Question

Query Trustees and Run For Each Group

asked on November 14, 2014

I am assigning security on documents to 30+ AD groups depending on the document type. If the user changes the document type I am then having to remove any security and re-add the appropriate security. As the ability to remove all non-inherited security for all trustees at once is not currently an option, I am looping through all 30+ AD groups to make sure they get removed properly. Right now those AD groups I loop through are hard coded into a token in the Workflow which works fine but I would like to make it a bit more dynamic so the client isn't having to update the values whenever anything changes. Is there a way to query the trustees for all groups (plural) that match a format and then run the for each on that token? Thus I would search the LF trustees and find any that are AD\LF_Test_* which would return AD\LF_Test_123, AD\LF_Test_456, and AD\LF_Test_789 but not return AD\LF_HR. Anyone found a way to search LF Trustees and return multiple values?


Replies

replied on November 14, 2014

I found a workaround as I could not find a way to query the trustees directly for all groups using a dynamic value. This workaround uses the naming convention for the AD groups partially matching the doc types they have access to. Thus if it is an HR department and I want to grant them access to the Confidential doc type I would name the AD group something like LF_HR_Confidential_Add whereas if it was the Hiring it would be LF_HR_Hiring_Add. The workflow then looks like this:

  1. Query my external table for the distinct values (since we are using dynamic dropdowns)
  2. Loop through those distinct values removing the matching trustee for each
  3. It does this for both my Add and View groups as can be seen in the screenshot below

It's not the most elegant solution as it relies on AD names following a precise naming convention and Doc Types not being changed but overall it works in this situation as it allows the customer to add new doc types and matching AD groups without having to change the workflow.  The nice thing about doing it this way is I can also dynamically assign the new security using the same method (without the looping).  

Please let me know if you've found a better way to have workflow dynamically add and remove document level security based on AD groups without having to update workflow when new doc types are added.

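Added example, not part of the original thread and not Laserfiche Workflow or SDK code: a Python sketch of the reconciliation logic the reply describes, with one extra check for entries that match the wildcard from the question but map to no current doc type (the residual access the naming-convention approach can leave behind). The function names, the `HR` department and the sample trustees are constructed assumptions.

```python
from fnmatch import fnmatchcase

DOMAIN = "AD"  # assumed domain prefix, as in the question's AD\LF_Test_* pattern

def expected_groups(dept, doc_type):
    """Groups the naming convention implies for one doc type (Add and View)."""
    return {f"{DOMAIN}\\LF_{dept}_{doc_type}_{right}" for right in ("Add", "View")}

def plan_acl_change(explicit_trustees, dept, known_doc_types, new_doc_type, pattern):
    """Return (remove, add, unexplained) for a document whose type changed.

    explicit_trustees: non-inherited trustees currently on the document
    known_doc_types:   distinct values from the lookup table
    pattern:           wildcard covering workflow-managed groups
    """
    # Never derive a grant from a doc type that is not in the lookup table.
    if new_doc_type not in known_doc_types:
        raise ValueError(f"unknown doc type: {new_doc_type!r}")
    # AD group names are case-insensitive, so compare on casefolded keys.
    managed = {g.casefold() for dt in known_doc_types
               for g in expected_groups(dept, dt)}
    keep = {g.casefold(): g for g in expected_groups(dept, new_doc_type)}
    current = {t.casefold(): t for t in explicit_trustees}
    remove = sorted(n for k, n in current.items() if k in managed and k not in keep)
    add = sorted(n for k, n in keep.items() if k not in current)
    # Looks workflow-managed but matches no current doc type: the table-driven
    # loop would skip it and leave the access in place, so report it.
    unexplained = sorted(n for k, n in current.items()
                         if k not in managed and fnmatchcase(k, pattern.casefold()))
    return remove, add, unexplained

# Constructed sample: "Payroll" was a doc type that is no longer in the table.
SAMPLE_TRUSTEES = [
    "AD\\LF_HR_Confidential_Add",
    "AD\\LF_HR_Confidential_View",
    "AD\\LF_HR_Payroll_Add",
    "AD\\Records_Managers",
]
KNOWN_DOC_TYPES = ["Confidential", "Hiring"]

if __name__ == "__main__":
    plan = plan_acl_change(SAMPLE_TRUSTEES, "HR", KNOWN_DOC_TYPES,
                           "Hiring", "AD\\LF_HR_*")
    for label, names in zip(("remove", "add", "unexplained"), plan):
        print(label, names)
```

Anything in the third list needs a manual review or an explicit removal step, since a loop driven only by the lookup table never visits it.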