0 votes

I am attempting to update a business rule using PowerShell to include additional approvers. This is what I have so far:

$account = "username"

# Connect to the Adaxes service
$admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$admService = $admNS.GetServiceDirectly("localhost")

# Connect to Business Role Object
$businessRolesPath = $admService.Backend.GetConfigurationContainerPath("AccessControlRoles")
$businessRolesPathObj = New-Object "Softerra.Adaxes.Adsi.AdsPath" $businessRolesPath
$businessRoleObj = $businessRolesPathObj.CreateChildPath( "CN=Account Manager")
$businessRole = $admService.OpenObject($businessRoleObj, $NULL, $NULL, 0)

# Create Business Role Assignment
$businessRoleAssignment = $businessRole.Assignments.Create()
$businessRoleAssignment.Trustee = "DOMAIN\" + $account
$businessRoleAssignment.SetInfo()
$businessRole.Assignments.Add($businessRoleAssignment)

# Connect to Business Unit Object
$businessUnitsPath = $admService.Backend.GetConfigurationContainerPath("BusinessUnits")
$businessUnitsPathObj = New-Object "Softerra.Adaxes.Adsi.AdsPath" $businessUnitsPath
$businessUnitAdsPath = $businessUnitsPathObj.CreateChildPath("CN=" + $Department + ",CN=Departments")
$businessUnitObj = $admService.OpenObject($businessUnitAdsPath, $NULL, $NULL, 0)

# Apply Scope to Business Role
$businessRoleScope = $businessRoleAssignment.ActivityScopeItems.Create()
$businessRoleScope.BaseObject = $businessUnitObj
$businessRoleScope.Type = "ADM_SCOPEBASEOBJECTTYPE_BUSINESSUNIT"
$businessRoleScope.Inheritance = "ADS_SCOPE_SUBTREE"
$businessRoleScope.Exclude = $False
$businessRoleScope.SetInfo()
$businessRoleAssignment.ActivityScopeItems.Add($businessRoleScope)

# Connect to Business Rule Object
$businessRulesPath = $admService.Backend.GetConfigurationContainerPath("BusinessRules")
$businessRulesPathObj = New-Object "Softerra.Adaxes.Adsi.AdsPath" $businessRulesPath
$businessRuleAdsPath = $businessRulesPathObj.CreateChildPath("CN=" + $Department + " Group Rule,CN=Departments")
$businessRuleObj = $admService.OpenObject($businessRuleAdsPath, $NULL, $NULL, 0)

After that I have this code:

$actionsAndConditions = $businessRuleObj.ConditionedActions
$approvalAction = $actionsAndConditions.GetAction() | ?{$_.ApproversInfo}
$approvalUser = $admService.OpenObject("Adaxes://" + $user.DistinguishedName, $NULL, $NULL, 0)
$approvalAction.ApproversInfo.ApproverTrustees.Add($approvalUser)

At this point I can access the object and get the correct number of ApproverTrustees.

$approvalAction.ApproversInfo.ApproverTrustees.Count

But I'm unable to save it (SetInfo). I think I am not defining something correctly in the second code block. Any assistance would be appreciated.

(love the PowerShell!)

by (70 points)

1 Answer

0 votes
by (216k points)
Best answer

Hello,

The 1st part of your code looks OK, however the 2nd part doesn't seem to be functional at all.

To locate an action that creates an Approval Request, you need to iterate through all the sets of actions and conditions of the Business Rule. In each set, you need to check whether an action performs an operation of the "approval request info" type. Here's a script that does what you need. Replace the 2nd part of your script with this code.

$approvalUser = $admService.OpenObject("Adaxes://" + $user.DistinguishedName, $NULL, $NULL, 0)
foreach ($actionsAndConditions in $businessRuleObj.ConditionedActions)
{
    $actions = $actionsAndConditions.Actions
    foreach ($action in $actions)
    {
        $actionObj = $action.GetAction()
        if (($actionObj.IsOperationOfType($NULL, "approval request info")) -and (-not($actionObj.ApproversInfo.IsApprover($approvalUser, $NULL))))
        {
            $actionObj.ApproversInfo.ApproverTrustees.Add($approvalUser)
            $action.SetAction($actionObj)
            $action.SetInfo()
        }
    }
}

Yes - that 2nd part was certainly not working.

Thank you!
