Subworkflow: Check a User's Group Memberships to Proceed in a Workflow Crate

What does the Subworkflow: Check a User's Group Memberships to Proceed in a Workflow Crate do?

Use this subworkflow in your workflows and option generators to check to see if a user is a member of one of a list of provided group. This is useful for form-triggered workflows where you may wish to limit the functionality based on a form submitter's role.

How the Crate works

The Crate uses the Microsoft Graph API Request action to get all groups a user belongs to.

1. Makes a GET request to the Microsoft Graph API

2. The response will include all groups the user is a member of

3. Checks if your target group is in the returned list

Workflow breakdown

1. The workflow begins with the microsoft_graph_list_groups task, which executes the List Groups action to search for Azure AD groups that match the provided group names from the input.

2. The microsoft_graph_list_groups task uses a filter to find groups where the display name equals any of the group names provided in the input, selecting only the id and displayName fields for efficiency.

3. If the List Groups action succeeds and returns matching groups, the workflow transitions to the make_group_id_list task, which executes the noop action to create a list of group IDs from the search results.

4. The make_group_id_list task publishes a group_id_list variable containing the extracted group IDs and then transitions to the check_member_groups task.

5. The check_member_groups task executes the Graph API Request action to call the Microsoft Graph checkMemberGroups endpoint, passing the username and the list of group IDs to determine if the user is a member of any of those groups.

6. If the check_member_groups task succeeds, it publishes two key variables: member_group_ids containing the group IDs the user belongs to, and user_in_group set to true or false based on whether any group membership was found, then transitions to the checks_successful task.

7. The checks_successful task executes the noop action and serves as the successful completion point of the workflow.

8. If any task fails or if no matching groups are found in step 2, the workflow transitions to the errors_in_processing task, which executes the noop action and publishes any accumulated errors to the workflow output.

9. The workflow concludes by outputting three values: user_in_group indicating membership status, member_group_ids containing the specific group IDs the user belongs to, and errors containing any error messages encountered during processing.

Crate prerequisite

The Microsoft Cloud integration bundle, which contains our Microsoft Graph integration, must successfully be installed before unpacking this Crate.

Example Jinja template for checking membership

Unpack the Subworkflow: Check a User's Group Memberships to Proceed in a Workflow Crate

1. Navigate to Crates > Crate Marketplace in the left side menu Rewst platform.

2. Search for Sub-workflow: Check a User's Group Memberships to Proceed in a Workflow.

   

3. Click on the Crate tile to begin unpacking.

4. Click Unpack Crate.

5. Click Continue.

6. Enter Time Saved under Crate Configuration.

7. Click Unpack.

Use the subworkflow

1. Navigate to Automations > Workflows in the left side menu of your Rewst platform.

2. Click into the workflow where you would like to use the subworkflow, or create a new workflow.

3. Search in your actions list for Check if a User is in an AzureAD Group.

4. Click and drag the action to the Workflow Builder canvas.

5. Enter the required information into the following fields of the task's configuration menu:

   1. groups: the name or ID of AzureAD Groups to check the user's membership against

   2. username: use CTX.username to capture the form submitter