-
Title
How-to: Automatically remove a user from specified groups, when being added to another specified group -
Description
In some environments, it may be required that a user only be a member of one specific group at a time. When a user is added to Group A, they are automatically removed from Group B and Group C. Workflows can be utilized to accomplish this task.
Consider the following scenario:
- There are three groups granting Administrator permissions to different regions in your environment (Groups A, B, and C)
- An Administrator may only be a member of one of these groups at a time
The following example is provided as a proof of concept only. Advanced customization's are not covered by support.
-
Resolution
Please follow the steps below to create and configure the sample workflow, in which when a user is added to Group A, they are automatically removed from Group B and Group C
Create a new Change Workflow
- In the Active Roles MMC, navigate to Configuration > Policies > Workflow
- Right Click and select New > Workflow
- Give the Workflow a Name and Description and click Next
- Select Upon a request to change data in the directory (change workflow)
- Click Finish
Configure the Workflow Options and Start Conditions
This section defines what triggers the Workflow - In this scenario, adding a member to a group
- Select the Workflow
- In the Workflow Pane that opens, select Workflow Options and Start Conditions at the top
- Click the Configure button
- Click the Select Operation button
- Set the Target Object Type to GROUP
- Select the Change Membership button
- Check the Add Member to Group check box
- Click Finish
Configure the Filtering Conditions
This section defines the group we are moderating - In this scenario, Group A
- Select the Workflow
- In the Workflow Pane that opens, select the Workflow Options and Start Conditions at the top
- Click the Configure button
- Under the Filtering Conditions area at the bottom, click the green + icon
- Click Configure condition to evaluate...
- Select Property of Workflow Target...
- In the Target Property selection, select More Choices
- Search for and select the Distinguished Name attribute
- Click OK
- Click Define Value to Compare to...
- Select Object Defined by DN-Value Rule Expression...
- Click Add Entry > Text String
- Insert the DN of the group to be moderated by this Workflow (Group A)
Configure the Workflow Steps
This section defines the groups the user is to be removed from - in this scenario, Groups B and C
- Select the Workflow
- In the Workflow Pane that opens, select the Remove From Group activity on the left, and drag it below the Operation Execution step
- Double click the Remove From Group activity to configure it
- Select the Activity Target tab on the left side
- Click on Workflow Target and select Object Defined by DN-Value Rule Expression...
- Click Add Entry > Property of Object from Workflow Data Context
- Click Target Object > More Choices > Added Member > OK
- Click Target Property > More Choices
- Search for and select Distinguished Name
- Click OK
- Select the Groups tab on the left
- Ensure that Remove the object from these groups is selected
- Click Add Group > Fixed Group in the Directory
- Select Group B and Group C
- Click OK and Save Changes
Once the Workflow has been configured, when a user is placed into Group A, they will automatically be removed from Group B and Group C, if they are currently in the aforementioned groups. To make this process multi-directional, you can create additional workflows re-ordering the included groups.