workflow to add a user to a group using temporal group access

I need to remove accounts from a group and add them back after 24 hours for a business reason. Example: a user requests an exception; the exception is granted only by removing the account from a group; the exception expires in 24 hours and the account needs to be added back to the same group manually.

This is done manually today. I would like to automate this using ARS workflows: the user requests an exception; the AD admin removes the user account from the group; this removal should force the admin to set up temporal group membership settings that add the account back after 24 hours, so the entire flow is automated.

Any idea how to set this up?

  • Hi Kannan,

    This should be doable via a workflow and a PowerShell script module.

    First, you'll create a workflow that you would run manually (not triggered on an AD change). Configure the workflow to have a parameter called userDN. This should prompt the person running it to browse for a user object. This will be the user that will be removed and added back at a later time.

    Next, you'll create a new PowerShell script module with the following:


    ## BEGIN SCRIPT ##
    function temporaryGroupMemberRemoval($Request){
        # The workflow has a parameter called userDN that browses for a user object.
        $userDN = $workflow.Parameter("userDN")
        $groupDN = "" # Static DN of the group.

        # Remove the user from the group right away.
        Remove-QADGroupMember -Identity $groupDN -Member $userDN

        # Create a hash table to be used as the scheduled operation control on the add.
        # The time is calculated as 24 hours from the current time, in UTC.
        $time = (Get-Date).AddHours(24).ToUniversalTime()
        $hash = @{}
        $hash.Add("ScheduledOperation-SetTime", $time)

        # Add the user back to the group using the scheduled operation control.
        Add-QADGroupMember -Identity $groupDN -Member $userDN -Control $hash
    }
    ## END SCRIPT ##

    In the script above, input the DN of the group for the $groupDN variable.

    In your workflow, drag over a Script activity and configure it to run the above script module.

    You can, of course, modify the script to also send an email to the user to notify them of the change, including the time they will be added back to the group, using the $time variable.

    I hope this helps!

    -Nick
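The following is an added example, not code from the original reply or from the Active Roles product. It fills in the script module above with the checks a practitioner would want before putting it in front of an admin: it refuses to act on a user who is not currently a direct member (otherwise the scheduled Add would grant membership the user never had), it builds the timestamp in UTC before touching anything, and if the re-add cannot be scheduled it puts the user straight back instead of leaving an open-ended exception. Assumptions: the ActiveRoles Management Shell snap-in is loaded and the session is connected through the Active Roles service (Connect-QADService -Proxy), which is what makes the -Control parameter take effect; the workflow has a parameter named userDN; the group DN, search root, SMTP server and sender address are placeholders to replace; the notification uses the plain PowerShell Send-MailMessage cmdlet rather than an Active Roles notification activity.

```powershell
# Added example, not code from the original post or from One Identity.
# Assumes: ActiveRoles Management Shell loaded; session connected through the
# Active Roles service (Connect-QADService -Proxy) so -Control is honoured;
# a workflow parameter named "userDN"; placeholder DN/SMTP values below.
function temporaryGroupMemberRemoval {
    $userDN  = $workflow.Parameter("userDN")
    $groupDN = "CN=Restricted-Access,OU=Groups,DC=example,DC=com"  # placeholder DN
    $hours   = 24
    $smtp    = "smtp.example.com"                                   # placeholder
    $from    = "ars-noreply@example.com"                            # placeholder

    # Resolve both objects first: a mistyped DN should abort here, not after
    # a partial change. memberOf is requested explicitly for the check below.
    $user  = Get-QADUser  -Identity $userDN -IncludedProperties memberOf -ErrorAction Stop
    $group = Get-QADGroup -Identity $groupDN -ErrorAction Stop

    # Act only on current direct members. Scheduling an Add for someone who is
    # not a member today would hand them membership when the exception lapses.
    if ($user.memberOf -notcontains $group.DN) {
        throw "$($user.NTAccountName) is not a direct member of $($group.Name); nothing to do."
    }

    # Build the timestamp in UTC before any change is made. The control name
    # "ScheduledOperation-SetTime" is the one used in the reply above.
    $readdAt = (Get-Date).ToUniversalTime().AddHours($hours)
    $control = @{ "ScheduledOperation-SetTime" = $readdAt }

    # Remove now, then queue the Add. If the Add cannot be scheduled, put the
    # user straight back: an exception with no end time is worse than none.
    Remove-QADGroupMember -Identity $group.DN -Member $user.DN -ErrorAction Stop
    try {
        Add-QADGroupMember -Identity $group.DN -Member $user.DN -Control $control -ErrorAction Stop
    }
    catch {
        Add-QADGroupMember -Identity $group.DN -Member $user.DN
        throw "Could not schedule re-add of $($user.NTAccountName) to $($group.Name): $_"
    }

    # Tell the user when access is restored. {1:u} prints the UTC time in
    # sortable form (yyyy-MM-dd HH:mm:ssZ).
    if ($user.Email) {
        $body = "You have been removed from {0}. Membership will be restored automatically at {1:u}." -f $group.Name, $readdAt
        Send-MailMessage -SmtpServer $smtp -From $from -To $user.Email `
            -Subject "Temporary removal from $($group.Name)" -Body $body
    }

    # Leave a record in the workflow run: who, which group, and when they return.
    "Removed {0} from {1}; re-add scheduled for {2:u}" -f $user.NTAccountName, $group.Name, $readdAt
}
```

The ordering matters for the failure mode: Remove-QADGroupMember runs first because that is the operation the admin actually asked for, and the scheduled Add is the safety net; the catch block is what turns a scheduling failure into "nothing changed" rather than "user silently has a permanent exception". If the group is a restrictive one (membership blocks something), the membership check also stops the workflow being used to quietly add people who were never in it.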

  • 1. The policy script is a robust, solid option.
    2. Another option you may want to explore is the Workflow On-Request policy feature. The feature allows you to Add-to-Group and Remove-from-Group. Not sure whether it allows control of Temporary Group Membership (maybe?). Also, the workflow can be used on a scheduled basis to execute Remove-from-Group based on a VA attribute marking when the user was added to the group. Note: in case the OOB feature does not fit the request and you need to do explicit scripting, I strongly recommend falling back on the explicit policy scripting in #1 above by Nick.D.
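As an added example (not from either reply), here is what the virtual-attribute variant in point 2 looks like as a script for a workflow run on a schedule, adapted to this thread's direction of travel: instead of queueing a scheduled operation at removal time, the exception process stamps the user with the UTC time membership is due back, and an hourly workflow re-adds everyone whose stamp has passed. The virtual attribute name edsvaExceptionReaddAt is invented for this example, the group DN and search root are placeholders, and it is assumed (as for ordinary attributes) that setting the VA to $null through Set-QADUser clears it.

```powershell
# Added example, not code from the original replies or from One Identity.
# Assumes a hypothetical date/time virtual attribute "edsvaExceptionReaddAt"
# (name invented here) holding the UTC time membership is due back, and
# placeholder group DN / search root values.
function readdExpiredExceptions {
    $groupDN    = "CN=Restricted-Access,OU=Groups,DC=example,DC=com"  # placeholder
    $searchRoot = "OU=Users,DC=example,DC=com"                         # placeholder
    $va         = "edsvaExceptionReaddAt"                              # hypothetical VA
    $now        = (Get-Date).ToUniversalTime()

    # Virtual attributes come back only when requested by name. The deadline
    # test is done client-side so nothing depends on the VA being searchable.
    $stamped = Get-QADUser -SearchRoot $searchRoot -SizeLimit 0 -IncludedProperties $va |
               Where-Object { $_.$va }

    $restored = @()
    foreach ($u in $stamped) {
        $deadline = ([datetime]$u.$va).ToUniversalTime()
        if ($deadline -gt $now) { continue }   # exception still active

        try {
            # Idempotent: a user already back in the group only gets the stamp
            # cleared, so a rerun after a partial failure does not error out.
            $members = (Get-QADUser -Identity $u.DN -IncludedProperties memberOf).memberOf
            if ($members -notcontains $groupDN) {
                Add-QADGroupMember -Identity $groupDN -Member $u.DN -ErrorAction Stop
            }
            # Clearing the stamp is what stops this user being processed again.
            Set-QADUser -Identity $u.DN -ObjectAttributes @{ $va = $null } -ErrorAction Stop
            $restored += $u.NTAccountName
        }
        catch {
            # One bad object must not stop the rest of the sweep; the stamp is
            # left in place so the user is retried on the next run.
            Write-Warning "Could not restore $($u.NTAccountName): $_"
        }
    }
    $restored
}
```

The trade-off against the scheduled-operation approach above is visibility: the pending re-add lives on the user object as an attribute you can report on, and a missed run is self-healing because the stamp stays until the sweep succeeds. The cost is that the guarantee is only as good as the schedule, so the workflow's run history is worth monitoring for gaps.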