0 votes

Hello,

Is it possible to grant members of a business unit permission to run a custom command? I know I'm able to give permission to a user/group to run a cmd on a business unit, but I would like to have members of the business unit be able to run a command.
Or, create a task/rule that will add members of a business unit to a security group that can run the command.

I've not been successful with any of my attempts to do so.

by (100 points)

1 Answer

0 votes
by (203k points)
Best answer

Hello,

Is it possible to grant members of a business unit permission to run a custom command?

There is no such possibility.

Or, create a task/rule that will add members of a business unit to a security group that can run the command.

Yes, you need to create a Scheduled Task that will add members of a Business Unit to a group and remove users from the group if they are no longer members of the Business Unit. To grant permissions to execute Custom Commands to members of the group, check the following tutorial: http://www.adaxes.com/tutorials_Delegat ... mmands.htm.

To create the Scheduled Task:

  1. Launch Adaxes Administration Console

  2. Right-click your Adaxes service node, navigate to New and click Scheduled Task.

  3. On step 3 of the Create Scheduled Task wizard select User Object type.

  4. Click Add Action, select Add the User to a group and click Select Group.

  5. Select a group and click OK twice.

  6. Double-click Always and select If PowerShell script returns true.

  7. Enter a short description and paste the following code into the Script field.

     $businessUnitName = "My Unit" # TODO: modify me
    
     # Search Business Units
     $Context.ConditionIsMet = $False
     $businessUnitsPath = $Context.GetWellKnownContainerPath("BusinessUnits")
     $searcher = $Context.BindToObject($businessUnitsPath)
     $searcher.SearchFilter = "(&(objectCategory=adm-BusinessUnit)(name=$businessUnitName))"
     $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
     $searcher.PageSize = 500
     $searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
    
     try
     {
         $searchResult = $searcher.ExecuteSearch()
         $units = $searchResult.FetchAll()
         if ($units.Count -eq 0)
         {
             $Context.LogMessage("A Business Unit with name '$businessUnitName' was not found", "Warning")
             return
         }
    
         foreach ($unit in $units)
         {
             # Bind to the Business Unit
             $unitObject = $Context.BindToObject($unit.AdsPath)
    
             # Check whether the target object is a member
             if ($unitObject.IsMember($Context.TargetObject))
             {
                 $Context.ConditionIsMet = $True
                 return
             }
         }
    
     }
    
     finally
     {
         # Release resources used by the search (only if the search actually started)
         if ($searchResult) { $searchResult.Dispose() }
     }

  8. Click OK.

  9. Right-click the set you have created and click Add Condition.

  10. Select If is a member of <Group> and click Select Group.

  11. Select the same group as in step 5 and click OK.

  12. Select is not and click OK.

  13. Right-click the set again and click Copy.

  14. Right-click the free space and click Paste.

  15. Double-click the first condition in the second set and input the following code into the Script field.

     $businessUnitName = "My Unit" # TODO: modify me
    
     # Search Business Units
     $Context.ConditionIsMet = $True
     $businessUnitsPath = $Context.GetWellKnownContainerPath("BusinessUnits")
     $searcher = $Context.BindToObject($businessUnitsPath)
     $searcher.SearchFilter = "(&(objectCategory=adm-BusinessUnit)(name=$businessUnitName))"
     $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
     $searcher.PageSize = 500
     $searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
    
     try
     {
         $searchResult = $searcher.ExecuteSearch()
         $units = $searchResult.FetchAll()
         if ($units.Count -eq 0)
         {
             $Context.LogMessage("A Business Unit with name '$businessUnitName' was not found", "Warning")
             return
         }
    
         foreach ($unit in $units)
         {
             # Bind to the Business Unit
             $unitObject = $Context.BindToObject($unit.AdsPath)
    
             # Check whether the target object is a member
             if ($unitObject.IsMember($Context.TargetObject))
             {
                 $Context.ConditionIsMet = $False
                 return
             }
         }
    
     }
    
     finally
     {
         # Release resources used by the search (only if the search actually started)
         if ($searchResult) { $searchResult.Dispose() }
     }
    
  16. Click OK and double-click the second condition in the second set.

  17. Select If the user is member of and click OK.

  18. Double-click the action in the second set and select Remove the User from a group.

  19. Click Select Group and select the same group as in steps 5 and 11.

  20. Click OK twice.

  21. Click Next and finish creating the Scheduled Task.

You should have something like the following:

0

That looks like it'll work for us. Thank you very much!
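
The two condition sets in the answer above reconcile a group with a Business Unit, and that group is what carries the Custom Command permission. The PowerShell below is an added example, not part of the original answer and not Adaxes code: it escapes a Business Unit name before it is placed in the name= search filter used by the scripts, and it lists accounts that are in the group but not in the unit. Function names are hypothetical and the sample names and DNs are constructed.

```powershell
# Added example. Function names are hypothetical; sample data is constructed.
# Requires Windows PowerShell 5 or later (uses the ::new() constructor syntax).

function ConvertTo-LdapFilterValue {
    # RFC 4515: \ * ( ) and NUL inside a filter value become \XX hex escapes,
    # so a unit name cannot change the structure of the search filter.
    param([string]$Value)
    [System.Text.RegularExpressions.MatchEvaluator]$toHex = {
        param($m) '\{0:x2}' -f [int][char]$m.Value
    }
    [regex]::Replace($Value, '[\\*()\x00]', $toHex)
}

function Get-MembershipDrift {
    # Compares Business Unit members with group members (distinguished names,
    # case-insensitive) and returns what the Scheduled Task still has to fix.
    param([string[]]$UnitMembers = @(), [string[]]$GroupMembers = @())
    $cmp   = [System.StringComparer]::OrdinalIgnoreCase
    $unit  = [System.Collections.Generic.HashSet[string]]::new($UnitMembers, $cmp)
    $group = [System.Collections.Generic.HashSet[string]]::new($GroupMembers, $cmp)
    [pscustomobject]@{
        ToAdd    = @($UnitMembers  | Where-Object { -not $group.Contains($_) })
        ToRemove = @($GroupMembers | Where-Object { -not $unit.Contains($_) })
    }
}

# Constructed unit name containing filter metacharacters
$unitName = 'R&D (EMEA)'
$filter = "(&(objectCategory=adm-BusinessUnit)(name=$(ConvertTo-LdapFilterValue $unitName)))"

# Constructed membership lists
$unitMembers  = @('CN=Ann Lee,OU=Staff,DC=example,DC=com',
                  'CN=Bo Chen,OU=Staff,DC=example,DC=com')
$groupMembers = @('CN=bo chen,OU=Staff,DC=example,DC=com',
                  'CN=Old Admin,OU=Staff,DC=example,DC=com')

$drift = Get-MembershipDrift -UnitMembers $unitMembers -GroupMembers $groupMembers

$filter
$drift.ToAdd      # in the unit, not yet in the group
$drift.ToRemove   # in the group, not in the unit: can still run the command
```

Entries in ToRemove between task runs are either users who left the unit since the last run or accounts added to the group directly, so they are worth reviewing rather than only waiting for the next scheduled pass.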
