# Workflows & Event Handling
This document details how workflows and event handling operate in Activate Security Group Compliance Manager (SGCM). These define how the product interprets Active Directory changes, determines policy relevance, and executes the appropriate actions.

## Overview

Workflows and event handlers form the operational core of SGCM. When a change is detected in Active Directory (AD), SGCM determines whether it violates a compliance policy and then executes a defined workflow to remediate, notify, or log the event.

## Workflow types

SGCM includes several standard workflow templates designed to handle AD synchronisation, change processing, and group membership monitoring.

| Workflow | Description |
| --- | --- |
| `importworkflow` | Imports detected changes from AD into the connector space. |
| `changeworkflow` | Processes updates and triggers the corresponding compliance events. |
| `groupmemberworkflow` | Handles group membership additions and removals. |
| `fullworkflow` | Runs the import and change workflows in sequence. |
| `fullworkflowwithgroups` | Combines the import, change, and group member workflows for continuous monitoring. |

## Polling configuration

SGCM runs periodic background polling through the Activate Job Service. This process checks for new changes and executes the configured workflow.

Parameters controlling polling:

| Parameter | Description | Default |
| --- | --- | --- |
| `connector polltime` | Interval between Active Directory checks (seconds). | 600 |
| `pollworkflow` | Name of the workflow executed on each poll. | None |

Example: to enable continuous monitoring, copy the `fullworkflowwithgroups` parameter and rename it to `pollworkflow` under Resources > Active Directory.

## Change handlers

Change handlers define how SGCM processes specific types of changes. Two main change handlers are used:

| Change handler | Description |
| --- | --- |
| `adchangehandler` | Processes standard AD object changes such as user or computer updates. |
| `adgroupmemberchangehandler` | Manages changes to group membership and triggers compliance responses. |

### adchangehandler

The `adchangehandler` is used for directory object changes and provides integration points to other Activate roles or linked data. It supports linking to objects such as managers or departments through defined XML configuration.

Example:

```xml
<links>
  <manager>
    <scope>=//roles/system roles/users</scope>
    <match when="managerdomainname">(samaccountname=%=//current/managerdomainname%)</match>
  </manager>
</links>
```

These links can then be accessed within workflows using global variables (for example, `=//links/manager`).

### adgroupmemberchangehandler

This handler monitors group membership changes and determines what type of group event has occurred. It classifies groups by purpose and executes the corresponding event definition.

| Group type | Description |
| --- | --- |
| Service group | Linked to a service using the `mastergroup` parameter; the primary control point for service access. |
| Distribution list | Detected if the group synchronises under Resources/Distribution Lists. |
| Security group | Detected if the group synchronises under Resources/Security Groups. |

## Event handling

SGCM event handlers define the response when a monitored event occurs. Each event type corresponds to a specific state change within AD.

| Event | Description |
| --- | --- |
| `create` | Triggered when a new object or group is created. |
| `add` | Triggered when a user is added to a group. |
| `deny` | Triggered when an unauthorised membership addition is detected. |
| `remove` | Triggered when a user is removed from a group. |

Example service group event definition:

```xml
<services>
  <events>
    <deny>
      <removemember></removemember>
    </deny>
    <add>
      <createservice></createservice>
    </add>
    <remove>
      <deleteservice></deleteservice>
    </remove>
  </events>
</services>
```

This workflow automatically removes unauthorised additions, creates service instances for valid ones, and deletes services when users are removed.

### Notifications and logging

Event handlers can send notifications or log details for audit.

Example notification event:

```xml
<notify>
  <users>=//groupresource/securitygroupmanagers</users>
  <message>
    <subject>Group membership added alert</subject>
    <body><![CDATA[
Notification: a user %=//member% has been added to %=//groupresource/group% outside Activate.
The user has been removed from the group. Please advise them to request access via Activate.
    ]]></body>
  </message>
</notify>
```

Notifications can be directed to roles, teams, or security groups specified in the `securitygroupmanagers` parameter.

## Global variables

Global variables are accessible within event handlers and workflows for dynamic data mapping.

| Variable | Description |
| --- | --- |
| `user` | Represents a user object, if applicable. |
| `group` | Represents a group object, if applicable. |
| `computer` | Represents a computer object. |
| `contact` | Represents a contact entry. |
| `links` | Collection of linked directory objects (for example, manager). |
| `rolelinks` | Collection of Activate roles related to the current object. |

## Audit and troubleshooting

All SGCM events are recorded within Activate's audit log, allowing administrators to trace every detected change, workflow execution, and resulting action.

For troubleshooting:

- Confirm the polling frequency under the domain resource.
- Check the Activate Job Service logs for workflow execution errors.
- Review the event configuration within the connector events parameters.

## Summary

SGCM workflows and event handling deliver automated, policy-driven enforcement of security group compliance. By linking change detection with configurable workflows, SGCM ensures all Active Directory modifications are validated, logged, and remediated according to organisational policy.
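The following is an added example, not SGCM's own code or any part of the Activate product, that simulates the service-group event handling described in the "Event handling" and "Notifications" sections above. It parses the page's `<services><events>` definition into an event-to-action map, diffs two constructed membership snapshots of a service group, classifies each change as `add`, `deny` or `remove` (an addition counts as `deny` when it was not granted through Activate), maps it to the configured action, and renders the notification body using the page's `%=//member%` and `%=//groupresource/group%` placeholders. The snapshot members, the "authorised" set, the group name `SVC-Finance` and the notification template are constructed for the example; how SGCM itself decides that an addition is unauthorised is not described on the page, so the "authorised set" is an assumption.

```python
"""Added example (not SGCM code): simulate service-group event handling.

Parses the page's <services><events> definition, diffs two constructed
membership snapshots, classifies each change as add / deny / remove and
maps it to the configured action. The snapshots, the authorised set and
the notification template are constructed for this example.
"""
import xml.etree.ElementTree as ET

# Event definition quoted from the page (service group events).
EVENT_DEFINITION = """
<services>
  <events>
    <deny><removemember></removemember></deny>
    <add><createservice></createservice></add>
    <remove><deleteservice></deleteservice></remove>
  </events>
</services>
"""

# Constructed notification template using the page's placeholder syntax.
NOTIFY_BODY = ("A user %=//member% has been added to %=//groupresource/group% "
               "outside Activate. The user has been removed from the group.")


def parse_event_actions(xml_text):
    """Map each event name (deny/add/remove/...) to the action elements
    configured beneath it, e.g. {'deny': ['removemember'], ...}."""
    root = ET.fromstring(xml_text)
    actions = {}
    for event in root.find("events"):
        actions[event.tag] = [child.tag for child in event]
    return actions


def classify_membership_changes(previous, current, authorised):
    """Diff two membership snapshots of one group.

    A member present now but not before is an 'add' if it was granted via
    Activate (assumption: the 'authorised' set), otherwise a 'deny';
    a member that disappeared is a 'remove'.
    """
    events = []
    for member in sorted(set(current) - set(previous)):
        events.append(("add" if member in authorised else "deny", member))
    for member in sorted(set(previous) - set(current)):
        events.append(("remove", member))
    return events


def render_notification(template, member, group):
    """Substitute the %=//...% global-variable placeholders."""
    return (template.replace("%=//member%", member)
                    .replace("%=//groupresource/group%", group))


def handle_group_change(group, previous, current, authorised,
                        xml_text=EVENT_DEFINITION):
    """Run the simulated handler.

    Returns the list of (event, member, action) triples in processing order
    and the notification texts produced for denied additions.
    """
    actions = parse_event_actions(xml_text)
    results, notifications = [], []
    for event, member in classify_membership_changes(previous, current, authorised):
        for action in actions.get(event, []):
            results.append((event, member, action))
        if event == "deny":
            notifications.append(render_notification(NOTIFY_BODY, member, group))
    return results, notifications


if __name__ == "__main__":
    # Constructed snapshots of a service group's members between two polls.
    prev = {"alice", "bob", "carol"}
    curr = {"alice", "bob", "dave", "eve"}
    authorised = {"alice", "bob", "dave"}  # dave's access was granted via Activate
    triples, notes = handle_group_change("SVC-Finance", prev, curr, authorised)
    for item in triples:
        print(item)
    for note in notes:
        print(note)
```

Running the block shows the three outcomes the page describes: `dave` (authorised) produces `createservice`, `eve` (not authorised) produces `removemember` plus a notification, and `carol` leaving produces `deleteservice`. In a real deployment the "authorised" decision would come from Activate's own records of access granted through the service, not from a hard-coded set.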