I’ve run into an interesting problem but am trying to solve it a different way



I’ve run into an interesting problem (again) but am trying to solve it a different way.
I would like to create a workflow like this:
WHEN: User is added to Google Group
IF: Google Group is one that is intended for FTEs only (in this case all@ )
AND IF: User is already member of a different group (either in Google or OneLogin) that is indicative of being a non-FTE
THEN: Perform some custom action I made with a webhook post to Slack.
It seems that such functionality isn’t possible.

Since BetterCloud does not recognize the “Employee Type” field in Google, we thought it best to leverage Google Group and/or OneLogin Group membership to indicate within various tooling if someone is a contractor or other non-FTE job role. But it seems that this is a fruitless endeavor as well.

We even attempted a slightly hackier workaround with this:
WHEN: User is added to Google Group
IF: Google Group is one that is intended for FTEs only (in this case all@ )
AND IF: Google User’s email contains a prefix that we assign to all contractors
THEN: Perform some custom action I made with a webhook post to Slack.
This also doesn’t work because the AND IF statement about the User only has operators for “is” or “is not” and must be fully filled out.

It has been suggested that we use the “User’s Region” or “User’s Building ID” or “User’s Cost Center” and populate those with the word “Contractor” or some other such thing. Is that really the best fix in this situation? Seems like some pretty basic functionality here…



11 replies

But now that I think on it more, I wonder if you'd need to have a different ... OU to work around this



Hmm, an interesting problem. I would probably need to consider solving this with either a regular check, or using a combination of a script + GAM to look for if/this/then issues.

edit: changed you to I, as it came off more prescriptive than intended.


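A sketch of the "regular check" suggested in the reply above, as an added example that is not part of the original thread. It assumes the two groups' memberships have already been exported to CSV (for instance with GAM) with `group`, `email` and `type` columns; the addresses, the `c-` prefix and the function names are hypothetical.

```python
import csv
import io

# Constructed sample data, shaped like a CSV export of group members
# (assumed columns: group, email, type). Not real output from any tool.
ALL_CSV = """group,email,type
all@example.com,alice@example.com,USER
all@example.com,C-Bob@example.com,USER
all@example.com,carol@example.com,USER
all@example.com,eng-team@example.com,GROUP
"""
CONTRACTORS_CSV = """group,email,type
contractors@example.com,c-bob@example.com,USER
contractors@example.com,Carol@example.com,USER
"""

CONTRACTOR_PREFIX = "c-"  # hypothetical prefix assigned to contractor accounts


def load_members(csv_text):
    """Return (user emails, nested group emails), lower-cased."""
    users, nested = set(), set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        email = row["email"].strip().lower()
        (nested if row["type"].strip().upper() == "GROUP" else users).add(email)
    return users, nested


def find_violations(fte_csv, contractor_csv, prefix=CONTRACTOR_PREFIX):
    """Map each offending address in the FTE-only group to why it was flagged."""
    fte_users, nested = load_members(fte_csv)
    contractor_users, _ = load_members(contractor_csv)
    findings = {}
    for email in sorted(fte_users):
        reasons = []
        if email in contractor_users:
            reasons.append("member of contractors group")
        if email.startswith(prefix):
            reasons.append("contractor email prefix")
        if reasons:
            findings[email] = reasons
    # Nested groups hide their members from this check; surface them for review.
    for group in sorted(nested):
        findings[group] = ["nested group, members not expanded"]
    return findings


def slack_payload(findings, group="all@example.com"):
    """Build the JSON body for a Slack incoming-webhook POST (sending is left out)."""
    lines = [f"- {email}: {', '.join(why)}" for email, why in findings.items()]
    return {"text": f"Non-FTE accounts found in {group}:\n" + "\n".join(lines)}
```

Run on a schedule, this covers both conditions from the original post (membership in a non-FTE group and the contractor email prefix) without depending on the workflow builder's operators.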

all@ is really just a moniker for “all FTEs”. We have a separate contractors@ group. The issue really is that we have no way of reporting/alerting if a contractor is accidentally added to the all@ group…



The same goes for something like Okta as well, with the cursed everyone group



I would say that I strongly recommend you move away from using the all@ group at some point. Depending on what you'll want to do, it'll make some workflows potentially impossible or difficult to pull off. Splitting something like all-fte@ and all-contractors@ etc will mean you can do a lot more things in the future.



Yeah, better to just keep pushing OneLogin to get the features you want



Yeah, I think if we were able to start over again, we’d go with Okta, but we’re pot-committed with OneLogin now. The migration would kill us.



We’re working on getting the G Suite Directory Connector configured as well as the enabled, which might give us this functionality…



Ah, makes sense, have not used OneLogin in years. At least with Okta the 'push group' functionality is pretty good, works on a few other apps too, like Slack and AWS



That’s an idea. Currently, we don’t have any direct integration between OneLogin and Google, other than what BetterCloud can facilitate for us.



Why not put the logic for group membership in OneLogin? I do this on Okta because their expression language for the group membership rules supports many operators. Then Okta pushes the Okta group to Google.

