Request approval for self-password reset

Adaxes enables users to reset their passwords by answering predefined security questions and entering a verification code provided via SMS, email, or authenticator app. To increase the security of privileged accounts, you can go further and add an approval step to the process. Approval can be requested from the user's manager, fellow employees, administrators, etc.

In this tutorial, you will learn how to create a business rule to request an approval for self-service password reset.

  1. Launch Adaxes Administration console.

     How {id=launchConsole}
    • On the computer where Adaxes Administration console is installed, open Windows Start menu.

    • Click Adaxes Administration Console.

  2. Right-click your Adaxes service, point to New and click Business Rule.

  3. Enter a name for the new business rule and click Next.

  4. To trigger the business rule before self-resetting passwords:

    • Select User.

    • Select Before and then select self-resetting password.

    Click Next.

  5. Click Add an action.

  6. Select the Send this operation for approval action.

  7. In the Action Parameters section, specify the approvers for the operation.

    • Click Add to select specific users and groups.

    • Select Manager of the requestor to allow the manager of the user whose password is reset to approve or deny the operation. The manager is specified in the Manager property of user accounts.

    • Select Owners of the requestor's OU to allow any owner of the Organizational Unit where the user account is located to approve or deny the operation. For more details about object ownership in Adaxes, see Object owners.

    • When done, click OK.

    Adaxes service administrators have the rights to approve or deny any request.

    Using scripts

    If you need to build the list of approvers based on complex criteria, you can use a PowerShell script to submit the operation for approval.

     How { #use_script_to_request_approval}
    • In the Add Action dialog, select the Run a program or PowerShell script action.

    • Click Edit.

      Click the button to provide a custom description for the action.

    • To submit a request for approval from a script, you need to call the SubmitForApproval method of the predefined PowerShell variable $Context. As the first parameter, the method takes an array of distinguished names (DNs) of users or groups that will be designated as approvers.

      The following script submits an approval request to a user and members of a group.

      $approvers = @(
              "CN=John Smith,CN=Users,DC=example,DC=com",
              "CN=My Group,OU=Groups,DC=example,DC=com")
      $Context.SubmitForApproval($approvers, $False, $False, $False, $False)
      
       How to get the DN of an object { #how_to_get_object_dn}
      • Launch Adaxes Administration console.

      • Right-click the object you need.

      • In the context menu, open the submenu of the Copy item.

      • Click Copy DN. The DN of the selected object will be copied to the clipboard.

      You can use value references in the script (e.g. %department%). Value references will be replaced with the corresponding property values of the user whose password is being reset.

      The following example submits an approval request to members of a group. The group name consists of the user department plus Managers.

      $approvers = @("CN=%department%Managers,CN=Users,DC=example,DC=com")
      $Context.SubmitForApproval($approvers, $False, $False, $False, $False)
      

      The following example submits an approval request to the user secretary and members of the Admins group located in the user's Organizational Unit.

      $approvers = @(
              "%secretary%",
              "CN=Admins,%adm-InitiatorParentDN%")
      $Context.SubmitForApproval($approvers, $False, $False, $False, $False)
      

      For information on how to create scripts for business rules, custom commands, and scheduled tasks, see Server-side scripting.

    • When done, click OK two times.

  8. To request an approval only if certain conditions are met, right-click the action and then click Add Condition.

    For example, an approval can be requested only if the user is a member of a specific group, the Job Title property of the user account contains the word Manager etc.

    When done, click Next.

  9. On the Activity Scope step, click Add.

    Select from the following items:

    • All Objects – select to execute the business rule for all users in all domains managed by Adaxes.

    • Domain – select to execute the business rule for all users within a specific domain.

    • OU or Container – select to execute the business rule for the users located under an Organizational Unit or container.

    • Group – select to execute the business rule for the users that are members of a group.

    • Business unit – select to execute the business rule for the users that are members of a business unit. To select a business unit, open the Look in drop-down and select the Business Units item.

    You can exclude specific users, groups, Organizational Units and business units from the activity scope of the business rule. For example, if you assigned the rule over all objects in a domain, but do not want it to be executed for members of a certain group, you can exclude the group from the activity scope. To exclude an object, select the Exclude the selection option in the Assignment Options dialog box.

     Step by step { #exclude_scope}
    • Click the object you want to exclude.

    • In the Assignment Options dialog, select the Exclude the selection option.

    • Click OK.

    When done, click OK and then click Finish.

See also