AD-Group in SP-Group: Workaround for verifying membership

Change log
January 12, 2016
Fixed a bug with using “getByTitle” and not the correct “getByName” in the SP 2010 code example.

This is a workaround for verifying membership in a SharePoint group when the user is added to the group as a member in an AD-group, and not as an individual user.

For this to work, the SharePoint group must be set up to only allow members to view membership in the group:

You find two code examples below. The first one will work in SP 2013 only, but the last will work in both SP 2010 and SP 2013 (not SP 2007).

Disclaimer: I have NOT been able to test this as I don’t have any AD groups to add in my SP 2013 Office 365 test site.

Based on this post by Eric Alexander

How to set up a trigger in DFFS

In DFFS backend – add this code to the Custom JS:

SharePoint 2013:

function spjs_isCurrentUserInGroup(groupIdOrName){
 var endpoint;
 if(typeof groupIdOrName === "string"){
 endpoint = _spPageContextInfo.webAbsoluteUrl+"/_api/web/sitegroups/getbyname('"+groupIdOrName+"')/CanCurrentUserViewMembership" 
 }else{
 endpoint = _spPageContextInfo.webAbsoluteUrl+"/_api/web/sitegroups("+groupIdOrName+")/CanCurrentUserViewMembership" 
 }
 return jQuery.ajax({ 
 "url":endpoint,
 "type":"GET", 
 "contentType":"application/json;odata=verbose",
 "headers":{ 
 "Accept": "application/json;odata=verbose"
 }
 });
}

function checkADGroupMembership(){
 // 18 is the ID of the SharePoint group
 spjs_isCurrentUserInGroup(18).success(
 function(data){
 if(data.d.CanCurrentUserViewMembership){
 setTimeout(function(){
 spjs.dffs.triggerRule(["isInADGroup"]);
 },10);
 }
 }
 );
}

SharePoint 2010:

function spjs_isCurrentUserInGroup(groupIdOrName){
 var cc, gc, g, u;
 cc = new SP.ClientContext.get_current();
 gc = cc.get_web().get_siteGroups();
 if(typeof groupIdOrName === "string"){
 g = gc.getByName(groupIdOrName);
 }else{
 g = gc.getById(groupIdOrName);
 } 
 u = g.get_users();
 cc.load(u);
 cc.executeQueryAsync(
 function(sender, args){
 setTimeout(function(){
 spjs.dffs.triggerRule(["isInADGroup"]);
 },10);
 },
 function(sender, args){
 // No access
 }
 );
}

function checkADGroupMembership(){
 // 18 is the ID of the SharePoint group
 spjs_isCurrentUserInGroup(18);
}

The number 18 in the function “checkADGroupMembership” is the SharePoint group id, but you can also use the display name of the group – change it to match your group.

Add a rule to DFFS with the “Rule friendly name”:

isInADGroup

This rule is set up with the trigger “No trigger (must be triggered manually), and with all the actions you want to apply if the rule is triggered.

As this is a “manual trigger rule”,  you must add another rule to trigger this one when the form has loaded. This is necessary because the REST call cannot be used with the trigger “Custom JavaScript functions” directly.

To trigger the REST call / JSOM query, and the following trigger of the DFFS rule if the user is member of the group is done by another DFFS rule triggering on “The form is ready”.

Set this one up with the function name “checkADGroupMembership” in the “Run these functions / trigger these rules” field.

If the logged in user is member of the SharePoint group as a member in an AD-group, the rule “isInADGroup” will be triggered.

I hope this makes sense, and if not – post a comment below or in the forum.

Alexander

10 thoughts on “AD-Group in SP-Group: Workaround for verifying membership”

  1. Hi,
    To do something if the user is NOT in the group, look at the code for:

    cc.executeQueryAsync(...

    The first function is for “success = is in group”, the last function is for “fail = not in group”.

    Hope this helps,
    Alexander

    1. How do I trigger a different rule if the user gets an access denied error in response, i.e. the ajax calls ends in an error/fail condition instead of success?

      1. Just add an else on the first if and call another rule from there – something like this:

        if (data.d.CanCurrentUserViewMembership) {
            setTimeout(function () {
                spjs.dffs.triggerRule(["isInADGroup"]);
            }, 10);
        }else{
            setTimeout(function () {
                spjs.dffs.triggerRule(["isNOTInADGroup"]);
            }, 10);
        }

        Alexander

      2. Maybe I am just not understanding the functionality behind the ajax call but this code is inside the ‘success’ function. I was asking how you would handle the ‘failure’ function of the ajax call. Thanks!

      3. The function will not trigger the error function if the user is not member of this group – it will still end up in the success function but the variable data.d.CanCurrentUserViewMembership will be false and not true.

        If it ends up in the error function it is not because the user doesn’t belong to the group, but because he or she does not have the necessary rights so perform the query.

        If you need to use the error function you can try it like this:

        function checkADGroupMembership() {
            // 18 is the ID of the SharePoint group
            spjs_isCurrentUserInGroup(18)
            .success(
                function (data) {
                    if (data.d.CanCurrentUserViewMembership) {
                        setTimeout(function () {
                            spjs.dffs.triggerRule(["isInADGroup"]);
                        }, 10);
                    }
                }
            )
            .error(
                function(err){
                    console.log(err);
                }
            );
        }

        Alexander

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.