group membership approval workflow request question

I am trying to set up the approval by primary owner workflow for group membership changes. However, it didn't seem to work and I am hoping to get some help here. This is a new AR 7.4.3 setup without too much customization.

What I did

Defined the primary manager for the group which I want users to be able to initiate the change request.

Checked the "Approval by the primary owner (manager) of the group" option under the Membership Approval tab in the group's properties.

Enabled the "Approval by Primary Owner (Manager)" workflow (enabled by default).

What I see

When a regular user logs in to the AR helpdesk portal, the Add button is not available under the membership option. Users are unable to initiate the request.

When the ARadmin logs in to the AR helpdesk portal, the Add button is available. However, the admin (ARadmin is not the manager of the group) can add a user to the group without being prompted for approval.

I think I am probably missing something for the regular users. Do I need to give them write permission to the group first? I would assume there is no need since it is going through the approval process.

Thanks

  • Delegated rights still need to be assigned to a user via an Access Template in order for them to be able to add or attempt to add users to groups.

    Approval workflow steps are bypassed by default for ARAdmins. There is an option within the workflow's 'Workflow Options and Start Conditions' (Configure button at the top of the workflow) -> 'Runas options' (lower left corner) to Enforce Approval. Select the 'Enforce Approval' checkbox and try again as an ARAdmin and the Approval step should kick in and prompt the ARAdmin to enter a reason for the change.


  • Thanks for the quick reply. I linked the Groups - Add/Remove Members access template to the authenticated users and the workflow started to work. However, with this change, the user can also change group membership for other groups that do not have the approval configured. I assume we need to group all the approval groups in a single OU and delegate control to it exclusively.

  • Placing these groups in their own OU could work. This might also be a great scenario for the use of Managed Units. The 'approval groups' can be added to a Managed Unit, either statically or via query, and then the same Access Template rights delegated to the Managed Unit. You could set a Managed Unit query to include groups with the Virtual Attribute "edsvaApprovalByPrimaryOwner" set to True. This way, as the option is enabled on the groups to require approval by the primary owner, the groups will automatically get added to the Managed Unit. If this option is cleared, the groups will get removed.
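
An added example, not posted by anyone in the thread and not vendor code: a PowerShell audit of the scope where the Groups - Add/Remove Members template is linked, listing groups that delegated users could change without owner approval, plus a preview of what the suggested Managed Unit query would match. It assumes the Active Roles Management Shell module is installed; the function names and the scope DN are hypothetical.

```powershell
# Added example. Assumes the Active Roles Management Shell (Get-QADGroup) is installed.
Import-Module ActiveRolesManagementShell

# Report every group under the delegated scope with its approval coverage.
function Get-ApprovalCoverage {
    param(
        # DN of the OU/container the Access Template is linked to (placeholder value expected)
        [Parameter(Mandatory)] [string] $ScopeDN
    )
    # -Proxy sends the query through the Administration Service, which is what
    # makes virtual attributes such as edsvaApprovalByPrimaryOwner readable.
    $groups = Get-QADGroup -Proxy -SearchRoot $ScopeDN -SizeLimit 0 `
        -IncludedProperties edsvaApprovalByPrimaryOwner, managedBy

    foreach ($g in $groups) {
        # Compare as text so a Boolean $true and the string "TRUE" are treated alike.
        $approval = "$($g.edsvaApprovalByPrimaryOwner)" -eq 'True'
        $owner    = $g.managedBy
        $status   = if (-not $approval)  { 'NoApproval' }            # membership changes apply directly
                    elseif (-not $owner) { 'ApprovalWithoutOwner' }  # option set, but no primary owner to approve
                    else                 { 'Covered' }
        [pscustomobject]@{
            Group           = $g.DN
            PrimaryOwner    = $owner
            ApprovalByOwner = $approval
            Status          = $status
        }
    }
}

# Preview the groups a Managed Unit query on the virtual attribute would include.
function Get-ManagedUnitPreview {
    Get-QADGroup -Proxy -SizeLimit 0 -LdapFilter '(edsvaApprovalByPrimaryOwner=TRUE)' `
        -IncludedProperties managedBy |
        Select-Object DN, managedBy
}

# Usage (constructed DN, replace with the real scope):
# Get-ApprovalCoverage -ScopeDN 'OU=Groups,DC=example,DC=com' |
#     Where-Object Status -ne 'Covered' | Format-Table -AutoSize
```

Any row with status NoApproval inside the delegated scope is a group whose membership the delegated users can change with no approval step, which is the exposure raised in the second reply.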