8 Replies Latest reply on May 9, 2017 3:12 PM by Darren.Bradshaw

    Active Directory Permissions Groups - Access Request

    noel.lester Employee

      OK, I am after some help, obviously.


      I will give you a rough breakdown of what we are trying to achieve. We have Active Directory Groups set up to permit access to folders on our network; there are two groups for each folder (one for Read-Only and one for Change access). Each pair has the same folder path set, and same manager etc. Currently the manager has to give us written approval before we can add anyone to each group, thus giving them access to that data area.


      What we want to do is automate this process, by pulling the groups from AD, setting up a request form where users can select the folder path they want access to, this then automatically picks up the manager to send the approval request to. They then have 3 options (reject, approve change access, approve read only access), this then picks up the correct group to add them to, which we can pass to LPM for the automation to happen.


      We already have the attributes set in AD across all groups, and a standard naming convention etc. And we already know how to pass the attributes into LPM from Service Desk, and have that working from an automation point of view.


      The thing we need help with is the request process within Service Desk. Firstly filtering of the data paths, so the user only sees one of each folder location (not two, as there are two groups with the same folder path set), then depending on whether the manager approves change access or read-only, picking the correct group of the two available for the chosen folder path. Our read only groups end FPR and our change groups end FPC if that helps you in working out a way of finding the relevant group names via a lookup calculation or something?


      Oh, and we are using Service Desk 7.7.3


      I am not sure how well I have explained the situation, from a complete outsider's point of view, but any help or hints would be greatly appreciated. Or if you think you can help but need more information, I would be happy to hear from you and supply any information you need to help me with this.


      Thanks in advance Community.

        • 1. Re: Active Directory Permissions Groups - Access Request
          karenpeacock SupportEmployee

          I'm not sure I completely understand your requirement but do the folder locations exist as a list and you just want to show different list values to different groups of users?  If so then you may be able to use a filter and this guide may be helpful to you: How To: Understand filters and how to set one up to use it


          • 2. Re: Active Directory Permissions Groups - Access Request
            noel.lester Employee

            Hi Karen


            Thanks for your reply, that guide will definitely help me in filtering out my duplicate folder paths being pulled in from Active Directory.


            One thing you may be able to help me with, in addition to what you already have, is there a way to take a value from the request form, and use it to lookup any matches in a business object? Almost like a VLOOKUP in Excel if you will? So in this case, I want to take the Folder Path, that the end user has chosen, and lookup in a business object any records that have that folder path, as this will give me the list of Active Directory groups, relating to that folder path?


            If I can get that bit sorted, I think I am home and dry with my whole process.


            Thanks again



            • 3. Re: Active Directory Permissions Groups - Access Request
              karenpeacock SupportEmployee

              Hi Noel


              Glad I could help!  When you say lookup the AD groups, where or when do you mean you will look them up?  Do you mean for example that further along in the request process someone picks up the request with the folder path completed and when they look to select an AD group they can only see the related AD groups?  If so then this sounds like this is another filter.


              There is a good step by step guide in the online help:

              https://help.landesk.com/docs/help/en_US/LDSD/7.8/Default.htm#../Subsystems/Designer/Content/Query Designer/Filters.htm


              This one is a bit more complex though because you may need to have a relationship between the group and the folder path.  You might need to ask support for some help and can do so via this link: https://support.landesk.com/CaseLogging.aspx


              Best wishes


              • 4. Re: Active Directory Permissions Groups - Access Request
                noel.lester Employee

                Hi Karen


                Yes that is correct, so once the request is raised by the user, it goes to the approving manager, and depending on if they choose Change access or Read Only access depends on which AD Group name it would pick. But thinking about it, you are right, I could filter on the path name, to return all of the AD Group Names that match, and then I could further filter those, so if they choose Change access, it filters for FPC, and if they choose read only, it filters by FPR? FPC and FPR are how we decipher between the change and read groups at the moment in Active Directory.


                One other question, I am pulling in the approving manager attribute of each group from AD, it is pulling the CN of the approving manager. We also pull the CN for all of our user accounts already (as it's unique). Would I be able to use a filter for this also? Filtering based on the value of the manager associated with that folder path, against the list of users we already have in Service Desk? Allowing us to then assign the request to them for approval? I think we can?


                I know this may sound very confusing or complex, and I'm not sure how well I am explaining things, but you are being really helpful and I appreciate it. I am fairly new to Service Desk development, as I have only recently been on the boot camp training, and being let loose on this project. So I am trying to make sure I am going about things the best way etc.


                Thanks again for your replies and help.



                • 5. Re: Active Directory Permissions Groups - Access Request
                  karenpeacock SupportEmployee

                  That sounds feasible but the more common way people would approach this would be to have a relationship created between the user object and the folder path object.  So on the folder path you would have a new field called "approving manager" and this would show a list of users if the dropdown is clicked (maybe the user list could be filtered to just show managers).


                  Here is a document which shows a similar approach:


                  Assign Incident to different Group according to Category


                  You'll have to read "request" where it refers to an incident, "user" where it says group, and "folder path" instead of category.


                  It would be best to contact support if you get stuck because they will be able to more accurately understand your design.



                  • 6. Re: Active Directory Permissions Groups - Access Request
                    noel.lester Employee



                    I have been playing with this with some/little success. Before I get too far down a route, I wanted to check if I am being stupid, or if I am correct.


                    We are pulling in the Common Name, Admin Description and Managed By attributes from AD, into a newly created Business Object.


                    The common name is the AD group name, of which for each data path there are two. One ending FPR, the other ending FPC, one is to grant read only access, the other to grant Change access.


                    The Admin description is the UNC path to the folder that group relates to.


                    The Managed By is the CN of the user who is responsible for granting access.


                    We want to offer the user a list of Data paths, removing the duplicates, on a request window.


                    Then it needs to find the manager in SD, using the CN imported from AD for the group against the CN for the user in the users business object. (this is imported as part of our usual user import already)


                    Then when that manager approves read only access or change access, it picks the correct group name to pass to LPM via the tps_eventsqueue table. Could this be done by looking up the datapath (admin description), then filtering the results for FPC or FPR depending on which level of approval is selected by the manager?


                    I realise this will likely require filtering etc. My main concern is whether we will need two business objects and imports from AD. One where the Group Name is the named/primary field, and another where the Data Path (Admin Description) is the named/primary field? Or can this be done from one business object with filtering and linking objects etc.


                    Hopefully this makes some sense? I have tried to summarise as best I can, without bogging you down with too much information.
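
The lookup described in this post, as an added example (not code from the thread, Service Desk or LPM): one set of imported group records is enough to build the de-duplicated path list, the approving manager and the FPR/FPC choice, and pairs that are incomplete or disagree on manager are held back from the form instead of being automated. Group names, UNC paths, manager CNs and function names are constructed for illustration; paths are assumed to compare case-insensitively.

```python
from collections import defaultdict

# Constructed sample rows: (common name, admin description, managed by).
GROUPS = [
    ("FIN-Reports-FPR", r"\\fs01\Finance\Reports", "jsmith"),
    ("FIN-Reports-FPC", r"\\fs01\Finance\Reports", "jsmith"),
    ("HR-Cases-FPR", r"\\fs01\HR\Cases", "akhan"),
    ("HR-Cases-FPC", r"\\fs01\HR\Cases", "bjones"),   # manager mismatch
    ("IT-Tools-FPC", r"\\fs01\IT\Tools", "akhan"),     # no read-only partner
]
SUFFIX = {"read": "FPR", "change": "FPC"}  # manager decision -> group ending

def norm(path):
    """Key used to match folder paths (hypothetical normalisation)."""
    return path.rstrip("\\").lower()

def build_index(rows):
    """Return ({key: {'path','manager','FPR','FPC'}}, {key: problem})."""
    by_path = defaultdict(list)
    for cn, path, manager in rows:
        by_path[norm(path)].append((cn, manager, path))
    index, rejected = {}, {}
    for key, members in by_path.items():
        found = {s: [cn for cn, _, _ in members if cn.upper().endswith(s)]
                 for s in SUFFIX.values()}
        managers = {m.lower() for _, m, _ in members}
        if len(members) != 2 or any(len(v) != 1 for v in found.values()):
            rejected[key] = "expected exactly one FPR and one FPC group"
        elif len(managers) != 1:
            rejected[key] = "groups in the pair have different managers"
        else:
            index[key] = {"path": members[0][2], "manager": managers.pop(),
                          "FPR": found["FPR"][0], "FPC": found["FPC"][0]}
    return index, rejected

def request_paths(index):
    """De-duplicated folder list to offer on the request form."""
    return sorted(entry["path"] for entry in index.values())

def group_for(index, path, decision):
    """Group name to hand to the automation; None when the manager rejects."""
    if decision == "reject":
        return None
    entry = index[norm(path)]          # KeyError: path was never offered
    return entry[SUFFIX[decision]]     # KeyError: unknown decision value
```

The `manager` value of each entry is the CN to match against the user records already imported, and the `rejected` map is the list of AD groups to correct before the path is offered.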

                    • 7. Re: Active Directory Permissions Groups - Access Request
                      noel.lester Employee

                      Hi Karen


                      Thanks for your help, and apologies for my delay in replying.


                      I have managed to get what I want to happen.


                      I do have a small issue at the moment, where if the manager that is being imported is an analyst, it isn't populating as I need (like it does for end users). Any hints on how to overcome that one?



                      • 8. Re: Active Directory Permissions Groups - Access Request
                        Darren.Bradshaw Expert

                        I am trying to automate adding a user to an AD Group in LPM from a Request in Service Desk.


                        I am able to pass the Group Name and User Name into LPM without a problem, but I am getting an error:


                        - Exception (abort): A system error has occurred. Internal error: Exception of type 'LANDesk.ServiceManagement.Common.BusinessLogicException' was thrown..An invalid directory pathname was passed


                        Any ideas?