0 votes


I have a business rule that is NOT applied to the license_AAD_PREMIUM_P2_internal group even though it should be according to the activity scope. The scope for this group was added through the PowerShell code mentioned here https://adaxes.com/sdk/DefiningScopeOfActivity/#example-4-include-a-specific-group-object-not-members-of-the-group

What can be the cause of this?

Code looks like this image.png

PS: I encountered the same behaviour for security roles (also modified by a PS script)

by (910 points)
0

Hello,

For troubleshooting purposes, please do the following:

  • Specify the triggering operation of the business rule (e.g. After updating a group).
  • Provide the script you are using in TXT format.
  • Specify all the parameter values you use to execute the script.
0

The trigger can be anything (if I add a scope bound to the same group manually, the rule gets triggered)

script + parameters:

$ruleADSPath = '<ADSPathOfTheAdaxesRule>'
$baseObjectDN = '<DNofTheADObject>'
$type = 'ADM_SCOPEBASEOBJECTTYPE_GROUP'
$exclude = $false
$inheritance = 'ADS_SCOPE_BASE'

$null = [Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

# connect to the Adaxes service
$adaxesService = "localhost"
$admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$admService = $admNS.GetServiceDirectly($adaxesService)

# get base object
$baseObj = $admService.OpenObject("Adaxes://$baseObjectDN", $null, $null, 0)

# get business rule
$rule = $admService.OpenObject($ruleADSPath, $null, $null, 0)

# add new scope to the business rule
$scopeItem = $rule.ActivityScopeItems.Create()
$scopeItem.BaseObject = $baseObj
$scopeItem.Type = $type
$scopeItem.Inheritance = $inheritance
$scopeItem.Exclude = $exclude
$scopeItem.SetInfo()
$rule.ActivityScopeItems.Add($scopeItem)
$rule.SetInfo()

I am guessing that the problem is in the "save" action, but I've tried setOption() too without any luck.

1 Answer

0 votes
by (270k points)
Best answer

Hello,

Thank you for the provided details. The issue occurs because the $type variable is set incorrectly. As it is specified in the example you referenced, the variable must be set to ADM_SCOPEBASEOBJECTTYPE_CONTAINER. Changing the variable value will remedy the issue.

0

You are right. Usage of ADM_SCOPEBASEOBJECTTYPE_CONTAINER indeed solved the problem.

Can you clarify why? Or maybe when should I use ADM_SCOPEBASEOBJECTTYPE_GROUP type?

From official documentation it is not very clear (at least for me)

+1

Hello,

Or maybe when should I use ADM_SCOPEBASEOBJECTTYPE_GROUP type?

Whenever you need to add an item as this object only, the ADM_SCOPEBASEOBJECTTYPE_CONTAINER type should be used. The ADM_SCOPEBASEOBJECTTYPE_GROUP one should only be used when it is about group members.

From official documentation it is not very clear (at least for me)

Thank you for pointing this out. We will consider updating the documentation accordingly.

0

aka

if ADS_SCOPE_ONELEVEL or ADS_SCOPE_SUBTREE use ADM_SCOPEBASEOBJECTTYPE_GROUP

if ADS_SCOPE_BASE use ADM_SCOPEBASEOBJECTTYPE_CONTAINER

is that correct?
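
Added example, not part of the original thread and not Adaxes' own code: a helper that picks the scope item type from the intent described in the accepted answer (the group object itself versus the members of the group), followed by a listing of the rule's scope items so the stored values can be checked after a scripted change. The function names, the -Target parameter and the read of BaseObject.ADsPath are assumptions; the inheritance value for the group-members case is not stated in the thread, so it is left as a parameter.

```powershell
$null = [Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

# Mapping as stated in the accepted answer and the follow-up comment.
$typeFor = @{
    GroupObject  = 'ADM_SCOPEBASEOBJECTTYPE_CONTAINER'  # the group object only
    GroupMembers = 'ADM_SCOPEBASEOBJECTTYPE_GROUP'      # members of the group
}

function Add-GroupScopeItem {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] $Service,
        [Parameter(Mandatory)] [string] $RuleAdsPath,
        [Parameter(Mandatory)] [string] $GroupDN,
        [Parameter(Mandatory)] [ValidateSet('GroupObject', 'GroupMembers')] [string] $Target,
        # Default matches the script in the question; confirm it for GroupMembers.
        [string] $Inheritance = 'ADS_SCOPE_BASE'
    )
    $rule  = $Service.OpenObject($RuleAdsPath, $null, $null, 0)
    $group = $Service.OpenObject("Adaxes://$GroupDN", $null, $null, 0)

    $item = $rule.ActivityScopeItems.Create()
    $item.BaseObject  = $group
    $item.Type        = $typeFor[$Target]
    $item.Inheritance = $Inheritance
    $item.Exclude     = $false
    $item.SetInfo()
    $rule.ActivityScopeItems.Add($item)
    $rule.SetInfo()             # kept from the script in the question
}

function Get-ScopeItemReport {  # hypothetical helper name
    param([Parameter(Mandatory)] $Service, [Parameter(Mandatory)] [string] $RuleAdsPath)
    $rule = $Service.OpenObject($RuleAdsPath, $null, $null, 0)
    foreach ($item in $rule.ActivityScopeItems) {
        [pscustomobject]@{
            # Assumption: the base object exposes the standard ADSI ADsPath property.
            BaseObject  = if ($item.BaseObject) { $item.BaseObject.ADsPath } else { '(none)' }
            Type        = "$($item.Type)"
            Inheritance = "$($item.Inheritance)"
            Exclude     = $item.Exclude
        }
    }
}

# Usage with the placeholders from the question.
$admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$admService = $admNS.GetServiceDirectly("localhost")
Add-GroupScopeItem -Service $admService -RuleAdsPath '<ADSPathOfTheAdaxesRule>' -GroupDN '<DNofTheADObject>' -Target GroupObject
Get-ScopeItemReport -Service $admService -RuleAdsPath '<ADSPathOfTheAdaxesRule>' | Format-Table
```

Running the report against security roles or business rules whose scope was set by script shows any item that points at a group with the GROUP type where the group object itself was intended.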
