How can I show all groups from the logged in user he/she currently is a member of?

Dries_Werckx Customer IT Monkey ✭
I want to create a service request where a user can delete himself/herself from groups he/she is currently a member of. For user experience I want to show the end user a list with all those groups; the user clicks the groups that need to be deleted, clicks save, and an Orchestrator runbook runs in the background handling the user's selection.

In the future I also want to do this for printers and maybe some other stuff. (let's say location based I want to show you only assets around your location,...)

Is this doable?

Answers

  • Geoff_Ross Cireson Consultant Super IT Monkey ✭✭✭✭✭
    Dries,

    Doable but tricky. You need those objects to have a relationship to a user object and a type projection containing the group / printer / whatever and the related user. Then in the Request Offering configuration, when you configure the query results prompt, you can pick the Type Projection and then under criteria, you can select that UserHasPrinter (or whatever the relationship is called) > Username equals Portal Logged On Username.

    Does that make sense?

    Geoff
  • Tony_Collett Cireson Support Super IT Monkey ✭✭✭✭✭
    You could extend the User class and include some related items and have a workflow or Runbook automatically update and populate the User Class extension with all the information of the user. 

    And then, as Geoff has said, using a Request Offering with a token that shows the information of the user that is logged on. 
  • Dries_Werckx Customer IT Monkey ✭
    Thanks! We are going to have a look at both of your answers and discuss it here. Thanks for your fast replies!
  • Brett_Moffett Cireson PACE Super IT Monkey ✭✭✭✭✭
    It took me quite a while to accept that SCSM brings in the AD User and group information, but does not link them. I would have thought that because the classes can be related to each other then this would work fine, however, not so much.

    For what you are talking about doing, 
    "I also want to do this for printers and maybe some other stuff. (let's say location based I want to show you only assets around your location"
    I would suggest using the Location CI (ships with Cireson Asset Management) to create a relationship to the location for any items that are associated with that location. (Computers, Printers, AD Groups, Users etc.) then when you create a Request Offering (or Advanced Request Offering) you can filter based on the location the user has set as default, or a location provided by the user on the call. This could then be used to filter any group or CI selection grid.

    Good luck with your solution.
  • Dries_Werckx Customer IT Monkey ✭
    @Geoff_Ross :
    I found this article that explains how to use Projections a.k.a Combination classes and create them:
    https://blogs.technet.microsoft.com/antoni/2015/06/05/how-to-create-a-basic-configuration-item-view-and-type-projection-showing-computers-with-their-primary-user-and-custodian-owner/
    (This person uses it for a view, but we can use it for our purpose)

    There is a piece of XML on that page that looks like this:

    The red box marks my question:
    Any tips on how we would do this for the groups and user? Any idea where they are getting the string from in the red box? I can't seem to find any documentation.

  • Alex_Marsh Premier Partner Advanced IT Monkey ✭✭✭
    You would first need to create a custom relationship that links the group and the user and the subsequent type projections that go with it.
    Something along the lines of:

            <RelationshipType ID="GroupMember" Accessibility="Public" Abstract="false" Base="System!System.Reference">
              <Source ID="Source_6e33228d_589a_40e5_9be9_391e3aae9b63" MinCardinality="0" MaxCardinality="1" Type="Alias_68ce1678_a07a_45ef_9047_62530622ac05!Microsoft.AD.Group" />
              <Target ID="Target_bf495040_a846_486d_a6c7_8b8c12e0db47" MinCardinality="0" MaxCardinality="2147483647" Type="Alias_68ce1678_a07a_45ef_9047_62530622ac05!Microsoft.AD.User" />
            </RelationshipType>

    Where the Alias_68ce1678_a07a_45ef_9047_62530622ac05 is the Microsoft.Windows.Library.

    Hope that helps 
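
How the type projection Geoff describes could sit on top of the GroupMember relationship above, as an added example that is not from the thread or from Cireson. The projection ID `Example.GroupWithMembers.Projection` and the component alias `Member` are assumed names, and the `Path` assumes the relationship lives in the same management pack, so it carries no alias prefix.

```xml
<!-- Added example; Example.GroupWithMembers.Projection and Member are assumed names. -->
<TypeDefinitions>
  <EntityTypes>
    <RelationshipTypes>
      <!-- Relationship from the post above: the group is the Source, the user is the Target -->
      <RelationshipType ID="GroupMember" Accessibility="Public" Abstract="false" Base="System!System.Reference">
        <Source ID="Source_6e33228d_589a_40e5_9be9_391e3aae9b63" MinCardinality="0" MaxCardinality="1" Type="Alias_68ce1678_a07a_45ef_9047_62530622ac05!Microsoft.AD.Group" />
        <Target ID="Target_bf495040_a846_486d_a6c7_8b8c12e0db47" MinCardinality="0" MaxCardinality="2147483647" Type="Alias_68ce1678_a07a_45ef_9047_62530622ac05!Microsoft.AD.User" />
      </RelationshipType>
    </RelationshipTypes>
    <TypeProjections>
      <!-- Seed class is the group, so a query results prompt built on this projection lists groups -->
      <TypeProjection ID="Example.GroupWithMembers.Projection" Accessibility="Public" Type="Alias_68ce1678_a07a_45ef_9047_62530622ac05!Microsoft.AD.Group">
        <!-- Follows GroupMember from the seed (its Source) to the related users (its Target) -->
        <Component Path="$Context/Path[Relationship='GroupMember']$" Alias="Member" />
      </TypeProjection>
    </TypeProjections>
  </EntityTypes>
</TypeDefinitions>
```

The criterion Geoff mentions would then be set on the `Member` component of this projection.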
  • Dries_Werckx Customer IT Monkey ✭
    If I understand correctly I need to create an XML file which has relationship defined like this:

            <RelationshipType ID="GroupMember" Accessibility="Public" Abstract="false" Base="System!System.Reference">
              <Source ID="Source_6e33228d_589a_40e5_9be9_391e3aae9b63" MinCardinality="0" MaxCardinality="1" Type="Alias_68ce1678_a07a_45ef_9047_62530622ac05!Microsoft.AD.Group" />
              <Target ID="Target_bf495040_a846_486d_a6c7_8b8c12e0db47" MinCardinality="0" MaxCardinality="2147483647" Type="Alias_68ce1678_a07a_45ef_9047_62530622ac05!Microsoft.AD.User" />
            </RelationshipType>

    The source defines the object you want to have a relationship with the target, e.g.: An attachment = Source | Service Request = Target

    In the example you wrote | AD.Group = Source and AD.User = Target

    There is still one thing I'm not sure of:

    Source ID="Source_6e33228d_589a_40e5_9be9_391e3aae9b63"
    Target ID="Target_bf495040_a846_486d_a6c7_8b8c12e0db47"

    Are these the IDs of the projections you need to define in your XML?

  • Alex_Marsh Premier Partner Advanced IT Monkey ✭✭✭
    Those are just generic source and target names generated by the XML, as I used the authoring tool to get the correct relationship syntax.
  • Conner_Wood Customer Advanced IT Monkey ✭✭✭
    I can't help but feel this is a very complex solution you're attempting to implement.  Considering you'll need a workflow to scan and relate all the SCSM AD Groups of each SCSM AD User, it could blow up in your face real fast.

    Why not have an (advanced) request offering that uses a SR Template which contains a runbook activity as a starting activity... the runbook activity would run and grab the user's AD groups, then add those groups as a comment in the SR and send an email to the user stating the groups they are allowed to request removal for.

    If the user replies with confirmation they want "X" group removed, you could have that complete a review activity and trigger a manual activity for your Security Access Team stating:  User wants "X" group membership removed.

    SCSM Web Portal/Cireson Web Portal have limitations regarding the "flow" of how automation will be done.  You may be better off following their tutorial: How to Create Custom Pages in the Cireson Portal and generating your 100% custom form using the SCSM Server Binaries SDK DLLs to complete this.
  • Brett_Moffett Cireson PACE Super IT Monkey ✭✭✭✭✭
    @Conner_Wood Your solution is a much simpler one I'll agree and it is a very fast and simple way to get this solution resolved, however, it is then 2 layers rather than just the one.
    Another way that this can be done is to use the relationships on the AD Group or Business Services.
    I demonstrated how this works at Innovate 2015 but in that demo it was for E-Mail distribution lists. (But it could apply to AD Security groups too)

    While that solution would work also, I'm not a fan. It would take some automation to keep a relationship in sync, that already exists in AD. It always frustrated me that the user-group relationship was never brought over into SCSM via the AD connector.

    Maybe SM 2016 might solve this once and for all.
  • Dries_Werckx Customer IT Monkey ✭
    Conner_Wood said:
    I can't help but feel this is a very complex solution you're attempting to implement.  Considering you'll need a workflow to scan and relate all the SCSM AD Groups of each SCSM AD User, it could blow up in your face real fast.

    Why not have an (advanced) request offering that uses a SR Template which contains a runbook activity as a starting activity... the runbook activity would run and grab the user's AD groups, then add those groups as a comment in the SR and send an email to the user stating the groups they are allowed to request removal for.

    If the user replies with confirmation they want "X" group removed, you could have that complete a review activity and trigger a manual activity for your Security Access Team stating:  User wants "X" group membership removed.

    SCSM Web Portal/Cireson Web Portal have limitations regarding the "flow" of how automation will be done.  You may be better off following their tutorial: How to Create Custom Pages in the Cireson Portal and generating your 100% custom form using the SCSM Server Binaries SDK DLLs to complete this.

    The reason why we would not implement this is because that's the point of automation. What I'd rather do is just show all AD groups where the user selects the groups and this runs a runbook deleting them.

    The reason we need projections and that relationship is for increasing the user experience, also the reason for this post :).

    Thanks for your answer though! The custom pages might have opened a new door for us!
  • Dries_Werckx Customer IT Monkey ✭
    Brett_Moffett said:
    Maybe SM 2016 might solve this once and for all.

    @Brett_Moffett :
    Just asked a friend that runs Windows Server 2016 TP5 and SCSM + SCORCH 2016 TP5 to check if it was already implemented, unfortunately no luck though. From what I have seen from #LyncUp it seems that Microsoft is focusing on performance of SCSM: Incident requests and the customer portal, and it will take a while before they will do anything for the Service Desk.
    @everyone_reading_this:
    Just to give a small update, we talked with IT management and they are putting this request on hold because we need to focus on something else now. New information will always help and change the priorities we have. Thanks for all your answers until now! If we have a solution we will post an answer here, in the meantime any new information is appreciated.
  • Conner_Wood Customer Advanced IT Monkey ✭✭✭
    Dries_Werckx said:
    The reason why we would not implement this is because that's the point of automation. What I'd rather do is just show all AD groups where the user selects the groups and this runs a runbook deleting them.

    The reason we need projections and that relationship is for increasing the user experience, also the reason for this post :).

    Thanks for your answer though! The custom pages might have opened a new door for us!

    Automation will never be exempt from limitations, be it Out-Of-Box or not.  The main limitation is you cannot (easily) code your own custom control that would allow you to specify a function to execute.  If there was a tutorial to show creating a custom Advanced Request Offering control, much more could be done including what you've explained.

    Type Projections are simply a way of tying "Enterprise Management Objects" together, they are responsible for pre-defining what information to return back.  They do not automate anything by themselves, however they can be optimized by only returning what needs to be searched/viewed/updated.

    A Custom Relationship offers multiple challenges:  

    1. They do not show up in the SCSM Console under Extended Properties, I used the Authoring Tool to create a custom form to display the basic 1:1 relationship (if you already have other forms like preview panes, they will bring about a form conflict)
    2. Lack of documentation for adding custom controls on a form in the SCSM Console, for more advanced controls like a list (for relationships that are "one to many" or "many to many") you have to use a third party app like Visual Studio Authoring Extension with Visual Studio 2015 Community
    3. Luckily, the Cireson Portal is much easier to add custom relationships once you have everything set up.  I recommend reading these threads:  Change Request Primary Owner && Filter Class for specified Relationship List

    I'm all for a better user experience.  I simply wanted to suggest a solution that works within the Out-Of-Box limitations to save time and effort.

    Sometimes I needed to do 100% custom solutions (like custom webpage SR submission forms).  It's important that the more customizations you have, the more you should expect resistance from being helped.  Remember, when you have an unsupported customization that doesn't conform to a list of pre-defined (incomplete/blanket) standards, it becomes all too easy for a troubleshooter to blame whatever issue is being reported on that customization and then insist they cannot support you. >:)

    Dries_Werckx said:
    Just to give a small update, we talked with IT management and they are putting this request on hold because we need to focus on something else now. New information will always help and change the priorities we have. Thanks for all your answers until now! If we have a solution we will post an answer here, in the meantime any new information is appreciated.

    I'm curious to know what that is, perhaps reporting >:) ... I don't have all the answers, but I have much experience with SCSM and developing for it ( C# SDK, SQL Databases ) meaning I'm aware of many limitations that impact design and therefore, functionality.

    Regarding new information, I see others around the forum that are below, at, or above my expertise in all sorts of different areas, it is nothing new to me to learn something new and advanced from others even after I teach them something basic in another area or vice versa.  We are all specialists and being aware of that is what makes this forum mesh so well.
  • Dries_Werckx Customer IT Monkey ✭
    I have got a new idea for this:
    Let's say we read our AD with PowerShell. Like the name says, "Power" we then can do everything we want with these objects.
    We automate with Orchestrator to read our AD and get the -MemberOf property, foreach($user in $users){*add user to related item from groups*} #or/and foreach($group in $groups){*add group to related item from users*}

    (this picture displays SR's but this could be users/groups too. I'm pretty sure about that)

    Now here comes the part I don't know about:
    Is it possible to then display all related config items with type user/group on the portal? Then this problem would be solved.

    This would be the visual of my explanation:

    (I know this is wrong, this is a relative interpretation.)