0 votes

Hello Support,

You guys rock at figuring out these things so I am hoping this is something that can be done. We have a process here due to compliance called Entitlement Reviews. It requires the owners of a group to review the membership and then approve the action to set an adaxes custom attribute with the date.

I need to report on this action for multiple groups that the initiator of the report will pick. I need two columns: 1) The action taken when approved. 2) Who Approved the action.

I looked at the logging reports and the approval reports and didn't see a way to be able to pick just certain approvals and certain groups. Thank you for your help!

Here is a screenshot of the Approval. image.png

by (2.0k points)
0

Hello Mark,

You guys rock at figuring out these things so I am hoping this is something that can be done.

Thank you for your good words, it is much appreciated! The desired report can be created.

I need to report on this action for multiple groups that the initiator of the report will pick. I need two columns: 1) The action taken when approved. 2) Who Approved the action.

Please, clarify the following:

  • What version of Adaxes are you currently using? For information on how to check it, have a look at the following help article: https://www.adaxes.com/help/HowDoI.ManageService.CheckAdaxesServiceVersion.html.
  • Should the report contain only the approval requests on the Modify operations that update the Entitlement Reviewed On property? If yes, please, clarify whether the operation is initiated manually or using a Scheduled Task.
  • Is it a group whose property is updated or the group members?
  • Is there a necessity to generate the report for a specified period only? If there is, please, clarify whether the period should be specified as a number of days before present or using date/time parameters.
0
  • Version: 3.13.18106.0
  • Yes. It is a scheduled Task. We will have it run every 90 days.
  • A property/attribute on a group.
  • I was writing it with a date range but not required. That way they could pull history if need be or just see the operation being approved for the compliance period.

Thank you so much for your help!

1 Answer

0 votes
by (215k points)
selected by
Best answer

Hello Mark,

Thank you for the provided details. To create the report:

  1. Launch Adaxes Administration Console.
  2. In the Console Tree, right-click your service node.
  3. In the context menu, navigate to New and click Report. image.png
  4. On the first step of the Create Report wizard, specify a report name and select Script in the Generate the report using section. image.png
  5. Click Next twice.
  6. Click New. image.png
  7. Select AD object picker. image.png
  8. Click Next.
  9. Specify a parameter name and display name (e.g. Groups).
  10. Click Next.
  11. Click Configure. image.png
  12. In the Display only objects that match the following LDAP filter field, enter the following: (objectCategory=group)
  13. Select the Allow multiple selection checkbox. image.png
  14. Click OK.
  15. In the Value separator field, specify a character (e.g. ";"). Do not specify a character that can be used in distinguished names (e.g. comma, equality mark, etc.). image.png
  16. Click Finish.
  17. Click Next.
  18. In the Report-specific columns section, click Add. image.png
  19. Specify a Display name for the column (e.g. Processed By) and select Active Directory object. image.png
  20. Click Next.
  21. Paste the below script into the Script field.
$request = $Context.GetADObject()

try{
    $initiator = $request.ProcessedBy
    $Context.Value = $initiator.ObjectInfo.Path.DN
}
catch
{
     # empty value
}

image.png

  1. Click Finish.
  2. Remove the Description column from the Default columns list.
  3. Click Next.
  4. Paste the below script into the corresponding field. In the script:
  • $initiatorGUID – Specifies the GUID of the Scheduled Task that initiates the groups update. To get the GUID:
    1. Navigate to the task and right-click it.
    2. In the context menu, click Properties. image.png
    3. Click Advanced. image.png
    4. Copy the value from the Object GUID row. image.png
  • $groupsParamName – Specifies the name of the parameter entered on step 9 with the param- prefix.
  • $groupsSeparator – Specifies the character entered on step 15.
$initiatorGUID = [GUID]"{3856D87B-93A8-4A40-B446-C49C9A34F6CA}" # TODO: modify me
$groupsParamName = "param-Groups" # TODO: modify me
$groupsSeparator = ";" # TODO: modify me

# Build filter
$filter = New-Object "System.Text.StringBuilder"
[void]$filter.Append("(&(objectClass=adm-ApprovalRequest)(adm-ApprovalState=1)")

# Add initiator GUID to the filter
$initiatorGuidFilter = [Softerra.Adaxes.Ldap.FilterBuilder]::Create("adm-ApprovalRequestorGuid", $initiatorGUID)
[void]$filter.Append($initiatorGuidFilter)
[void]$filter.Append("(|")

# Add group GUIDs to the filter
$groupDNs = $Context.GetParameterValue($groupsParamName)
$groupDNsArray = $groupDNs.Split($groupsSeparator)
foreach ($groupDN in $groupDNsArray)
{
    $group = $Context.BindToObjectByDN($groupDN)
    $groupGuid = [GUID]$group.Get("objectGUID")
    $targetObjectGuidFilter = [Softerra.Adaxes.Ldap.FilterBuilder]::Create("adm-TargetObjectGuid", $groupGuid)
    [void]$filter.Append($targetObjectGuidFilter)
}

# Finish building filter
[void]$filter.Append("))")

# Generate report
$Context.DirectorySearcher.BaseObjectPath = $Context.GetWellKnownContainerPath("ApprovalRequests")
$Context.DirectorySearcher.AppendFilter($filter.ToString())
$Context.Items.Add($Context.DirectorySearcher)
  1. Click Next twice and finish creating the report.
0

And Adaxes Support does it again. You guys really do rock!! Report worked like a charm.

0

Hello Mark,

Thank you for the confirmation and your good words, it is much appreciated!

Related questions

0 votes
1 answer

Hello I need some help to implement the following task: In a business rule "Before adding a member to a group" an approval should be sent to the manager of the member who will be added to the group. Do you have an example for this? Thanks and greetings Pudong

asked Jun 14 by pudong (560 points)
0 votes
1 answer

Hello, we want to setup a scheduled report with all our teams (security groups) and their respective team-leader (specified in "managedBy" of security group). I get the name of ... the team-leader. And this is my problem... Can you help me with this problem?

asked Oct 9, 2020 by lohnag (100 points)
0 votes
1 answer

Hello, we create reports for every group in every OU. But what i need is, that the Description is also shown from the group, a user is in. For example: This is how my ... . but what i need is the description of the group. Is this possible? Thank you in advance

asked Oct 5, 2020 by m_st (200 points)
0 votes
0 answers

As the title mentions, I'm trying to figure out a way to have HR apply multiple modifications on a user's account (change of position, title, department, phone, etc...) ... phone number (in the same form), it sends two approval requests. Thanks for your help!

asked Jan 26 by lw.fa (60 points)
+1 vote
1 answer

Hello Everybody, I want approvers to be able to add information to an Object. Because my preferred Joiner Process looks like this: 1 - HR Department creates a ... for editing approval request, just Approve or Deny. Appreciate your support, regards Patrick

asked Dec 27, 2020 by patrick.faust (30 points)
2,779 questions
2,511 answers
6,574 comments
25,621 users