You can enable group membership approval for a selected Active Directory group individually. In this case, each time when somebody wants to add or remove group members, new approval request will be created and assigned to the group owner(s). The group owner(s) will receive email notification about this. After that, they could open Cayosoft Administrator Web Portal and complete the approval request - approve or reject it. You can control the approval process via the Approval Dashboard. Approval initiator can check the status of his requests in My Request Status web query.
Configuration of Membership Approval web action
You should configure Membership Approval web action to enable membership approval in your environment, define approval work item titles, expiration and notification events.
By default, membership approval feature is disabled. You should open Cayosoft Administrator Console, navigate to HOME > CONFIGURATION > Web Interface > Web Actions > Active Directory > Membership Approval web action and enable it. For configuration details, please, see Membership Approval web action article.
Enabling membership approval for a selected group
To enable group membership approval for a selected group, please read the Membership Approval section in Working with groups article.
Send operation to approval
After membership approval is enabled for a selected group, each time when somebody adds or removes group members, a notification message that operation will be sent to approval is displayed. Approval Initiator should fill the comment field on this message and send operation to approval.
As a result, new approval task will be created, and the approver will get an email notification.
Approvers can be Active Directory users or mail-enabled security groups specified in ManagedBy and msExchCoManagedByLink (secondary owners) attributes for the selected group.
Distribution groups and security groups with empty mail attribute are not supported as approvers.
Approval is effective for the following web actions:
- Group Properties
- User Properties
- Computer Properties
- Add to Groups (including the quick action)
- Leave Group
- Join Groups
Delegate access to My Request Status
In order to initiators can control the statuses of their approval requests, you should delegate them the access to My Organization > My Request Status web query.
As Trustees specify users or groups that will be the approval initiators and be able to see the My Organization administrative unit and My Request Status web query.
As Trustee Permissions specify My Organization Admin Unit > My Request Status web query > Cancel and/or Change History web actions.
Delegate access to My Pending Tasks
In order to group owners can approve or reject the approval requests assigned to them, you should delegate them the access to My Organization > My Pending Tasks web query.
As Trustees specify users or groups (group owners) that will be assigned approval requests and be able to see the My Organization administrative unit and My Pending Tasks web query.
As Trustee Permissions specify My Organization Admin Unit > My Pending Tasks web query > Approve or Reject and/or Change History web actions.
Delegate access to Approval Dashboard
To control the group membership approval process, it is also possible to delegate access to Approval Dashboard, where administrators could perform Approve or Reject, Cancel and Delete approval requests.
As Trustees specify users or groups that will be able to see the Approval Dashboard.
As Trustee Permissions specify Dashboards > Approval Dashboard web query > Approve or Reject, Cancel, Delete or Change history web actions.