This is a guest blog post written by Bob Roudebush, a TSP at Microsoft. Thanks for writing this up and sharing with the community, Bob!
This walkthrough was built using the System Center demo virtual machine environment. It assumes that AD is functioning and that both Service Manager (with the SSP) and Orchestrator are installed and functioning and that the appropriate connectors for AD and Orchestrator are configured. Anyone should be able to follow along and do this within their own environment by changing some property values along the way.
1. Create “Add User to Group” Runbook in Orchestrator
2. Create “Add User to Group” Runbook Template in Service Manager
3. Create “Add User to Group” Request Template in Service Manager
4. Create “Add Yourself to a Group” Request Offering in Service Manager
5. Add the Request Offering to a Service Offering in Service Manager
6. Test the Request Offering
The first thing that you’ll need to do is to create the runbook which will actually automate the process of adding a user to the appropriate group in Active Directory. This is a fairly straightforward process but does require some knowledge of how “Get Relationship” activities work in Orchestrator and how to get all of the objects needed to run the workflow successfully, starting from only the affected user and the group they want to be added to.
Travis Wright has a good blog post about this at http://blogs.technet.com/b/servicemanager/archive/2012/05/22/working-with-relationships-in-the-... which I used as a basis for this walkthrough.
1. From the Orchestrator Runbook Designer, create a new Runbook named “Add User to Group”.
2. In the subsequent steps, we’ll build this runbook activity by activity. For reference, here’s what the final result will look like:
3. First, drag the “Initialize Data” activity onto the runbook from the “Runbook Control” IP.
4. In the properties of the activity, add a parameter called “ActivityGUID” of data type “String”. This will be used to pass the GUID of the Runbook Activity work item in from Service Manager. When the runbook starts, it will know which runbook activity work item triggered it and from there can figure out which group is related to it.
5. Next, drag the “Get Relationship” activity onto the runbook from the “SC 2012 Service Manager” IP. Rename it to “Get Group Relationship”. Connect the previous activity “Initialize Data” to it.
6. In the properties of the “Get Group Relationship” activity, configure the details as below, configuring the connection to Service Manager, specifying the object class, object GUID and related class fields. The object GUID is obtained from the Orchestrator databus by subscribing to published data from the “Initialize Data” activity. This gets us the GUID of the related group object in the CMDB. Click Finish.
7. Drag the “Get Object” activity from the “SC 2012 Service Manager” IP onto the runbook. Rename the activity “Get Group Object”. Connect the previous activity “Get Group Relationship” to it.
8. In the properties of the “Get Group Object” activity, configure the details as below, configuring the connection to SC 2012 SM, specifying the object class and then creating a filter to pull the SC Object GUID for the Related Object GUID from “Get Group Relationship”. The value to filter with is obtained from the Orchestrator databus by subscribing to published data from the “Get Group Relationship” activity. This uses the GUID of the group object in the CMDB to get that object from the CMDB and all of its properties. Click OK to create the filter. Click Finish to save the activity.
9. Drag the “Get Relationship” activity from the “SC 2012 Service Manager” IP onto the runbook. Rename the activity “Get Parent SR Relationship”. Connect the previous activity “Get Group Object” to it.
10. In the properties of the “Get Parent SR Relationship” activity, configure the details as below, configuring the connection to SC 2012 SM, specifying the object class, object GUID and related class. The value for the object GUID is obtained from the Orchestrator databus by subscribing to published data from the “Initialize Data” activity. This allows us to discover the GUID of the Service Request work item which triggered the runbook because that’s how we’ll discover the Affected User later. Click Finish.
11. Drag the “Get Object” activity from the “SC 2012 Service Manager” IP onto the runbook. Rename the activity “Get SR Object”. Connect the previous activity “Get Parent SR Relationship” to it.
12. In the properties of the “Get SR Object” activity, configure the details as below, configuring the connection to SC 2012 SM, specifying the object class and then creating a filter to pull the SC Object GUID for the Related Object GUID from “Get Parent SR Relationship”. The value to filter with is obtained from the Orchestrator databus by subscribing to published data from the “Get Parent SR Relationship” activity. This uses the GUID of the service request work item in the CMDB to get that work item from the CMDB and all of its properties. Click OK to create the filter. Click Finish to save the activity.
13. Drag the “Get Relationship” activity from the “SC 2012 Service Manager” IP onto the runbook. Rename the activity “Get User Relationship”. Connect the previous activity “Get SR Object” to it.
14. In the properties of the “Get User Relationship” activity, configure the details as below, configuring the connection to SC 2012 SM, specifying the object class, object GUID and related class. The value for the object GUID is obtained from the Orchestrator databus by subscribing to published data from the “Get SR Object” activity. This is how we discover the GUIDs for all AD user objects related to the service request work item we retrieved earlier. Notice that this is very similar to the “Get Group Relationship” activity except the related class is “Active Directory User” instead of “Active Directory Group”. Click Finish.
15. Drag the “Get Object” activity from the “SC 2012 Service Manager” IP onto the runbook. Rename the activity “Get User Object”. Connect the previous activity “Get User Relationship” to it.
16. In the properties of the “Get User Object” activity, configure the details as below, configuring the connection to SC 2012 SM, specifying the object class and then creating a filter to pull the SC Object GUID for the Related Object GUID from “Get User Relationship”. The value to filter with is obtained from the Orchestrator databus by subscribing to published data from the “Get User Relationship” activity. This activity uses the GUIDs we discovered in the “Get User Relationship” activity to pull all of the user objects from the CMDB that relate to this service request. Among those will be the Affected User which we need. More on that in the next step. Click OK to create the filter. Click Finish to save the activity.
17. Click on the link between “Get User Relationship” and “Get User Object” in the runbook designer and select “Properties”. Select “Exclude” on the left-hand side of the link properties dialog box and click “Add” to add an exclusion filter with the following properties: where “relationship class” from “get user relationship” DOES NOT EQUAL “Affected User”. Since the service request probably has multiple users related to it (Assigned To, Affected, Created By, etc.) this throws away all of the data on the databus EXCEPT the information for the Affected User which is what we need later to add the user to a group. Click Finish.
18. Drag the “Get Group” activity from the “Active Directory” IP onto the runbook. Rename the activity “Get AD Group”. Connect the previous activity “Get User Object” to it.
19. In the properties of the “Get AD Group” activity, configure the details as below, configuring the connection to AD.
20. Select “Filters” on the left-hand side of the Get AD Group Properties dialog box. Add a filter with the settings pictured below, where Sam Account Name EQUALS the user name from “Get Group Object”. The value is obtained from the Orchestrator databus by subscribing to published data from the “Get Group Object” activity. This gets the properties of the group object from AD but only for the group object which equals the group the user selected when they filled out the service request form. We obtained this earlier in the “Get Group Relationship” and “Get Group Object” activities. Click OK to create the filter. Click Finish to save changes to the AD Group activity.
21. Drag the “Get User” activity from the “Active Directory” IP onto the runbook. Rename the activity “Get User”. Connect the previous activity “Get AD Group” to it.
22. In the properties of the “Get User” activity, specify the connection to AD.
23. Select “Filters” on the left-hand side of the Get User Properties dialog box. Add a filter with the settings pictured below, where Sam Account Name EQUALS the user name from “Get User Object”. The value is obtained from the Orchestrator databus by subscribing to published data from the “Get User Object” activity. This gets the properties of the user object from AD but only for the user object which equals the account name of the Affected User in AD. We obtained this earlier in the “Get User Relationship” and “Get User Object” activities. Click OK to create the filter. Click Finish to save changes to the “Get User” activity.
24. Drag the “Add User to Group” activity from the “Active Directory” IP onto the runbook. Rename the activity “Add User to Group”. Connect the previous activity “Get User” to it.
25. In the properties of the “Add User to Group” object, specify the distinguished names for the user and group. These are obtained from the Orchestrator databus by subscribing to published data from the “Get AD Group” and “Get User” activities. Click Finish.
26. Save the runbook and check it into Orchestrator.
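The lookup chain built in steps 5 through 25, as an added example that is not part of the original post or the attached runbook export: a PowerShell function that walks constructed relationship records the way the activities do, applies the step 17 link filter, and stops unless exactly one affected user and one group on an approved list are resolved. The record shapes, the `Resolve-GroupRequest` name, the allow list, the relationship labels other than those named in step 17 and all sample values are assumptions made for illustration.

```powershell
# Constructed sample records standing in for CMDB relationships and objects.
# IDs, field names and the 'AffectedConfigItem' / 'ParentWorkItem' labels are placeholders.
$Rel = @(
    [pscustomobject]@{ From = 'RBA-1'; Type = 'AffectedConfigItem'; To = 'GRP-1' }
    [pscustomobject]@{ From = 'RBA-1'; Type = 'ParentWorkItem';     To = 'SR-1'  }
    [pscustomobject]@{ From = 'SR-1';  Type = 'Created By';         To = 'USR-1' }
    [pscustomobject]@{ From = 'SR-1';  Type = 'Assigned To';        To = 'USR-2' }
    [pscustomobject]@{ From = 'SR-1';  Type = 'Affected User';      To = 'USR-1' }
)
$Obj = @{
    'GRP-1' = [pscustomobject]@{ Class = 'Active Directory Group'; UserName = 'VPN-Users' }
    'USR-1' = [pscustomobject]@{ Class = 'Active Directory User';  UserName = 'jdoe' }
    'USR-2' = [pscustomobject]@{ Class = 'Active Directory User';  UserName = 'analyst1' }
}
$AllowedGroups = @('VPN-Users', 'Wiki-Editors')   # hypothetical self-service allow list

function Resolve-GroupRequest {
    param([string]$ActivityGuid, [object[]]$Relationships, [hashtable]$Objects, [string[]]$Allowed)

    # Steps 5-8: runbook activity -> related group object
    $groups = @($Relationships |
        Where-Object { $_.From -eq $ActivityGuid -and $_.Type -eq 'AffectedConfigItem' } |
        ForEach-Object { $Objects[$_.To] } |
        Where-Object { $_.Class -eq 'Active Directory Group' })

    # Steps 9-12: runbook activity -> parent service request
    $sr = @($Relationships |
        Where-Object { $_.From -eq $ActivityGuid -and $_.Type -eq 'ParentWorkItem' })
    if ($sr.Count -ne 1) { throw "Expected 1 parent service request, found $($sr.Count)" }

    # Steps 13-17: users related to the request, keeping only "Affected User"
    $users = @($Relationships |
        Where-Object { $_.From -eq $sr[0].To -and $_.Type -eq 'Affected User' } |
        ForEach-Object { $Objects[$_.To] })

    # Downstream activities run once per published item, so anything other than
    # exactly one group and one user means an unintended or missing membership change.
    if ($groups.Count -ne 1) { throw "Expected 1 group, found $($groups.Count)" }
    if ($users.Count -ne 1)  { throw "Expected 1 affected user, found $($users.Count)" }
    if ($Allowed -notcontains $groups[0].UserName) {
        throw "Group '$($groups[0].UserName)' is not approved for self-service"
    }

    # These are the values steps 20 and 23 match against Sam Account Name.
    [pscustomobject]@{ UserSam = $users[0].UserName; GroupSam = $groups[0].UserName }
}

Resolve-GroupRequest -ActivityGuid 'RBA-1' -Relationships $Rel -Objects $Obj -Allowed $AllowedGroups
```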
This step assumes you have configured the Orchestrator connector within Service Manager and that it’s properly synchronizing runbooks in Orchestrator 2012 with the Service Manager 2012 CMDB. You may have to manually force a synchronization and/or wait some time for the runbook object you created to appear in Service Manager. Settings for the connector and manual synchronization are configured from the Service Manager console in the Administration pane using the “Connectors” view. You can verify that runbooks are synchronizing by looking in Library -> Runbooks in the Service Manager 2012 console.
1. From the Library pane of the Service Manager console, select the “Runbooks” view and select the “Add User to Group” runbook. If you saved the runbook you created with a different name, select that one instead. Click “Create Runbook Automation Activity Template” in the Tasks pane.
2. Provide a name for the template and select a management pack to save the template in. Make sure the “When I click OK, open the template form” option is selected. Click OK.
3. In the General view of the template form, populate any fields you’d like to have as defaults when a new runbook activity is created. IMPORTANT: Ensure that the option “Is Ready for Automation” is selected or the runbook will not be executed automatically as part of the service request later on!
4. In the Runbook view of the template form, ensure that the ActivityGUID parameter is being mapped properly. To do this, you click on the “Edit Mapping” button and then select “Runbook Automation Activity” and the field “Object -> ID” as below. Click Close. Click OK.
This step assumes that you’ve already created the runbook activity template in Service Manager as outlined previously.
1. In the Library pane of the Service Manager Console, select the “Templates” view. From the task pane, select “Create Template”. Specify a name for the template (Add User to Group Request Template), a class (Service Request) and a management pack where you want to save the template. Make sure the “When I click OK, open the template form” option is selected. Click OK.
2. In the General view of the template form, populate any fields you’d like to have as defaults when a new service request is created. For the purposes of this walkthrough, ensure the title is “Add User to Group”. All other fields are optional.
3. On the “Activities” view of the template form, you can optionally add one or more approval activities to ensure that requests are reviewed before the runbook initiates changes. You also need to add the runbook activity template which was created in the previous step to link the runbook to the request. Click on the ‘+’ icon and select the runbook activity that was previously created. Once the workflow is complete, click OK to save the request template.
This step assumes that you’ve already created the request template in Service Manager as outlined previously.
1. In the Library pane of the Service Manager Console, select the “Service Catalog -> Request Offerings -> All Request Offerings” view. Select “Create Request Offering” from the tasks pane.
2. On the Welcome screen of the request offering wizard, click Next.
3. On the General screen of the request offering wizard, provide a name for the request offering (Add Yourself to a Group) and provide an icon and description. For the Template Name, click the “Select Template” icon and select the request template that was previously created. Click Next.
4. Provide instructions for the form which will be displayed to users on the self-service portal.
5. Configure as many prompts or information text as needed to complete the request or provide enough information during the approval workflow. In the case of this walkthrough, the only required prompt would be for the group to which the user wants to be added.
6. To add a prompt to collect the group to which the user wants to be added, first click the ‘+’ icon on the User Prompts screen. Next, provide a name for the User Prompt – i.e., “Group Name”. Set the response type to “Required” and the prompt type to “Query Results”. This will allow the user to see a list of groups pulled from Active Directory rather than having to type the group name in manually. Click Next.
7. On the Configure Prompts screen, select the “Group Name” prompt and click the “Configure” icon.
8. Ensure that the drop down box next to the search box on the Select Class screen of the query results wizard is set to “All basic classes”. Either narrow the results with the search filter or select the class “Active Directory Group” by browsing through the list of classes. Click the “Configure Criteria” tab.
9. (Optional) To limit the list of groups returned from Active Directory and displayed to the user, place checkmarks next to the properties you wish to filter on and provide criteria to add constraints. Click the “Display Columns” tab.
10. Place checkmarks next to the properties you would like displayed for each group listed for the end user. At a minimum, you should select “Display Name” to display the name of the groups in the query results prompt. Click the “Options” tab.
11. Select the option for “Add user-selected objects to template object as related items” and ensure the drop down below it is set to “Add User to Group – (Service Request)”. Select the option for “Add user-selected objects to template object as affected configuration items” and ensure the drop down below it is set to “Add User to Group – (Runbook Automation Activity)”. IMPORTANT: If you don’t set the latter option then the group which the user selects will not be added to the runbook activity as a configuration item and the runbook you’ve created will have no way of discovering the group the user wants to be added to using its “Get Relationship” activities.
12. Click OK. Click Next.
13. On the Map Prompts screen, map each prompt which was created previously to fields in the service request, review activity or runbook automation activity. In this example, 3 prompts were created (group name, business justification and phone number). Mapping fields like the business justification and phone number to fields in the review activity makes it easier for approvers to see information about the request and the affected user. Click Next.
14. Add any knowledge articles related to this offering. Click Next.
15. Set the status to “Published”. Configure any other properties required for the request offering such as the offering owner and internal notes. Click Next.
16. On the Summary screen, review the information and click Create.
17. Click Close.
This step assumes that you’ve already created the request offering in Service Manager as outlined previously and that a Service Offering has also been previously created in Service Manager.
1. In the Library pane of the Service Manager Console, select the “Service Catalog -> Request Offerings -> All Request Offerings” view. Select the request offering you previously created and select “Add to Service Offering” in the tasks pane.
2. Service Offerings in Service Manager are a way of logically organizing request offerings. If one has not been created, you’ll need to do that first. In this example, select the “Security & Access” service offering from the list and click Add. You can add a request offering to multiple service offerings if desired.
3. Click OK.
Visit the Service Manager Self-Service Portal and select the request offering that you’ve just created. Complete the form and submit it. From the Service Manager console, you should see a new service request work item get created and from that work item you should be able to view the status of related activities by highlighting it and selecting “Edit” in the tasks pane.
Note: an export of the runbook is attached to this blog post if you want to import that and take a closer look.