Allow group managers to add/remove users to groups

Community Alums · ‎02-07-2023

I am trying to set up access to allow group managers to add/remove users from their groups. I have attempted to create ACL's against sys_user_grmember but have been unsuccessful.
The group managers need to be able to add/remove users to the groups,

Please provide any suggestion, how can I achieve this.

Thanks in advance..!!

BharathChintala · ‎04-21-2023

@lakshmi53678495 @Community Alums

Try Below ACL Script with no role

Create Delete and Write ACL on table level (‘sys_user_grmember’)

check advanced

in script write below

if(typeof parent != 'undefined' && parent.manager == gs.getUserID()){
answer = true; //Allow access if user has 'user_admin' role or is group manager
}else{

answer = false;

}

If my inputs have helped with your question, please mark my answer as accepted solution, and give a thumb up.
Bharath Chintala

View solution in original post

BharathChintala · ‎02-07-2023

@Community Alums

This solution requires you to modify the out-of-box ACLs for the ‘sys_user_grmember’ table. You’ll also need to modify the ‘Omit Edit Condition’ field for the ‘Group Members’ related list on the ‘Group’ form. These configurations are outlined below.

Write and Delete ACLs (‘sys_user_grmember’)
The following script can be used within your Write and Delete ACLs on the ‘sys_user_grmember’ table. No other roles or conditions are necessary for this configuration.

var answer = false; //Restrict access by default
if(gs.hasRole('user_admin') || current.group.manager == gs.getUserID()){
answer = true; //Allow access if user has 'user_admin' role or is group manager
}

Create ACL(‘sys_user_grmember’)
The create ACL works a little bit differently because we don’t have access to ‘current.group.manager’ before the record is created. Because of this, you need to open up create permissions to the role that your group managers will have. Typically these managers will have the ‘itil’ role anyway so you can just set up your ‘create’ ACL with the ‘itil’ role defined in the related list at the bottom of the ACL.

‘Restrict Changes to Group Managers’ business rule
Opening up the create ACL is necessary for this configuration to work, but needs to be backed up by some additional security in the form of a ‘before’ business rule. The business rule performs a secondary check on insert/update of the group member record to ensure that the user is actually a group manager or has the ‘user_admin’ role. If not, it aborts the insert/update and alerts the user.

Name: Restrict Changes to Group Managers
Table: Group Member [sys_user_grmember]
Name: Restrict Changes to Group Managers
Before: True
Insert/Update: True
Script:

(function executeRule(current, previous /*null when async*/) {
  if(!gs.hasRole('user_admin') && current.group.manager != gs.getUserID()){
  //Abort the insert or update
gs.addErrorMessage('You do not have permission to modify this group membership.');
current.setAbortAction(true);
  }

})(current, previous);

List Control ‘Omit Edit Condition’
The final piece of controlling ‘Create’ access is to limit the visibility of the ‘Edit’ button on the ‘Group Members’ related list on the ‘Group’ form. You can manage this by right-clicking the related list header and selecting ‘Personalize -> List control’ from the context menu. You can place this script in the ‘Omit Edit Condition’ field to restrict visibility of the ‘Edit’ button on the related list to those who have the ‘user_admin’ role or are listed as the manager of the given group.

If the ‘Omit Edit Condition’ field is not visible you can add it by personalizing the ‘List Control’ form

var answer = true; //Hide the 'Edit' button by default
if(gs.hasRole('user_admin') || parent.manager == gs.getUserID()){
answer = false; //Show the 'Edit' button if user has 'user_admin' role or is group manager
}
answer;

That should do it! You may also want to create a ‘Groups’ module that is available for the role that your group managers have. This will allow your group managers easy access to the groups in the system (and with a filter access to the groups that they manage).

If my inputs have helped with your question, please mark my answer as accepted solution, and give a thumb up.
Bharath Chintala

Community Alums · ‎02-07-2023

@BharathChintala ,

I tried but it is not working.

lakshmi53678495 · ‎04-21-2023

Hi Asmitha ,

Did you find solution for the issue.Even we are facing the same issue.Please help us.

lakshmi53678495 · ‎04-21-2023

@BharathChintala

Please help me on this i am not able to find the solution...as you mentioned all the ACL's configured correctly, even though managers are not able to add/remove the group members.