Group Access

Moveworks Group Access enables users to self-service the management of distribution list (DL), also known as email groups.

Groups Access is composed of these key features:

Group Access request

As shown above, occasionally a user will tell the bot they need help with a distribution list but do not specify what action they want the bot to take, i.e. “I want to update a dl”. In this case, the bot can recognize the user is making a Group Access request and respond with a message showing all available actions it can take on the user’s behalf regarding DLs.

Configuration Options

Prohibit changes to specific groups

There may be some groups that for business reasons you don’t want to be modifiable by users. Moveworks lets you restrict changes on specific groups. For example, some groups you may want to restrict changes on are those used to maintain organizational structure (All-Engineering, All-Company, All-Women) and/or critical leadership groups (Company executives, Legal team). Moveworks can do this in the following ways:

  • Dynamically:
    • For example, Moveworks can be configured to prohibit changes on all groups ending with a certain alias.
  • Statically:
    • Moveworks can be configured to prohibit changes on a finite list of emails to ignore.

Use the language that best suits your org for groups

You can configure which term is used in your bot experience to refer to email lists i.e. groups, distribution list, etc. Admins that use Google Groups may choose to use the term “groups” when referring to distribution lists. Other admins who use Active Directory and/or Exchange may choose to use the term “distribution list”. By default email lists are referred to as “groups”. To change the term being used to refer to email lists, contact your Moveworks Customer Success team.

Ask for description before creating group

The description will be used when creating the group to set as the desc property of the group in the downstream in your email groups system, in remove downstream.

Enforce email prefix naming convention

Some org may want to enforce certain naming standards for email groups. For example, public distribution may need to have the “pdl” prefix. The bot can be configured to support naming conventions.

Note: the naming conventions cannot be dynamic, based on location, role, or other attributes.

Assign approver owners to groups without owners

If a group is without an owner, users can designate a person to become the approver for any groups related requests.

Specify your approval workflow

Moveworks allows you to configure approval workflows for the different supported group operations (add, create, delete). Admins can specify any approval workflow for group requests so that users adhere to your organizational policy. Approval workflows can include logic related to an employees role (is manager), whether or not an employee is a member of a group, and/or whether or not an employee is an owner of a group. Here are some of the most commonly used approval workflows we see across our customers:

Adding users to group requests

→ Group owners manage all requests

  • Requests made by owners of a group will automatically be approved.
  • All requests for group modifications need to be approved by group owners.

→ Auto approve requests for group owners, group members, and managers

  • Requests made by members or owners of a group or a person who holds a manager title will automatically be approved.
  • Requests made by non-members require approval — you specify approval owner (ex. group owners, specific person, or specific group of people)

→ No Approvals required

  • Every request is automatically approved.

Removing users from a group

→ Group owners manage all requests

  • Requests made by owners of a group will automatically be approved.
  • All requests to modify a group need to be approved by group owners.

→ Automatic request approval for group owners, group members, and managers

  • Requests made by members or owners of a group or a person who holds a manager title will automatically be approved.
  • Requests made by non-members require approval — you specify approval owner (i.e. group owners, specific person, or specific group of people)

📘

Note about Google Groups

If you are using Google Groups, Moveworks can honor your pre-existing approval workflow for email groups related to “Open groups” if such group settings for your organization exists. In addition to the “Open groups” setting, there are additional settings that Moveworks will respect that are only applicable to Google Groups (who can join, who can invite, who can moderate members, who can contact owner, who can view membership, who can post a message, who can view the group, is archived).

Supported email groups:

The Moveworks Group Access skill works across Google and Microsoft email systems. For specifics on what type of groups we support, you can refer to the following table.

Type of groupProvisionerDL Group Action Support
Google GroupsGoogle SuiteDL: Create, DL: Add, DL: Remove
Exchange Online Distribution ListMicrosoft Exchange OnlineDL: Create, DL: Add
O365 Unified GroupMicrosoft GraphDL: Create, DL: Add
On-Prem Distribution GroupMicrosoft Active DirectoryDL: Create, DL: Add, DL: Remove
On-Prem Mail-Enabled Security GroupMicrosoft Active DirectoryDL: Create, DL: Add, DL: Remove
Azure AD Cloud-Managed Security GroupMicrosoft GraphUnsupported via DL skill (Supported via Access Software skill)
On-Prem Security GroupMicrosoft Active DirectoryUnsupported
Exchange Online Mail-Enabled Security GroupMicrosoft Exchange OnlineUnsupported

Create a DL

Users can create new email lists, also known as distribution lists (DLs), directly in chat by messaging with the Moveworks bot.

Create a group

To have the Moveworks bot create a new DL, users can send the bot a message in chat, such as:

  • “Create a new marketing dl”
  • “I need to create a new group for my team”

The bot will recognize the user wants to create a group and proceeds to ask them what they would like to name the new group. Then the user can reply to the bot with the name they’d like to give the new group.

After the user tells the bot what they’d like to name the group, the bot confirms with the user the group name and email alias they’d like to give the new group. The bot also lets the user know the group will have the default settings and that the user will be set as the owner of group.

At this point, the user can click on Yes to acknowledge that is the correct name and email address they’d like to give the group, and submit the group request. The bot will then make a REST API call or LDAP request to your respective IDAM system to create the new group. Once it’s done the bot will confirm the group has been created, and provide a link to where they can manage or make changes to the newly made group.

Users can also click on No, modify to give the group a different name, before submitting the group request. When they click on No, modify, a window will appear where the user can edit the owner of the group, the group display name, and the group email prefix.

📘

At this point, the user can also add multiple users to the group.

Configuration Options

Approvals

Administrators can configure whether or not a user requires approval to create a new distribution list.

Add users to a DL

Users can ask the Moveworks bot in chat to add themselves or others to email lists and groups, also known as distribution lists (DLs). They can specify which DL they want to be added to and their request will automatically be completed (depending on their organization’s approval workflow).

Add yourself to a DL

To be added to a DL, users can message the Moveworks bot telling it they want to be added to a specific DL. In response, the bot will reply with a message summarizing the name of the user and the name of the group they are about to be added to. The user can then click on Yes, if the information is correct, and their request will be submitted. The bot will check for any approvals needed to fulfill the request. Once all approvals are secured the bot will add the user to the group and notify them they are now a member of that DL.

Users can also click on No, modify, to change the details of their request. A form will appear when they click No, modify, and they will be able to change the user being added, the group they’re being added to, and add other individuals.

Adding others to a group with user disambiguation

To add others to a group, users can message the bot asking it to add a specific individual to a group. The user can mention the name of the user and the name of the DL they want that person to be added to, and the bot will present a list of DL names that match the user’s request. The user can then select the DL they want to add the other user to by replying to the bot with the number preceding the DL name.

🚧

The bot can only disambiguate user messages for requests to add or remove users from a DL.

Adding multiple people to a group

To add multiple other users to a group, users can message the bot asking it to add users to a group. The bot will be able to recognize the user is asking to add a number of people to a DL, and provide a form for the user to do so. They can then click on Yes, add users to open the form and enter in the email addresses of the users they’d like to add to a group, and enter the name of the group they’d like these people to be added to. Then they can click on Submit and their request will be submitted. Once all approvals are secured the bot will add these users to the desired group and notify them they are now a member of that DL.

Notification for others

When users are added to a group they will be notified in chat by the Moveworks bot that they are now a member of that DL.

Configuration Options

Approvals

Moveworks can be configured to automatically request approval from the owner of a distribution list if required.

Orphaned Email Group

Email groups without an owner assigned can be configured so that a specific person or group of people can receive group request and approve them.

Blocklist

A blocklist allows admins to restrict self additions and third-party additions to a static list of groups. Blocklists can be used for groups where membership is restricted (for example, legal, executives, or financial reporting) and for groups where membership is already automated by another system (i.e. “All-Hands Group” or a group based on location or job category).

FAQ

Q: What if I don’t want some of my groups indexed?

A: Moveworks supports configuring a Denylist. When a group is added to the denylist, the bot will not have any knowledge of this group when searching for DLs.

Q: Does Moveworks cache all the groups in my system?

A: Yes, Moveworks uses its enterprise cache to periodically (every 24 hours) index all groups for searchability.

Q: How often does Moveworks automatically populate the fields in a group request form based on information from the user?

A: The frequency in which the Moveworks bot is able to pre-fill the fields in a group request form varies.

  • 75.2% of the time, a user making a request to add another user to a group will be presented with a form where they must manually fill in all the fields.
  • 21.5% of the time, the bot will be able to pre-fill the user field in a group access request, and the user must manually enter what group they want to make changes to in the group field.
  • 3.3% of the time, the bot will be able to pre-fill the user and group field, and ask for confirmation from the user that the fields have been automatically filled correctly.

Remove users from a DL

Users can ask the Moveworks bot in chat to remove themselves or others from email lists and groups, also known as distribution lists (DLs). They can specify which DL they want to be removed from and their request will automatically be completed (depending on their organization’s approval workflow).

Remove yourself or others from a DL

Automated removal from DL

📘

Automated removal is only supported for Google Groups & groups within on-premise Active Directory.

To be taken off a distribution list, users first message the Moveworks bot telling it they want to remove themselves from an email group. Users can also tell bot to remove other users from email groups. In response, the bot will reply offering the user the option to remove users from a DL by clicking on Remove users from group. When the user clicks on the button, a form will appear in a window.

The form will ask for the email addresses of users to be removed as well as the distribution list they are being removed from. Based on the user’s initial message the bot is able to parse out the name of the user and DL they are being removed from. The fields in the form will be auto-populated with this information and is taken from the bot’s conversation with the user. At this point, the user can also add the email addresses of other users they’d also like to be remove from the group. And when the user clicks on Submit, the bot will tell them what approvals are needed before the request can be completed. And once the removal request is approved, the bot will notify the user they and/or other users have been removed from the DL.

Manual removal from DL

If a system does not support automated removal of users, the Moveworks bot can still help users remove themselves from a group. The user asks the bot to remove them from a specific group, and it will help them file a structured ticket to capture all the information needed for an agent to complete their request.

Removal Notification

When users are removed from a group they will be notified in chat by the Moveworks bot that they are now no longer a member of that DL.

Configuration Options

Approvals

Moveworks can be configured to automatically request approval from the owner of a group if required.

Orphaned Email Group

Email groups without an owner assigned can be configured so that a specific person or group of people can receive approvals.

Blocklist

A blocklist allows admins to restrict self removal and third-party removals to a static list of groups. Blocklists can be used for groups where membership is restricted (for example, legal, executives, or financial reporting) and for groups where membership is already automated by another system (for example, an “All-Hands Group” or a group based on location or job category).