Applies To:

GroupID 9 and above – Self-Service

Business Case:

It is not unusual for users to leave an organization or change departments within an organization. You need a list of all groups of which a user is a primary or additional owner, so you can change the ownership of those groups.

Solution:

Using GroupID, you can get a list of the groups owned by a user. You can get:

  • Groups that a user owns as a primary owner.
  • Groups that a user owns as an additional owner.
  • All groups owned by a user, whether as a primary or additional owner.

Methodology:

This section discusses two ways to extract the groups that a user owns.

Case 1 (For End-User): Extract a combined listing of groups that a user owns as a primary owner or additional owner

In this case, you can search for an object in the Self-Service portal and extract a list of all groups that it owns.

  1. In the Self-Service portal, click Advanced Search at the top to go to the Advanced Search page.

  2. Search for the user whose groups you want to extract.

  3. On the Search Results page, select your required user and click Managed By on the toolbar.

    The portal displays all groups that the user owns as a primary or additional owner. To export the group list to Microsoft Excel, click Export Results on the toolbar.

Case 2 (For Admin): Extract a list of groups that a user owns as a primary owner or additional owner

In this case, you add two fields, Primary Owner and Additional Owner, to the search page in the Self-Service portal. Once that is done:

  • Specify a user’s display name in the Primary Owner field to get all groups the user owns as a primary owner.
  • Specify a user’s display name in the Additional Owner field to get all groups the user owns as an additional owner.
Note: You can search for a primary owner by their distinguished name, and for an additional owner by their GUID only.

Follow these steps to add the search fields.

  1. In GroupID Management Console, select Self-Service > Portals > [Required portal] > Designs.

  2. Select an identity store to customize the portal design for it.

  3. On the Search Forms tab, select the search form, Groups, and click Edit.

  4. On the Edit Search Form dialog box, you have to add two fields, Primary Owner and Additional Owner.

    1. To add the Primary Owner field, click Add in the Search Form area.

    2. On the dialog box, enter a display name for the field, map it to the managedBy attribute, and select the display type as DN. Click OK.

    3. Again, on the Edit Search Form dialog box, click Add in the Search Form area to add the Additional Owner field.

    4. On the dialog box, enter a display name for the field, map it to the XAdditionalOwner attribute, and select the display type as Text. Click OK.

  5. Click OK to close the Edit Search Form dialog box. Then click Save in the top left corner of the window.

  6. Launch the Self-Service portal and head to the Group Search page by clicking Groups > Group Search.

  7. Specify a user's distinguished name in the Primary Owner box and click Search. The portal fetches all groups that have the user as the primary owner.

  8. You can only search for an additional owner by providing the GUID of the additional owner. This is because the additional owner information is stored in the form of a GUID in Elasticsearch (where the portal gets its data from). XAdditionalOwner is a pseudo attribute of GroupID and Active Directory cannot resolve it because there is no corresponding AD attribute.

    To search the groups a user is an additional owner of, provide the GUID of that user in the Additional Owner box and click Search.

    Note: The primary owner and additional owner searches do not work together, so search by either the primary owner or the additional owner, one at a time.

  9. Once the required results are populated, simply click Export Results to extract the data in the form of an MS Excel report.

    Note: This change to the Group Search page applies to all users who use the portal. To restrict users’ access to this type of search, you can create another portal for admins only and customize the search page for that portal.

To extract the GUID of a user:

There is no direct way to extract the GUID of a user in Active Directory. You have to use Windows PowerShell or GroupID Management Shell to extract the GUID using either of the following commands:

For Windows PowerShell

Get-ADUser -Identity <user identity>
(Enter the DisplayName/SamAccountName/DistinguishedName, whichever is populated in your AD for the users)

For GroupID Management Shell

Get-User -Identity <user identity>
(Enter the DisplayName/SamAccountName/DistinguishedName, whichever is populated in your AD for the users)

Object GUID will be present in the results of these commands.
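
The following is an added example, not part of the original article or of GroupID: a Windows PowerShell helper that returns both values the two search boxes need (the distinguished name for Primary Owner, the GUID for Additional Owner) and cross-checks primary ownership directly against managedBy in Active Directory. The function names and the sample account jdoe are hypothetical; it assumes the ActiveDirectory (RSAT) module and read access to the directory.

```powershell
# Added example (not GroupID code). Assumes the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

# Escape a value for use inside an LDAP filter (RFC 4515): \ * ( ) and NUL.
# Needed because display names and DNs may contain these characters,
# for example "CN=Doe\, Jane,OU=Staff,..." or "Jane (Contractor)".
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    $sb = [System.Text.StringBuilder]::new()
    foreach ($ch in $Value.ToCharArray()) {
        if ('\*()'.IndexOf($ch) -ge 0 -or [int]$ch -eq 0) {
            [void]$sb.AppendFormat('\{0:x2}', [int]$ch)   # e.g. "(" becomes \28
        } else {
            [void]$sb.Append($ch)
        }
    }
    $sb.ToString()
}

# Hypothetical helper: resolve one user and return the portal search values.
function Get-OwnerSearchValue {
    param([Parameter(Mandatory)][string]$Name)

    $n = ConvertTo-LdapFilterValue $Name
    # Match on display name or sAMAccountName; ObjectGUID is returned by default.
    $users = @(Get-ADUser -LDAPFilter "(|(displayName=$n)(sAMAccountName=$n))")
    if ($users.Count -ne 1) {
        # Refuse ambiguous or empty matches so ownership is never reassigned
        # on the basis of the wrong account.
        throw "Expected exactly one user for '$Name', found $($users.Count)."
    }
    $user = $users[0]

    # Primary ownership lives in the AD attribute managedBy, so it can be
    # verified in AD. XAdditionalOwner has no AD counterpart and cannot.
    $dn = ConvertTo-LdapFilterValue $user.DistinguishedName
    $owned = @(Get-ADGroup -LDAPFilter "(managedBy=$dn)")

    [pscustomobject]@{
        PrimaryOwnerBox     = $user.DistinguishedName      # paste into Primary Owner
        AdditionalOwnerBox  = $user.ObjectGUID.ToString()  # paste into Additional Owner
        GroupsWithManagedBy = $owned.Name                  # compare with portal export
    }
}

Get-OwnerSearchValue -Name 'jdoe'   # constructed sample account name
```

The GUID is emitted in the default hyphenated .NET format. Groups listed under GroupsWithManagedBy should match the portal's Primary Owner search results for the same user.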

Reference:

GroupID Online Help topic: Customizing search forms