Inside Activate
How To
How to configure a single service to add users to a user group in their own domain
Summary

This approach allows a single Activate service to work across two or more domains, while ensuring the requested user is added to the correct Active Directory group in their own domain. It is useful when:

- users from multiple domains can access Activate
- a service can be ordered for the requester or for another user
- the target user may exist in the same domain or in a different domain
- each domain requires membership in a different AD group

Scenario

Users in two or more domains can order user-group-based services through Activate. When the service request is approved, Activate should add the target user to an AD group in that user's domain. A user in either domain can order the service for:

- themselves
- another user in the same domain
- a user in a different domain

High-level approach

To support this configuration:

- create a separate delivery method for each target domain
- secure each delivery method so only the relevant users can access it
- configure the service to use all relevant delivery methods
- add service parameters that define the correct group for each domain

How it works

When Activate provisions the service instance, it will:

1. read the availableDeliveryMethods parameter on the service
2. identify which delivery method resources the target user can access
3. read the userGroupName parameter from the applicable delivery method
4. look for a service parameter with that name
5. add the user to the group defined in that parameter

If no matching group parameter exists for the target user's domain, Activate will not add the user to a group. The job will not error.

Configuration steps

1. Create a delivery method for each domain

Under //Resources/Services/Delivery Methods, create a new delivery method resource for each domain the target users belong to.

2. Secure each delivery method

Apply security so that only administrators and users from the applicable domain can access that delivery method resource. This ensures the correct delivery method is available based on the target user's domain.

3. Configure the userGroupName parameter on each delivery method

On each delivery method, set a string parameter named userGroupName. This parameter should contain the name of the service parameter that Activate will look for when determining which group to use.

4. Update the service delivery methods

On the service, configure availableDeliveryMethods to include:

- both of the new domain-specific delivery methods
- the existing user-based delivery method

For example, if the service is also used for Azure users, keep the existing user-based delivery method enabled unless you are certain it is no longer required.

5. Add group reference parameters to the service

On the service, create a GroupReference parameter for each domain that requires its own group. The parameter names must match the values defined in the userGroupName parameter on the relevant delivery methods.

Example logic

A service might include:

- one delivery method for Domain A
- one delivery method for Domain B
- one existing standard user delivery method

Each domain-specific delivery method would define a different userGroupName value, such as:

- domainAGroup
- domainBGroup

The service would then contain matching parameters such as:

- domainAGroup = CN=Service Group A,OU=Groups,DC=domaina,DC=local
- domainBGroup = CN=Service Group B,OU=Groups,DC=domainb,DC=local

When the service is provisioned, Activate uses the target user's accessible delivery method to determine which parameter to read, then adds the user to the corresponding group.

Important behaviour

- The target user's domain determines which delivery method is used.
- The delivery method determines which service parameter Activate reads.
- The service parameter determines which group the user is added to.
- If the expected group parameter does not exist, the job does not fail.

Because of this, service security should be configured carefully to avoid unexpected outcomes where a user can order a service but no group assignment occurs.

Configuration guidance

Use security on both:

- the delivery method resources
- the service itself

to ensure only valid combinations of users, services, and target domains are available.
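The resolution logic described above, modelled as an added Python example (not Activate's own code), with a check that reports users who can order the service but would silently receive no group. Delivery method, parameter and user names are constructed, and a set of allowed domains stands in for the security applied to each delivery method resource.

```python
from dataclasses import dataclass, field

@dataclass
class DeliveryMethod:
    name: str
    user_group_name: str     # userGroupName string parameter on the delivery method
    allowed_domains: set     # stands in for the security applied to the resource

@dataclass
class Service:
    available_delivery_methods: list
    parameters: dict = field(default_factory=dict)  # GroupReference parameters by name

@dataclass
class User:
    sam: str
    domain: str

def accessible_delivery_methods(service, user):
    """Delivery methods the target user can reach under the security applied to them."""
    return [dm for dm in service.available_delivery_methods if user.domain in dm.allowed_domains]

def resolve_group(service, user):
    """Group DN Activate would use, or None when no matching parameter exists.
    None models the documented behaviour: no group assignment, and the job does not error."""
    for dm in accessible_delivery_methods(service, user):
        group = service.parameters.get(dm.user_group_name)
        if group:
            return group
    return None

def find_silent_gaps(service, users):
    """Users who can order the service but would receive no group: the case to catch."""
    return [u.sam for u in users
            if accessible_delivery_methods(service, u) and resolve_group(service, u) is None]

# Constructed sample data with hypothetical names, mirroring the example above.
DOMAIN_A = DeliveryMethod("Domain A users", "domainAGroup", {"domaina.local"})
DOMAIN_B = DeliveryMethod("Domain B users", "domainBGroup", {"domainb.local"})
SERVICE = Service(
    available_delivery_methods=[DOMAIN_A, DOMAIN_B],
    # domainBGroup is deliberately missing to show the silent no-op
    parameters={"domainAGroup": "CN=Service Group A,OU=Groups,DC=domaina,DC=local"},
)
USERS = [User("alice", "domaina.local"), User("bob", "domainb.local"), User("carol", "other.local")]

if __name__ == "__main__":
    for u in USERS:
        print(f"{u.sam}: {resolve_group(SERVICE, u)}")
    print("users who can order but get no group:", find_silent_gaps(SERVICE, USERS))
```

Running the check after each configuration change surfaces the domain whose GroupReference parameter is missing before a user orders the service and quietly receives nothing.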