
Hello Support,

You guys rock at figuring out these things so I am hoping this is something that can be done. We have a process here due to compliance called Entitlement Reviews. It requires the owners of a group to review the membership and then approve the action to set an Adaxes custom attribute with the date.

I need to report on this action for multiple groups that the initiator of the report will pick. I need two columns: 1) The action taken when approved. 2) Who Approved the action.

I looked at the logging reports and the approval reports and didn't see a way to be able to pick just certain approvals and certain groups. Thank you for your help!

Here is a screenshot of the Approval.


Hello Mark,

> You guys rock at figuring out these things so I am hoping this is something that can be done.

Thank you for your good words, it is much appreciated! The desired report can be created.

> I need to report on this action for multiple groups that the initiator of the report will pick. I need two columns: 1) The action taken when approved. 2) Who Approved the action.

Please clarify the following:

  • What version of Adaxes are you currently using? For information on how to check it, have a look at the following help article: https://www.adaxes.com/help/HowDoI.ManageService.CheckAdaxesServiceVersion.html.
  • Should the report contain only the approval requests on the Modify operations that update the Entitlement Reviewed On property? If yes, please clarify whether the operation is initiated manually or using a Scheduled Task.
  • Is it a group whose property is updated or the group members?
  • Is there a necessity to generate the report for a specified period only? If there is, please clarify whether the period should be specified as a number of days before present or using date/time parameters.
  • Version: 3.13.18106.0
  • Yes. It is a scheduled Task. We will have it run every 90 days.
  • A property/attribute on a group.
  • I was writing it with a date range but not required. That way they could pull history if need be or just see the operation being approved for the compliance period.

Thank you so much for your help!

1 Answer

Best answer

Hello Mark,

Thank you for the provided details. To create the report:

  1. Launch Adaxes Administration Console.
  2. In the Console Tree, right-click your service node.
  3. In the context menu, navigate to New and click Report.
  4. On the first step of the Create Report wizard, specify a report name and select Script in the Generate the report using section.
  5. Click Next twice.
  6. Click New.
  7. Select AD object picker.
  8. Click Next.
  9. Specify a parameter name and display name (e.g. Groups).
  10. Click Next.
  11. Click Configure.
  12. In the Display only objects that match the following LDAP filter field, enter the following: (objectCategory=group)
  13. Select the Allow multiple selection checkbox.
  14. Click OK.
  15. In the Value separator field, specify a character (e.g. ";"). Do not specify a character that can be used in distinguished names (e.g. comma, equality mark, etc.).
  16. Click Finish.
  17. Click Next.
  18. In the Report-specific columns section, click Add.
  19. Specify a Display name for the column (e.g. Processed By) and select Active Directory object.
  20. Click Next.
  21. Paste the below script into the Script field.
```powershell
$request = $Context.GetADObject()

try
{
    $initiator = $request.ProcessedBy
    $Context.Value = $initiator.ObjectInfo.Path.DN
}
catch
{
    # empty value
}
```

  22. Click Finish.
  23. Remove the Description column from the Default columns list.
  24. Click Next.
  25. Paste the below script into the corresponding field. In the script:
  • $initiatorGUID – Specifies the GUID of the Scheduled Task that initiates the groups update. To get the GUID:
    1. Navigate to the task and right-click it.
    2. In the context menu, click Properties.
    3. Click Advanced.
    4. Copy the value from the Object GUID row.
  • $groupsParamName – Specifies the name of the parameter entered on step 9 with the param- prefix.
  • $groupsSeparator – Specifies the character entered on step 15.

```powershell
$initiatorGUID = [GUID]"{3856D87B-93A8-4A40-B446-C49C9A34F6CA}" # TODO: modify me
$groupsParamName = "param-Groups" # TODO: modify me
$groupsSeparator = ";" # TODO: modify me

# Build filter
$filter = New-Object "System.Text.StringBuilder"
[void]$filter.Append("(&(objectClass=adm-ApprovalRequest)(adm-ApprovalState=1)")

# Add initiator GUID to the filter
$initiatorGuidFilter = [Softerra.Adaxes.Ldap.FilterBuilder]::Create("adm-ApprovalRequestorGuid", $initiatorGUID)
[void]$filter.Append($initiatorGuidFilter)
[void]$filter.Append("(|")

# Add group GUIDs to the filter
$groupDNs = $Context.GetParameterValue($groupsParamName)
$groupDNsArray = $groupDNs.Split($groupsSeparator)
foreach ($groupDN in $groupDNsArray)
{
    $group = $Context.BindToObjectByDN($groupDN)
    $groupGuid = [GUID]$group.Get("objectGUID")
    $targetObjectGuidFilter = [Softerra.Adaxes.Ldap.FilterBuilder]::Create("adm-TargetObjectGuid", $groupGuid)
    [void]$filter.Append($targetObjectGuidFilter)
}

# Finish building filter
[void]$filter.Append("))")

# Generate report
$Context.DirectorySearcher.BaseObjectPath = $Context.GetWellKnownContainerPath("ApprovalRequests")
$Context.DirectorySearcher.AppendFilter($filter.ToString())
$Context.Items.Add($Context.DirectorySearcher)
```

  26. Click Next twice and finish creating the report.
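
To inspect the filter that the report script assembles, the added example below (not part of the original answer and not Softerra's code) rebuilds the same string in plain PowerShell so it can be checked when the report returns unexpected approvals. It assumes GUID values are written as escaped octet strings, as standard LDAP filters do for objectGUID; `ConvertTo-LdapGuidValue`, `New-ApprovalRequestFilter` and the `$GuidByDN` lookup table are hypothetical stand-ins for `FilterBuilder` and `BindToObjectByDN`, and the group DNs and group GUIDs are constructed.

```powershell
# Added illustration: plain PowerShell, no Adaxes service or AD connection required.
# Assumption: GUID attributes are matched as escaped octet strings (standard LDAP).
function ConvertTo-LdapGuidValue {
    param([Parameter(Mandatory)][Guid]$Guid)
    # Guid.ToByteArray() yields the byte order AD stores in objectGUID;
    # every byte is written as \xx so the binary value is legal in a filter.
    ($Guid.ToByteArray() | ForEach-Object { '\{0:x2}' -f $_ }) -join ''
}

function New-ApprovalRequestFilter {
    param(
        [Parameter(Mandatory)][Guid]$InitiatorGuid,
        [Parameter(Mandatory)][AllowEmptyString()][string]$GroupDNs,
        [Parameter(Mandatory)][string]$Separator,
        [Parameter(Mandatory)][hashtable]$GuidByDN   # hypothetical stand-in for binding to each group
    )
    # Same split as the report script, but blank entries are dropped first.
    $dns = @($GroupDNs.Split($Separator) | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($dns.Count -eq 0) {
        throw 'No groups selected: the OR clause would be empty.'
    }
    $sb = New-Object System.Text.StringBuilder
    [void]$sb.Append('(&(objectClass=adm-ApprovalRequest)(adm-ApprovalState=1)')
    [void]$sb.Append("(adm-ApprovalRequestorGuid=$(ConvertTo-LdapGuidValue $InitiatorGuid))")
    [void]$sb.Append('(|')
    foreach ($dn in $dns) {
        if (-not $GuidByDN.ContainsKey($dn)) { throw "Unknown group DN: $dn" }
        $guid = [Guid]$GuidByDN[$dn]
        [void]$sb.Append("(adm-TargetObjectGuid=$(ConvertTo-LdapGuidValue $guid))")
    }
    [void]$sb.Append('))')
    $sb.ToString()
}

# Constructed sample data: these DNs and group GUIDs are made up for the example.
$groups = @{
    'CN=Finance-Approvers,OU=Groups,DC=example,DC=com' = [Guid]'11111111-2222-3333-4444-555555555555'
    'CN=HR-Admins,OU=Groups,DC=example,DC=com'         = [Guid]'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee'
}
$params = @{
    InitiatorGuid = '3856D87B-93A8-4A40-B446-C49C9A34F6CA'   # sample GUID from the answer
    GroupDNs      = ($groups.Keys | Sort-Object) -join ';'
    Separator     = ';'
    GuidByDN      = $groups
}
New-ApprovalRequestFilter @params
```

Changing the separator to a comma makes the split cut each DN into its RDN components, so every lookup fails; this is the reason step 15 excludes characters that can occur in distinguished names.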

And Adaxes Support does it again. You guys really do rock!! Report worked like a charm.


Hello Mark,

Thank you for the confirmation and your good words, it is much appreciated!
