shajipappan Contributor.
Contributor.
700 views

To check initiator is a member of a group in Workflow

Hi Guys,

I have a requirement in which, i need to check if the initiator is a member of a particular team/Group. If he is, then the request should be forwarded without manager approval. The initiator is a DN in my workflow.
So for this i have added a condition in the workflow just before manager approval. Here i need to check if the initiator is member of the team.
I tried some options but couldn't succeed.
Can anyone help me with some solutions?
Labels (1)
0 Likes
8 Replies
Anonymous_User Absent Member.
Absent Member.

Re: To check initiator is a member of a group in Workflow

On 5/17/2018 6:34 AM, shajipappan wrote:
>
> Hi Guys,
>
> I have a requirement in which, i need to check if the initiator is a
> member of a particular team/Group. If he is, then the request should be
> forwarded without manager approval. The initiator is a DN in my
> workflow.
> So for this i have added a condition in the workflow just before manager
> approval. Here i need to check if the initiator is member of the team.
> I tried some options but couldn't succeed.
> Can anyone help me with some solutions?
>
>


Hi,

You can use the fact group memberships are stored in the user object to
perform the check. The default DAL entity for User does have the 'group'
key pointing to gorup memberships.

IDVault.get() in the engine side can return null, a string or a Java
Vector for you to parse. You also need to take into account the case of
the values since reading group membership will yield LDAP DNs as they
are in eDirectory whereas the initiator casing may not match the format
of those.

Last thing to keep in mind is how you will structure the code - the
condition activity expect a boolean true/false response, so you need to
have either a simple conditional or wrap your logic in a function and
return one of those values. I am a fan of creating functions, placing
them on Overview > Global Scripts and then calling the same from the
workflow activity instead of using an IIFE, though both approaches are
valid.

Showing the IIFE approach below (untested code, may need changes):

(function isLDAPDNmemberOfGroup( ldapdn, groupldapdn ) {
var it, qr;
if ( ldandn == null || groupldapdn == null ) {
return false;
}
groupldapdn = groupldapdn.toLowerCase();

try {
qr = IDVault.get( ldapdn, 'user', 'group' );
} catch(e) {} // discarding the error, add error handling instead.
// if result is null it won't match our 2 if conditions and hit the
// return false at the end.
if ( typeof qr === 'string' && qr.toLowerCase() === groupldapdn ) {
return true;
}
if ( typeof qr === 'object' && qr.size() > 0 ) {
it = qr.iterator();
while( it.hasNext() ) {
if ( String( it.next() ).toLowerCase() === groupldapdn) {
return true;
}
}
}
return false;
})( initiator, 'group LDAP DN here' )


Cheers,

-Fernando
https://github.com/fchierad/PRD
0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: To check initiator is a member of a group in Workflow

On 5/18/2018 7:39 AM, Fernando Freitas wrote:
> On 5/17/2018 6:34 AM, shajipappan wrote:
>>
>> Hi Guys,
>>
>> I have a requirement in which, i need to check if the initiator is a
>> member of a particular team/Group. If he is, then the request should be
>> forwarded without manager approval. The initiator is a DN in my
>> workflow.
>> So for this i have added a condition in the workflow just before manager
>> approval. Here i need to check if the initiator is member of the team.
>> I tried some options but couldn't succeed.
>> Can anyone help me with some solutions?
>>
>>

>
> Hi,
>
> You can use the fact group memberships are stored in the user object to
> perform the check. The default DAL entity for User does have the 'group'
> key pointing to gorup memberships.
>
> IDVault.get() in the engine side can return null, a string or a Java
> Vector for you to parse. You also need to take into account the case of
> the values since reading group membership will yield LDAP DNs as they
> are in eDirectory whereas the initiator casing may not match the format
> of those.
>
> Last thing to keep in mind is how you will structure the code - the
> condition activity expect a boolean true/false response, so you need to
> have either a simple conditional or wrap your logic in a function and
> return one of those values. I am a fan of creating functions, placing
> them on Overview > Global Scripts and then calling the same from the
> workflow activity instead of using an IIFE, though both approaches are
> valid.
>
> Showing the IIFE approach below (untested code, may need changes):
>
> (function isLDAPDNmemberOfGroup( ldapdn, groupldapdn ) {
>   var it, qr;
>   if ( ldandn == null || groupldapdn == null ) {
>     return false;
>   }
>   groupldapdn = groupldapdn.toLowerCase();
>
>   try {
>     qr = IDVault.get( ldapdn, 'user', 'group' );
>   } catch(e) {} // discarding the error, add error handling instead.
>   // if result is null it won't match our 2 if conditions and hit the
>   // return false at the end.
>   if ( typeof qr === 'string' && qr.toLowerCase() === groupldapdn ) {
>     return true;
>   }
>   if ( typeof qr === 'object' && qr.size() > 0 ) {
>     it = qr.iterator();
>     while( it.hasNext() ) {
>       if ( String( it.next() ).toLowerCase() === groupldapdn) {
>         return true;
>       }
>     }
>   }
>   return false;
> })( initiator, 'group LDAP DN here' )
>
>
> Cheers,
>
> -Fernando
> https://github.com/fchierad/PRD


hmm typeof a null value does return null, so need that check, forgot
about that when typing. Correction below:

(function isLDAPDNmemberOfGroup( ldapdn, groupldapdn ) {
var it, qr;
if ( ldandn == null || groupldapdn == null ) {
return false;
}
groupldapdn = groupldapdn.toLowerCase();

try {
qr = IDVault.get( ldapdn, 'user', 'group' );
} catch(e) {} // discarding the error, add error handling instead.
if ( qr === null ) {
return false;
}
if ( typeof qr === 'string' && qr.toLowerCase() === groupldapdn ) {
return true;
}
if ( typeof qr === 'object' && qr.size() > 0 ) {
it = qr.iterator();
while( it.hasNext() ) {
if ( String( it.next() ).toLowerCase() === groupldapdn) {
return true;
}
}
}
return false;
})( initiator, 'group LDAP DN here' )
0 Likes
shajipappan Contributor.
Contributor.

Re: To check initiator is a member of a group in Workflow

Thanks Fernando for your suggestion.

Here for checking whether the initiator is a member of admin group, i have written a code in the onload event of a new form field. And with respect to that i have set another form field as True or False.
But when i am trying to map these fields to the flowdata in start activity, i am getting an error while submitting the form. The error is shown as "Error evaluating data items".
Without adding these fields into the flowdata, i can't use the result of this in the workflow.

Can anyone help me with this issue?
0 Likes
shajipappan Contributor.
Contributor.

Re: To check initiator is a member of a group in Workflow

The Error which i am getting in the portal while submitting is:
Process requestId [d953c7550dcc471e81acd61833eb6db1], Id [cn=Modify User,cn=RequestDefs,cn=AppConfig,cn=User Application,cn=Driver_set,ou=IDM,ou=services,o=company]: Error evaluating data items

AND

The Error which i am getting in the User Application Log is:

result: com.novell.soa.script.mozilla.javascript.Undefined@cc3f83c
2018-05-22 03:42:03,238 DEBUG [RBPM] [com.novell.soa.ws.impl.xml.OutputStreamImpl:writeTo] <SOAP-ENV:Envelope xmlns:SOAP-ENV='http://schemas.xmlsoap.org/soap/envelope/' xmlns:xsd='http://www.w3.org/2001/XMLSchema' xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>Client</faultcode><faultstring>Server Error</faultstring><detail><ns1:AdminException xmlns="http://www.novell.com/provisioning/service" xmlns:ns1="http://www.novell.com/provisioning/service"><ns2:reason xmlns="http://www.novell.com/soa/af/impl/soap" xmlns:ns2="http://www.novell.com/soa/af/impl/soap">Process requestId [7a411f30a1314c248d51c977e964c7d8], Id [cn=Modify User,cn=RequestDefs,cn=AppConfig,cn=User Application,cn=Driver_set,ou=IDM,ou=services,o=company]: Error evaluating data items.</ns2:reason></ns1:AdminException><stackTrace xmlns="" xsi:type="xsd:string">com.novell.soa.af.impl.soap.AdminException={_Reason=Process requestId [7a411f30a1314c248d51c977e964c7d8], Id [cn=Modify User,cn=RequestDefs,cn=AppConfig,cn=User Application,cn=Driver_set,ou=IDM,ou=services,o=company]: Error evaluating data items.}
0 Likes
shajipappan Contributor.
Contributor.

Re: To check initiator is a member of a group in Workflow

Hi Guys,
I used the following script in a condition activity in Workflow. But still i am not able to get the output. I am getting the output of this script as false, even if the initiator is a member of admin group
// Check if initiator is a member of Admin Team
function compare(){
var result = false;
var groupDN= "cn=Admin,ou=Groups,o=company" ;

var initiatorDN = initiator;
var groups=IDVault.get(initiatorDN ,'user','groupmembership');
for (var i=0; i<groups.length; i++)
{
if(groups==groupDN)
{
result = true;
}
}
return result;
}
compare();

Does anyone know how, the IDVault.get query works for returning an array and how to use this array to check if the user is a member of a group?
0 Likes
ScorpionSting Absent Member.
Absent Member.

Re: To check initiator is a member of a group in Workflow

Here's code to look up group objects for something else, but it has the type checks on the result which is what you'll be after.....

try{
var notifGroupMails = IDVault.get(objectDN, 'xxxGroup', 'xxxGroupEmailAddresses');
trace("findNotificationEmails(): notifGroupMails " + notifGroupMails.toString(), 3);
if (notifGroupMails != null)
{
if (typeof notifGroupMails === "string")
{
toaddresses.push(notifGroupMails);
}
if (typeof notifGroupMails === "object")
{
for (var g = 0; g < notifGroupMails.size(); g++)
{
toaddresses.push(notifGroupMails.get(g));
}
}
}
}
catch(e3)
{
trace("findNotificationEmails(): Error " + e3, 1);
}


Don't forget that you may want to .toLowerCase() during compare. e.g.:

if(groups.toLowerCase()==groupDN.toLowerCase())

Visit my Website for links to Cool Solution articles.
0 Likes
shajipappan Contributor.
Contributor.

Re: To check initiator is a member of a group in Workflow

Thank you scorpion sting,

Actually in the workflow condition activity, when i used .size(notifGroupMails.size()) function, i was getting an error in the log saying size is not a function.
Thats why i used .length function (groups.length) to get the length of the returned array.
0 Likes
shajipappan Contributor.
Contributor.

Re: To check initiator is a member of a group in Workflow

Thanks a lot guys.
I was able to implement the solution.
Thank you both.
0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.