Dynamic Group - Temp Membership

I would start with something like this and then modify it to meet your needs:

Solution Title: Triggering the Automatic Deletion of Microsoft Exchange Mailbox X days after Deprovisioning
Solution Number: 4341083
Solution URL: https://support.oneidentity.com/kb/4341083

"Step 1" would be the same, just use a more relevant name - for example, edsvaDynamicGroupEndDate

Your "Step 2" would be different. You would create a custom Virtual Attribute of Boolean syntax and expose that in the Web Interface. Also, create a Change Workflow that is triggered by setting this Boolean Virtual Attribute to TRUE and have it stamp edsvaDynamicGroupEndDatewith the current date/time plus 48 hours.

Your Scheduled Workflow in "Step 3" would compare the current date/time to the edsvaDynamicGroupEndDate date/time, and clear it if edsvaDynamicGroupEndDate is greater.

The Dynamic Groups would be populated by users with any value in edsvaDynamicGroupEndDate.

Thank you. I will look at this further. I really appreciate you taking the time to reply. 

Can i just check The VA in step one. Is that assigned to the user or the group? Its just not clear and dont want to assume. 

The Virtual Attribute would have to be on the User object.

Hi. I am almost there. In the example link you sent they are searching AD for user accounts. I would like to not search all of AD to find accounts and for my requirements its always going to be a small number of users. However they will always be in a Security Group. I can see that i can change the search activity to Search the group for its members but i cant see a way of specifying the group i would like it to search? Any suggestions

Is this use case planning on having only a single group with this functionality? If so, then searching the group for its members could work, without the need for multiple Search activities within the workflow (each searching a single group). Searching for users with the EndDate virtual attribute set, might make better sense.

However, to answer your question, to specify a single group within a Search activity, set the top option to 'Search the group for its members'. Set the Find: field to 'Users' and in the In: field select 'Fixed group in directory' and search for and select the group.

Thank you. Yes at the moment it is just a single group but if we expanded this out we will use another VA. I have changed the  work flow to reflect the group. Jesus simple when you know how. I now have this set on a test group and will check tomorrow to see if the account is removed. Will confirm back that its all working. Thank you for the help so far 

Thank you. Yes at the moment it is just a single group but if we expanded this out we will use another VA. I have changed the  work flow to reflect the group. Jesus simple when you know how. I now have this set on a test group and will check tomorrow to see if the account is removed. Will confirm back that its all working. Thank you for the help so far 

So my time limit has passed but it has not removed the value  edsvaDynamicGroupEndDate or set my other VA from True to False. I am not 100% sure its actually finding my user account in the security group i asked it to check even though i am the only account in there  

I have been over this many times and even recreating it from scratch. trying to search in a group or even just search in an OU. I cant tell if its actually finding my user account but its not removing the date on the VA. At a bit of a loss with this one. Any suggestions? 

Post some screenshots and maybe we can see the issue. Edit or blur out anything from your environment.

Here is my work first workflow. When the VA McTest1 is set to TRUE this will fire off an approval notification. Once approved the account is automatically added to the Dynamic group and the VA McTest2 is stamped with the date and time +1 for this test

McTest2 VA Date and time settings. I have tried pretty much any combination here

Here i have the second workflow. Searching AD

I am searching for any users inside a security group

So if any users are found then set McTest1 to False as this will remove them from the Dynamic Group and then clear McTest2 VA which was the time

My If Else 

The problem is in your If/Else branch. You are using the wrong conditional. The timestamp will absolutely never be "equal" to the current timestamp plus 1. Instead, you should be checking to see if the timestamp is "greater than" the current day plus 1.

Also, I'd move the conditional check into the filter of your search. It would be much more efficient to simply return the objects that you care about, rather than returning everything and then looping through them, checking each one. You can remove the If/Else entirely. 

Can i just confirm you mean less or equal not greater? Thanks for the heads up on that point though as that was changed in error. When i set to less or equal it now removes the account. I am not sure what else might have changes as yesterday i had that set. Either way thanks for the pointer. 

Thank you. Will check it out 

"I have been over this many times and even recreating it from scratch. trying to search in a group or even just search in an OU. I cant tell if its actually finding my user account but its not removing the date on the VA. At a bit of a loss with this one. Any suggestions?"

Some useful tips, that are not always applicable in all cases, to help verify a Search has been configured properly:

Using the 'Add Report Section' can sometime be useful for seeing what has been found by a Search activity. Add something like the Display Name (depending on the object type) of the found object to the activity and the Display Name of each found object will appear in the Run History of the Workflow.

The LDAP query of the Search being conducted is also in the workflow's Run History. Copy this and paste it into the Advanced tab of a Custom Search in the MMC to also see if any results are found.

Thank you so much Richard for the help