Keng, Super Contributor

Google Driver - Add Member to Groups without using Group Entitlement

Hi,

I am trying to add the new Google User to about 2 Google Groups upon creation. I am not using the Group Entitlement nor Mirroring Group.

The Group Names are STAFF and ALLUSERS.

I had added this as part of the User ADD event:

<do-add-dest-attr-value class-name="GoogleGroup" name="Members">
  <arg-value type="string">
    <token-text xml:space="preserve">CN=STAF</token-text>
  </arg-value>
</do-add-dest-attr-value>

However, I know what I did is wrong, as I can see from ndstrace.

Scared hell out of me when I saw a <remove-all-values/>.

Anybody have any clue how to add a member to existing Google Groups without entitlements?

Thanks

Micro Focus Contributor

Re: Google Driver - Add Member to Groups without using Group Entitlement

Hello,

Ok, so I will apologise in advance for this question, but why do you choose to add these groups directly? Personally, I would have elected to have this action performed by a role membership operation, where a user is granted the "Staff" role, and that would in turn grant the entitlements/group memberships in Google.

Sure, you can do it in driver policy, but then you lose visibility of the permissions granted at the IDV side, and for me that does not conform to best practice.

Cheers,

Steve

Keng, Super Contributor

Re: Google Driver - Add Member to Groups without using Group Entitlement

Steve,

There is no RBPM nor Identity Application in this setup, therefore Entitlements are not used in this case.

The requirement is to add 2-3 default Google Groups which are the same for all users. Additional group assignments are handled by the Email Team.

Unless there is a way to achieve what you said using Role(s) to assign Group Entitlements using driver policy or some sort.

Else I have to use direct driver policy to achieve it, which is currently what I am trying to do, but I don't know how to do it.

Regards,

Keng

Keng, Super Contributor

Re: Google Driver - Add Member to Groups without using Group Entitlement

Hi,

Anyone have any clue how to write a rule to add a user to the Google Groups without using an Entitlement or Group Package?

Regards,

Keng

Micro Focus Contributor

Re: Google Driver - Add Member to Groups without using Group Entitlement

Hi,

No, without a userapp to talk to, no RBAC model exists, so you will need to write it in policy and drive it by ABAC or other means.

This is the MF code from the entitlement grant:

<do-for-each>
  <arg-node-set>
    <token-entitlement name="NOVLGGLEUSER-GroupMembership"/>
  </arg-node-set>
  <arg-actions>
    <do-trace-message>
      <arg-string>
        <token-text xml:space="preserve">Adding </token-text>
        <token-src-name/>
        <token-text xml:space="preserve"> to the following group: </token-text>
        <token-xpath expression="es:getEntParamField($current-node,'ID')"/>
      </arg-string>
    </do-trace-message>
    <do-add-dest-attr-value class-name="Group" name="Member">
      <arg-association>
        <token-xpath expression="es:getEntParamField($current-node,'ID')"/>
      </arg-association>
      <arg-value type="dn">
        <token-src-dn/>
      </arg-value>
    </do-add-dest-attr-value>
  </arg-actions>
</do-for-each>

While this operates as an entitlement triggered on the user, the group membership operation is group-centric in Google. I would suggest modifying the "do-add-dest-attr-value" verb to use a hard-coded group name, rather than the group association in the granted entitlement (as is coded above).

I would expect that to work.

Cheers,

Steve

Knowledge Partner

Re: Google Driver - Add Member to Groups without using Group Entitlement

To be fair, the older Entitlement Service driver allows Entitlements to be granted based on what is functionally LDAP dynamic group membership. So the precursor to roles.

Of course they want to deprecate ESD hard.

Keng, Super Contributor

Re: Google Driver - Add Member to Groups without using Group Entitlement

Steve,

Not sure this is the correct syntax, but I tried to use the following and it's not working.

<do-add-dest-attr-value class-name="Group" name="Member">
  <arg-dn>
    <token-text xml:space="preserve">CN=TESTIDM</token-text>
  </arg-dn>
  <arg-value type="dn">
    <token-src-dn/>
  </arg-value>
</do-add-dest-attr-value>

I put this in the Creation Policies.

Regards,

Keng

Micro Focus Contributor

Re: Google Driver - Add Member to Groups without using Group Entitlement

Hi,

I think the arg-dn should be the email address of the group you're trying to add the user to. API documentation from Google is below:

https://developers.google.com/admin-sdk/directory/v1/guides/manage-group-members

Also, for testing purposes, I would trigger this outside creation policies, perhaps triggered on a change in the description attribute for example... This way, you can remove timing problems for testing purposes, where the user doesn't actually exist in the G Suite directory, but you're trying to add a group membership to it.

Cheers,

Steve

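An added example that puts Steve's suggestions together; it is not code from the thread or from the Micro Focus Google driver packages. It assumes a Subscriber Command Transformation policy (so it is outside the Creation Policies), uses the Description change as the test trigger, hard-codes the groups by email address in arg-dn, and only fires once the user is associated, i.e. already exists in Google. The group addresses staff@example.com and allusers@example.com are placeholders.

```xml
<!-- Added example, not from the thread or the Google driver packages.
     Assumed placement: Subscriber Command Transformation policy.
     Group email addresses below are placeholders. -->
<rule>
  <description>Add user to default Google Groups (test trigger: Description change)</description>
  <conditions>
    <and>
      <if-class-name op="equal">User</if-class-name>
      <if-operation op="equal">modify</if-operation>
      <!-- Test trigger as Steve suggested; replace with the real trigger later -->
      <if-op-attr name="Description" op="changing"/>
      <!-- Only act once the user is associated, i.e. already exists in Google -->
      <if-association op="associated"/>
    </and>
  </conditions>
  <actions>
    <do-trace-message level="2">
      <arg-string>
        <token-text xml:space="preserve">Adding </token-text>
        <token-src-dn/>
        <token-text xml:space="preserve"> to default Google Groups</token-text>
      </arg-string>
    </do-trace-message>
    <!-- One action per group; arg-dn carries the group's email address (placeholder) -->
    <do-add-dest-attr-value class-name="Group" name="Member">
      <arg-dn>
        <token-text xml:space="preserve">staff@example.com</token-text>
      </arg-dn>
      <arg-value type="dn">
        <token-src-dn/>
      </arg-value>
    </do-add-dest-attr-value>
    <do-add-dest-attr-value class-name="Group" name="Member">
      <arg-dn>
        <token-text xml:space="preserve">allusers@example.com</token-text>
      </arg-dn>
      <arg-value type="dn">
        <token-src-dn/>
      </arg-value>
    </do-add-dest-attr-value>
  </actions>
</rule>
```

Watch the trace at level 3 for the resulting group modify commands; if the driver still emits a remove-all-values, the arg-dn form (email address vs. association) is the first thing to check.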