To check initiator is a member of a group in Workflow

Hi Guys,

I have a requirement in which I need to check if the initiator is a member of a particular team/Group. If he is, then the request should be forwarded without manager approval. The initiator is a DN in my workflow.
So for this I have added a condition in the workflow just before manager approval. Here I need to check if the initiator is a member of the team.
I tried some options but couldn't succeed.
Can anyone help me with some solutions?
  • On 5/17/2018 6:34 AM, shajipappan wrote:
    >
    > Hi Guys,
    >
    > I have a requirement in which I need to check if the initiator is a
    > member of a particular team/Group. If he is, then the request should be
    > forwarded without manager approval. The initiator is a DN in my
    > workflow.
    > So for this I have added a condition in the workflow just before manager
    > approval. Here I need to check if the initiator is a member of the team.
    > I tried some options but couldn't succeed.
    > Can anyone help me with some solutions?
    >
    >


    Hi,

    You can use the fact that group memberships are stored in the user object to
    perform the check. The default DAL entity for User does have the 'group'
    key pointing to group memberships.

    IDVault.get() in the engine side can return null, a string or a Java
    Vector for you to parse. You also need to take into account the case of
    the values since reading group membership will yield LDAP DNs as they
    are in eDirectory whereas the initiator casing may not match the format
    of those.

    Last thing to keep in mind is how you will structure the code - the
    condition activity expects a boolean true/false response, so you need to
    have either a simple conditional or wrap your logic in a function and
    return one of those values. I am a fan of creating functions, placing
    them on Overview > Global Scripts and then calling the same from the
    workflow activity instead of using an IIFE, though both approaches are
    valid.

    Showing the IIFE approach below (untested code, may need changes):

    (function isLDAPDNmemberOfGroup( ldapdn, groupldapdn ) {
      var it, qr;
      if ( ldapdn == null || groupldapdn == null ) {
        return false;
      }
      groupldapdn = groupldapdn.toLowerCase();

      try {
        qr = IDVault.get( ldapdn, 'user', 'group' );
      } catch(e) {} // discarding the error, add error handling instead.
      // if result is null it won't match our 2 if conditions and hit the
      // return false at the end.
      if ( typeof qr === 'string'
  • On 5/18/2018 7:39 AM, Fernando Freitas wrote:
  • Hi Guys,
    I used the following script in a condition activity in Workflow. But still I am not able to get the output. I am getting the output of this script as false, even if the initiator is a member of admin group.

    // Check if initiator is a member of Admin Team
    function compare(){
      var result = false;
      var groupDN= "cn=Admin,ou=Groups,o=company" ;

      var initiatorDN = initiator;
      var groups=IDVault.get(initiatorDN ,'user','groupmembership');
      for (var i=0; i<groups.length; i++)
      {
        if(groups==groupDN)
        {
          result = true;
        }
      }
      return result;
    }
    compare();

    Does anyone know how the IDVault.get query works for returning an array and how to use this array to check if the user is a member of a group?
  • Thanks Fernando for your suggestion.

    Here for checking whether the initiator is a member of admin group, I have written a code in the onload event of a new form field. And with respect to that I have set another form field as True or False.
    But when I am trying to map these fields to the flowdata in start activity, I am getting an error while submitting the form. The error is shown as "Error evaluating data items".
    Without adding these fields into the flowdata, I can't use the result of this in the workflow.

    Can anyone help me with this issue?
  • The Error which I am getting in the portal while submitting is:
    Process requestId [d953c7550dcc471e81acd61833eb6db1], Id [cn=Modify User,cn=RequestDefs,cn=AppConfig,cn=User Application,cn=Driver_set,ou=IDM,ou=services,o=company]: Error evaluating data items

    AND

    The Error which I am getting in the User Application Log is:

    result: com.novell.soa.script.mozilla.javascript.Undefined@cc3f83c
    2018-05-22 03:42:03,238 DEBUG [RBPM] [com.novell.soa.ws.impl.xml.OutputStreamImpl:writeTo] <SOAP-ENV:Envelope xmlns:SOAP-ENV='schemas.xmlsoap.org/.../' xmlns:xsd='www.w3.org/.../XMLSchema' xmlns:xsi='www.w3.org/.../faultcode><faultstring>Server Error</faultstring><detail><ns1:AdminException xmlns="">www.novell.com/.../service" xmlns:ns1="">www.novell.com/.../service"><ns2:reason xmlns="">www.novell.com/.../soap" xmlns:ns2="">www.novell.com/.../soap">Process requestId [7a411f30a1314c248d51c977e964c7d8], Id [cn=Modify User,cn=RequestDefs,cn=AppConfig,cn=User Application,cn=Driver_set,ou=IDM,ou=services,o=company]: Error evaluating data items.</ns2:reason></ns1:AdminException><stackTrace xmlns="" xsi:type="xsd:string">com.novell.soa.af.impl.soap.AdminException={_Reason=Process requestId [7a411f30a1314c248d51c977e964c7d8], Id [cn=Modify User,cn=RequestDefs,cn=AppConfig,cn=User Application,cn=Driver_set,ou=IDM,ou=services,o=company]: Error evaluating data items.}
  • Here's code to look up group objects for something else, but it has the type checks on the result which is what you'll be after.....

    try{
      var notifGroupMails = IDVault.get(objectDN, 'xxxGroup', 'xxxGroupEmailAddresses');
      trace("findNotificationEmails(): notifGroupMails " + notifGroupMails.toString(), 3);
      if (notifGroupMails != null)
      {
        // a single value comes back as a string
        if (typeof notifGroupMails === "string")
        {
          toaddresses.push(notifGroupMails);
        }
        // multiple values come back as an object with size()/get()
        if (typeof notifGroupMails === "object")
        {
          for (var g = 0; g < notifGroupMails.size(); g++)
          {
            toaddresses.push(notifGroupMails.get(g));
          }
        }
      }
    }
    catch(e3)
    {
      trace("findNotificationEmails(): Error " + e3, 1);
    }


    Don't forget that you may want to .toLowerCase() during compare. e.g.:

    if(groups.toLowerCase()==groupDN.toLowerCase())
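
The return-shape and case handling discussed in the replies above, as an added example that is not code from any poster in the thread: it accepts each shape mentioned (null, a single string, a Vector with size()/get(), an array with length) and fails closed, so a lookup error never skips manager approval. Assumptions: the `vault` parameter, `fakeVault` and `fakeVector` are constructed stand-ins for IDVault and a Java Vector, and the 'user'/'group' keys follow Fernando's reply and must match your DAL.

```javascript
// Added example. ES5 syntax so it also suits the Rhino-based workflow engine.
// `vault` is a parameter for testing; a workflow would pass IDVault (assumption).

// Turn any return shape (null, string, Vector-like, array-like) into strings.
function toStringList(value) {
  var out = [], i;
  if (value === null || value === undefined) { return out; }
  if (typeof value === 'string') { return [value]; }
  if (typeof value.size === 'function' && typeof value.get === 'function') {
    for (i = 0; i < value.size(); i++) { out.push(String(value.get(i))); }
    return out;
  }
  if (typeof value.length === 'number') {
    for (i = 0; i < value.length; i++) { out.push(String(value[i])); }
    return out;
  }
  return [String(value)]; // e.g. a wrapped single Java string
}

// DNs are compared case-insensitively, ignoring surrounding whitespace.
function normalizeDn(dn) {
  return String(dn).replace(/^\s+|\s+$/g, '').toLowerCase();
}

// Fails closed: missing input, a lookup error or an empty result all mean
// "not a member", so the request still goes to manager approval.
function isMemberOfGroup(vault, userDn, groupDn) {
  var groups, wanted, i;
  if (!userDn || !groupDn) { return false; }
  try {
    groups = toStringList(vault.get(userDn, 'user', 'group'));
  } catch (e) {
    return false;
  }
  wanted = normalizeDn(groupDn);
  for (i = 0; i < groups.length; i++) {
    if (normalizeDn(groups[i]) === wanted) { return true; }
  }
  return false;
}

// Constructed stand-ins for IDVault and for a Java Vector (not real APIs).
function fakeVector(items) {
  return { size: function () { return items.length; },
           get: function (i) { return items[i]; } };
}
function fakeVault(result) {
  return { get: function () { if (result instanceof Error) { throw result; } return result; } };
}
```
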
  • Thank you scorpion sting,

    Actually in the workflow condition activity, when I used .size(notifGroupMails.size()) function, I was getting an error in the log saying size is not a function.
    That's why I used .length function (groups.length) to get the length of the returned array.
  • Thanks a lot guys.
    I was able to implement the solution.
    Thank you both.