For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
Logo
DeveloperAcademyCommunityStatus
  • Service Management
    • Overview
    • Concierge & Ticketing Capabilities Overview
    • Forms
    • Forms - Integration Specific Guides
    • Live Agent Chat / Handoff
    • Triage
    • Approval Mirroring
    • Ticket Interception
    • Generic Ticketing Integration: Ticket Gateway
  • Administration
    • MyMoveworks
    • Organization Information
    • Roles and Permissions
    • MyMoveworks SSO
  • Moveworks Setup
    • Accessing Moveworks Setup
    • First-Time Login via Magic Link
    • Moveworks Setup Modules
    • Moveworks Setup: Module How To Guides
    • Plugin Management
    • Monitor Alerts
    • Audit Logs
    • DSL Fields Defaults
    • Data Crawling View
    • API Playground
    • Setup Homepage
    • Troubleshooting Hub
    • Security and Privacy Settings
    • Configuration Delete
    • Advanced Config Editor
    • Identity configuration
    • Onboarding Stage
  • Security
    • Security
    • Hyperlink & Button Expiry
    • Attachment Handling
    • Moveworks Subprocessors
  • Provision Management
    • Overview
    • Access Software
    • Access Groups
      • Configure Access Groups
      • How To Guide for Access Groups Plugin
    • Access Account
  • Access Requirements
    • Overview
    • Update Set Modules
    • Ticketing Systems & ITSMs Access
    • Identity and Access Management Systems Access
    • Multi-Factor Authentication (MFA) Systems Access
    • Knowledge Access Requirements
    • Email Distribution List Systems Access
    • Facilities Management Access
    • Live Agent Chat Access
    • HR Information System Access
    • Expense Management Access
    • Calendar Management Access
  • Core Platform
    • User Identity
    • Moveworks On-Prem Agent
    • Approvals Engine
    • Entity Catalog
    • Configuration Languages
    • Moveworks Data Objects
    • SIEM
  • Employee Experience Insights
    • Overview
    • Breaking Down the Dashboard
    • Understanding Industry Benchmarks
    • Apps & Services
    • Impact Module
    • EXI Common Use Cases
    • Configure EXI
    • Ticket Backpolling
  • Knowledge Studio
    • Overview
    • Knowledge Studio Configuration
    • AI Powered Recommendations
    • Inspecting & Verifying Sources
    • Publishing Articles
    • Creating Knowledge Articles
    • Resolving IT Tickets Guidance
DeveloperAcademyCommunityStatus
On this page
  • How To Configure Integration with Exchange On-Prem
  • High-Level Overview
  • Sample Script
  • Considerations
  • How to enforce naming conventions when creating a group
  • How do I enable the create DL skill/ Add user to DL skill/ Remove user from DL skill ?
  • How do I select the approval model for the create DL skill/ Add user to DL skill/ Remove user from DL skill ?
Provision ManagementAccess Groups

How To Guide for Access Groups Plugin

||View as Markdown|
Was this page helpful?
Edit this page
Previous

Access Account

Next
Built with

How To Configure Integration with Exchange On-Prem

The Moveworks Group Access plugin integrates directly with Active Directory, however groups created through the plugin may not automatically be Exchanged mail-enabled, based on your individual organization’s setup.

In order to make Moveworks-created groups Exchange mail-enabled, the following sample script can be used.

High-Level Overview

  1. Moveworks creates group in a temporary OU in Active Directory.
  2. Powershell script is set to run nightly, and queries all groups in this temporary OU. (You can use AD Task Scheduler on AD Server to execute this script.)
  3. Script then adds attribute to make each group mail-enabled.
  4. Script moves groups into final OU

Sample Script

Sample AD -> Exchange On-Prem Sync
#  1.  Connect to local exchange environment
#  2.  Query groups in the Temp OU.
#  3.  Store all groups in an array
#  4.  Run "Enable-DistributionGroup -Identity groupname" on each group in the array
#  5.  Move groups to OU=User Created Distribution Lists,DC=org,DC=com when done
#  6.  Schedule this to run every night.
# Load AD Module
Import-Module ActiveDirectory
# Load Exchange Snapin
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://sv2wnexmb01.global.company.com/PowerShell/ -Authentication Kerberos
Import-PSSession $Session
# Get list of Groups not Mail Enabled from the Temp OU
$groupsToProcess = Get-ADGroup -SearchBase "OU=Temp,OU=Distribution Lists,DC=company,DC=com" -Filter *
ForEach ($ADGroup in $groupsToProcess) {
    $grpDistName = $ADGroup.DistinguishedName
    # Enable email for each group
    Enable-DistributionGroup -Identity $ADGroup.DistinguishedName
    # Delivery management
    Set-DistributionGroup -Identity $ADGroup.DistinguishedName -RequireSenderAuthenticationEnabled $false
    # move group to final OU
    Move-ADObject -Identity $grpDistName -TargetPath "OU=Distribution Lists,DC=company,DC=com"
}

Considerations

  • When creating the DL in-bot, group additions can happen immediately and this gets carried over when the group is picked up by the nightly job.
  • Be sure to replace the placeholder values with actual values. This script may require additional modifications based on your company’s setup.

How to enforce naming conventions when creating a group

  1. Navigate to Group Access > Plugin Settings
  2. Scroll down to the DL validation JSON bender configuration.
  3. Here you can write a configuration like the one below to enforce naming conventions e.g:
Example DL validation JSON bender configuration
{
  "email": {
    "CONDITIONAL()": {
      "context": {
        "val": {
          "EVAL()": {
            "expression": "$REPLACE(val OR \"\", \"[\\\\~#%&*,{}$\\/:<>?|\\\"]\", \"\") OR NULL",
            "args": {
              "val": {
                "CONDITIONAL()": {
                  "context": {
                    "val": "$SPLIT(email OR \"\", \"@\")[0] OR NULL"
                  },
                  "condition": "val",
                  "on_pass": "val.$REPLACE(\"\\.pdl\", \"\").$REPLACE(\"_\", \"-\")"
                }
              }
            }
          }
        }
      },
      "condition": "val",
      "on_pass": "$CONCAT([val, \".pdl@company.com\"])"
    }
  }
}

This Moveworks DSL configuration transforms an email address by extracting and cleaning the username portion, then reconstructing it with a standardized company domain. The process works by first splitting the input email on ”@” to get the username, then conditionally cleaning it by removing special characters (like backslashes, tildes, hashes, etc.) and replacing underscores with hyphens while also stripping any existing “.pdl” suffix. If the cleaned username exists after this sanitization, it concatenates the result with “.pdl@company.com” to create a standardized email format, otherwise it returns null - essentially converting various email formats into a consistent company email structure with “.pdl” as a prefix to the company domain.

How do I enable the create DL skill/ Add user to DL skill/ Remove user from DL skill ?

Plugin controls can be used to enable or disable a skill.

  1. Navigate to the AI Assistant Plugin Management config and go through the available plugin controls.
  2. Enable the plugin for the respective skill using the plugin control.

How do I select the approval model for the create DL skill/ Add user to DL skill/ Remove user from DL skill ?

By default, the Moveworks Platform contains pre-built approval expressions that can be referenced by skills to implement consistent approval behavior. These expressions define who can approve requests and under what conditions.

Key Approval Models

  1. Basic Approvals
  • APP_ADMIN: Routes approval to application administrators
  • MANAGER: Routes approval to the requestor’s manager
  • AUTO_APPROVE: Automatically approves the request
  1. Trust-Based Models
  • STANDARD_TRUST_MODEL: Auto-approves for users with OWNER/MANAGER/MEMBER roles, or if requestor is the manager, otherwise requires DL owner approval
  • MOST_RESTRICTIVE_TRUST_MODEL: Only auto-approves for DL owners, requires DL owner approval for all others
  • LEAST_RESTRICTIVE_TRUST_MODEL: Auto-approves for open GSuite groups, role holders, and managers
  1. Fallback Models
  • STANDARD_WITH_FALLBACK_TO_MANAGER: Uses standard trust model but falls back to manager approval if DL owners not found
  • MOST_RESTRICTIVE_WITH_FALLBACK_TO_MANAGER: Uses most restrictive model with manager fallback
  • MOST_RESTRICTIVE_WITH_FALLBACK_TO_DL_MANAGER: Uses most restrictive model with DL manager fallback
  1. Sequential Approvals
  • APP_ADMIN_THEN_MANAGER: Requires both app admin AND manager approval
  • MANAGER_THEN_DL_OWNER: Requires manager approval followed by DL owner approval

If you would like to modify the approvals logic, you will need to override the approval logic in the approvals module by creating a new approval record with the same key name corresponding with the approvals module for the skill:

  1. Navigate to Access Management > Approvals Engine
  2. Select Create on the top right
  3. Provide the name for approval workflow.
    1. CREATE_DL_APPROVAL
    2. ADD_TO_DL_APPROVAL
    3. REMOVE_FROM_DL_APPROVAL