Moveworks Setup - Access Groups

What is Access Groups?

Moveworks Group Access enables users to self-service the management of distribution lists (DLs), also known as email groups.

Group Access is composed of these key features:

  • Create and manage email groups
  • Add yourself or others to email groups
  • Remove yourself or others from email groups

Learn more about Group Access here: Group Access

Overview of the Access Groups module

This module enables you to configure the behavior of the 'access group' skill. The configuration is primarily divided into two parts:

  1. Configuring Ingestion: This involves setting up the process to intake groups from an external system and then feed them into the internal system.

  2. Managing the Provisioning System: This includes the following subtasks:

    1. Selection: Choose a provisioning system that will execute necessary actions.
    2. Group Action Settings Creation: Draft the configuration for actions related to group management.
    3. Addition to Group Action Settings: Enhance the existing group action settings by adding new configurations.
    4. Removal from Group Action Settings: Update the group action settings by taking out redundant or unnecessary configurations.

This structure allows for a more organized and straightforward approach to managing access.

Configuring Access Groups

Ingestion

This configuration enables a connection between Moveworks and your external Identity and Access Management (IDAM) system, where your user groups are located.

  1. In the section Set Up System for Group Ingestion, you are required to specify the system where your user groups reside.
  2. Click "Add" to incorporate a new system. In this section, you can define the following:
    1. Ingest Attributes: These are attributes from your external system. Here, you need to list down the attributes you wish to ingest, such as 'distinguishedName'.
    2. Select System: Choose the IDAM system connector.
    3. Group Filters: Insert the filters here to fine-tune the groups being ingested from the external system.
      1. These filters can be established in two ways:
        1. Group Email Filter: Input the emails to be excluded. With group email filters, the excluded groups are still ingested into Moveworks but are not actionable. The bot will reply with "sorry, I can't help with this group" if such a group is referenced.
        2. Rule-Based Filter: Employ Domain Specific Language (DSL) rules to filter out the emails to be excluded. Learn more about writing this DSL rule here:
  3. Configure General Settings:
    1. Choose Joining Key: If identical groups are being ingested from multiple systems, you need to select the joining key. This is typically necessary when you're dealing with multiple Microsoft systems such as Active Directory (AD) and Exchange Online. By default, 'Email' is selected.
    2. Set Up Common Filters: These are universal group filters, and setting them up follows the same process as the system-specific group filters.
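
The joining-key and Group Email Filter behaviour described above, modelled as an added example (not Moveworks code). The record layout, system names, sample groups, case-insensitive key matching and the two non-refusal reply strings are all assumptions made for illustration:

```python
from dataclasses import dataclass, field

# Constructed sample records standing in for groups ingested from two systems.
AD_GROUPS = [
    {"email": "Eng-All@example.com", "distinguishedName": "CN=Eng-All,OU=Groups,DC=example,DC=com"},
    {"email": "payroll@example.com", "distinguishedName": "CN=Payroll,OU=Groups,DC=example,DC=com"},
]
EXO_GROUPS = [
    {"email": "eng-all@example.com", "displayName": "Engineering (all)"},
    {"email": "social@example.com", "displayName": "Social"},
]
EXCLUDED_EMAILS = {"payroll@example.com"}  # Group Email Filter entries (constructed)

@dataclass
class Group:
    key: str
    sources: list = field(default_factory=list)
    attributes: dict = field(default_factory=dict)
    actionable: bool = True

def ingest(systems, joining_key="email", excluded=frozenset()):
    """Merge records that share the joining key and flag email-filtered groups."""
    excluded = {e.lower() for e in excluded}
    merged = {}
    for system_name, records in systems.items():
        for record in records:
            value = record.get(joining_key)
            if not value:
                continue  # a record without the joining key cannot be matched
            key = value.lower()  # assumption: keys are compared case-insensitively
            group = merged.setdefault(key, Group(key=key))
            group.sources.append(system_name)
            for attr, val in record.items():
                group.attributes.setdefault(attr, val)  # first system wins on conflicts
            # Email-filtered groups stay in the catalogue but are not actionable.
            if str(group.attributes.get("email", "")).lower() in excluded:
                group.actionable = False
    return merged

def request_group_change(groups, email):
    # Only the refusal text comes from the page; the other replies are placeholders.
    group = groups.get(email.lower())
    if group is None:
        return "unknown group"
    if not group.actionable:
        return "sorry, I can't help with this group"
    return "request submitted for approval"
```

Running a model like this over an export of your own groups is a quick way to confirm that every sensitive DL ends up non-actionable before the skill is enabled.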

Manage provisioning system

Selecting Provisioning system

In this section you have to select which integrations can be used to provision the access group skill.

  1. Click on the Add button to add a new integration.
  2. Select the system.
  3. Provide the post-provision URL: This is your portal link that will be shown to the user if the user is added to the access group. This is a non-mandatory field.
  4. Select if you want to use this integration for DL creation: Only one system will be used for this action. If multiple systems are selected, the skill action might fail.

Create DL action settings

In this section you have to enable the settings for the create DL action skill and select the Moveworks approval model it will follow.

  1. Select if you want the user to provide a description when creating a DL. This context will be recorded in the resulting ticket.
  2. Select the Moveworks approval model to follow. To learn more about native approvals, click here: Moveworks native approvals. For adding a custom approval model, also refer to this documentation.
  3. DL validation JSON payload: This is an advanced setting which enables validations while a DL is created and also enables you to add a prefix or change the domain. Refer to the JSON bender documentation for more examples here:

Add user to DL settings

In this section you have to enable the settings for the Add to DL action skill and select the Moveworks approval model it will follow.

  1. Select the Moveworks approval model to follow. To learn more about native approvals, click here: Moveworks native approvals. For adding a custom approval model, also refer to this documentation.
  2. Select to hide details on group add: Enable this to hide DL request details from the user, e.g. 'you can now receive emails from [email protected]'. Recommended to leave this off.

Remove user from DL settings

In this section you have to enable the settings for removing users from a DL. This action is only supported in the following integrations.

  1. G Suite
  2. Active Directory

Here you have to select:

  1. Select the Moveworks approval model to follow. To learn more about native approvals, click here: Moveworks native approvals. For adding a custom approval model, also refer to this documentation.

How to guides

How do I enable the create DL skill / Add user to DL skill / Remove user from DL skill?

Plugin controls can be used to enable or disable a skill.

  1. Navigate to the advanced configs and go through the available plugin controls.
  2. Enable the plugin for the respective skill using the plugin control.

How do I select the approval model for the create DL skill / Add user to DL skill / Remove user from DL skill?

  1. Navigate to the sub-section for each skill.
  2. Select the approval model that the skill will follow.