Can you have different departmental Approvers in one AD Group?


Userlevel 3
Badge +16

Hi,

 

We have multiple departments, and have Authorisers for each department.

So when a request comes in on a K2 form, i have my workflow look for the users department and then send the offline Approval to the users Departmental AD Authoriser Group.

 

At the moment i have had to have multiple AD groups created and this doesn't sit well with our AD admins.... They say that for every form this would mean 20+ AD groups and 20+ Group Email addresses (1 for each department). This is how K2 support set this up for me....

 

But i would like to know if I can somehow get away by having just 1 AD Group created, and have all the different departmental Authorsiers in there. But would the workflow be able to check the users department and then somehow match the users department with the Authorsiers with the same department code within that 1 AD group to send for approval?

 

Anyone else do this?

 

K2 support showed me how to have multiple AD groups as that was easier to setup in Workflow using If statements within the Approval Activity.

 

But now that my form will be used globally, that means i have to ask for 20+ AD groups to be created for each K2 form...

 

Any ideas fellow K2ers?

Thanks as always.


4 replies

Badge +5

Any reason why you're not using K2 Roles? You can add multiple users to each role and even use SMO queries for role membership.

Userlevel 3
Badge +16

I've never used K2 roles for anything, i have done it the way K2 support showed me.

 

Are you saying what i explained can be done with Roles? All my Approvers are AD users and belong to different departments.

I would need to send offline approvals to specific departments, then send emails to all the remainers members (of that department) that the request was answered.

 

Is this doable with Roles? If so, any chance of an example similar to what i am trying to achieve?

 

MOST Importantly, I have a K2 form where department contacts manage their own Approvers AD groups, so if i was to use Roles, would i be able to create a form that allows them to add/remove users from a role via a Smartform? If so, i'm all ears.....

Userlevel 1
Badge +8

Hi Sharpharp1

 

There is no out of the box capability to return group members filtered by some attribute (e.g Department). You could look at a custom service broker that could do this (i.e. some .Net code that queries active directory), or you could write a stored procedure in SQL that queries AD (using a linked server to AD) and expose this as a SQL SmartObject method. If you are not familiar with .NET or SQL Active Directory queries there is plenty of examples on Google.

 

The problem you are dealing with is one that most organisation face when trying to automate processes and determine who approvers should be. Some businesses have ERP systems that hold this information (e.g. SAP), but they can be difficult to interface with to get the info you need.

 

One option is create your own repository for storing approvers (e.g. a SQL database). If you can create a generic solution that can be used by all of your forms that might be a good option - it will be a bit of work to set up and you will need to build an interface for the business to maintain the data (and also implement permissions....)


AD groups per department are a good way to go, but if you need one per department per form I can see why that might be a problem.Can you elaborate on why you would need new set of AD groups per form? Are you expecting each form will have a different set of approvers

 

K2 Roles can be useful, but there is no way (out of the box) to allow the business to maintain the membership of these Roles as they are maintained through the K2 Workspace (unless of course you want to give the business access to it). You can add AD groups as role members (and even use SmartObject methods) but this brings you  back to your original problem.

 

Another option to to consider is SharePoint Groups (if you use SharePoint).

 

Finally, for some processes I have simply allowed the users to select the approver/s manually. As K2 always records who the approvers where sometimes the business is happy to allow this to happen - it obviously depends on the criticality/importance of the process.

Userlevel 3
Badge +16

Hi Andrew,

 

Thanks for the pointers.

 

Yes, from the get go I was told that there was a possibility of forms having different departmental Authorisers. This is why is it a big hassle having seperate AD groups for each form (per department).

 

K2 Support showed me how to do this, but the issue we have lots of departments, hence the need for a quantity of AD groups each time i do a form where everyone has access to it.

 

Its a shame i can't just have 1 AD group per form, then have K2 send approvals to those members with department X only, but then also notify the other Department X members that the authorisation was completed.

 

At least i know i can't do this and you've backed up the reason why i'll need masses of AD groups everytime i create a form.

 

As mentioned, i have created a K2 based Portal for department admins to manage these authorisers, so that's almost ready to go live and these AD group memberships can be managed by themselves...

 

Had i been able to have K2 host the Groups and allow department admins to manage the role members within K2, then i would have done it this way... but i'm just thankful i have some kind of solution (although not ideal).

 

Thanks again Andrew for taking the time for your comments.

Reply