0 votes

Are there any APIs or Powershell options that would allow me to pull out the exact action that is being approved in workflow?

Thanks!

by (950 points)

1 Answer

0 votes
by (216k points)

Hello,

You can get a description of the operation that is being approved. See the article called Managing Approval Requests in our SDK.

Can you specify more information on what you are trying to accomplish so that we could provide you with more specific guidance?

0

Thank you. I'm trying to get a complete listing to show specifically what original request is being approved in the workflow.

In our main log, this is all we get (example):

The approval:
{8a3ac21e-ecfc-4f23-9abd-52bd43b95c64} Modify '60889293-cba5-48e6-9154-2073a2a3d84d (Adaxes\Adaxes Configuration\Configuration Objects\Approval Requests)': approve the request, set 'adm-ProcessedByGuid' to '64 94 B1 20 84 8E AC 46 BB 91 5B E4 2B E8 5B 09', set 'adm-ProcessedByObjectDomain' to 'xx.xx.xxx'

The action taken:
Add 'hausr (xx.xx.com\tst)' to 'test-User (xx.xx.xxx\tst)'

When there are multiple approvals, you cannot easily link the approval to the original request and/or final action applied.

What I'm looking for is the ability to show exact linkage between what was submitted and what was approved.

0

Hello,

In our main log, this is all we get (example):

Yes, not too human-friendly. :)
I've added the task to display approvals in logs in a more human-readable format to our TODO list. I think, this will be implemented in one of our nearest releases.

For now, we have 2 options for you:

  1. A script that would add a record to the execution log of the operation containing a description of the initial operation, the name of the initiator and the name of the user who initiated the operation.
  2. A script that would, on request, output a list of all approvals. Each line in this list would contain a description of the initial operation, the name of the initiator, the name of the user who initiated the operation and the time when the action was approved.
0

Option 2 sounds like it would work for us. Can you post an example?

Thanks!

0

Hello,

OK. We'll make this script and I'll post it here as soon as it is ready.

0

Hello,

This script outputs the following information for approved requests that were initiated during the last 30 days: the description of the initial operation, the name of the initiator and the name of the user who initiated the operation:

[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

$admNS = New-Object("Softerra.Adaxes.Adsi.AdmNamespace")
$admService = $admNS.GetServiceDirectly("localhost")

# Bind to the Approval Requests container
$containerPath = $admService.Backend.GetConfigurationContainerPath("ApprovalRequests")
$container = $admService.OpenObject($containerPath.ToString(), $NULL, $NULL, 0)

# Get approval requests
$state = "ADM_APPROVALSTATE_APPROVED"
#$state = "ADM_APPROVALSTATE_DENIED"
#$state = "ADM_APPROVALSTATE_CANCELED"
$requests = $container.GetApprovalRequests($state)

$startDateTime = (Get-Date).AddDays(-30)

# Iterate through the requests
foreach ($requestID in $requests)
{
    # Bind to the approval request
    $guid = New-Object "System.Guid" (,$requestID)
    $guid = $guid.ToString("B")
    $requestPath = "Adaxes://<GUID=$guid>"
    $request = $admService.OpenObject($requestPath, $NULL, $NULL, 0)

    if ($request.CreationDate -gt $startDateTime)
    {
        Write-Host "Operation:" $request.DescriptionOfOperationToApprove
        Write-Host "ProcessedBy:" $request.ProcessedBy.Get("name")
        Write-Host "Requestor:" $request.Requestor.Get("name")
        Write-Host
    }
}
0

I'm doing something incorrect. When I execute the Powershell you provided (thanks), it iterates through a record set, but this is all that is returned for each record:

Write-Host "Operation:" $request.DescriptionOfOperationToApprove
Write-Host "ProcessedBy:" $request.ProcessedBy.Get("name")
Write-Host "Requestor:" $request.Requestor.Get("name")
Write-Host

Any ideas what I'm missing?

0

Hello,

How do you launch this script? Do you launch it from Adaxes or from the PowerShell environment?

0

I open a Powershell (as administrator).

0

That's very strange. Can you send us a screenshot of the window?

0

Here you go:

0

Hello,

Did you modify the script in any way? Can you attach the script that you launch in a file?

0

Here is the code. The only modification I made was to comment out the "# if ($request.CreationDate -gt $startDateTime)" restriction. If this is left in, the script runs for a minute and then stops with no output. If you comment this out, you get the results I posted.

[Reflection.Assembly\]::LoadWithPartialName("Softerra.Adaxes.Adsi")  

$admNS = New-Object("Softerra.Adaxes.Adsi.AdmNamespace")  
$admService = $admNS.GetServiceDirectly("localhost")  

# Bind to the Approval Requests container  
$containerPath = $admService.Backend.GetConfigurationContainerPath("ApprovalRequests")  
$container = $admService.OpenObject($containerPath.ToString(), $NULL, $NULL, 0)  

# Get approval requests  
$state = "ADM\_APPROVALSTATE\_APPROVED"  
#$state = "ADM\_APPROVALSTATE\_DENIED"  
#$state = "ADM\_APPROVALSTATE\_CANCELED"  
$requests = $container.GetApprovalRequests($state)  

$startDateTime = (Get-Date).AddDays(-30)  

# Iterate through the requests  
foreach ($requestID in $requests)  
{  
 # Bind to the approval request  
 $guid = New-Object "System.Guid" (,$requestID)  
 $guid = $guid.ToString("B")  
 $requestPath = "Adaxes://<GUID=$guid>"  
 $request = $admService.OpenObject($requestPath, $NULL, $NULL, 0)  

# if ($request.CreationDate -gt $startDateTime)  
 {  
 Write-Host "Operation:" $request.DescriptionOfOperationToApprove  
 Write-Host "ProcessedBy:" $request.ProcessedBy.Get("name")  
 Write-Host "Requestor:" $request.Requestor.Get("name")  
 Write-Host  
 }  
}
0

Hello,

The only modification I made was to comment out the "# if ($request.CreationDate -gt $startDateTime)" restriction.

Please, uncomment the line. That is why the script behaves like this.

If this is left in, the script runs for a minute and then stops with no output.

Can you send us a screenshot of the window after it stops?

0

If you leave the line in, the script returns nothing. If I'm reading the logic correctly, this line would only restrict the output to the records matching the date.

I've uploaded a screenshot of the file and it's output.

Thanks.

0

Hello,

Then this means that you do not have any approved requests that were initiated during the last 30 days.

If you want to output the information for all requests that were approved, you should use the following script:

[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

$admNS = New-Object("Softerra.Adaxes.Adsi.AdmNamespace")
$admService = $admNS.GetServiceDirectly("localhost")

# Bind to the Approval Requests container
$containerPath = $admService.Backend.GetConfigurationContainerPath("ApprovalRequests")
$container = $admService.OpenObject($containerPath.ToString(), $NULL, $NULL, 0)

# Get approval requests
$state = "ADM_APPROVALSTATE_APPROVED"
#$state = "ADM_APPROVALSTATE_DENIED"
#$state = "ADM_APPROVALSTATE_CANCELED"
$requests = $container.GetApprovalRequests($state)

# Iterate through the requests
foreach ($requestID in $requests)
{
    # Bind to the approval request
    $guid = New-Object "System.Guid" (,$requestID)
    $guid = $guid.ToString("B")
    $requestPath = "Adaxes://<GUID=$guid>"
    $request = $admService.OpenObject($requestPath, $NULL, $NULL, 0)

    Write-Host "Operation:" $request.DescriptionOfOperationToApprove
    Write-Host "ProcessedBy:" $request.ProcessedBy.Get("name")
    Write-Host "Requestor:" $request.Requestor.Get("name")
    Write-Host
}
0

Ok - I found the problem with the script. The inner "{" had to be commented out also, then it is just like your "all" script. If the inner "{" are left in, the result is the output I posted earlier.

But, there is another issue - this still does not return all the approvals in that have taken place. We do have many approvals in the last 30 days.

It only returned items in this range: 5/21/2012 12:00:00 AM to 6/26/2012 12:00:00 AM

Is there a resultsize limitation?

[Reflection.Assembly\]::LoadWithPartialName("Softerra.Adaxes.Adsi")  

$admNS = New-Object("Softerra.Adaxes.Adsi.AdmNamespace")  
$admService = $admNS.GetServiceDirectly("localhost")  

# Bind to the Approval Requests container  
$containerPath = $admService.Backend.GetConfigurationContainerPath("ApprovalRequests")  
$container = $admService.OpenObject($containerPath.ToString(), $NULL, $NULL, 0)  

# Get approval requests  
$state = "ADM\_APPROVALSTATE\_APPROVED"  
#$state = "ADM\_APPROVALSTATE\_DENIED"  
#$state = "ADM\_APPROVALSTATE\_CANCELED"  
$requests = $container.GetApprovalRequests($state)  

$startDateTime = (Get-Date).AddDays(-30)  

# Iterate through the requests  
foreach ($requestID in $requests)  
{  
 # Bind to the approval request  
 $guid = New-Object "System.Guid" (,$requestID)  
 $guid = $guid.ToString("B")  
 $requestPath = "Adaxes://<GUID=$guid>"  
 $request = $admService.OpenObject($requestPath, $NULL, $NULL, 0)  

# if ($request.CreationDate -gt $startDateTime)  
# {  
 Write-Host "Date: " $request.CreationDate  
 Write-Host "Operation:" $request.DescriptionOfOperationToApprove  
 Write-Host "ProcessedBy:" $request.ProcessedBy.Get("name")  
 Write-Host "Requestor:" $request.Requestor.Get("name")  
 Write-Host  
# }  
}
0

Hello,

Please check if you have any approved requests that were initiated since 6/26/2012. To do this:

  1. Login to Adaxes Administration Console under the credentials of a Service Administrator.
  2. Expand the service node that represents your service and select the Approval Requests node.
  3. In the Results Pane, click the arrow inside the Show field and select All requests.
  4. Click the arrow inside the Status field and select Approved.
  5. Click the Apply Filter button.
  6. Check if you have any requests with a Request Date that is later than 6/26/2012.
0

In this interface, it shows the same dates, but only shows 1000 records:


In the security log, there are thousands of additional approvals up through today.

0

Hello,

The thing is that Adaxes can output 1000 approval requests only. It should output the latest approval requests, but, instead, it outputs the first 1000 requests. This is a bug. Thank you for the bugreport. We'll fix it in one of our future releases.

For now, you can use a modified version of the above script. It outputs all approved requests that were initiated during the last X days. The number of days is specified by the $daysNumber variable. Here it is:

[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

$daysNumber = 30 # TODO: modify me

$admNS = New-Object("Softerra.Adaxes.Adsi.AdmNamespace")
$admService = $admNS.GetServiceDirectly("localhost")

# Bind to the Approval Requests container
$containerPath = $admService.Backend.GetConfigurationContainerPath("ApprovalRequests")
$searcher = $admService.OpenObject($containerPath.ToString(), $NULL, $NULL, 0)

# Get approval requests
$state = 1 # Approved request
#$state = 2 # Denied request
#$state = 3 # Canceled request

$startDateTime = ((Get-Date).AddDays(-$daysNumber)).ToFileTime()

$searcher.SearchFilter = "(&(objectCategory=adm-ApprovalRequest)(adm-ApprovalState=$state)(adm-ApprovalRequestCreationTime>=$startDateTime))"
$searcher.PageSize = 500

$requests = $searcher.ExecuteSearch()

# Iterate through the requests
foreach($request in $requests.FetchAll())
{
    $request = $admService.OpenObject($request.AdsPath, $NULL, $NULL, 0)

    Write-Host "Date: " $request.CreationDate
    Write-Host "Operation:" $request.DescriptionOfOperationToApprove
    Write-Host "ProcessedBy:" $request.ProcessedBy.Get("name")
    Write-Host "Requestor:" $request.Requestor.Get("name")
    Write-Host
}

$requests.Dispose()

Related questions

0 votes
1 answer

When will this function/feature be available?

asked Jun 5, 2023 by wintec01 (1.1k points)
0 votes
1 answer

Can you clarify the answer as it's a bit confusing? Will there be new major release available this month?

asked Nov 17, 2022 by ColinB (180 points)
0 votes
1 answer

Thanks very helpful. one further question, how do I get the 2. action "Modify the user"? I do not have this choice:

asked Oct 5, 2022 by boris (450 points)
0 votes
1 answer

I am looking for a way to have approvers modify a tentative user account before approval. Is this feature available yet?

asked Nov 11, 2020 by mkvidera (60 points)
0 votes
1 answer

We are using a rolling number for Contract Resource accounts, contract0001, contract0002 and so on. We would like a script that parses the Contractor OU and assigns the ... Directors to create the accounts by themselves with just an approval from the IT dept.

asked Dec 6, 2017 by willy-wally (3.2k points)
3,326 questions
3,026 answers
7,727 comments
544,678 users