The "Onboard Group" workflow provided by EmpowerID offers a structured and intuitive approach for integrating groups into your organization's system. This workflow is tailored to assist users in performing a range of group-related tasks efficiently during the onboarding process. Key functionalities of this workflow include:

  1. Adding Permanent Members: This feature allows for the seamless addition of permanent group members, ensuring that the right individuals can access necessary organizational resources.

  2. Applying RBAC Membership Policies: Users can add members to a group based on Role-Based Access Control (RBAC) assignments, such as specific Management Roles, Business Roles, and Locations, or group affiliations. If users lose their RBAC assignments, they are automatically removed from the group.

  3. Assigning Responsibility Parties and Owners: Users can designate responsible parties and owners for the group.

  4. Configuring IAM Shop Settings: The group can be published to the IAM Shop, where eligibility and Access Request policies are configured.

Procedure

Step 1: Configure workflow parameters

The Onboard Group workflow incorporates numerous customizable parameters, allowing you to modify the fields displayed to users running the workflow. These parameters are listed in the table below. Customizing these parameters allows you to tailor the workflow to best suit your organization's needs and preferences.

Parameter

Description

DefaultDomainSuffix

Specifies the default domain suffix that appears in the workflow, such as “empoweridcontractors.onmicrosoft.com”

DefaultEmailMessageName

Name of the email template to use for notifying people when a new group is created.

DefaultGroupUsageTypeId

Default integer value of the Group Usage Type.

DefaultValuePermanentMembersOption

This is a Boolean value that specifies whether the Permanent Membership Option radio button appears to users running the workflow.

DefaultValueRBACMembershipOption

This is a Boolean value that specifies whether the RBAC Membership Policies radio button appears to users running the workflow.

DeputyResourceTypeRoleName

Specifies the Access Level granted to group deputies. The default value is “Resource Role Assigner.”

GroupAccessLevelNameForRBACMembershipPolicies

Specifies the Access Level for RBAC Membership Policies. The default value is “Group Member.”

GroupPurposeTextOne_RestrictedCharacters

Specifies the characters that are removed from GroupPurposeTextOne before the group is created. No delimiters are required. Sample values: _#$

GroupPurposeTextTwo_RestrictedCharacters

Specifies the characters that are removed from GroupPurposeTextTwo before the group is created. No delimiters are required. Sample values: _#$

ManagementRoleIDsToNotify

This is a comma-separated list of Management Role IDs to be notified via email upon creation of a new group.

OwnerResourceTypeRoleName

Specifies the Access Level granted to group owners. The default value is “Resource Role Assigner.”

ShowGroupPurposeTextTwo

This is a Boolean value that specifies whether the “Group Purpose Additional Text” field appears to users running the workflow.

ShowGroupUsageType

This is a Boolean value that specifies whether the “Group Usage Type” dropdown appears to users running the workflow.

ShowIAMShopSettings

This is a Boolean value that specifies whether the “Configure IAM Shop Settings” section appears to users running the workflow.

ShowIAMShopSettings_EligibleAssignees

This is a Boolean value that specifies whether the “Eligible Assignees” option appears to users running the workflow.

ShowIAMShopSettings_PreApprovedAssignees

This is a Boolean value that specifies whether the “PreApproved Assignees” option appears to users running the workflow.

ShowIAMShopSettings_SuggestedAssignees

This is a Boolean value that specifies whether the “Suggested Assignees” option appears to users running the workflow.

ShowMembershipOptions

This is a Boolean value that specifies whether the “Membership Options” section appears to users running the workflow.

ShowOwnershipOptions_Deputies

This is a Boolean value that specifies whether the “Deputies” dropdown under the “Group Ownership Settings” section appears to users running the workflow.

ShowOwnershipOptions_Owners

This is a Boolean value that specifies whether the “Owners” dropdown under the “Group Ownership Settings” section appears to users running the workflow.

TeamCreationDelayInMinutes

Specifies the number of minutes the system should wait before creating a Teams group/channel.

TeamDelayServerRestriction

This is a Boolean value that specifies whether the delayed instance for creating the Teams group/channel should be picked up on the same server.

...

To configure workflow parameters, do the following:

  1. Expand Low Code/No Code Workflow on the navbar and select Low Code Workflows.

  2. Select the Workflow tab and search for Onboard Group.

  3. Click the Display Name for the workflow.

  4. Expand the Request Workflow Parameters accordion on the View One page for the workflow and search for the parameter you want to configure.

  5. Click the Edit (blue star) button for the parameter.

  6. Enter the new value in the Value field and click Save.

  7. Repeat the above steps to configure other parameters as needed.

Step 2: Run the workflow

To onboard a group, follow these steps:

  1. Access the Portal: Log in to the Resource Admin app in the portal for your environment.

  2. Navigate to Group Workflows: In Resource Admin, select Groups from the Resource Type menu and then select the Workflows tab.

  3. Launch the Onboard Group Workflow: Click Onboard Group to start the workflow.

    This opens the Onboard Group wizard workflow. Follow the wizard and fill in the fields of each section of the workflow with the appropriate information for your group. Please note that the sections and fields available may vary depending on the configuration of the workflow parameters.

  4. Select a Tenant or Directory: Choose the tenant or directory location for the new group. For on-premises directories like Active Directory, additionally select the appropriate Organizational Unit (OU).

  5. Submit and Proceed: Click Submit to move to the Group Information section.

  6. Fill in General Group Information: Provide details in the following fields:

    • Group Purpose Text: Enter a name for the group.

    • Group Purpose Additional Text: Enter a display name for the group.

    • Group Usage Type: Indicate the intended usage category for the group.

    • Group Description: Optionally, give a brief description of the group.

  7. Configure Membership Options:

    • Decide if you want to add permanent members to the group.

    • Choose whether to apply RBAC membership policies to the group.

  8. Click Next to proceed to Additional Group Details and enter additional information about the group, including:

    • Group Type: Select the appropriate type for the group.

    • Is Mail Enabled: If applicable, enable this feature and specify email settings, such as requiring authenticated senders and setting the email domain. Please note mail settings only appear when onboarding groups in directories that support email usage.

    • Notes: Add any relevant notes about the group.

  9. Click Next to proceed to Owner Information and enter the following information:

    • Responsible Party: Search for and select the user responsible for managing and maintaining the group.

    • Owners: Search for and select one or more users to be group owners.

    • Deputies: Search for and select one or more users to be group deputies.

  10. Click Next to proceed to IAM Shop Settings and do the following:

    • Decide if the group should be available for request in the IAM Shop.

    • If yes, select an Access Request Policy and define the following assignee types. Users must have one of the below eligibility assignments to view the group in the IAM Shop.

      • Eligible Assignees: Choose the type (Person, Group, SetGroup, Management Role, Business Role and Location), then search for and select the specific assignees eligible to request access to the group in the IAM Shop.

      • Preapproved Assignees: Choose the type (Person, Group, SetGroup, Management Role, Business Role and Location), then search for and select the specific assignees who are pre-approved for the group.

      • Suggested Assignees: Choose the type (Person, Group, SetGroup, Management Role, Business Role and Location), then search for and select the specific assignees suggested for the group.

    • Optionally, enter any Additional IAM Shop Settings information.

  11. Click Next to proceed.

  12. If you opted to add group members earlier, search for and select one or more accounts to add as group members and then click Next to proceed.

  13. If you opted to add RBAC Membership policies earlier, do the following and then click Next to proceed:

    • Select the RBAC Membership policy type: Choose the type of RBAC Membership policy to apply. Available types include:

      • Person

      • Group

      • Set Group

      • Management Role

      • Management Role Definition

      • Business Role and Location

    • Search for and select the Assignee: Based on the selected policy type, search for and select the specific assignee. For example, if you selected "Management Role," search for and choose the appropriate Management Role.

    • Add Additional Assignees: Repeat the above steps to add additional assignee types as needed.

    • Preview RBAC Membership Resultant People (Optional): Click Preview RBAC Membership Resultant People to see the number of individuals who will be added to the group based on the policy.

    • Review the resultant count, then click Next to view the detailed list of people.

  14. If you opted to Preview RBAC Membership Resultant People, review the RBAC Membership Resultant List of People and click Next to proceed.

  15. Review and Submit:

    • Review the Summary Information: Ensure all information is correct.

    • Click Submit: Finalize the group onboarding.

  16. Complete the Wizard:

    • Review the Operation Execution Summary and click Submit to finalize the process.

    • Click Submit again to exit the wizard.

Results

After completing these steps, the group will be onboarded successfully. You can view the group in the connected system and in EmpowerID. To do this:

  • In Connected System: Navigate to the system and search for the group.

  • In EmpowerID: Search for the group directly.

  • Audit Log: Go to System Logs > Audit Log to view the audit log.
