
Recompute itshop assignment components on relocation

Hi,

I have an itshop product that grants membership of a different AD group depending on the location. Once the product is granted, the corresponding AD group to that location is provided. This has saved me from creating different itshop products for every location. 

Is there a way oob I could recompute this assignment if the employee changed the location? 

Thanks!

  • You haven't detailed how you grant the different AD memberships based on location. I would assume you would be doing this via a dynamic role, i.e. 1 dynamic role per location; the rule for each role would be: person has membership to product & person location = X, then the entitlement attached to each dynamic role is the AD group for the matching location.

    However, if you were using this method then you wouldn't have this question, as this would automatically change the AD group if the person's location changed, so this method solves your question.

    I'm curious as to how you had implemented your original requirement.

  • Hi, I'm trying some approaches.

    For your question, the product grants an Eset, so I just need to check the table for Assign events and insert the corresponding group in ADSAccountinADSGroup. How? Every location/department in our database has a shortname that contains a customer number. Our AD group names share the same customer number. So I just need to compute the corresponding AD group name, then check the ADSAccount for the requester and insert both in ADSAccountinADSGroup. This approach needs you to monitor delete events too, so the membership will be revoked if the employee loses the Eset.

    Then I thought it would be easier if I created a generic group name in AD for the product and granted it. Then modify the template for column UID_ADSgroup in ADSAccountinADSGroup, intercept the app group name and change it accordingly. That would save the day for insert, update and delete operations.

    All in all, I need to check if the employee changes the location and update the group. For future releases, it would be great if we could assign AD groups to different locations based on database queries instead of static AD group names.