Applies To:

GroupID 8, 9, 10 – Automate & Self-Service

Business Scenario:

Long before Microsoft introduced the concept of a secondary owner for groups, GroupID was already providing this functionality under the name of additional owners.

Group additional owners is a GroupID pseudo configuration stored in the GroupID database. Additional owners have exactly the same rights and permissions as the primary owner with regard to group management, group expiry and renewal, and workflow request management.

When Microsoft introduced the concept of secondary owners with Exchange 2010 and later, we integrated the Microsoft implementation. Whether an owner is a GroupID additional owner or a Microsoft secondary owner (msExchCoManagedByLink), both work in the same way, and the differences are seamless to end users.

Having additional owners along with a primary owner ensures that if a group's primary owner is away, all group-related operations continue as normal.

Requirement:

We want to make sure that new groups created using GroupID have one or more additional owners.

Solution:

By applying the Group Owners policy, you ensure that your groups have a certain number of additional owners.

By default or in the absence of this policy, groups can have zero to any number of additional owners.

The Group Owners policy is applied at the role level in an identity store.

Steps:

  1. In GroupID Management Console, click the Identity Stores node.
  2. On the Identity Stores tab, double-click the required identity store to open its properties.
  3. Click the Security Roles tab.
  4. Select a role to configure the Group Owners policy for it and click Edit.
  5. On the Role Properties page, click the Policies tab.
  6. Click Group Owners in the left pane.
  7. In the Minimum box, type or select a number in the range 0-3 to set the minimum number of additional owners that a group must have. The default value 0 indicates that role members can create groups having no additional owners.
  8. In the Maximum box, type or select a number in the range 0-100 to set the maximum number of additional owners that a group can have. This value should be equal to or higher than the value provided in the Minimum box.
  9. Click Apply and then OK.

These settings ensure that when a role member creates a group using Automate or the Self-Service portal, he or she must specify the required number of additional owners for it. Moreover, when a role member updates the group, he or she can change the additional owners, but the number must fall within the minimum and maximum bounds.

With the Group Owners policy applied, when a role member tries to create or modify a group without specifying the required number of additional owners, he or she will not succeed until the policy is complied with.

Note: The Group Owners policy also applies to groups that are created or modified via GroupID Management Shell and the scheduled job of Smart Group Update.

Impact:

Impact on the Self-Service portal (create event):

When a role member tries to create a group without specifying the required number of additional owners, he or she gets the following message:

Impact on the Self-Service portal (modify event):

Similarly, when a role member tries to clear the additional owners of an existing group through group properties (so that the number of additional owners falls below the minimum required), he or she gets the following message:

Impact on Automate (create event):

When a role member tries to create a group without specifying the required number of additional owners, he or she gets the following message:

Impact on Automate (modify event):

Similarly, when a role member tries to clear the additional owners of an existing group through group properties (so that the number of additional owners falls below the minimum required), he or she gets the following message:

Important: For Automate, the Group Owners policy does not apply to groups that were created before the policy was specified. The warning message is displayed but changes are saved. For groups that are created after the policy is enforced, changes are not saved until the group conforms to the policy.
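Because groups created before the policy was specified can still be saved below the minimum in Automate, it is worth auditing existing groups once the policy is in place. The script below is an added example, not part of GroupID or of the original article: it reads an LDIF export of groups, counts Microsoft secondary owners (msExchCoManagedByLink) against the Minimum and Maximum values, and separates pre-policy groups from later ones. The sample export, the example.com names and the policy date are constructed, and additional owners held only in the GroupID database do not appear in such an export.

```python
from datetime import datetime, timezone

# Constructed sample export of three groups; one DN is folded across two lines.
SAMPLE_LDIF = """\
dn: CN=Finance,OU=Groups,DC=example,DC=com
objectClass: group
managedBy: CN=Alice,OU=Users,DC=example,DC=com
msExchCoManagedByLink: CN=Bob,OU=Users,DC=example,DC=com
msExchCoManagedByLink: CN=Carol With A Long Display Name,OU=Users,DC=exam
 ple,DC=com
whenCreated: 20240310090000.0Z

dn: CN=Legacy-Ops,OU=Groups,DC=example,DC=com
objectClass: group
managedBy: CN=Dave,OU=Users,DC=example,DC=com
whenCreated: 20190102120000.0Z

dn: CN=Projects,OU=Groups,DC=example,DC=com
objectClass: group
whenCreated: 20240501080000.0Z
"""

def parse_ldif(text):
    """Return one {lowercased attribute: [values]} dict per entry."""
    # LDIF folds long lines: a continuation line starts with a single space.
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    entries = []
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if ": " in line and not line.startswith("#"):
                key, value = line.split(": ", 1)  # base64 ("::") values are not decoded
                entry.setdefault(key.lower(), []).append(value)
        if "dn" in entry:
            entries.append(entry)
    return entries

def audit_owners(ldif_text, minimum, maximum, policy_date):
    """Return (dn, has_primary_owner, secondary_owner_count, status) per group."""
    if not (0 <= minimum <= 3 and 0 <= maximum <= 100 and maximum >= minimum):
        raise ValueError("Minimum must be 0-3, Maximum 0-100 and not below Minimum")
    findings = []
    for e in parse_ldif(ldif_text):
        if "group" not in e.get("objectclass", []):
            continue
        count = len(e.get("msexchcomanagedbylink", []))  # assumption: AD-visible owners only
        created = datetime.strptime(e["whencreated"][0], "%Y%m%d%H%M%S.0Z").replace(tzinfo=timezone.utc)
        # "pre-policy": created before the policy date, so Automate warns but still saves
        status = "ok" if minimum <= count <= maximum else ("pre-policy" if created < policy_date else "violation")
        findings.append((e["dn"][0], bool(e.get("managedby")), count, status))
    return findings
```

Groups reported as pre-policy are the ones to remediate by hand, since Automate does not block changes to them.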


Related Article:

How To: Enforce a primary owner for groups

Reference:

GroupID Online Help topic: Group Ownership Enforcement policy