Add a User to Security Groups

This is an interactive task that allows the user to add an Active Directory user to one or more Security Groups.

Playbook Files

This playbook was built for PPA version 3.1.x

# The task was built to work with these plugin versions.
plugins:
  active_directory: ^12.1
  hashicorp_vault: ^7.1
  ppa: ^10.0
  ppa_tools: ^10.4

set:
  search_scope: null # This gets overwritten if an Organizational Unit is selected.

steps:

  - name: Greeting
    actions:
      - ppa.ui.output_markdown:
          doc: >
            {{ globals.icons.active_directory.full }}


            #### Active Directory - Add User to Groups


            Use this task to add an Active Directory user to one or more groups.


            You will need to:

            - Search for the Active Directory user

            - Search for and select one or more Active Directory groups

            - Confirm the selection

            - Submit an email approval request


            __Note:__ If the user is already a member of any selected groups, their membership to those groups will not be modified.

      - ppa.ui.input_accept:
          text: Start


  - name: Get Secrets
    actions:
      - hashicorp_vault.key_value.read_secret_keys:
          secret: active_directory
          reason: Getting Active Directory details
          keys:
            - name: address
            - name: domain
            - name: username
            - name: password
              sensitive: true
          create_missing: true
        save: domain_controller


  - name: Search for Active Directory User
    actions:
      - active_directory.users.get_interactive:
        load:
          domain_controller: domain_controller
        save: active_directory_user


  - name: Ask For Organizational Unit
    actions:
      - ppa.ui.output_markdown:
          doc: >
            ### Group Search


            PPA will now audit groups from Active Directory.


            You can narrow the audit down to an Organizational Unit if required.

      - ppa.ui.input_confirm:
          text: Please choose an option
          confirm: Choose Organizational Unit
          cancel: Get All Groups
        save: search


  - name: Choose Organizational Unit
    when: search
    actions:
      - active_directory.organizational_units.get_all:
        load:
          domain_controller: domain_controller
        save: organizational_units

      - active_directory.organizational_units.select_one:
          text: Select an Organizational Unit
        load:
          organizational_units: organizational_units
        save: organizational_unit

      - set:
          name: search_scope
        load:
          value: organizational_unit.distinguishedName


  - name: Search for Groups
    actions:
      - ppa.ui.output_progress:
          text: Finding Active Directory groups...
          percent: null
          element_id: finding_groups

      - active_directory.groups.get_all:
        load:
          search_base: search_scope
          domain_controller: domain_controller
        save: all_groups

      - ppa.ui.output_progress:
          text: Found Active Directory groups
          percent: 100
          element_id: finding_groups

  - name: Select Groups
    while:
      name: confirm
      value: false
    actions:
      - active_directory.groups.select:
          text: Select one or more groups
          minimum: 1
        load:
          groups: all_groups
        save: group_selection

      - active_directory.groups.display:
          text: Selected groups
        load:
          groups: group_selection.all

      - ppa.ui.input_confirm:
          text: Add user to {{ group_selection.total }} group(s)?
          confirm: Yes
          cancel: No
        save: confirm

      - ppa.ui.output_error:
          text: Please select the groups again.
        when: not confirm


  - name: Provide Reason
    actions:
      - ppa.ui.input_text:
          text: Reason for access
          required: true
        save: reason


  - name: Create Groups Email Table
    actions:
      - ppa_tools.generate.table_from_dictionaries:
          header:
            - Common Name
            - Group Type
            - Description
          keys:
            - cn
            - groupType
            - description
        load:
          dictionaries: group_selection.all
        save: groups_table

      - ppa_tools.generate.html_table:
        load:
          header: groups_table.header
          rows: groups_table.rows
        save: groups_html_table

  - name: Submit for Approval
    actions:
      - ppa.events.create_approval_request:
        save: approval_request

      - ppa_tools.files.read_text_file:
          name: email.html
        save: email

      - format_template:
          key_values:
            user_common_name: '{{ active_directory_user.cn }}'
            reason: '{{ reason }}'
            groups_table: '{{ groups_html_table }}'
            approve_url: '{{ approval_request.approve_url }}'
            reject_url: '{{ approval_request.reject_url }}'
            icon: '{{ globals.icons.ppa.full }}'
        load:
          template: email
        save: email

      - ppa.ui.input_email:
          text: Approval email address
        save: approval_email_address

      - ppa.ui.output_progress:
          text: Sending approval email...
          percent: null
          element_id: generating_approval_request

      - ppa.events.send_email:
          subject: Active Directory - Group Membership Request
          reason: Sending approval request email
          recipients:
            - '{{ approval_email_address }}'
        load:
          html: email
        rescue:
          - ppa.ui.output_progress:
              text: Failed to send approval email
              percent: 0
              element_id: generating_approval_request

          - ppa.ui.output_error:
              text: Failed to send email report. SMTP is not configured in PPA.
            when: rescue.type == "EventNotConfigured"

          - exit:
              exit_code: 2
            when: rescue.type == "EventNotConfigured"

          - ppa.ui.output_error:
              text: Failed to send email report. Please view the logs for more information.
          - exit:
              exit_code: 2

      - ppa.ui.output_progress:
          text: Sent approval email
          percent: 100
          element_id: generating_approval_request

      - ppa.events.wait_approval_response:
          reason: true
          text: Waiting for approval response...
          approved_message: The requested changes will now be applied.
          rejected_message: The requested changes will be cancelled.
        load:
          approval_request: approval_request
        save: approval_response

  - name: Exit if Request Rejected
    when: not approval_response.approved
    actions:
      - ppa.ui.output_error:
          text: The request was rejected by {{ approval_response.responder }}.

      - ppa.ui.output_error:
          text: "Reason: {{ approval_response.reason }}"

      - exit:
          exit_code: 4

  - name: Add Memberships if Request Approved
    actions:
      - ppa.ui.output_progress:
          text: Adding user to {{ group_selection.total }} group(s)...
          percent: null
          element_id: adding_to_groups

      - active_directory.users.add_to_group:
        load:
          user_distinguishedName: active_directory_user.distinguishedName
          group_distinguishedName: group.distinguishedName
          domain_controller: domain_controller
        for_each:
          items: group_selection.all
          name: group

      - ppa.ui.output_progress:
          text: The user has been added to {{ group_selection.total }} group(s)
          percent: 100
          element_id: adding_to_groups

      - ppa.ui.output_info:
          text: All operations completed successfully!

Running this Playbook

Click download playbook
Import the playbook on the Playbooks page in PPA
Build the playbook from the Edit & Build tab
Run the playbook from the Preview & Deploy tab

Integrations

PPA User Interface
Hashicorp Vault Key-Value engine
Active Directory Users & Groups

Auditing Active Directory Groups

By default this task will audit all groups in Active Directory before asking the user to choose.

This can take a long time on large domains, & you may want to narrow down the search for operational & security reasons.

You can target the search at a specific Container or Organizational Unit by supplying a distinguishedName on line 10.

Required Vault Details

Active Directory

IP/DNS address of a Domain Controller
Domain FQDN
Username
Password

As this is a privileged task, the Active Directory credentials require the permission to add a user to one or more groups.

Vault Configuration Wizard

The first time you run a task built from this playbook, PPA will check the required Vault details exist.

If they don't exist, PPA will ask you to supply the details at the start of the task.

Below you can see a user providing details the first time they run an Active Directory task.

vault-config-wizard

Once the details are added to Vault, the task won't ask for them again.

If you don't know the required details, ask an administrator to run the task or configure Vault manually.

Email Configuration

This task contains an email approval step that requires SMTP to be configured in the PPA appliance.

What the Task Does

Once started, this task allows the operator to:

Search for and select an Active Directory user
Choose one or more Security Groups to add the user to
Confirm the selection
Prompt for an approval email address (see below for more information)
Add the selected user to the chosen groups if the request was approved

Approval Request

This task requires email approval before the chosen group memberships are applied.

For demo purposes the task will ask the user for an email address to send the approval request to.

In production this should be changed to an alternative method, such as…

Configuring a list of approvers in the playbook
Looking up the user's manager in Active Directory (via the manager attribute)
Sending the approval email to members of an Active Directory security group
Using a private Slack channel

… or many others.

See our other playbooks

Get PPA for free!

Start automating your estate with a free 30 day trial today. No signup required!

Get PPA Express

Documentation

Installation Guide
See how easy it is to get started with our installation guide
Playbooks
View our task writing reference guide
Plugins
See how to integrate with different systems using our plugins reference guide.