0 votes

I am trying to create a process where a user can request access to one or more groups via a web form that also prompts for a date/time to be added (custom date attribute) and a number of hours before being removed from the group (custom integer attribute).

I thought I could do this by creating a business rule that would require approval before executing a powershell to set up a scheduled task to add the user to the group and another to remove the user after the specified number of hours. There are great examples of scripts that do parts of this, including setting up a scheduled task.

I created a modify user form to capture the date, duration, and select the groups. It works fine capturing all the information except the group. Using an example script, I am at a point where I can create the scheduled job after approval, but I have not figured out a good way to allow someone to select a group and pass that into the script?

Maybe creating a scheduled task to add membership and a second task to remove after the duration has expired is not the right approach. I am open to ideas and would appreciate the help.

$user = "%distinguishedName%"
$AODStart="%adm-CustomAttributeDate1%"
$AODLength="%adm-CustomAttributeInt1%"
$AODEnd = "%adm-CustomAttributeDate1%,$AODLength"
$group = "??????"
$actiont = %action%

# Scheduled task settings
$containerName = "AOD - Auto Tasks" # Where to create scheduled task
$taskName = "AOD - Start - %username%" # Name Task
$taskDescription = "AOD Start Access" # Description of Task
$deleteTaskAfterExecution = $False # Set to $false for testing and $true for normal use

# Script for action
$scriptDescription = "Start AOD" 

$scriptToExecute = "Add-AdmGroupMember $group $user -ErrorAction SilentlyContinue"

function CheckNameForUnique($taskPath)
{
    try
    {
        $task = $Context.BindToObject($taskPath)
        return $False
    }
    catch
    {
        return $True
    }
}

# Bind to the Scheduled Tasks container
$scheduledTasksPath = $Context.GetWellKnownContainerPath("ScheduledTasks")
$scheduledTasksPathObj = New-Object "Softerra.Adaxes.Adsi.AdsPath" $scheduledTasksPath
$containerPath = $scheduledTasksPathObj.CreateChildPath("CN=$containerName")
$container = $Context.BindToObject($containerPath)

$Context.LogMessage("task | " + $container , "Error")

# If the task name is not unique, generate a unique one
$uniqueName = $taskName
for ($i = 1; $True; $i++)
{
    $taskPath = $containerPath.CreateChildPath("CN=$uniqueName")
    if (CheckNameForUnique $taskPath)
    {
        break
    }
    $uniqueName = "$taskName`_$i"
}

# Create a Scheduled Task
$task = $container.Create("adm-ScheduledTask", "CN=$uniqueName")

$task.ObjectType = "domainDNS"
$task.Description = $taskDescription
$task.Disabled = $False
$task.ExecutionMoment = "ADM_BUSINESSRULEEXECMOMENT_BEFORE"
$task.OperationType = "none"
$task.DeleteTaskAfterExecution = $deleteTaskAfterExecution

$recurrencePattern = $task.GetRecurrencePattern()
$recurrencePattern.RecurrenceType = "ADM_RECURRENCEPATTERNTYPE_ONCE"
$recurrencePattern.PatternStartDateTime = ($AODStart)
$task.SetRecurrencePattern($recurrencePattern)

$task.SetInfo()

# Define actions and conditions

# Create a new set of actions and conditions
$actionsAndConditions = $task.ConditionedActions.Create()
$actionsAndConditions.ConditionsLogicalOperation = "ADM_LOGICALOPERATION_AND"
$actionsAndConditions.SetInfo()

# Add Run PowerShell Script action
$action = $actionsAndConditions.Actions.CreateEx("adm-RunScriptAction")
$action.ExecutionOptions = "ADM_ACTIONEXECUTIONOPTIONS_SYNC"
$scriptAction = $action.GetAction()
$scriptAction.ScriptType = "ADM_SCRIPTTYPE_POWERSHELL"
$scriptAction.ScriptDescription = $scriptDescription
$scriptAction.Script = $scriptToExecute.ToString()
$action.SetAction($scriptAction)
$action.SetInfo()
$actionsAndConditions.Actions.Add($action)

# Add the set to the Scheduled Task
$task.ConditionedActions.Add($actionsAndConditions)

# Set the scope of activity to All Objects
$scopeItem = $task.ActivityScopeItems.Create()
$scopeItem.BaseObject = $NULL
$scopeItem.Type = "ADM_SCOPEBASEOBJECTTYPE_ALL_DIRECTORY"
$scopeItem.Inheritance = "ADS_SCOPE_SUBTREE"
$scopeItem.Exclude = $False
$scopeItem.SetInfo()

$task.ActivityScopeItems.Add($scopeItem)
by (420 points)

1 Answer

0 votes
by (215k points)
selected by
Best answer

Hello,

Using a Business Rule triggered after updating a user, you won't be able to get the groups a user selected on your custom form. Adding a user to a group means modifying the group, not the user. In such a case, the Distinguished Name (DN) of the user is added to the Member property of the group.

To work around this, on your custom form, instead of the Member Of section, you can add a certain property of the user account that can store multiple DN values. Users will be able to specify the groups they need using that property. There are 2 properties that you can use for this purpose: See Also or Secretary.

Thus, when a user requests access to a group:

  1. On your custom form, the user picks a date (custom date/time attribute), number of hours (custom integer attribute) and the groups they need (See Also or Secretary).
  2. Using a Business Rule triggered before updating a user, the modification is submitted for approval.
  3. If approved, another Business Rule triggered after updating a user updates a certain multi-valued string (text) attribute of the user. It adds 1 line for each group. Each line contains: group DN, date and time when to add the user to the group, date and time when to remove the user.
  4. A Scheduled Task run once an hour will check the multi-valued attribute of each user and will add/remove them from the groups based on the information specified in the attribute.

If you are OK with such a solution, we will provide you with detailed instructions on how to achieve it.

0

Yes, this sounds like an approach that would be very beneficial. I will send a PM with some additional context for your consideration.

Related questions

0 votes
1 answer

Hi, I am trying to write a PS script for a business rule, that would cancel operation when user tries to remove the "last" RBAC group. Say the group structure is like that: ... "Main RBAC" - but I can't figure out how to do it properly. Thanks for suggestiong

asked Oct 15, 2018 by KIT (520 points)
0 votes
1 answer

Hello, I have a large number of groups, one for each branch in the company - named BR_%branchname%. We have staff move from branch to branch frequently, and need to ... to start with this request, and any help or insight would be appreciated. Thanks, Dan

asked Dec 7, 2012 by Dbradford (170 points)
0 votes
1 answer

Hi there, I am trying creating a report in Adaxes a set of users and looking to add a few group names as column with value 'Yes' or 'No' based on if user is member of ... Value = "Yes" } else{ $Context.Value = "No" } Would appreciate any help in this aspect.

asked May 6 by Vish539 (120 points)
0 votes
1 answer

Receive "Index operation failed; the array index evaluated to null. Stack trace: at <ScriptBlock>, <No file>: line 104>" and "Index operation failed; the ... $GroupName, $GroupDN." } } #foreach write-output "" Write-Output "" Stop-Transcript

asked Apr 14 by jbahou (20 points)
0 votes
1 answer

Update group membership based on one property values. I am trying to find a script that resembles "Update group membership based on two property value" but just for one value.

asked Apr 7 by lee_thomas (20 points)
2,761 questions
2,495 answers
6,538 comments
1,483,163 users