EQUALS Distinguished Name of PLANT_SuperMaster"

In this case I am considering only one SuperMaster group. This workflow condition worked when I am trying to add user to the group manually. For example, select User -> Member of -> Add ->select PLANT_SuperMaster, then it trigger the approval process.

In our case, the members are added to group in the script based on certain rules using below command in script. The policy calls the script.

"Add-QADGroupMember -Identity $Group.DN -Member $DN " in function postModify (Request)

So how to make filter look at the script and trigger the approval before script actually add member to superMaster goup.

The execution of the Add-QADGroupMember command will trigger your workflow.  Did you insert an approval activity in your workflow and configure who should be responsible for the approval?

The execution of the Add-QADGroupMember command will trigger your workflow.  Did you insert an approval activity in your workflow and configure who should be responsible for the approval?

Also, check the following:

In the lower left corner of the Workflow Start Conditions dialogue, click on this:

...and make sure this box is checked:

This will make sure that the Approval works when triggered by your policy script.

Thanks for showing this option 'Run-as' . This made all the difference. Appreciate it. I see the workflow trigger Approval now.

Couple of questions though, after I enabled the 'Enforce workflow' I see message in the email notification body as "Service Admin submitted the request to approve….." where as I like to see as the Actual user name who modified the user properties. Some thing like " Tom submitted the request to approve….." .

The other question is, In the web interface the approval request window where Service desk user can enter the reason is no more showing up. When the approval is going to trigger upon changing properties of User then there used to be a pop window where it requests Service desk user to enter the reason for change. I do not see that pop up any more. But the approver request is sent to Approver successfully with reason being empty.

Let's try something simple...

On the Run As dialog, check this option as shown:

IMPORTANT:  In order for this to work, within Active Roles (not native AD), this user must be allowed (have permissions) to add users to this group.  (The workflow itself will prevent them for doing this randomly)