I am trying to set up a self service AD group membership form/workflow where an end user can see what security groups they belong to and submit a request to be added or removed from a group. The part where I am having issues is finding a way for the end user to be able to see all the security groups they already belong to. I assume that I could just query LDAP to get the group memberships, store it in a variable, and then present that to the end user. But for some reason I can't get the WF action to work correctly. Could someone help walk me through how I would set the query LDAP function?
Hello William Lemons -
I was working with another community member on something very similar so I took what I did for them and changed it slightly to accomplish what you are looking for. In the post Nintex Workflow - Ldap security query, I created a workflow that looks up a user's information based on email address and then checks if they are a member of a specific user group.
Taking that same functionality, we can take the user's email address and simply send a notification to them with what groups they are currently in.
I attached the .nwf file for you so that you can upload it into a test environment and give it a shot.
The workflow is the same as what I described in the linked post, but rather than checking for a specific group, I create a readable list of groups and then send an email (I provided a brief description of it below, but might be worth the read).
First action is to call a web service (GetUserLoginFromEmail) to get the user's login.
Take note of the emailXML input syntax (caused a bit of a hiccup to get it right). At this point, I would "Run Now" with your email address to ensure you are getting results.
Once we have that in place, it is time to pick apart the results and get the User Login. We can do that using a Query XML action.
Now we have the user's login based on their email address. We can use this to get their CN by looking up their Distinguished Name in User Profile and setting it to a variable using a Set variable action.
This will provide you with a string like so:
Store that in the variable userCN, and then you can plug that into your LDAP query.
Again, I would run this with predictable data to check that it is working. Once that is set up and working, all that is left is to loop through the groups to create a readable list of groups.
Create a notification and fill it in with the groups.
***Keep in mind that you will need to provide credentials for the web service and query LDAP actions. Also, you will need to update the LDAP path to reflect your environment.***
Hope this helps!
Let me know how this works for you!
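The LDAP step and the "readable list of groups" step described above, sketched outside Nintex as an added example (not part of the original post or the attached .nwf file). The thread does not show its actual LDAP query, so the filter shape here is an assumption, the function names are hypothetical, and the DNs are constructed samples. The point is that a Distinguished Name must be escaped before it is plugged into a filter, and group DNs need unescaping before display.

```python
import re

# RFC 4515: characters that must be escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Active Directory bitwise-AND matching rule and the security-enabled groupType bit.
BIT_AND_RULE = "1.2.840.113556.1.4.803"
SECURITY_ENABLED = 0x80000000


def escape_filter_value(value: str) -> str:
    """Neutralise filter metacharacters so the value cannot alter the query."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def security_groups_filter(user_dn: str) -> str:
    """Filter for security groups that list user_dn as a direct member."""
    return "(&(objectCategory=group)(groupType:{}:={})(member={}))".format(
        BIT_AND_RULE, SECURITY_ENABLED, escape_filter_value(user_dn))


def group_name(group_dn: str) -> str:
    """Return the unescaped value of the leading RDN (the group's CN)."""
    # Take everything up to the first comma that is not backslash-escaped.
    rdn = re.match(r"(?:[^,\\]|\\.)*", group_dn, re.S).group(0)
    value = rdn.partition("=")[2]
    # Undo DN escaping: \HH hex pairs (ASCII only here) and \<char>.
    def unescape(m):
        token = m.group(1)
        return chr(int(token, 16)) if len(token) == 2 else token
    return re.sub(r"\\([0-9A-Fa-f]{2}|.)", unescape, value)


def readable_groups(group_dns):
    """Sorted, de-duplicated display names for a list of group DNs."""
    return sorted({group_name(dn) for dn in group_dns}, key=str.lower)


# Constructed sample values (example.com is a placeholder domain).
SAMPLE_USER_DN = r"CN=Lemons\, William (Contractor),OU=Users,DC=example,DC=com"
SAMPLE_GROUP_DNS = [
    r"CN=VPN Users,OU=Groups,DC=example,DC=com",
    r"CN=Finance\, EMEA,OU=Groups,DC=example,DC=com",
]

if __name__ == "__main__":
    print(security_groups_filter(SAMPLE_USER_DN))
    print("; ".join(readable_groups(SAMPLE_GROUP_DNS)))
```

A `member=` filter returns direct memberships only; nested groups and the user's primary group are not included.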
Ryan Greenaway - Yes, that would save a step and allow a workflow variable to be plugged right into that. The reason I did it this way was because I was helping someone with a similar request and all they had to go on was email address. With that in mind, you need to know the user's ID in order to use the Query User Profile action.
If you do not know the login, and all you have to go on is email address, then the way I did it will get you there. However, if you know the user's login, then all you need to do is go after the Distinguished Name from user profile.
Please let us know how it works out for you.
Also, as Ryan mentioned above, if you know the user's login, you can skip the first 2 actions and simply go after the Distinguished Name from the Query User Profile.
Ultimately you'll need to login, just depends on how you are getting it.
It works great! I guess my next challenge is getting this to be displayed in a Nintex Form for an end user to see rather than email the results. Would anyone have any idea on how to accomplish this as well? Thanks so much again, you guys are life savers!
Excellent William Lemons! Glad to hear you got it working. Be sure to mark your question as answered so others can find it.
Alternatively, you could have the user enter their info, submit it, run the workflow and update the list item with the results. This would require the user to have to come back and reopen the form, so probably not the best experience.
I will see what I can come up with if I get some time.
Glad to help!
I actually believe the ability to start a workflow from a form and then post back the results from the workflow to the form, without the form closing would be a beneficial piece of functionality. Workflow allows us to do much more complicated queries from a number of sources, compared to forms, and as such allowing the user to click a button (that triggers a workflow) get a spinning donut for a few moments and then have an action in the workflow that completes the post back to the form.
I've created a suggestion on Uservoice for this if you think it'll be useful.
Great idea! I swear I read something about that somewhere in the community. I believe it was an example displaying the status of the workflow on the form. Let me do some searching and see what I can find.