Since all the old groups are deleted when a function is changed, we have created an after update for each function so that the user is added to the same groups as if it were an after create. As we have many functions, is it possible to create a script that copies all the "ifs" from the after create to an after update? Or is it possible to run an after update that queries all the after creates?

thank you

1 Answer

Hello,

You can use the below script. It should be executed in Windows PowerShell. When prompted, specify the credentials of the Adaxes service account. In the script:

  • $serviceHost - the host name of the computer where Adaxes service is installed.
  • $sourceRuleDN - the distinguished name (DN) of the business rule to copy actions/conditions from. For details on how to get an object DN, see https://adaxes.com/sdk/HowDoI.GetDnOfObject.
  • $targetRuleDN - the distinguished name (DN) of the business rule to copy actions/conditions to.
[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

$serviceHost = "localhost"
$sourceRuleDN = "CN=After create user,CN=User,CN=Business Rules,CN=Configuration Objects,CN=Adaxes Configuration,CN=Adaxes" # TODO: modify me
$targetRuleDN = "CN=After update user,CN=User,CN=Business Rules,CN=Configuration Objects,CN=Adaxes Configuration,CN=Adaxes" # TODO: modify me

# Connect to the Adaxes service
$ns = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$service = $ns.GetServiceDirectly($serviceHost)

# Prompt for credentials.
$credential = Get-Credential

$sourceRule = $service.OpenObject("Adaxes://$sourceRuleDN", $credential.UserName, $credential.GetNetworkCredential().Password, 0)
$targetRule = $service.OpenObject("Adaxes://$targetRuleDN", $credential.UserName, $credential.GetNetworkCredential().Password, 0)

# Copy actions and conditions
foreach ($set in $sourceRule.ConditionedActions)
{
    # Create a new set of actions and conditions
    $actionsAndConditions = $targetRule.ConditionedActions.Create()
    $actionsAndConditions.ConditionsLogicalOperation = 
        $set.ConditionsLogicalOperation
    $actionsAndConditions.SetInfo()

    # Copy conditions
    foreach ($condition in $set.Conditions)
    {
        $newCondition = $actionsAndConditions.Conditions.CreateEx($condition.Class)
        $newCondition.SetCondition($condition.GetCondition())
        $newCondition.SetInfo()
        $actionsAndConditions.Conditions.Add($newCondition)
    }

    # Copy actions
    foreach ($action in $set.Actions)
    {
        $newAction = $actionsAndConditions.Conditions.CreateEx($action.Class)
        $newAction.ExecutionOptions = $action.ExecutionOptions
        $actionObj = $action.GetAction()

        # 'add to group' -> 'remove from group'
        if ($actionObj.IsOperationOfType($null, "change membership") -and
            $actionObj.ActionType -eq "ADM_CHANGEGROUPMEMBERSHIPACTION_ADD")
        {
            $actionObj.ActionType = "ADM_CHANGEGROUPMEMBERSHIPACTION_REMOVE"
        }
        $newAction.SetAction($actionObj)
        $newAction.SetInfo()
        $actionsAndConditions.Actions.Add($newAction)
    }

    # Add the set to the target business rule
    $targetRule.ConditionedActions.Add($actionsAndConditions)
}
0

That's nice, thank you very much. Now that we have the two variables $sourceRuleDN and $targetRuleDN limiting the whole thing, is it possible that the two variables can be set to take the path of the create and in the same place the update is updated? So that I don't have to create the script for each function. And is it possible that the ifs are only copied if something has been changed? If I run the code twice, then it also copies everything twice. So it only copies what has been changed or what is new?

Thanks a lot

0

Hello,

is it possible that the two variables can be set to take the path of the create and in the same place the update is updated?

Sorry for the confusion, but we are not sure what exactly you mean. Please, describe the desired behavior in all the possible details with live examples.

And is it possible that the if are only copied if something has been changed?

Unfortunately, there is no such possibility. The only option is to fully replace all the action sets in the destination business rule. If that meets your needs, we will update the script accordingly.

0

Sorry for the confusion, but we are not sure what exactly you mean. Please, describe the desired behavior in all the possible details with live examples.

Currently, the two variables are fixed to one function, e.g. Create IT Specialist is to be copied to Update IT Specialist. So: $sourceRuleDN = "CN=Create - IT,CN=Direction,CN=Test,CN=Business Rules,CN=Configuration Objects,CN=Adaxes Configuration,CN=Adaxes" to $targetRuleDN = "CN=Update - IT,CN=Direction,CN=Test,CN=Business Rules,CN=Configuration Objects,CN=Adaxes Configuration,CN=Adaxes". Now if I have 50 functions, then I need to make 50 scripts with 50 $sourceRuleDN and $targetRuleDN and customise them for each function. Can't this be done automatically that the way of create , so CN=Direction,CN=Test,CN=Business Rules,CN=Configuration Objects,CN=Adaxes Configuration,CN=Adaxes is followed and the update is updated in the same place?

Unfortunately, there is no such possibility. The only option is to fully replace all the action sets in the destination business rule. If that meets your needs, we will update the script accordingly.

That would be nice if the code can be updated that way. I think then all if are deleted first and then copied again?

And can the user query with password be removed?

0

Hello,

is followed and the update is updated in the same place?

Thank you for clarifying. Unfortunately, there is no such possibility.

I think then all if are deleted first and then copied again?

Yes, that is correct.

And can the user query with password be removed?

It is possible, but the credentials will then have to be explicitly defined in the script. As an alternative, the script can use the credentials of the logged on account, but it then has to be the one with corresponding permissions in Adaxes.

0

If the script is created to take the data from the logged user, and the script is run as a scheduled task in Adaxes, will the user be taken from Adaxes if nothing else is specified? If so, could you send me the script like this? I.e. that the script uses the logged user and that everything is first deleted and then copied?

0

Hello,

Yes, it is possible. However, the script can be made much simpler if you are going to execute it in Adaxes (e.g. using a scheduled task). Is that your intention?

0

Yes, the script is executed directly in Adaxes. If it is possible otherwise, I am open to recommendations.

0

Hello,

Thank you for the confirmation. Below is the updated script. It can only be executed in Adaxes (e.g. in a scheduled task). The target object type does not matter for the script.

$sourceRuleDN = "CN=After create user,CN=User,CN=Business Rules,CN=Configuration Objects,CN=Adaxes Configuration,CN=Adaxes" # TODO: modify me
$targetRuleDN = "CN=After update user,CN=User,CN=Business Rules,CN=Configuration Objects,CN=Adaxes Configuration,CN=Adaxes" # TODO: modify me

$sourceRule = $Context.BindToObjectByDNEx($sourceRuleDN, $True)
$targetRule = $Context.BindToObjectByDNEx($targetRuleDN, $True)

$targetRule.ConditionedActions.Clear()

# Copy actions and conditions
foreach ($set in $sourceRule.ConditionedActions)
{
    # Create a new set of actions and conditions
    $actionsAndConditions = $targetRule.ConditionedActions.Create()
    $actionsAndConditions.ConditionsLogicalOperation = 
        $set.ConditionsLogicalOperation
    $actionsAndConditions.SetInfo()

    # Copy conditions
    foreach ($condition in $set.Conditions)
    {
        $newCondition = $actionsAndConditions.Conditions.CreateEx($condition.Class)
        $newCondition.SetCondition($condition.GetCondition())
        $newCondition.SetInfo()
        $actionsAndConditions.Conditions.Add($newCondition)
    }

    # Copy actions
    foreach ($action in $set.Actions)
    {
        $newAction = $actionsAndConditions.Conditions.CreateEx($action.Class)
        $newAction.ExecutionOptions = $action.ExecutionOptions
        $actionObj = $action.GetAction()

        # 'add to group' -> 'remove from group'
        if ($actionObj.IsOperationOfType($null, "change membership") -and
            $actionObj.ActionType -eq "ADM_CHANGEGROUPMEMBERSHIPACTION_ADD")
        {
            $actionObj.ActionType = "ADM_CHANGEGROUPMEMBERSHIPACTION_REMOVE"
        }
        $newAction.SetAction($actionObj)
        $newAction.SetInfo()
        $actionsAndConditions.Actions.Add($newAction)
    }

    # Add the set to the target business rule
    $targetRule.ConditionedActions.Add($actionsAndConditions)
}
0

Hello, can you adapt the code, that the add is not replaced by remove from group? So copy from create to update, add to group remains add to group. And is it possible to create an array for the $targetRuleDN, that I can copy from one function to all other functions in the array? Thank you!

0

So I have this code, but it deletes all the ifs in all configurations. What's the error?

$sourceRuleDN = "CN=After create user,CN=User,CN=Business Rules,CN=Configuration Objects,CN=Adaxes Configuration,CN=Adaxes" # TODO: modify me
$targetRuleDNs = @(
    "CN=After update user1,CN=User,CN=Business Rules,CN=Configuration Objects,CN=Adaxes Configuration,CN=Adaxes",
    "CN=After update user2,CN=User,CN=Business Rules,CN=Configuration Objects,CN=Adaxes Configuration,CN=Adaxes",
    "CN=After update user3,CN=User,CN=Business Rules,CN=Configuration Objects,CN=Adaxes Configuration,CN=Adaxes"
) # TODO: modify me with multiple target DNs

$sourceRule = $Context.BindToObjectByDNEx($sourceRuleDN, $True)

foreach ($targetRuleDN in $targetRuleDNs) {
    $targetRule = $Context.BindToObjectByDNEx($targetRuleDN, $True)
    $targetRule.ConditionedActions.Clear()

    # Copy actions and conditions
    foreach ($set in $sourceRule.ConditionedActions) {
        # Create a new set of actions and conditions
        $actionsAndConditions = $targetRule.ConditionedActions.Create()
        $actionsAndConditions.ConditionsLogicalOperation = $set.ConditionsLogicalOperation
        $actionsAndConditions.SetInfo()

        # Copy conditions
        foreach ($condition in $set.Conditions) {
            $newCondition = $actionsAndConditions.Conditions.CreateEx($condition.Class)
            $newCondition.SetCondition($condition.GetCondition())
            $newCondition.SetInfo()
            $actionsAndConditions.Conditions.Add($newCondition)
        }

        # Copy actions
        foreach ($action in $set.Actions) {
            $newAction = $actionsAndConditions.Actions.CreateEx($action.Class)
            $newAction.ExecutionOptions = $action.ExecutionOptions
            $actionObj = $action.GetAction()

            # 'add to group' -> 'remove from group'
            if ($actionObj.IsOperationOfType($null, "change membership") -and
                $actionObj.ActionType -eq "ADM_CHANGEGROUPMEMBERSHIPACTION_ADD") {
                $actionObj.ActionType = "ADM_CHANGEGROUPMEMBERSHIPACTION_REMOVE"
            }

            $newAction.SetAction($actionObj)
            $newAction.SetInfo()
            $actionsAndConditions.Actions.Add($newAction)
        }

        # Add the set to the target business rule
        $targetRule.ConditionedActions.Add($actionsAndConditions)
    }
}
0

Hello,

The thing is that you did not only add the foreach portion and the array for target business rules. You also changed a part of the code that was copying actions and conditions. We updated the script accordingly:

$sourceRuleDN = "CN=After create user,CN=User,CN=Business Rules,CN=Configuration Objects,CN=Adaxes Configuration,CN=Adaxes" # TODO: modify me
$targetRuleDNs = @(
    "CN=After update user1,CN=User,CN=Business Rules,CN=Configuration Objects,CN=Adaxes Configuration,CN=Adaxes",
    "CN=After update user2,CN=User,CN=Business Rules,CN=Configuration Objects,CN=Adaxes Configuration,CN=Adaxes",
    "CN=After update user3,CN=User,CN=Business Rules,CN=Configuration Objects,CN=Adaxes Configuration,CN=Adaxes"
) # TODO: modify me with multiple target DNs

$sourceRule = $Context.BindToObjectByDNEx($sourceRuleDN, $True)

foreach ($targetRuleDN in $targetRuleDNs)
{
    $targetRule = $Context.BindToObjectByDNEx($targetRuleDN, $True)
    $targetRule.ConditionedActions.Clear()

    # Copy actions and conditions
    foreach ($set in $sourceRule.ConditionedActions)
    {
        # Create a new set of actions and conditions
        $actionsAndConditions = $targetRule.ConditionedActions.Create()
        $actionsAndConditions.ConditionsLogicalOperation = $set.ConditionsLogicalOperation
        $actionsAndConditions.SetInfo()

        # Copy conditions
        foreach ($condition in $set.Conditions) {
            $newCondition = $actionsAndConditions.Conditions.CreateEx($condition.Class)
            $newCondition.SetCondition($condition.GetCondition())
            $newCondition.SetInfo()
            $actionsAndConditions.Conditions.Add($newCondition)
        }

        # Copy actions
        foreach ($action in $set.Actions)
        {
            $newAction = $actionsAndConditions.Conditions.CreateEx($action.Class)
            $newAction.ExecutionOptions = $action.ExecutionOptions
            $actionObj = $action.GetAction()

            # 'add to group' -> 'remove from group'
            if ($actionObj.IsOperationOfType($null, "change membership") -and
                $actionObj.ActionType -eq "ADM_CHANGEGROUPMEMBERSHIPACTION_ADD") {
                $actionObj.ActionType = "ADM_CHANGEGROUPMEMBERSHIPACTION_REMOVE"
            }

            $newAction.SetAction($actionObj)
            $newAction.SetInfo()
            $actionsAndConditions.Actions.Add($newAction)
        }

        # Add the set to the target business rule
        $targetRule.ConditionedActions.Add($actionsAndConditions)
    }
}
0

Hello, thank you for the code, but the code does not work. When we start the script, it deletes all the ifs. And now the actions in the ifs are changed to remove from group, but they should remain add to group. Thanks

0

Hello,

That is something that was present in the previous version of the script. There are only two options here:

  1. Full replace of the actions/conditions in the target business rules (the way the script works).
  2. Keep the existing actions/conditions in the target rules and add the ones from the source rule. If this is what you need, just remove the line $targetRule.ConditionedActions.Clear() from the script. Keep in mind that each time the script runs, all the actions/conditions will be copied and that is not something you can avoid.
0

Hello,

  1. We agree with this. However, we now have an after create in the $sourceRuleDN with 3 ifs. These 3 ifs should be copied into 3 after updates with the script. When I run the script, it deletes all the ifs in the $sourceRuleDN and copies nothing into the three $targetRuleDNs.

  2. If the script would work, it changes the actions in the ifs from add to group to remove from group. However, add to group should remain add to group.

Thank you

0

Hello,

As per our tests, the script works exactly as it should for option one. The source rule remains untouched. Please, make sure to use the last version of the script and change nothing in it except for the variable values.

0

Thank you very much! I have found the error. I have about 60 positions in the $targetRuleDNs and one of them was the same as $sourceRuleDN. So everything was deleted and then copied... Which is also correct :D Thanks a lot!
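
The failure found at the end of this thread (a target DN identical to the source, so Clear() emptied the rule being copied) can be caught before any rule is bound. This is an added example, not part of the original answers and not Adaxes code; the function name Get-ValidatedTargetRuleDNs and the sample DNs are constructed for illustration.

```powershell
# Added example: validate the target list before any rule is bound or cleared.
# The function name and the sample DNs are constructed for illustration.
function Get-ValidatedTargetRuleDNs
{
    param(
        [Parameter(Mandatory)] [string]   $SourceRuleDN,
        [Parameter(Mandatory)] [string[]] $TargetRuleDNs
    )

    # DNs are compared case-insensitively after trimming outer whitespace.
    # Simplification: the same DN written with different escaping or inner
    # spacing is not recognised as equal.
    $comparer  = [System.StringComparer]::OrdinalIgnoreCase
    $source    = $SourceRuleDN.Trim()
    $seen      = [System.Collections.Generic.HashSet[string]]::new($comparer)
    $validated = [System.Collections.Generic.List[string]]::new()

    foreach ($dn in $TargetRuleDNs)
    {
        $candidate = $dn.Trim()
        if ($candidate.Length -eq 0) { throw "The target list contains an empty entry." }

        # Clear() on this target would empty the rule that is being copied.
        if ($comparer.Equals($candidate, $source))
        {
            throw "Target list contains the source rule: $candidate"
        }

        # A repeated target would only be cleared and refilled twice.
        if (-not $seen.Add($candidate))
        {
            Write-Warning "Duplicate target skipped: $candidate"
            continue
        }
        $validated.Add($candidate)
    }
    return $validated.ToArray()
}

# Constructed input: the second target is the source rule in different case.
$base = "CN=User,CN=Business Rules,CN=Configuration Objects,CN=Adaxes Configuration,CN=Adaxes"
$sourceRuleDN  = "CN=After create user,$base"
$targetRuleDNs = @("CN=After update user1,$base", "cn=after create user,$base")

$targets = @()
try
{
    $targets = @(Get-ValidatedTargetRuleDNs -SourceRuleDN $sourceRuleDN -TargetRuleDNs $targetRuleDNs)
}
catch { Write-Warning "Nothing was changed. $($_.Exception.Message)" }
# $targets is the list the foreach over target rules would iterate.
```

With the constructed input the check throws, so $targets stays empty and no Clear() call is reached.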
