• State Suggested Answer
  • Locked Locked
  • Replies 4 replies
  • Answers 1 answer
  • Subscribers 62 subscribers
  • Views 7874 views
  • Users 0 members are here
Options
Related
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Workflow to add new user to a group based on department - what am I missing?

jimcapo
over 7 years ago

Hi,

 

 I'm relatively new to ARS (We're running 7.0 in our env). I've been tasked to create / test some workflows based on new user creation. One that I'm attempting to create now is departmental.

 

 

I've created a "change workflow" with the following parameters - 

Workflow options and start conditions:

Operation that starts this workflow: Create

Target object type: User

Initiation Conditions - 

Any User / Container is "Active Directory"

 

Filtering Conditions -

 

Department of Workflow Target equals "test-department"

 

I've dragged the "Add object to groups" activity and set the appropriate group in the "Groups" tab within that activity (global group, does not require approval from owner). The activity target is set to "workflow target". 

 

Doesn't look like I've got any errors (no exclamation points).

 

I've attempted to create a few users, specifically setting the department during created to the "test-department" - however, once the user is created, they are not being added to the group. 

 

What am I missing?

 

 

Thanks,

 

 

Jim

  • 0 over 7 years ago
    I'm not sure what may be the issue with this Workflow, but I believe that you may not be leveraging the best tool for this.

    The Dynamic Groups feature in Active Roles is designed to do what you want. Create a Group, convert it to a Dynamic Group, and then set the membership rules on the Group so that it populates itself with members from a given Department.

    The benefit here is that these Groups will automatically populate as departments change, not just when Users are created.

    You can take it a step further, and create a Group Family for the department attribute: this way, all departments will get their own Group, and new departments will automatically get a populated Group.
  • 0 over 7 years ago
    Nice, wasn't aware of dynamic groups. That would of course require any other groups to be made dynamic, which I'm not so sure mgmt would let fly. I'll defiantly pass along the info, though.... as well as trying to get the workflow working as well.
  • 0 over 7 years ago
    Presumably, when you configured the add-member-to-group activity, you specified your target group?

    Thinking ahead - this is going to be a bit trickier for more than just your test group as you are going to have to calculate the name of the target group based on the department name. Not difficult - just something to think about as you go forward with your implementation.

    I like Terrence's suggestion of Group Family as they are not as processor-intensive as Dynamic Groups.

    There is yet another option and this is group membership auto provisioning in user provisioning policies. This could work well IF your OU structure is divided up by department, if not, perhaps not as practical.
  • 0 over 7 years ago
    There are few options to accomplish it Group Member = F(user.department):
    #1. Automated Group Membership Policy (regular ARS Policy)
    #2. Dynamic Groups (no manual group management)
    #3. Group Family: overnight update/generation of DL per Department
    #4. Workflow On Demand
    #5. Custom Policy Script (onPostModify() Set-QADGroup)