Managing service subscriptions

[Dan Munns]

Hi all,

I am looking at service catalog subscriptions at am wondering if there is a way to add users to a team/dept based on a custom AD field as well as add them into their normal day to day team/dept

We currently have around 200 users who can raise requests. This changes constantly and I don't fancy having to keep lists of users up to date per service.

What I was hoping for was something along the lines of:

1.           User account in AD has HR as Dept and Payroll as Team so they are added to the correct dept and team on the LDAP update.
2.           User account has 'Authoriser' in custom field 1 in AD so they are also added to the 'Authorisers' team which is a subscriber team for service requests and staff changes.

I feel there must be a way of doing it automatically as having to maintain multiple lists of subscribers to all services is a lot of work and would end up being a constantly running maintenance task for at least one of the service desk staff.

Any pointers / assistance appreciated

Thanks   

[Conor]

Hi Dan

The simplest way would be to copy the existing import script, change the LDAP filter to only look for users with 'authoriser' in the custom field in the copied import script (or a wildcard if there may be multiple values in that field), and then map the custom field value into the OrgLookup function at the bottom of the copied import script and schedule it shortly after the existing import script.

This will mean that each user that has the custom field populated with authoriser in AD will be automatically added to the authoriser team when the second import runs, and the first import will have already added them to their day to day team/dept. Any existing details on the user record will remain unless they have changed in between the scripts running, in which case they will be updated.

One of the developers may have a way of managing it in the one script, but this method will be very easy to set up and manage moving forward.

Hope this helps!

Conor

 

[Conor]

From the wiki page https://wiki.hornbill.com/index.php/LDAP_User_Import one thing I should point out is that the value in custom field 1 should match the name of the team in Hornbill: 

OrgLookup

The name of the Organization in Hornbill must match the value of the Attribute in LDAP.

• Action - (Both | Update | Create) - When to Associate Organisation On Create, On Update or Both
• Enabled - Turns on or off the Lookup of Orgnisations
• Attribute - The LDAP Attribute to use for the name of the Site ,Any value wrapped with [] will be treaded ad an LDAP field
• Type - The Organisation Type (0=general ,1=team ,2=department ,3=costcenter ,4=division ,5=company)
• Membership - The Organisation Membership the users will be added with (member,teamLeader,manager)
• TasksView - If set true, then the user can view tasks assigned to this group
• TasksAction - If set true, then the user can action tasks assigned to this group.

[Dan Munns]

@conorh

Thanks I have sorted it out now.

Cheers

Dan

[Dan Munns]

Hi all,

I have sorted out the LDAP import to complete the above (thanks @conorh)

However I am now looking for a way to remove users from the group should the need arise.

I can see a way for the LDAP to remove items from user profiles in service manager, only update them. As this is used for delegated authorisers the auth/not auth tag in AD will change and mean that the user needs removing form the authoriser group in service manager.

I am hoping that this isn't a manual process as I get the feeling that this will not get maintained and negate the auth process I have created for us.

Any help gratefully received

Thanks

Dan

[Conor]

Hi @Dan Munns

This is the flip side of the import - it will never remove data, only update or insert. For attributes against a record such as mobile number for users, or location for an asset, these values will be updated if different in the source but never removed if the value is not in the source anymore. For multiple values, such as team membership where a user may be a member of different teams then it will not remove them from those teams, but it can add a user to multiple teams. 

So the import will never remove a user from a group if that has changed in the source. Fortunately it is incredibly easy to do this manually in Service Manager via the admin tool. Go to Admin -> System -> Organisational Data -> Organisation -> Authorisers, and from there you can simply select each user that does not need to be in the team anymore on the left and then hit the delete button on the top right. There will be a prompt to confirm if you want to remove those users from the team, hit yes and the selected users will no longer be a part of that team. 

In a nutshell the addition of users to a team can be managed automatically via the AD import, but it will never remove users from a team automatically. As you will see though, it couldn't be much easier to manage manually in this case.

Thanks

Conor

[Dan Munns]

Ok thanks

Dan