Configuration of Group Membership Approval
NOTE: You should use Restricted Groups to enable group membership approval for a defined set of Active Directory or Microsoft 365 groups. For more details, please see the Configuration of Restricted Groups rule article.
You can enable group membership approval for a selected Active Directory group individually. In this case, each time somebody adds or removes group members, a new approval request is created and assigned to the group owner(s). The group owner(s) receive an email notification about it and can then open the Web Portal to complete the approval request by either approving or rejecting it. You can control the approval process via the Approval Dashboard. The approval initiator can check the status of their requests in the My Request Status web query.
Configuration of Membership Approval web action
You need to configure the Membership Approval web action to enable membership approval in your environment and define approval work item titles, expiration, and notification events.
By default, the membership approval feature is disabled.
In the Cayosoft Administrator Console, navigate to Web Actions.
Click Active Directory > Membership Approval web action and enable it. For configuration details, please see the article.
Enabling membership approval for a selected group
To enable group membership approval for a selected group, please read the Membership Approval article.
Delegate access to My Request Status
To enable initiators to control the status of their approval requests, they need to have access to the Self-Service > My Request Status web query delegated to them.
As Trustees, specify users or groups that will be the approval initiators and be able to see the Self-Service administrative unit and My Request Status web query.
As Trustee Permissions, specify Self-Service Admin Unit > My Request Status web query > Cancel and/or Change History web actions.
Delegate access to My Pending Tasks
For group owners to be able to approve or reject the approval requests assigned to them, you should delegate them access to the Self-Service > My Pending Tasks web query.
As Trustees, specify users or groups (group owners) that will be assigned approval requests and be able to see the Self-Service administrative unit and My Pending Tasks web query.
As Trustee Permissions, specify Self-Service Admin Unit > My Pending Tasks web query > Approve or Reject and/or Change History web actions.
Delegate access to Approval Dashboard
To control the group membership approval process, it is also possible to delegate access to the Approval Dashboard, where administrators can Approve or Reject, Cancel, and Delete approval requests.
As Trustees, specify users or groups that will be able to see the Approval Dashboard.
As Trustee Permissions, specify Dashboards > Approval Dashboard web query > Approve or Reject, Cancel, Delete or Change History web actions.
Send operation for approval
After membership approval is enabled for a selected group, each time somebody adds or removes group members, a notification message is displayed stating that the operation will be sent for approval. The approval initiator must fill in the comment field on this message and send the operation for approval.
As a result, a new approval task will be created, and the approver will get an email notification. Approvers can be Active Directory users or mail-enabled security groups specified in the ManagedBy and msExchCoManagedByLink (secondary owners) attributes for the selected group.
Distribution groups and security groups with empty mail attributes are not supported as approvers.
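The two paragraphs above define who can act as an approver: the objects referenced by the group's ManagedBy and msExchCoManagedByLink attributes, provided each is a user or a mail-enabled security group. The following PowerShell script is an added example, not Cayosoft's own code, that applies those rules to audit which groups would have no valid approver (their requests would sit unprocessed until the expiration rule cancels them). It assumes the ActiveDirectory RSAT module, an Exchange-extended schema that carries msExchCoManagedByLink, and a placeholder OU path that you must replace.

```powershell
# Added example (not part of the Cayosoft documentation or product):
# resolve the effective approvers of an AD group per the rules above and
# flag groups whose requests could never be approved.
# Assumes: ActiveDirectory module (RSAT), read access to msExchCoManagedByLink.
Import-Module ActiveDirectory

function Get-EffectiveApprovers {
    param(
        [Parameter(Mandatory)] [string] $GroupIdentity
    )

    $group = Get-ADGroup -Identity $GroupIdentity -Properties ManagedBy, msExchCoManagedByLink

    # Primary owner (ManagedBy) plus secondary owners (msExchCoManagedByLink); both hold DNs
    $ownerDns = @()
    if ($group.ManagedBy)             { $ownerDns += $group.ManagedBy }
    if ($group.msExchCoManagedByLink) { $ownerDns += @($group.msExchCoManagedByLink) }

    foreach ($dn in ($ownerDns | Select-Object -Unique)) {
        $obj = Get-ADObject -Identity $dn -Properties objectClass, mail, groupType

        $isUser = $obj.objectClass -eq 'user'
        # groupType bit 0x80000000 marks a security group; distribution groups lack it
        $isSecurityGroup = ($obj.objectClass -eq 'group') -and
                           (($obj.groupType -band 0x80000000) -ne 0)
        $isMailEnabled = -not [string]::IsNullOrEmpty($obj.mail)

        # Page rule: users and mail-enabled security groups are valid approvers;
        # distribution groups and security groups without a mail attribute are not.
        $valid = $isUser -or ($isSecurityGroup -and $isMailEnabled)

        [pscustomobject]@{
            Group         = $group.Name
            Owner         = $obj.Name
            ObjectClass   = $obj.objectClass
            Mail          = $obj.mail
            ValidApprover = $valid
        }
    }
}

# Audit every group under a placeholder OU (replace with your own search base).
$searchBase = 'OU=Approval-Groups,DC=example,DC=com'   # placeholder, not a real path
foreach ($g in Get-ADGroup -Filter * -SearchBase $searchBase) {
    $approvers = @(Get-EffectiveApprovers -GroupIdentity $g.DistinguishedName)
    if (-not ($approvers | Where-Object ValidApprover)) {
        Write-Warning "$($g.Name): no valid approver (owners: $($approvers.Owner -join ', '))"
    }
    $approvers
}
```

Run it from an account that can read the group and owner objects; groups that produce a warning either have no owner set or have only distribution groups or mail-less security groups as owners, and their approval requests would expire rather than be processed.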
Approval is effective for the following web actions:
Membership
Group Properties
User Properties
Computer Properties
Add to Groups (including the quick action)
Leave Group
Join Groups
NOTE: If the approval request initiator and the group owner are the same Active Directory user, even when the ownership is indirect, the approval is bypassed. The approval is also bypassed if the initiator is the Global Admin or is a member of the Domain Admins group in Active Directory.
If the expiration time has passed and the approval request was not processed, the Cancel Expired Work Items rule changes the state of the corresponding work item from New to Expired.