How To: Trigger a workflow when a user changes the query for a Group

Views:

Applies To:

GroupID 8 and above

Business Scenario:

While directory groups contribute to organizational effectiveness, IT administrators must also vigilantly monitor group membership for accuracy and security. Since Smart Group and Dynasty memberships can be altered with any change to a group’s query, is there a way to track the changes made to the queries of groups in GroupID?

Solution:

A workflow route can be defined for an identity store to track any changes to a group’s query. When a user changes a query, it will trigger the workflow and an approval request will be generated. In this way, query changes, that would subsequently affect group membership, are immediately brought to notice.

A workflow route to control query changes involves:

the object (group) the workflow applies to
the event (edit)
the attribute (criteria) to be monitored
the approver(s) to send the workflow request for approval

This implies that when a user changes the values stored in the criteria attribute for a group, a workflow request is sent to the approver(s). Changes are applied after the request is approved.

Note:

You must configure notifications for an identity store for workflows to work.

Steps:

In GroupID Management Console, click the Identity Stores node.
On the Identity Stores tab, double-click an identity store to open its properties.
Click the Workflow tab.
Click Add.
Enter a name for the workflow In the Name box. For example, Changes to group query.
In the Description box, enter a brief description of the workflow. For example, This workflow tracks changes made to a group’s query.
Make sure the Enabled check box is selected for the workflow to apply.
In the Object(s) list, select Group.
In the Events drop-down list, select Edit.
Select the Enable mail approval check box to enable the approver to approve or deny a workflow request from within the workflow email notification.
The Enable approver acceleration check box applies if approver acceleration has been enabled for the identity store. To exempt this workflow route from approver acceleration, clear this check box.
In the Portal URL drop-down list, select a Self-Service portal URL to include in the workflow email notifications. The URL would redirect the recipients to the portal for acting on the respective request, such as approve or deny it.
Use the Fields area to specify the field (attributes) that you want to apply a check to. When the value of this attribute is modified for a group object, this workflow is triggered.
1. Click Add in the Fields area.
2. Select criteria in the Field drop-down list.
  Using the identity Store tab on the Query Designer dialog box, users can add a custom criterion to a group’s query (for example, fetch all users who live in Livermore and have a fax number). Criteria is a GroupID pseudo attribute that stores this custom criterion. When a user changes this custom criterion on the Identity Store tab, the value of the criteria attribute changes, thus triggering this workflow.
3. Click OK.
Use the Filters area to specify a criterion that must be met for the workflow to trigger. In other words, when this filter criterion is not met, the workflow will not trigger.
Do not apply a filter if you want the workflow to apply to all users.
For example, if you apply the following filter:

Field
employeeType Condition
Not Equals Value
manager

It implies that when a manager changes the value of the criteria attribute, the change is effective immediately and this workflow does not apply. When a non-manager user changes the value of the attribute, it triggers the workflow.
The final step is to add a workflow approver.
1. Click Add in the Approvers area.
2. Select the user/group to approve the requests generated for this workflow. It is safer to specify an administrator as approver rather than the group owners.
3. Click OK.
Click OK on the Workflow Route dialog box and then on the Workflow tab.