0 votes

Can you think of a way to allow ADAxes users the ability to enter a help desk ticket number, and then have this information passed along in the workflow approval?

Thanks

by (950 points)
0

Hello,

Can you provide more details on what you are trying to achieve?

1 Answer

0 votes
by (18.0k points)

I think I understood what you mean.

Recently (14/06/2012) we released a minor update for 2012.1 that allows using custom properties when managing AD objects.

Here is what you can do:

  1. Provide a custom display name for the property called adm-CustomAttributeInt1. For example, name it Ticket Number. For details, see Customizing Display Names for AD Properties.
    adm-CustomAttributeInt1 is a virtual property that is not stored in Active Directory but you can use it in Adaxes like a regular property of AD objects.
  2. Customize the Web Interface forms to allow users to edit the adm-CustomAttributeInt1 property. For details, see Customize Forms for User Creation and Editing.
  3. If necessary, make the property required using Property Patterns.

If the property was filled in during an operation that requires an approval, the approver will see it in the request details.

0

Thanks Eugene. That is precisely what I was looking for. How weird is it that this release is today?

0

Oops, the release date is wrong. That feature was introduced on 08/06/2012.
On 14/06/2012 we released another minor update that fixes an issue related to home folder creation.

0

Thanks - I think I need a little more assistance...

I added the "adm-CustomAttributeInt1" to the AttributeFriendlyNames2.eng.xml file like this:

     .
     .
     .
       <friendlyNameItem>
         <ldapName>extensionAttribute2</ldapName>
         <friendlyName>Web Filtering Level</friendlyName>
       </friendlyNameItem>
       <friendlyNameItem>
         <ldapName>adm-CustomAttributeInt1</ldapName>
         <friendlyName>Ticket Number</friendlyName>
       </friendlyNameItem>
     </friendlyNames>

When I add this to the web interface, I get:

"Fatal Error: Information about the property 'ticket number' was not fetched."

0

Hello,

I guess you clicked Add Extra in the Add Field dialog and entered the display name of the adm-CustomAttributeInt1 property.
You need to use the LDAP property name instead of the display name.

In the Add Field dialog, enable the Show all properties option, and select the adm-CustomAttributeInt1 property.


It is impossible to use display names when configuring forms and views in the Web Interface because multiple properties may have the same display name, or you can change the display name of a property in the future...

0

You are correct. In our testing lab, there is the following problem that does not happen in our production environment (which is why I selected the "Add Extra" button):


The environment works ok, except for this. Unfortunately, it does prevent the web customization from rendering the selectable fields.

0

OK, click Add Extra and type adm-CustomAttributeInt1 in the Property name field.

You are correct. In our testing lab, there is the following problem that does not happen in our production environment

That's strange...
Are you sure the Adaxes service that is installed in the testing lab is running?
Does the Web Interface work correctly?

0

Yes - it's running. I can interact with the web interface also. I think the issue is that we have a forest root domain (vul) and a child domain. The child domain contains the objects we want to manage.

0

Not sure what else to try. Where can I tell the web customization interface to connect to the child domain, rather than the root domain? I've restored both the service and web configuration from our production environment, but test continues to throw the same error.

Thanks

0

To work around the problem, I went to the Administration Console, and added the root domain (even though we are not managing this).

Once that entry was present, the web interface customization tool started without error. I was able to add the custom attribute, and get it to appear in the web interface.

Still not sure this is the answer to the challenge I have been presented with. For example, even though we can set adding a user to a group to be routed for workflow approval, our support staff uses another system to explain "why" someone needed to be added to that group. They want ADAxes to be able to pass the ticket number from this system along with the workflow so that the approving person can cross reference this as they approve the ADAxes workflow.

Thanks

0

To work around the problem, I went to the Administration Console, and added the root domain (even though we are not managing this).

It looks like you logged in to the computer in the test lab environment using a user account from the root domain. The Web Interface Configuration tool searches for available Adaxes services in the domain of the currently logged on user. If the domain is not managed by Adaxes, the tool fails to find the service. Try logging in using an account from the child domain.

Still not sure this is the answer to the challenge I have been presented with. For example, even though we can set adding a user to a group to be routed for workflow approval, our support staff uses another system to explain "why" someone needed to be added to that group.

Passing the ticket number along with adding users to groups is not simple, but possible. Here is what you need to do:

  1. Launch the Web Interface Configuration tool and select the desired Web Interface type in the Interface type drop-down list.

  2. On the General tab, click Configure Home Page Actions.

  3. Click Add and select the Modify User action.

  4. On the Form Customization step of the wizard, select Use customized form, and click Customize Form.

  5. Customize the form to contain only two fields - Member Of and adm-CustomAttributeInt1.

  6. Click OK, then click Finish, and then click Apply.

  7. Launch Adaxes Administration Console.

  8. Create a Business Rule that is executed before updating a user.

  9. Add the Run PowerShell script action to the Business Rule. Configure the action to execute the following script:

     # Returns a case-insensitive set of the given DN strings (empty set if $values is $NULL)
     function ConvertToHashSet($values)
     {
         $hashSet = new-object "System.Collections.Generic.HashSet[string]" @([System.StringComparer]::OrdinalIgnoreCase)
         if ($values -ne $NULL)
         {
             foreach($value in $values)
             {
                 $hashSet.Add($value) | Out-Null
             }
         }
         ,$hashSet
     }
    
     # Wraps DN strings in AdsPropertyValue objects (not called by the rest of this script)
     function ConvertToAdsPropertyValues($values)
     {
         $adsPropertyValues = New-Object "System.Collections.Generic.List[Softerra.Adaxes.Adsi.AdsPropertyValue]"
         foreach ($value in $values)
         {
             $adsPropertyValue = New-Object "Softerra.Adaxes.Adsi.AdsPropertyValue"
             $adsPropertyValue.DNString = $value
             $adsPropertyValues.Add($adsPropertyValue) | Out-Null
         }
         return ,$adsPropertyValues.ToArray();
     }
    
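     # Group DNs in memberOf as modified by the current operation
     $memberOfValues = $Context.GetModifiedPropertyValues("memberOf")
     $memberOfValuesHashSet = ConvertToHashSet($memberOfValues)
    
     # Group DNs the user belongs to right now; the catch covers a user with no memberOf values
     try
     {
         $originalMemberOfValues = $Context.TargetObject.GetEx("memberOf")
     }
     catch
     {
         $originalMemberOfValues = $NULL;
     }
    
     $originalMemberOfValuesHashSet = ConvertToHashSet($originalMemberOfValues)
    
     # Groups present in the new memberOf values but not in the current ones
     $groupsToAdd = new-object "System.Collections.Generic.HashSet[string]" @([System.StringComparer]::OrdinalIgnoreCase)
     $groupsToAdd.UnionWith($memberOfValuesHashSet)
     $groupsToAdd.ExceptWith($originalMemberOfValuesHashSet)
    
     # Groups present in the current memberOf values but not in the new ones
     $groupsToRemove = new-object "System.Collections.Generic.HashSet[string]" @([System.StringComparer]::OrdinalIgnoreCase)
     $groupsToRemove.UnionWith($originalMemberOfValuesHashSet)
     $groupsToRemove.ExceptWith($memberOfValuesHashSet)
    
     # Ticket number entered on the form together with the group change
     $ticketNumber = $Context.GetModifiedPropertyValue("adm-CustomAttributeInt1")
     # Error code that this script counts as "operation sent for approval"
     $E_PENDING = 0x8000000A;
     $approvalRequestsCount = 0;
     # Value reference for the DN of the user being updated
     $userDN = "%distinguishedName%"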
     # Add the user to each new group, attaching the ticket number to the group operation
     foreach ($groupDN in $groupsToAdd)
     {
         $group = $Context.BindToObjectEx("Adaxes://" + $groupDN, $true)
         $group.PutEx("ADS_PROPERTY_APPEND", "member", @($userDN))
         $group.Put("adm-CustomAttributeInt1", $ticketNumber)
         try
         {
             $group.SetInfo();
         }
         catch [System.Runtime.InteropServices.COMException]
         {
             # Only E_PENDING is counted; any other COM error is silently ignored here
             if ($_.Exception.ErrorCode -eq $E_PENDING)
             {
                 $approvalRequestsCount++
             }
         }
     }
     # Remove the user from each dropped group, attaching the ticket number in the same way
     foreach ($groupDN in $groupsToRemove)
     {
         $group = $Context.BindToObjectEx("Adaxes://" + $groupDN, $true)
         $group.PutEx("ADS_PROPERTY_DELETE", "member", @($userDN))
         $group.Put("adm-CustomAttributeInt1", $ticketNumber)
         try
         {
             $group.SetInfo();
         }
         catch [System.Runtime.InteropServices.COMException]
         {
             # Only E_PENDING is counted; any other COM error is silently ignored here
             if ($_.Exception.ErrorCode -eq $E_PENDING)
             {
                 $approvalRequestsCount++
             }
         }
     }
     if ($approvalRequestsCount -ne 0)
     {
         $Context.LogMessage("Your request has been submitted for approval.", "Warning")
     }
     # Drop memberOf and the ticket number from the user update itself;
     # the group operations above already carry both
     $Context.Action.PropertyList.ResetPropertyItem("memberOf")
     $Context.Action.PropertyList.ResetPropertyItem("adm-CustomAttributeInt1")
    
     # Clear the ticket number on the user
     $Context.TargetObject.Put("adm-CustomAttributeInt1", $NULL)
     $Context.TargetObject.SetInfoEx(@("adm-CustomAttributeInt1"))
    
  10. Add the If the 'Member Of' property has changed condition to the Business Rule.

  11. Create another Business Rule that will be executed before adding or removing group members.

  12. Add two actions to the Business Rule:

    • Send operation for approval
    • Run a program or PowerShell script

    Type the following PowerShell script for the second action:

     # Drop the ticket number from the group update and clear it on the group
     $Context.Action.PropertyList.ResetPropertyItem("adm-CustomAttributeInt1")
     $Context.TargetObject.Put("adm-CustomAttributeInt1", $NULL)
     $Context.TargetObject.SetInfoEx(@("adm-CustomAttributeInt1"))
    

That's it. Hope this helps.

0

Thanks for putting this together. I'm testing with this model.

It occurred to me that a simple solution may be to add a standard function in the custom command area that would allow you to trigger a prompt for a "transient" value based on a Business Rule. For example, you could define a Business Rule that was like:

Before updating a user (group, etc), prompt for value. The prompt could be in the form of a new window/form. The value could have property enforcements, etc. and could be passed along to the workflow, etc.

Thanks,

Brad

0

Yes, we are thinking about something like that. But what to do if an operation is performed via a script?

0

I was thinking something similar to the messages that can pop up as confirmations for custom commands, only with the addition of an entry field:

0

Hello,

I've submitted this feature to our Sandbox. We'll be discussing the possibility of implementing it.
Thanks for the suggestion.

0

Thanks!
