0 votes

Hello,

Is it possible to grant members of a business unit permission to run a custom command? I know I'm able to give permission to a user/group to run a cmd on a business unit, but I would like to have members of the business unit be able to run a command.
Or, create a task/rule that will add members of a business unit to a security group that can run the command.

I've not been successful with any of my attempts to do so.

by (100 points)

1 Answer

0 votes
by (284k points)
selected by
Best answer

Hello,

Is it possible to grant members of a business unit permission to run a custom command?

There is no such possibility.

Or, create a task/rule that will add members of a business unit to a security group that can run the command.

Yes you need to create a Scheduled Task that will add members of a Business Unit to a group and remove users from the group if they are no longer members of the Business Unit. To grant permissions to execute Custom Commands to members of the group, check the following tutorial:http://www.adaxes.com/tutorials_Delegat ... mmands.htm.

To create the Scheduled Task:

  1. Launch Adaxes Administration Console

  2. Right-click your Adaxes service node, navigate to New and click Scheduled Task.

  3. On step 3 of the Create Scheduled Task wizard select User Object type.

  4. Click Add Action, select Add the User to a group and click Select Group.

  5. Select a group and click OK twice.

  6. Double-click Always and select If PowerShell script returns true.

  7. Enter a short description and paste the following code into the Script field.

     $businessUnitName = "My Unit" # TODO: modify me
    
     # Search Business Units
     $Context.ConditionIsMet = $False
     $businessUnitsPath = $Context.GetWellKnownContainerPath("BusinessUnits")
     $searcher = $Context.BindToObject($businessUnitsPath)
     $searcher.SearchFilter = "(&(objectCategory=adm-BusinessUnit)(name=$businessUnitName))"
     $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
     $searcher.PageSize = 500
     $searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
    
     try
     {
         $searchResult = $searcher.ExecuteSearch()
         $units = $searchResult.FetchAll()
         if ($units.Count -eq 0)
         {
             $Context.LogMessage("A Business Unit with name '$businessUnitName' was not found", "Warning")
             return
         }
    
         foreach ($unit in $units)
         {
             # Bind to the Business Unit
             $unitObject = $Context.BindToObject($unit.AdsPath)
    
             # Check whether the target object is a member
             if ($unitObject.IsMember($Context.TargetObject))
             {
                 $Context.ConditionIsMet = $True
                 return
             }
         }
    
     }
    
     finally
     {
         # Release resources used by the search
         $searchResult.Dispose()
     }
  8. Click OK.

  9. Right-click the set you have created and click Add Condition.

  10. Select If is a member of <Group> and click Select Group.

  11. Select the same group as in step 5 and click OK.

  12. Select is not and click OK.

  13. Right-click the set again and click Copy.

  14. Right-click the free space and click Paste.

  15. Double-click the first condition in the second set and input the following code into the Script field.

     $businessUnitName = "My Unit" # TODO: modify me
    
     # Search Business Units
     $Context.ConditionIsMet = $True
     $businessUnitsPath = $Context.GetWellKnownContainerPath("BusinessUnits")
     $searcher = $Context.BindToObject($businessUnitsPath)
     $searcher.SearchFilter = "(&(objectCategory=adm-BusinessUnit)(name=$businessUnitName))"
     $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
     $searcher.PageSize = 500
     $searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
    
     try
     {
         $searchResult = $searcher.ExecuteSearch()
         $units = $searchResult.FetchAll()
         if ($units.Count -eq 0)
         {
             $Context.LogMessage("A Business Unit with name '$businessUnitName' was not found", "Warning")
             return
         }
    
         foreach ($unit in $units)
         {
             # Bind to the Business Unit
             $unitObject = $Context.BindToObject($unit.AdsPath)
    
             # Check whether the target object is a member
             if ($unitObject.IsMember($Context.TargetObject))
             {
                 $Context.ConditionIsMet = $False
                 return
             }
         }
    
     }
    
     finally
     {
         # Release resources used by the search
         $searchResult.Dispose()
     }
    
  16. Click OK and double-click the second condition in the second set.

  17. Select If the user is member of and click OK.

  18. Double-click the action in the second set and select Remove the User from a group.

  19. Click Select Group and select the same group as in steps 5 and 11.

  20. Click OK twice.

  21. Click Next and finish creating the Scheduled Task.

You Should have something like the following:

0

That looks like it'll work for us. Thank you very much!

Related questions

0 votes
1 answer

Hi, I'm trying to create a web console only for sending SMS using adaxes 2018.2. The SMS-users that are going to use the console should only be able to view users, not edit ... which removes a lot of OUs that the users should not see or be able to browse to.

asked Sep 2, 2020 by eirikza (120 points)
0 votes
0 answers

I'd like to implement an architecture whereby all Domain Users can request membership in any domain security group. I'd also like to allow the OU Owners to have ... from their groups without granting them the ability to remove users from all security groups?

asked Mar 25, 2020 by sirslimjim (480 points)
0 votes
1 answer

Greetings. When I create the parameters to make a business rule that looks for users whose Email Proxy Adresses does not contain 'SMTP:%userPrincipalName%', it still generates profiles ... and primary SMTP address don't match. Version is 2023 How rule is set

asked Dec 19, 2022 by MShep (80 points)
0 votes
1 answer

We are replacing our Namescape rDirectory product with Adaxes because of the very flexible automation components. I've been able to replicate some of the pages previously ... vast majority of our users, that would function as the default company directory.

asked Aug 5, 2022 by MRBruce (110 points)
0 votes
1 answer

Hello, I want service desk to be able to select from the web interface only groups that are specified in a Business Unit. it is possible to do it (Adaxes 2009.1)? Thanks you.

asked Sep 2, 2020 by tentaal (1.1k points)
3,504 questions
3,196 answers
8,148 comments
547,418 users