Applies To:
GroupID 11
 

Business Scenario:
While delegating directory group creation to end users reduces Helpdesk load, it is always necessary to have an approval or monitoring process for the groups that end users create. Is there a way to set up a workflow approval process for group creation?
 

Solution:
A workflow route can be defined for an identity store to track any new group creation and send out approval requests to concerned Approvers. When a user creates a group via GroupID Self-Service, it will trigger the workflow and an approval request will be generated. In this way, group creation, which would subsequently take effect in Active Directory, is immediately brought to notice.
A workflow route to control group creation involves:

  • the object (group) the workflow applies to
  • the event (create)
  • the filter (security role) to specify a condition that must be met for the workflow to trigger
  • the approver(s) to send the workflow request to for approval

This implies that when a user meeting a certain workflow triggering condition creates a group via the self-service portal, a workflow request is sent to the approver(s). Changes are applied after the request is approved.

Note: You must configure notifications for an identity store for workflows to work.

Steps:

  1. In the GroupID Admin Center portal, click the Identity Stores node.
  2. Click the Triple Dot button on the identity store and then click Edit to open its properties.
  3. Click the Workflow tab.
  4. Click Add Workflow. A new window will appear.
  5. Make sure the Enabled check box is selected for the workflow to apply.
  6. In the Object(s) list, select Group.
  7. Enter a name for the workflow in the Name box, for example, Group Creation.
  8. In the Events drop-down list, select Create.
  9. Select the Enable mail approval check box to enable the approver to approve or deny a workflow request from within the workflow email notification.
  10. The Enable approver acceleration check box applies if approver acceleration has been enabled for the identity store. To exempt this workflow route from approver acceleration, clear this check box.
  11. In the Description box, enter a brief description of the workflow. For example, This workflow tracks the creation of groups by people from the User Security Role.
  12. In the Portal URL drop-down list, select a Self-Service portal URL to include in the workflow email notifications. The URL redirects the recipients to the portal to act on the respective request, such as approving or denying it.
  13. Use the Filters area to specify a criterion that must be met for the workflow to trigger. In other words, when this filter criterion is not met, the workflow will not trigger.
      Do not apply a filter if you want the workflow to apply to all users.
      For example, if you apply the following filter:

      It implies that when a user from the User security role creates a group via the Self-Service portal, the change isn’t effective immediately and this workflow gets triggered. When a person from any other security role creates a group, it won’t trigger the workflow.
  14. The final step is to add a workflow approver.
      1. Click Add Approvers in the Approvers area.
      2. Select the user/group to approve the requests generated for this workflow. It is safer to specify an administrator/helpdesk as the approver rather than the group owners.
      3. Click Add.
  15. Click OK on the Workflow Route dialog box and then on the Workflow tab.

Now, any group creation made through GroupID by users from the User security role will trigger a workflow request.

Reference:
GroupID Online Help topic: Workflows