How to Add Group Members While Creating Active Directory Group Using Plan

I’m creating a group in Active Directory using a Quick Link form workflow, but I don’t know how to add group members while creating the group. How can I achieve this requirement?

Thanks & Regards
Laxman

Hi Laxman,
The only way to do that would be to create a new provisioning plan for each user to grant this group. The problem is that in IIQ entitlements need to be assigned to the identity, not identities to entitlements. That’s why you always have to assign them by creating a provisioning plan for the identity to grant the entitlement.

@laxman6
If you have the AD group DN details and the users to be added to the group in the form, have a workflow step to add the members and use the Provisioner API to add the group to the users’ AD accounts.

Try to fetch the users’ AD native identity and use the sample code below from there.

    import java.util.ArrayList;
    import java.util.List;
    import sailpoint.api.Provisioner;
    import sailpoint.object.ProvisioningPlan;
    import sailpoint.object.ProvisioningPlan.AccountRequest;
    import sailpoint.object.ProvisioningPlan.AttributeRequest;
    import sailpoint.object.ProvisioningProject;

    ProvisioningPlan plan = new ProvisioningPlan();
    List<AccountRequest> accReqs = new ArrayList<AccountRequest>();

    // Modify the user's existing AD account (not create a new one)
    AccountRequest accReq = new AccountRequest();
    accReq.setOperation(AccountRequest.Operation.Modify);
    accReq.setApplication(<AD_APP_NAME>);
    accReq.setNativeIdentity(<USERS_AD_LINK_NATIVEIDENTITY>);

    // Add the group DN to the account's memberOf attribute
    AttributeRequest attrReq = new AttributeRequest();
    attrReq.setOp(ProvisioningPlan.Operation.Add);
    attrReq.setName("memberOf");
    attrReq.setValue(<GROUP_DN>);
    accReq.add(attrReq);
    accReqs.add(accReq);

    plan.setAccountRequests(accReqs);
    plan.setIdentity(<IdentityObject>); // the identity that owns the AD account

    Provisioner provisioner = new Provisioner(context);
    provisioner.setNoLocking(true);
    ProvisioningProject project = provisioner.compile(plan);
    provisioner.execute(project);
1 Like

Creating a group is a separate process, and adding members to this group is a follow-up operation, as it requires the nativeIdentity of the AD account of the user to be added, and separate plans have to be invoked.

How I would solve it is by leveraging your current QuickLink and supporting workflow in one of the following ways:

i. Once the QuickLink performs its activity, have another form pop up to add users to the newly created group. Once the users are selected, invoke another workflow that creates the plan and passes it to the OOTB workflow, hence having a proper audit trail.
To make it more efficient you can always leverage the RequestObject and trigger it from different task servers.

ii. Invoke the Provisioner API; I think the code snippet has been shared in this post.

I would still recommend option 1, as auditors will have more visibility.

Thanks,
Aman

2 Likes
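The per-user loop that both the Provisioner snippet above and Aman’s option i describe, written as a BeanShell workflow-step script; this is an added example, not code from any reply above. It assumes hypothetical workflow variables `identityNames` (a List of identity names selected on the follow-up form), `adAppName` and `groupDN`, plus the `context` and `log` objects IIQ exposes to scripts.

```java
import java.util.List;
import sailpoint.api.Provisioner;
import sailpoint.object.Application;
import sailpoint.object.Identity;
import sailpoint.object.Link;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.ProvisioningProject;

// Assumed workflow variables (hypothetical names): identityNames, adAppName, groupDN.
Application adApp = context.getObjectByName(Application.class, adAppName);
if (adApp == null) {
    throw new IllegalStateException("AD application not found: " + adAppName);
}

for (String name : (List<String>) identityNames) {
    Identity identity = context.getObjectByName(Identity.class, name);
    if (identity == null) {
        log.warn("Skipping unknown identity: " + name);
        continue;
    }
    // memberOf must be changed on an existing AD account, so resolve the Link first
    List<Link> links = identity.getLinks(adApp);
    if (links == null || links.isEmpty()) {
        log.warn("Identity " + name + " has no AD account; skipping");
        continue;
    }
    // One plan per identity: entitlements are granted to identities, not the reverse
    ProvisioningPlan plan = new ProvisioningPlan();
    plan.setIdentity(identity);
    for (Link link : links) {
        AccountRequest accReq = new AccountRequest();
        accReq.setApplication(adApp.getName());
        accReq.setOperation(AccountRequest.Operation.Modify);
        accReq.setNativeIdentity(link.getNativeIdentity());
        accReq.add(new AttributeRequest("memberOf", ProvisioningPlan.Operation.Add, groupDN));
        plan.add(accReq);
    }
    Provisioner provisioner = new Provisioner(context);
    ProvisioningProject project = provisioner.compile(plan);
    provisioner.execute(project);
    log.info("Added " + name + " to " + groupDN);
}
```

Skipping identities without an AD Link avoids compiling a Modify request against a non-existent account; if you want the audit trail Aman mentions, hand each plan to the OOTB LCM provisioning workflow instead of calling the Provisioner directly.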