Configure Access Groups

What is Access Groups?

Moveworks Group Access enables users to self-service the management of distribution lists (DLs), also known as email groups.

Group Access is composed of these key features:

  • Create and manage email groups
  • Add yourself or others to email groups
  • Remove yourself or others from email groups

Learn more about Group Access here: Group Access

Configure Access Groups

Follow the steps below to configure Access Groups.

1. Configure your Connectors

Add Connector config for your Groups Integration system such as: gsuite, active_directory, msgraph, etc.

We recommend the following naming for integration ids:

  1. Active Directory -> active_directory
  2. Microsoft Graph -> ms_graph
  3. Exchange Online -> exchange
  4. Google Workspace -> gsuite

2. Add source in Group Ingestion Config

Under Group Access > Ingestion, add the relevant integrations. This allows Moveworks to ingest the groups for easy real-time searchability.

Under this section, you can also configure Group Filters to fine-tune the groups being ingested from the external system:

These filters can be established in two ways:

  1. Group Email Filter: Input the emails to be excluded. With the email-based filter, these groups are still ingested into Moveworks but aren't actionable. The bot will reply with "sorry, I can't help with this group" if one of these groups is referenced.
  2. Rule-Based Filter: Employ Domain Specific Language (DSL) rules to filter out emails to be excluded. Learn more about writing this DSL rule [here]

Important note on Microsoft Groups Ecosystem

If you ingest groups from Microsoft Graph along with other Microsoft systems such as Active Directory and Exchange Online, always set Microsoft Graph as the last priority in your ingestion configuration. Otherwise it will corrupt your group source info, since Microsoft Graph contains groups sourced from Active Directory and Exchange Online.

3. Add provisioner system in Access Groups Config under Group Access > Connector Settings. This allows the assistant actions to work.

NOTE: The priority here is important to keep in mind. Priority 1 (the group system at the top of the provisioner list) will be used when creating groups. In the example above, groups created will leverage the MS Graph integration and be created as Unified 365/Entra Groups.

4. Enable Plugin Settings for the relevant Group actions you wish to enable.

Group Creation settings

In this section, enable the settings for the Create DL action skill and select the Moveworks approval model it will follow.

  1. Select whether you want the user to provide a description during the Create DL action. This context will be recorded in the ticket that gets created.
  2. Select the Moveworks approval model to follow. To learn more about native approvals, see: Moveworks native approvals. For adding a custom approval model, also refer to this documentation.
  3. DL validation JSON payload: This is an advanced setting that enables validations when a DL is created and also lets you add a prefix or change the domain. Refer to the JSON Bender documentation for more details on writing JSON Bender. The example below enforces a standard company-external.com as the email domain.
{
 "email": {
   "CONDITIONAL()": {
     "context": {
       "group_name": "$SPLIT(email OR \"\", \"@\")[0] OR NULL"
     },
     "condition": "group_name",
     "on_pass": "$CONCAT([group_name, \"@company-external.com\"])"
   }
 }
}

Group member addition settings

In this section, enable the settings for the Add to DL action skill and select the Moveworks approval model it will follow.

  1. Select the Moveworks approval model to follow. To learn more about native approvals, see: Moveworks native approvals. For adding a custom approval model, also refer to this documentation.
  2. Select to hide details on group add: Enable this to hide DL request details from the user, e.g. 'you can now receive emails from [email protected]'. Recommended to leave this off.

Group member removal settings

In this section, enable the setting for removing users from a DL. ⚠️ Note: This action is only supported for Google Workspace (fka GSuite) and Active Directory.

Here, select the Moveworks approval model to follow. To learn more about native approvals, see: Moveworks native approvals. For adding a custom approval model, also refer to this documentation.

5. Enable plugins under AI Assistant Plugin Management

  1. Add user to a group plugin
  2. Remove user from a group plugin
  3. Create a group plugin
  4. Owner of a group plugin
  5. Group membership status plugin

Common Issues

  1. When creating groups in Microsoft 365 / Microsoft Graph, pay close attention to the domain of the final group created in the MS Graph API:
    1. By default, Moveworks will use the primary domain set in Tenant Settings when indexing the group after creating it (usually something like <company>.com). However, we have seen that Microsoft Graph sets the group domain independently based on its configuration, and on occasion defaults to <company>.onmicrosoft.com.
      1. How to fix?
        1. Based on Microsoft's documentation, you will need to run the following command to set the priority of your email domains in Microsoft Graph:

          New-EmailAddressPolicy -Name Groups -IncludeUnifiedGroupRecipients -EnabledEmailAddressTemplates "SMTP:@groups.contoso.com" -Priority 1
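
To confirm whether the domain mismatch described above affects your tenant, the following read-only audit lists the address policies and the domains that existing Microsoft 365 groups actually use. It is an added example, not taken from Moveworks or Microsoft documentation. It assumes an open Exchange Online PowerShell session (Connect-ExchangeOnline), and `$ExpectedDomain` is a placeholder for the domain your policy template sets.

```powershell
# Added example: read-only audit, makes no changes to the tenant.
# Assumption: the ExchangeOnlineManagement module is installed and
# Connect-ExchangeOnline has already been run in this session.
# Placeholder: replace with the domain your email address policy should apply.
$ExpectedDomain = 'groups.contoso.com'

# 1. Show the email address policies and their templates so you can see
#    which policy has the highest priority.
Get-EmailAddressPolicy |
    Format-Table Name, Priority, EnabledEmailAddressTemplates -AutoSize

# 2. Collect Microsoft 365 (unified) groups and extract the domain part
#    of each primary SMTP address.
$groups = Get-UnifiedGroup -ResultSize Unlimited | ForEach-Object {
    [pscustomobject]@{
        DisplayName = $_.DisplayName
        PrimarySmtp = [string]$_.PrimarySmtpAddress
        Domain      = ([string]$_.PrimarySmtpAddress -split '@')[-1].ToLowerInvariant()
        WhenCreated = $_.WhenCreated
    }
}

# 3. Count groups per domain. A large <company>.onmicrosoft.com bucket
#    indicates groups are not being created in the expected domain.
$groups | Group-Object Domain | Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# 4. List groups outside the expected domain, newest first, so you can
#    compare creation dates against the date the policy was set.
$groups |
    Where-Object { $_.Domain -ne $ExpectedDomain.ToLowerInvariant() } |
    Sort-Object WhenCreated -Descending |
    Format-Table DisplayName, PrimarySmtp, WhenCreated -AutoSize
```

If groups created after the policy change still appear in step 4, compare their domain with the primary domain set in Moveworks Tenant Settings, since that is the domain Moveworks uses when indexing a newly created group.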