
Active Directory Group Membership Management

Steve_Clarke Customer Adept IT Monkey ✭✭

Hi guys,

There are a few similar threads I could find on adding a user to a group via a request offering but that is not quite what we are after.

What I would like to create is a request offering where a user could select a group and then have it auto enumerate the members of that group on the page. The user could then either just view, or add or remove users from the group.

Basically a total group management RO that could be presented to some users who have delegated access to manage memberships of a particular group.

I have a feeling this may be beyond the portal and I might have to turn to another product like FIM.

If anyone has done something similar I would be really keen to hear your approach.

Thanks,

Steve 

Answers

  • Morten_Meisler Premier Partner Advanced IT Monkey ✭✭✭
    edited April 2017
    I think this will be hard to achieve, but it can be done, though it might not be the exact experience you have in mind and there are some stepping stones to defeat before you can even start making the request offering and the automation. Just like you can list the computers from the Primary User, you should be able to do the same for a group and its users. But unfortunately there is no relationship between a user and a group in SCSM, that's a "many (groups) - to many (users)" relationship (system.containment) that you have to make yourself and then have a regular workflow to find and sync AD-memberships to the CMDB (set the target and source of your relationship). Once this is done you can build a request offering; this could be 1) Query result with groups (single target selection) 2) Query result of Users based on previous choice in the filter (multi target selection) 3) A simple list with an option to A: Remove users selected, B: Add users (if this is chosen, a new query result with all users will show up where you select the users to add). A runbook is then triggered that checks the simple list choice and does the action required.

    Alternatively you could also do this administration from the SCSM Console instead of making a request offering, but this still requires you to make a relationship and also a multi-instance listpicker on the group form. But overall I like the idea that AD membership is managed through your ITSM platform to get granular permissions and auditing history of who changed what when etc. Definitely best practice :)
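
The runbook step described in the answer above, sketched in PowerShell as an added example that is not part of the thread or any poster's code. It assumes the ActiveDirectory module is available to the runbook account and that delegation is recorded in each group's managedBy attribute; the function and parameter names are hypothetical.

```powershell
#Requires -Modules ActiveDirectory
# Added example (hypothetical names). Assumption: the delegated manager of a
# group is the account referenced by the group's managedBy attribute.

function Set-DelegatedGroupMembership {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $GroupName,  # group chosen in the first query result
        [Parameter(Mandatory)] [ValidateSet('Add', 'Remove')]
                               [string]   $Action,     # the simple list choice
        [Parameter(Mandatory)] [string[]] $Members,    # users chosen in the user query result
        [Parameter(Mandatory)] [string]   $Requester   # user who submitted the request
    )

    $group       = Get-ADGroup -Identity $GroupName -Properties ManagedBy -ErrorAction Stop
    $requesterDn = (Get-ADUser -Identity $Requester -ErrorAction Stop).DistinguishedName

    # The runbook account can typically modify many groups, so the portal form
    # alone is not an access control: re-check the delegation before any change.
    if (-not $group.ManagedBy -or $group.ManagedBy -ne $requesterDn) {
        throw "Requester '$Requester' is not the manager of '$GroupName'; no change made."
    }

    foreach ($name in $Members) {
        try {
            $user = Get-ADUser -Identity $name -ErrorAction Stop
            if ($Action -eq 'Add') {
                Add-ADGroupMember -Identity $group -Members $user -Confirm:$false -ErrorAction Stop
            } else {
                Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false -ErrorAction Stop
            }
            $result = 'Success'
        } catch {
            $result = "Failed: $($_.Exception.Message)"
        }

        # One audit record per member: who changed what, and when.
        [pscustomobject]@{
            TimeUtc   = (Get-Date).ToUniversalTime().ToString('o')
            Requester = $Requester
            Group     = $group.Name
            Action    = $Action
            Member    = $name
            Result    = $result
        }
    }
}

# Constructed sample call; the group and account names are placeholders.
# Set-DelegatedGroupMembership -GroupName 'GRP-Example' -Action Add -Members 'user1','user2' -Requester 'manager1'
```

The objects it emits can be written back to the service request or a log so the change history stays with the ticket.
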
  • Tom_Hendricks Customer Super IT Monkey ✭✭✭✭✭
    ...

    I have a feeling this may be beyond the portal and I might have to turn to another product like FIM.

    ...
    You might spend as much or more effort getting FIM (now MIM) going, from what I understand.  SCSM does not, by default, capture group membership, but if your process runs through SCSM forms, then that is easily rectified by including an activity in your form to update the CMDB in your templates. 

    I also believe that using SCSM catalog forms to manage this is best handled with many forms, rather than one.  When you break it apart, your workflows are simpler.
  • Steve_Clarke Customer Adept IT Monkey ✭✭
    Thanks for your thoughts on this guys. We are still yet to implement this function and are continuing to look at the best way to go about this. I will share the process once we have decided on a solution.