0 votes

Hi Team,

We are using a set of form/business rules/custom commands for user creation that move user account to the right OU given the Office attribute value.
I would like to check during the On Before User creation BR if the operator has the right on the target OU before creating the user account. Right now, if he hasn't got the rights, the account is created in the default OU and not moved, which is not exactly what we expect.
I'm sure it will be easy to do through a script, but can't find valuable information on the web site.

Thanks in advance

Regards

Stephen

by (800 points)
0

Stephen,

We were hitting something like this as well, but we decided that Adaxes logs everything and we could reduce the visibility of AD, so being strict with the OU access was kind of a moot point. We set up home page actions for our help desk techs to be able to create users in a very specific OU. They do have the right to create in the other user OUs, but they do not see the AD organization or the OUs. We set different rules on office and company name to move the objects to other OUs after they have been created.

0

Well, that's more or less what we are doing right now in Europe but we are hitting the limits now for some of our affiliates.
Of course Adaxes logs everything but we want to prevent errors/misuse of the forms.
I'm sure that through a pre-processing BR, it should be possible to check the operator's role and then cancel the operation if needed; I just need the object model/script logic.

Thanks for your answer

1 Answer

0 votes
by (215k points)

Hello Stephen.

The issue is not in Security Roles. When an object is moved with a Business Rule, the permissions of the user who performed the initial operation are not checked. My guess is that something is wrong with the Business Rule (for example, there exist offices, for which no conditions are met).

0

I think you misunderstood me (which is perfectly normal, it's not very clear :-) )

I'm not facing an issue, I'm just trying to implement something.
I would like to check in a business rule (before user account creation) the role the operator is a member of, to allow or cancel the operation.
For instance, in the user creation form, I select "FR Office Paris" in the Office attribute. When I submit the form, I want to check if the operator is a member of the role "FR Paris Administrator" and if not, I cancel the operation.

Quite simple on the paper.

Thanks

Stephen

0

Hello Stephen,

Yes, I misunderstood you, sorry. :)

I would like to check in a business rule (before user account creation) the role the operator is a member of, to allow or cancel the operation.
For instance, in the user creation form, I select "FR Office Paris" in the Office attribute. When I submit the form, I want to check if the operator is a member of the role "FR Paris Administrator" and if not, I cancel the operation.

You can check if the initiator of the operation is assigned to a certain role with the help of a PowerShell script. You can use such a script in the If PowerShell script returns true condition to determine when to cancel the operation.

As to the actual script, our script guy is working on it. As soon as he comes up with something, I will post the script in this topic and provide you with more detailed instructions.

0

Hello Stephen,

To accomplish your task, you need to create a Business Rule that is triggered before creating a user. In this Business Rule, you can check whether the initiator of the operation has sufficient permissions to create users in the OU, to which the user will be moved after creation. The checking is performed by a PowerShell script using the If PowerShell script returns true condition. If the initiator does not have sufficient permissions, the Business Rule will cancel the operation. To create such a Business Rule:

  1. Create a new Business Rule.

  2. On the 2nd step of the Create Business Rule wizard, select User and Before Creating a User.

  3. On the 3rd step, add the Cancel this operation action.

  4. Specify the reason for cancelling, if necessary, and click OK.

  5. Double-click Always.

  6. Add the If PowerShell script returns true condition and paste the following script:

     # TODO: Specify offices in the following format: "Office name"="Office OU DN", each office should be followed by a semicolon
     # Example: $officesInfo = @{"Germany"="OU=Germany,DC=domain,DC=com";"Paris"="OU=Paris,OU=France,DC=domain,DC=com";}
     $officesInfo = @{"Germany"="OU=Germany,DC=domain,DC=com";"Paris"="OU=Paris,OU=France,DC=domain,DC=com";}

     # $True means the condition is met and the Business Rule cancels the operation.
     # Start from $False so the creation is allowed unless the check below fails.
     $Context.ConditionIsMet = $False

     # Office value entered in the user creation form (the Office attribute)
     $targetUserOffice = $Context.GetModifiedPropertyValue("physicalDeliveryOfficeName")

     # Resolve the OU the user will be moved to. Indexing a hashtable with $NULL
     # throws an error, so only look the office up when a value was supplied.
     $ouDN = $NULL
     if ($targetUserOffice -ne $NULL)
     {
         $ouDN = $officesInfo[$targetUserOffice]
     }

     # Offices that are not listed in $officesInfo are not checked and the
     # operation is allowed to proceed.
     if ($ouDN -ne $NULL)
     {
         # Bind to the target OU so that ObjectTypesAllowedToCreate reflects
         # what the initiator of the operation is permitted to create there.
         $targetOU = $Context.BindToObjectEx("Adaxes://" + $ouDN, $True)
         $objectTypesAllowedToCreate = $targetOU.ObjectTypesAllowedToCreate

         # The initiator cannot create users in the target OU: cancel the operation
         if (-not ($objectTypesAllowedToCreate -contains "user"))
         {
             $Context.ConditionIsMet = $True
         }
     }


    In the script, $officesInfo specifies a list of offices. Each office should be specified in the "Office name"="Office OU DN" format, where:

    • "Office name" - the name of the office,
    • "Office OU DN" - the Distinguished Name (DN) of the OU, to which newly created users are moved when this office is specified.

    Each office should be followed by a semicolon, for example:
    $officesInfo = @{"Germany"="OU=Germany,DC=domain,DC=com";"Paris"="OU=Paris,OU=France,DC=domain,DC=com";}

    To get the DN of an Organizational Unit:

    • Right-click the OU you need in the Console Tree (Adaxes Administration Console).
    • In the context menu, open the submenu of the Copy item.
    • Click Copy DN. The DN of the selected OU will be copied to the clipboard.
  7. Click OK and finish creation of the Business Rule.

0

Excellent, this exactly what i need.

Thanks !
