0 votes

Hello,

We have a script that checks for expiring accounts (temp/contractor) and emails the user's manager requesting that they respond to the email, either approving an extension of the account for another 90 days or the termination of the account.

We also have a custom task that our security group uses to extend the account for 3 months.

What we would like to do is use Adaxes to generate an approval request to the manager, have the manager log into the self-service website, then click approve or deny. I can see how to do the approval, but is there any way to trigger an action if the manager clicks deny? If they do deny it, we want to deprovision the account after it has expired, or at least send an email to the security group to do so.

by (710 points)

1 Answer

0 votes
by (215k points)

Hello,

Since the account will expire if the Approval Request is denied, you can create a Scheduled Task that will run, say, daily and that will execute the Custom Command used for deprovisioning on every user whose account has expired. To implement such a solution:

  1. Create a new Scheduled Task.
  2. On the 3rd step of the Create Scheduled Task wizard, select the User object type.
  3. On the 4th step, add the Execute a Custom Command action.
  4. Click Select.
  5. In the dialog box that appears, select the Custom Command that you use for user deprovisioning and click OK two times.
  6. Click the Add Condition button.
  7. Select the If account/password <expiration status> condition.
  8. Select If the User account has expired.
  9. Click OK and finish creation of the Scheduled Task.
0

What if the approval is not denied and is just ignored? Will it be removed with the object?

I was thinking about this post on my way to lunch today. Wouldn't it be easier for it to be in one scheduled task?

Use an available attribute.

Action 1
1. Look for expiring accounts that will expire in ** days and where attribute is blank
2. Set attribute to {something}
3. Set account expiration to +3 months (Require Approval)

Action 2
1. Look for accounts that expired * days ago and where attribute is not blank
2. Deprovision account

With this, if the manager does not approve or does deny the request for the account, then it is deprovisioned. The only concern I have here is that when you get over 1000 pending approvals, Adaxes gets slower and if you have managers\users like I do, then they will ignore requests that they are not concerned with.

0

Hello,

The only issue here is that you cannot find the specific Approval Request that requests approval of a specific action. However, it is possible to find all pending requests that require approval of operations on a specific user. So, I suggest a Scheduled Task with two sets of actions and conditions:

• If account will expire in less than ** days
    • Set account expiration to +3 months (Requires Approval)
• If account has expired ** days ago
    • Deprovision account
    • Run a PowerShell script that finds all pending Approval Requests that request approval for operations on the account and denies them.

If this solution is OK with you, see Managing Approval Requests for information on how to manage Approval Requests in scripts. If you need assistance with the script, we will help you.
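
The marker-attribute scheme from the comment and the two condition sets in the reply above, as a dry-run classifier. This is an added example, not code from the thread or from Adaxes; the thresholds, the attribute `extensionAttribute10` and the function name `Get-LifecycleAction` are assumptions, and the accounts are constructed sample data.

```powershell
# Added example: dry-run classifier for the marker-attribute scheme.
# Thresholds and the attribute name are assumptions, not values from the thread.
$WarnDays   = 14                       # stands in for "expire in ** days"
$GraceDays  = 7                        # stands in for "expired * days ago"
$MarkerAttr = 'extensionAttribute10'   # hypothetical "available attribute"

function Get-LifecycleAction {
    param(
        [Parameter(Mandatory)] $Account,
        [datetime] $Now = (Get-Date)
    )
    $expires = $Account.AccountExpirationDate
    $marked  = -not [string]::IsNullOrEmpty($Account.$MarkerAttr)

    if ($null -eq $expires) { return 'Skip: account never expires' }

    $daysLeft = ($expires - $Now).TotalDays
    if ($daysLeft -gt $WarnDays) {
        # Expiry was moved out (approved, or extended by hand). A leftover
        # marker must be cleared or the next cycle never raises a request.
        if ($marked) { return 'ClearMarker: expiry was extended' }
        return 'Skip: not due yet'
    }
    if ($daysLeft -ge 0) {
        if ($marked) { return 'Wait: approval request pending' }
        return 'RequestExtension: set marker, submit +3 months for approval'
    }
    if ([math]::Abs($daysLeft) -lt $GraceDays) { return 'Wait: expired, inside grace period' }
    # Denied and ignored requests look the same here: expiry never moved.
    if ($marked) { return 'Deprovision: request denied or ignored' }
    return 'Review: expired but no request was ever raised'
}

# Constructed sample accounts, evaluated against a fixed date.
$now = [datetime]'2024-06-01'
$sample = @(
    [pscustomobject]@{ SamAccountName = 'c.alpha';   AccountExpirationDate = [datetime]'2024-06-10'; extensionAttribute10 = $null }
    [pscustomobject]@{ SamAccountName = 'c.bravo';   AccountExpirationDate = [datetime]'2024-06-05'; extensionAttribute10 = 'requested' }
    [pscustomobject]@{ SamAccountName = 'c.charlie'; AccountExpirationDate = [datetime]'2024-05-20'; extensionAttribute10 = 'requested' }
    [pscustomobject]@{ SamAccountName = 'c.delta';   AccountExpirationDate = [datetime]'2024-08-30'; extensionAttribute10 = 'requested' }
    [pscustomobject]@{ SamAccountName = 'svc.echo';  AccountExpirationDate = $null;                  extensionAttribute10 = $null }
)
$sample | ForEach-Object {
    [pscustomobject]@{
        Account = $_.SamAccountName
        Action  = Get-LifecycleAction -Account $_ -Now $now
    }
} | Format-Table -AutoSize
```

To review a real directory instead of the sample, pipe the output of `Get-ADUser -Filter * -Properties AccountExpirationDate, extensionAttribute10` into the same loop, substituting whichever marker attribute your schema provides.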
