Active Directory groups can be used to manage access control within SharePoint, but often the required groups do not exist and cannot easily be created. Active Directory does, however, hold a lot of relevant organisational information which could be used to build access control within SharePoint. By combining the ability of Nintex workflows to query Active Directory using LDAP with the possibility of creating access control groups within SharePoint via web services, group creation and configuration can be automated to some degree.
To do this, you will need a SharePoint list which stores the parameters used to look up information from Active Directory.
In this example, the objective is to create country-based access control groups, each made up of certain departments. As the nomenclature used in each country may vary, the list allows this information to be tailored for each country.
The overall shape of the workflow is as follows:
The first step is to delete the existing group and then recreate it, querying Active Directory in five parallel actions for the members of three core departments (in this case Finance, Legal and Tax), with the option of a further department plus a non-department criterion for information which does not fit the standard departmental schema.
Each parallel action consists of the following steps:
The LDAP query assembles the members of the group; a For Each loop then takes each user in turn, prepends the domain name to the user ID and writes the user to the group which has been created.
The workflow only needs to be run once to create each group. It is, however, ultimately dependent on the consistency of the information held in Active Directory: whatever the directory says about a user's country and department is what decides group membership.
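As an added illustration (not part of the original post or of Nintex), the following Python builds the per-country LDAP filter such a workflow would issue, escaping the department and country values that come from the SharePoint parameter list, and then mirrors the For Each step by turning the matching users into DOMAIN\user logins. The attribute names (c, department, title), the NetBIOS domain CONTOSO and the sample directory entries are assumptions.

```python
from dataclasses import dataclass

# RFC 4515 escaping for values interpolated into an LDAP filter. Assumption: the
# workflow reads country and department names from the SharePoint parameter list,
# so a value such as "Tax)(objectClass=*" must match literally, not alter the query.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def ldap_escape(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_filter(country, departments, extra=None):
    """Filter for one country group: enabled users in that country whose department
    is listed, or who match the optional non-department (attribute, value) criterion.
    Attribute names c and department are assumptions."""
    alternatives = "".join(f"(department={ldap_escape(d)})" for d in departments)
    if extra:
        alternatives += f"({extra[0]}={ldap_escape(extra[1])})"
    return ("(&(objectCategory=person)(objectClass=user)"
            "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"  # skip disabled accounts
            f"(c={ldap_escape(country)})(|{alternatives}))")

@dataclass(frozen=True)
class Entry:                    # the attributes the filter above looks at
    sam: str
    country: str
    department: str
    title: str = ""
    disabled: bool = False

def resolve_members(entries, country, departments, extra=None, domain="CONTOSO"):
    """Mirror the For Each step: take each user the query would return and prepend
    the (assumed) NetBIOS domain to the user ID. Sorted and de-duplicated."""
    wanted = set(departments)
    logins = set()
    for e in entries:
        if e.disabled or e.country != country:
            continue
        if e.department in wanted or (extra and getattr(e, extra[0], None) == extra[1]):
            logins.add(f"{domain}\\{e.sam}")
    return sorted(logins)

# Constructed sample directory, not real data.
SAMPLE = [
    Entry("afinch", "GB", "Finance"),
    Entry("blaw", "GB", "Legal"),
    Entry("ctaxer", "GB", "Tax", disabled=True),               # disabled: excluded
    Entry("dcontrol", "GB", "Operations", title="Controller"),  # matches extra criterion
    Entry("efrank", "DE", "Finance"),                           # wrong country
]
```

Because the group is deleted and recreated on each run, the membership list is computed fresh from the directory every time, which is why stale or inconsistent AD attributes show up directly in SharePoint permissions.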