0 votes

Hello Adaxes Support

I created an automatic task, which first disables and then deletes the user. To delete the user, an approval is required :).
For deleting the user I use a custom command.
The problem now is that every time the custom command to delete the user is executed and the approval has not yet been approved, we receive an approval request for user deletion. So we have many approval requests for the same user.
Is there a condition to check the approval state?

by (700 points)
0

Hello,

Can you clarify what behavior you expect? Do you want the Custom Command to somehow 'bypass' the Approval workflow and delete the user anyway, or do you want the Custom Command to check whether there is an Approval Request pending that requires user deletion, and if such a Request exists, not create a new Request?

0

Hi,

Yes, I want to check whether there is an Approval Request pending that requires user deletion, and if such a Request exists, not create a new Request for this User.

friendly greeting

1 Answer

0 votes
by (215k points)

Hello,

There are two solutions that you can use.

Option 1
It is possible to check, with a PowerShell script, whether there are any Approval Requests where the target object of the Request is the User. However, it is impossible to check the type of the operation that is requested.

So, you can create a PowerShell script that will check whether there are any pending Approval Requests requesting operations on the target user. The script will return True if there are any Requests related to the user or False if there aren't any. Then, you can use the script in the If PowerShell script returns True condition to create a user deletion request only when there are no Approval Requests where the user is the Target Object.

However, the disadvantage of such an approach is that a Request to delete the user will only be created when there are no pending Approval Requests where the user is the Target Object, whatever operation those Requests are for, not only Requests to delete the user.

Option 2
Alternatively, you can use the following workaround. You can add one more action to your Scheduled Task and your Custom Command. This action should be added before creating a request to delete the user. This action will set a certain property of the user account (say, CustomAttributeBoolean1) to a certain value (say, True). CustomAttributeBoolean1 is an Adaxes virtual property that can store boolean (True/False) values. Adaxes virtual properties are not stored in AD, but you can use them as any other properties of AD objects. Thus, CustomAttributeBoolean1 will be used as a 'flag' that will tell that a user deletion request has already been created, and there's no need to create another one.

Then, you also need to add a condition to execute both the actions (setting CustomAttributeBoolean1 to True and creating a user deletion Request) only when CustomAttributeBoolean1 is not equal to True.

Finally, you will need to create a Business Rule executed after denying an Approval Request. That Business Rule will clear CustomAttributeBoolean1 for the user. This will clear the flag in case the Request to delete the user is denied, so that it would be possible to request deletion of the same user again in the future.

If any of the two solutions is OK with you, we will provide more details on how to implement it.

0

Hello Support,

I think Option two is the right solution. Can you explain to me how I can create a Business Rule executed after denying an Approval Request?

0

Hello,

To implement the solution in Option 2, you need to do the following:

  1. First, you need to update your Scheduled Task and your Custom Command with an action that will set the user deletion request flag and also with a condition to create a new deletion Request only if the flag is not set for the user. To do this:

    • Launch Adaxes Administration Console.
    • Navigate to and select the Scheduled Task that deletes users and sends the operation for approval.
    • Select the set of actions and conditions where the Delete the User action is located.
    • Click the Add Action button.
    • Select the Update the User action.
    • Click Add.
    • In the dialog box that appears, expand the Property to modify drop-down list and select the Show all properties option.
    • Select CustomAttributeBoolean1. This property will be used as a flag that a request to delete the user has already been created.
    • In the Update value drop-down list, select True.
    • Click OK two times.
    • Now, you need to make sure that the Update the User action that you've just created is executed before user deletion. For this purpose, place the action one step before the Delete the User action by clicking the up and down arrows below the list of actions and conditions of the Task.
    • Now, you need to add a condition to create a new Approval Request only when the flag is not set to True. Click the Add Condition button.
    • Select the If <property> <relation> <value> condition type.
    • In the dialog box that appears, expand the <property> drop-down list and select the Show all properties option.
    • Select CustomAttributeBoolean1.
    • Select does not equal and True.
    • Click OK and save the Scheduled Task.
    • Repeat steps 2-17 for the Custom Command that deletes users with approval.
  2. Now, you need to create a Business Rule that will be executed after denying an Approval Request to clear the flag in CustomAttributeBoolean1. Such a Business Rule cannot be created with the User Interface, however you can accomplish the task with a PowerShell script. To do this:

    • Copy the following PowerShell script and save it to a file with a .ps1 extension.

        ```powershell
      
        $ruleName = "My Rule" # TODO: Modify me
        $scriptDescription = "Clear user deletion flag after denying Request" # TODO: Modify me
        $scriptBlock = @"
        `$approvalState = `$Context.TargetObject.ApprovalState
        if ((`$approvalState -eq `"ADM_APPROVALSTATE_DENIED`") -or (`$approvalState -eq `"ADM_APPROVALSTATE_CANCELED`"))
        {
            `$targetObjectOfApproval = `$Context.TargetObject.TargetObject
            `$targetObjectOfApproval.Put(`"adm-CustomAttributeBoolean1`", `$NULL)
            `$targetObjectOfApproval.SetInfo()
        }
        "@
      
        # Connect to the Adaxes service
        $admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
        $admService = $admNS.GetServiceDirectly("localhost")
      
        # Bind to the 'Business Rules' container
        $businessRulesPath = $admService.Backend.GetConfigurationContainerPath(
            "BusinessRules")
        $businessRulesContainer = $admService.OpenObject($businessRulesPath,
            $NULL, $NULL, 0)
      
        # Create a new Business Rule
        $rule = $businessRulesContainer.Create("adm-BusinessRule", "CN=$ruleName")
      
        # Triggering Operation: After updating an Approval Request
        $rule.ExecutionMoment = "ADM_BUSINESSRULEEXECMOMENT_AFTER"
        $rule.ObjectType = "adm-ApprovalRequest"
        $rule.OperationType = "set properties"
        $rule.Disabled = $False
        $rule.SetInfo()
      
        # Create a set of actions and conditions
        $actionsAndConditionsSet = $rule.ConditionedActions.Create()
      
        # Combine conditions with AND
        $actionsAndConditionsSet.ConditionsLogicalOperation =
            "ADM_LOGICALOPERATION_AND"
      
        # Save the set
        $actionsAndConditionsSet.SetInfo()
      
        # Add the Run PowerShell Script action
        $runScriptAction = $actionsAndConditionsSet.Actions.CreateEx("adm-RunScriptAction")
        $runScriptAction.ExecutionOptions = "ADM_ACTIONEXECUTIONOPTIONS_SYNC"
        $runScriptActionObj = $runScriptAction.GetAction()
        $runScriptActionObj.ScriptType = "ADM_SCRIPTTYPE_POWERSHELL"
      
        # Set the script and script description for the action
        $runScriptActionObj.ScriptDescription = $scriptDescription
        $runScriptActionObj.Script = $scriptBlock
      
        # Save the action
        $runScriptAction.SetAction($runScriptActionObj)
        $runScriptAction.SetInfo()
      
        # Add the action to the set
        $actionsAndConditionsSet.Actions.Add($runScriptAction)
      
        # Add the set to the Business Rule
        $rule.ConditionedActions.Add($actionsAndConditionsSet)
      
        # Include All Objects in the Activity Scope of the Business Rule
        $scopeItem = $rule.ActivityScopeItems.Create()
        $scopeItem.BaseObject = $NULL
        $scopeItem.Type = "ADM_SCOPEBASEOBJECTTYPE_ALL_DIRECTORY"
        $scopeItem.Inheritance = "ADS_SCOPE_SUBTREE"
        $scopeItem.Exclude = $False
        $scopeItem.SetInfo()
        $rule.ActivityScopeItems.Add($scopeItem)
      
        # Save the Business Rule
        $rule.SetInfo()
      
        ```
    • In the script, $ruleName specifies the name of the Business Rule that will be created. Also, since the Business Rule will use a script to perform the task, $scriptDescription specifies the description for the script as it will appear in the Business Rule. Modify the script to your requirements.

    • Copy the saved script to the computer where Adaxes service is installed.

    • On the computer where Adaxes service is installed, launch Windows PowerShell.

    • Navigate to the directory where you copied the PS1 file. For example, if you copied the script to the C:\Scripts folder, type:

        ```powershell
        cd C:\Scripts
        ```
    • Run the script using the following command:

        ```powershell
        .\Myscript.ps1
        ```
      
        where **Myscript.ps1** is the name of the **PS1** file created on the **1st** step.
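
The flag logic of Option 2, as an added example that is not part of the original posts and is not Adaxes code: a self-contained model that calls no Adaxes API, with a hypothetical user `jdoe`, a hashtable key `Flag` standing in for CustomAttributeBoolean1, and hypothetical function names. It runs the guarded task several times, then walks through the case where a different Request for the same user is denied while the deletion Request is still pending, since the Business Rule script above tests only the approval state.

```powershell
# Constructed model, no Adaxes API is called. 'Flag' stands in for
# CustomAttributeBoolean1; $Pending stands in for the pending Approval Requests.

# One run of the Scheduled Task / Custom Command with the added condition and action.
function Invoke-DeletionRun {
    param([hashtable]$User, [System.Collections.ArrayList]$Pending)
    if ($User.Flag -ne $true) {                      # condition: flag does not equal True
        $User.Flag = $true                           # action 1: set the flag
        [void]$Pending.Add(@{ Target = $User.Name; Operation = 'delete' })  # action 2
    }
}

# Effect of the Business Rule script when a Request is resolved: it tests only
# the approval state, not which operation the Request was for.
function Resolve-Request {
    param([hashtable]$User, [System.Collections.ArrayList]$Pending,
          [hashtable]$Request, [string]$State)
    $Pending.Remove($Request)
    if ($State -in 'DENIED', 'CANCELED') { $User.Flag = $null }
}

function Test-FlagModel {
    $user    = @{ Name = 'jdoe'; Flag = $null }      # hypothetical user
    $pending = New-Object System.Collections.ArrayList

    # Five task runs while the first Request is still pending.
    1..5 | ForEach-Object { Invoke-DeletionRun $user $pending }
    $afterFiveRuns = $pending.Count

    # The Request is denied, the flag is cleared, the next run asks again.
    Resolve-Request $user $pending $pending[0] 'DENIED'
    Invoke-DeletionRun $user $pending
    $afterDenyAndRerun = $pending.Count

    # Edge case: an unrelated Request for the same user is denied while the
    # deletion Request is still pending. The flag is cleared as well.
    $other = @{ Target = $user.Name; Operation = 'reset password' }
    [void]$pending.Add($other)
    Resolve-Request $user $pending $other 'DENIED'
    Invoke-DeletionRun $user $pending
    $deleteRequests = @($pending | Where-Object { $_.Operation -eq 'delete' }).Count

    [pscustomobject]@{
        PendingAfterFiveRuns               = $afterFiveRuns
        PendingAfterDenyAndRerun           = $afterDenyAndRerun
        DeleteRequestsAfterUnrelatedDenial = $deleteRequests
    }
}

Test-FlagModel
```

If other operations on the same users also go through approval, a separate check on what the denied Request was for would be needed before clearing the flag; the model only shows why.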
