One of the most common tasks for an IT department is administration of security groups. Security groups are used to control access to most of today’s applications. Memberships of some groups are modified often, for example groups that control access to project work spaces. Often I see this modification handled as a request to the service desk, which either does it manually or escalates it to 2nd line, who then does it manually. Often it is done directly in Active Directory Users and Computers with a user account that has unnecessarily high permissions. The risk of human error is always there, as the Active Directory tool is often run with a high-privilege account and the engineer modifying the group can misunderstand what to do.
In this blog post I will show an idea for how to handle group management with the self-service portal in Service Manager and configure Orchestrator to execute all modifications. A nice benefit of using Service Manager is that you get tracking of everything: who submitted the change, who approved it and so on. A nice benefit of using Orchestrator is that it will be done the same way every time and no manual steps are required. In this example a manager, that is a user who is configured as manager on a security group in Active Directory, can, with the self-service portal in Service Manager:
- Add member to security group
- Remove member from security group
- Request a list of members of a security group
I wrote a blog post a couple of weeks ago about password reset with Service Manager and Orchestrator. This idea for group management is very similar to the password reset idea, so I will not write down all the steps again. Look at the password reset post to see how to build the integration between Orchestrator and Service Manager. One difference compared with the password reset post is that I use Business Phone instead of Pager to store the manager value. That affects both the runbooks and the portal offering when you build it.
The group management idea is built on a number of runbooks:
- 10.1.1 Invokes 10.1.2 and 10.1.3 to list group members, update the service request and then send an updated list of members to the manager
- 10.1.2 Lists group members. This is done with a custom assembly. The Active Directory integration pack includes a “Get Group” activity, but it does not get the members of the group, only the group itself. I created a new activity that uses PowerShell to list group members.
- 10.1.3 Updates the service request with a new description
- 10.1.5 Handles adding a member to a group
- 10.1.6 Handles removing a member from a group
List group members
A manager navigates to the self-service portal and requests a list of group members. The manager can select only groups where the manager is the owner. Read more about the details of how that works in the password reset blog post. The 10.1.1 runbook executes, as it is part of the service request template for the list group members offering. The runbook ends with sending an e-mail to the manager. The e-mail contains a list of all members of the security group.
Add/remove member of group
A manager (owner of at least one group) navigates to the self-service portal and selects either the Add User To Group offering or the Remove User From Group offering. Select which group and input the username of the user to add to or remove from the security group.
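The PowerShell below is an added example, not the custom assembly or runbooks from this post. It sketches what the 10.1.2 list activity and the 10.1.5/10.1.6 add/remove activities could run under the Orchestrator service account: before listing or changing anything it re-checks in Active Directory that the requesting manager is the group’s ManagedBy owner, so the portal’s group filter is not the only control. It assumes the ActiveDirectory module is available and that the manager is passed in as a SamAccountName (the post itself resolves the manager via the Business Phone attribute).

```powershell
# Added example, not the post's own code. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-OwnedGroup {
    # Returns the group only if $ManagerSam is its ManagedBy owner; otherwise $null.
    param([string]$ManagerSam, [string]$GroupName)
    $manager = Get-ADUser -Identity $ManagerSam
    $group   = Get-ADGroup -Identity $GroupName -Properties ManagedBy
    if ($group.ManagedBy -ne $manager.DistinguishedName) {
        Write-Warning "$ManagerSam is not the manager of $GroupName; request denied."
        return $null
    }
    return $group
}

function Get-OwnedGroupMemberList {
    # Builds the text block that 10.1.1 mails to the manager and 10.1.3 writes
    # into the service request description.
    param([string]$ManagerSam, [string]$GroupName)
    $group = Get-OwnedGroup -ManagerSam $ManagerSam -GroupName $GroupName
    if (-not $group) { return $null }
    $members = Get-ADGroupMember -Identity $group |
        Sort-Object SamAccountName |
        ForEach-Object { "{0} ({1})" -f $_.Name, $_.SamAccountName }
    return ($members -join "`r`n")
}

function Set-OwnedGroupMember {
    # Adds or removes one user and returns a log line, so the Orchestrator history
    # and the Service Manager request record the same change.
    param([string]$ManagerSam, [string]$GroupName, [string]$UserSam,
          [ValidateSet('Add','Remove')][string]$Action)
    $group = Get-OwnedGroup -ManagerSam $ManagerSam -GroupName $GroupName
    if (-not $group) { return $null }
    $user = Get-ADUser -Identity $UserSam   # throws if the username from the portal is mistyped
    if ($Action -eq 'Add') {
        Add-ADGroupMember -Identity $group -Members $user -Confirm:$false
    } else {
        Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false
    }
    return ("{0} {1} {2} {3} requested by {4}" -f (Get-Date -Format o), $Action, $UserSam, $GroupName, $ManagerSam)
}

# Example calls with constructed names; the runbook would pass these in as activity parameters.
Get-OwnedGroupMemberList -ManagerSam 'mgr.anna' -GroupName 'Project-X-Users'
Set-OwnedGroupMember -ManagerSam 'mgr.anna' -GroupName 'Project-X-Users' -UserSam 'j.doe' -Action 'Add'
```

Because the ownership check happens inside the activity, a request whose group name was tampered with in transit still fails closed, even though the service account itself has rights on every group.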
This was a simple example of what you could do with Service Manager and Orchestrator. You can of course add a lot more features and details. I didn’t spend any time on fault tolerance or error handling in the runbooks as this is an example, but for all production runbooks you should really spend time on that.
You can download my custom assembly for listing group members in Active Directory, the Service Manager management pack and the Orchestrator runbooks here: 20120716_GroupManagement. Please note that this is provided “as is” with no warranties at all.
I think it is easier to look at one of the 3rd party portals that can do this. Otherwise you need to build and customize a lot in SCSM. I have only seen it with 3rd party portal solutions.
Hi, sorry no, don’t think that is possible. I know some of the MS partners have portals with that, for example the portal from Atea/Spintop.
Does anyone know how to set up the runbook to return the members of a group in the SCSM self service portal? I would like to create a self service offering in the SCSM portal using AD group membership for an application owner to see who has access to an application and be able to select the users that should be removed and add new users to the group in the same request. Is this possible with SCO and SCSM?
Is there any way to display group members in the portal. I would like to be able to have a user select a group and see the current members to remove. Then select the users to be removed and then search for users to add to the group all in one request offering. Thus giving certain staff the ability to control who gets access to an application or file structure via group membership.
There is no password for the runbook.
What is the password for the runbook?
Hi, you will need to import the Active Directory integration pack. So delete the runbook, import the AD IP, import the runbook again. Then that should be “normal”. I think it is a Get Group activity from the AD IP.
What kind of object is this:
Does this runbook require additional IPs to those used in your reset password post?