How to trigger notifications for members dropping out of Dynamic Groups?

Hi everyone,

I’m struggling with a notification requirement for our Dynamic Groups and hoping someone has a workaround or a "best practice" for this.

The setup: We use DGs heavily, mostly populated by rules looking at specific AD attributes (Department, Office, etc.).

The problem: We need an alert/email whenever a user is removed from one of these groups because they no longer meet the rule criteria (e.g., they changed departments). Since ARS handles these removals automatically in the background, my standard "on-change" workflows don't seem to catch the event—I assume because it's not a manual "Request" being processed through the normal UI/Web Interface.

Has anyone found a reliable way to flag these "drops"?

Thanks!

0 JohnnyQuest 17 days ago

Unless you have specific governance requirement to track changes to the dynamic groups themselves, I think you would have far better luck using a Change Workflow to trap and notify on the changes to the attributes that are used by the membership rules.
Cancel
Up 0 Down

Reply

Verify Answer

Cancel
0 aguliana 17 days ago in reply to JohnnyQuest

Thanks for the reply — that makes sense. Could you share an example of how you’d implement a Change Workflow to trap and notify on changes to the attributes used by the dynamic membership rules?

I haven’t tried capturing change history automatically through a workflow before, and I can see how that would be really powerful.
Cancel
Up 0 Down

Reply

Verify Answer

Cancel
0 JohnnyQuest 16 days ago in reply to aguliana

Have a look at this part of the documentation that explains how to setup the start condition for a Change Workflow
Cancel
Up 0 Down

Reply

Verify Answer

Cancel
0 AJ Lindner 14 days ago

An alternative, if you have a SIEM solution that already handles alerting and event notifications, is to forward the Active Roles Admin Service event logs to your SIEM and let it handle that. You can filter for Event ID 1526 which is for "members removed from group" and the event details includes the group name and the removed member(s).
Cancel
Up 0 Down

Reply

Verify Answer

Cancel