Yes, it is possible to make this happen. It is necessary to address two requirements here:
- The ability to modify existing Groups and add a Group as a member.
- The ability to create a new Group and populate that Group with a Group as a member.
The second criterion is not immediately obvious because the permission on the Active Directory side which allows the creation of a Group also allows the population of a Group as a single transaction. This is based on a single permission. So, if a User can create a Group, they can populate it at that time, even if they don't have Group modification permissions beyond that.
Two triggered Workflows will be required; one for each of the above requirements.
The first triggered Workflow will have the following layout:
Operation Condition: Add member to Group
Initiator Condition: Any User | Active Directory (or limited, as per your preference)
Filtering Conditions: Added Member property 'objectClass (objectClass)' equals 'group'
In the Actions section, the simplest way to deal with this is to add a Stop/Break action. It is important that this Stop/Break occurs BEFORE the Group Creation event. You may also choose to send an Approval step to an email address and approve these actions on a per-User basis.
The second requirement is a little harder to deal with. It will have the following layout:
Operation Condition: Create Group
Initiator Condition: Any User | Active Directory (or limited, as per your preference)
Filtering Conditions: New object property "Members (member)" is not empty
The objectClass of Members being added to a Group upon creation cannot be easily queried. Instead, it is necessary to add a Stop/Break action with an error message if a created Group does not have an empty Members attribute. Again, you may choose to add an Approval step instead of a straight Stop/Break, but whichever one you choose has to come BEFORE the Group Modification event.
NOTE: This Workflow will affect the ability to populate any Group with any Members upon creation, whether they be Users or Groups. The error message here should clearly state that Members need to be added post-creation.
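The two Workflows above only catch nested-group membership at event time. As an added example (not part of the original answer, and not tied to any particular workflow product), the following PowerShell script applies the same test the first Workflow uses, member objectClass equals 'group', retroactively across existing groups, so you can see which nestings already exist before the Workflows go live. It assumes the RSAT ActiveDirectory module is installed and that the account running it has read access to the domain; the `$SearchBase` variable is a hypothetical knob for limiting the scan to one OU.

```powershell
# Added example: audit existing AD groups for members that are themselves groups.
# Assumes the RSAT ActiveDirectory module and domain read access.
Import-Module ActiveDirectory

# Hypothetical scope limiter: set to an OU distinguished name to restrict the
# scan, or leave $null to scan the whole domain.
$SearchBase = $null

$params = @{ Filter = '*'; Properties = 'member' }
if ($SearchBase) { $params.SearchBase = $SearchBase }

$findings = foreach ($group in Get-ADGroup @params) {
    foreach ($memberDn in $group.member) {
        # Resolve each member DN to its object class; skip DNs that no longer resolve
        # (for example, foreign security principals or deleted objects).
        $member = Get-ADObject -Identity $memberDn -Properties objectClass -ErrorAction SilentlyContinue
        if ($member -and $member.ObjectClass -eq 'group') {
            [pscustomobject]@{
                Group       = $group.DistinguishedName
                NestedGroup = $member.DistinguishedName
            }
        }
    }
}

$findings | Sort-Object Group | Format-Table -AutoSize
"$(@($findings).Count) nested-group membership(s) found."
```

Running this before enabling the Stop/Break actions gives you the baseline of nestings that were created under the old permissions; the Workflows then only have to prevent new ones, and the second Workflow's "add Members post-creation" error message will not be triggered by anything this report lists.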