0 votes

Hello Adaxes Support

I created an automatic task which first disables and then deletes the user. To delete the user, an approval is required :).
For deleting the user I use a custom command.
The problem is now that every time the custom command to delete the user is executed and the approval has not yet been approved, we receive an approval request for the user deletion each time the custom command runs. So we have many approval requests for the same user.
Is there a condition to check the approval state?

by (700 points)
0

Hello,

Can you clarify what behavior you expect? Do you want the Custom Command to somehow 'bypass' the Approval workflow and delete the user anyway, or do you want the Custom Command to check whether there is an Approval Request pending that requires user deletion and, if such a Request exists, not create a new Request?

0

Hi,

Yes, I want to check whether there is an Approval Request pending that requires user deletion and, if such a Request exists, not create a new Request for this user.

Friendly greetings

1 Answer

0 votes
by (216k points)

Hello,

There are two solutions that you can use.

Option 1
It is possible to check, with a PowerShell script, whether there are any Approval Requests where the target object of the Request is the User. However, it is impossible to check the type of the operation that is requested.

So, you can create a PowerShell script that will check whether there are any pending Approval Requests requesting operations on the target user. The script will return True if there are any Requests related to the user or False if there aren't any. Then, you can use the script in the If PowerShell script returns True condition to create a user deletion request only when there are no Approval Requests where the user is the Target Object.

However, the disadvantage of such an approach is that a Request to delete the user will only be created when there are no pending Approval Requests where the user is the Target Object, even if those Requests require performing any other operation, not only deleting the user.

Option 2
Alternatively, you can use the following workaround. You can add one more action to your Scheduled Task and your Custom Command. This action should be added before creating a request to delete the user. This action will set a certain property of the user account (say, CustomAttributeBoolean1) to a certain value (say, True). CustomAttributeBoolean1 is an Adaxes virtual property that can store boolean (True/False) values. Adaxes virtual properties are not stored in AD, but you can use them as any other properties of AD objects. Thus, CustomAttributeBoolean1 will be used as a 'flag' that will tell that a user deletion request has already been created, and there's no need to create another one.

Then, you also need to add a condition to execute both the actions (setting CustomAttributeBoolean1 to True and creating a user deletion Request) only when CustomAttributeBoolean1 is not equal to True.

Finally, you will need to create a Business Rule executed after denying an Approval Request. That Business Rule will clear CustomAttributeBoolean1 for the user. This will clear the flag in case the Request to delete the user is denied, so that it would be possible to request deletion of the same user again in the future.

If any of the two solutions is OK with you, we will provide more details on how to implement it.
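The Option 1 check written out as an added example (this is not the support team's code): a script for the If PowerShell script returns True condition that sets `$Context.ConditionIsMet` to True when the processed user is already the Target Object of a pending Approval Request. It assumes the configuration container holding requests is named "ApprovalRequests" and that requests are matched to the user by distinguishedName; both are assumptions, not taken from the answer above.

```powershell
# Added example, not code from the Adaxes support answer.
# For the "If PowerShell script returns True" condition: sets
# $Context.ConditionIsMet to True when the user being processed is the
# Target Object of at least one pending Approval Request, False otherwise.
# Assumptions: the configuration container is named "ApprovalRequests" and
# requests are matched to the user by distinguishedName.

$Context.ConditionIsMet = $False

# The user the Scheduled Task or Custom Command is currently processing
$userDN = $Context.TargetObject.Get("distinguishedName")

# Connect to the Adaxes service (same pattern as the rule creation script)
$admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$admService = $admNS.GetServiceDirectly("localhost")

# Bind to the Approval Requests container and search it for request objects
$requestsPath = $admService.Backend.GetConfigurationContainerPath("ApprovalRequests")
$searcher = $admService.OpenObject($requestsPath, $NULL, $NULL, 0)
$searcher.SearchFilter = "(objectClass=adm-ApprovalRequest)"
$searcher.SearchScope = "ADS_SCOPE_SUBTREE"
$searcher.PageSize = 500

$searchResultIterator = $searcher.ExecuteSearch()
try
{
    foreach ($searchResult in $searchResultIterator.FetchAll())
    {
        $request = $admService.OpenObject($searchResult.AdsPath, $NULL, $NULL, 0)

        # Only requests still waiting for a decision matter here
        if ($request.ApprovalState -ne "ADM_APPROVALSTATE_PENDING") { continue }

        # The Target Object may no longer exist (e.g. already deleted); skip such requests
        try { $targetDN = $request.TargetObject.Get("distinguishedName") }
        catch { continue }

        if ($targetDN -eq $userDN)
        {
            $Context.LogMessage("Pending Approval Request found for $userDN", "Information")
            $Context.ConditionIsMet = $True
            break
        }
    }
}
finally
{
    $searchResultIterator.Dispose()
}
```

As the answer notes, the requested operation cannot be inspected, so any pending Request on the user suppresses a new deletion Request, whatever that pending Request asks for.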

0

Hello Support,

I think Option 2 is the right solution. Can you explain to me how I can create a Business Rule executed after denying an Approval Request?

0

Hello,

To implement the solution in Option 2, you need to do the following:

  1. First, you need to update your Scheduled Task and your Custom Command with an action that will set the user deletion request flag and also with a condition to create a new deletion Request only if the flag is not set for the user. To do this:

    • Launch Adaxes Administration Console.
    • Navigate to and select the Scheduled Task that deletes users and sends the operation for approval.
    • Select the set of actions and conditions where the Delete the User action is located.
    • Click the Add Action button.
    • Select the Update the User action.
    • Click Add.
    • In the dialog box that appears, expand the Property to modify drop-down list and select the Show all properties option.
    • Select CustomAttributeBoolean1. This property will be used as a flag that a request to delete the user has already been created.
    • In the Update value drop-down list, select True.
    • Click OK two times.
    • Now, you need to make sure that the Update the User action that you've just created is executed before user deletion. For this purpose, place the action one step before the Delete the User action by clicking the up and down arrows below the list of actions and conditions of the Task.
    • Now, you need to add a condition to create a new Approval Request only when the flag is not set to True. Click the Add Condition button.
    • Select the If <property> <relation> <value> condition type.
    • In the dialog box that appears, expand the <property> drop-down list and select the Show all properties option.
    • Select CustomAttributeBoolean1.
    • Select does not equal and True.
    • Click OK and save the Scheduled Task.
    • Repeat steps 2-17 for the Custom Command that deletes users with approval.
  2. Now, you need to create a Business Rule that will be executed after denying an Approval Request to clear the flag in CustomAttributeBoolean1. Such a Business Rule cannot be created with the User Interface; however, you can accomplish the task with a PowerShell script. To do this:

    • Copy the following PowerShell script and save it to a file with a .ps1 extension.

        ```powershell
      
        $ruleName = "My Rule" # TODO: Modify me
        $scriptDescription = "Clear user deletion flag after denying Request" # TODO: Modify me
        $scriptBlock = @"
        `$approvalState = `$Context.TargetObject.ApprovalState
        if ((`$approvalState -eq `"ADM_APPROVALSTATE_DENIED`") -or (`$approvalState -eq `"ADM_APPROVALSTATE_CANCELED`"))
        {
            `$targetObjectOfApproval = `$Context.TargetObject.TargetObject
            `$targetObjectOfApproval.Put(`"adm-CustomAttributeBoolean1`", `$NULL)
            `$targetObjectOfApproval.SetInfo()
        }
        "@
      
        # Connect to the Adaxes service
        $admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
        $admService = $admNS.GetServiceDirectly("localhost")
      
        # Bind to the 'Business Rules' container
        $businessRulesPath = $admService.Backend.GetConfigurationContainerPath(
            "BusinessRules")
        $businessRulesContainer = $admService.OpenObject($businessRulesPath,
            $NULL, $NULL, 0)
      
        # Create a new Business Rule
        $rule = $businessRulesContainer.Create("adm-BusinessRule", "CN=$ruleName")
      
        # Triggering Operation: After updating an Approval Request
        $rule.ExecutionMoment = "ADM_BUSINESSRULEEXECMOMENT_AFTER"
        $rule.ObjectType = "adm-ApprovalRequest"
        $rule.OperationType = "set properties"
        $rule.Disabled = $False
        $rule.SetInfo()
      
        # Create a set of actions and conditions
        $actionsAndConditionsSet = $rule.ConditionedActions.Create()
      
        # Combine conditions with AND
        $actionsAndConditionsSet.ConditionsLogicalOperation =
            "ADM_LOGICALOPERATION_AND"
      
        # Save the set
        $actionsAndConditionsSet.SetInfo()
      
        # Add the Run PowerShell Script action
        $runScriptAction = $actionsAndConditionsSet.Actions.CreateEx("adm-RunScriptAction")
        $runScriptAction.ExecutionOptions = "ADM_ACTIONEXECUTIONOPTIONS_SYNC"
        $runScriptActionObj = $runScriptAction.GetAction()
        $runScriptActionObj.ScriptType = "ADM_SCRIPTTYPE_POWERSHELL"
      
        # Set the script and script description for the action
        $runScriptActionObj.ScriptDescription = $scriptDescription
        $runScriptActionObj.Script = $scriptBlock
      
        # Save the action
        $runScriptAction.SetAction($runScriptActionObj)
        $runScriptAction.SetInfo()
      
        # Add the action to the set
        $actionsAndConditionsSet.Actions.Add($runScriptAction)
      
        # Add the set to the Business Rule
        $rule.ConditionedActions.Add($actionsAndConditionsSet)
      
        # Include All Objects in the Activity Scope of the Business Rule
        $scopeItem = $rule.ActivityScopeItems.Create()
        $scopeItem.BaseObject = $NULL
        $scopeItem.Type = "ADM_SCOPEBASEOBJECTTYPE_ALL_DIRECTORY"
        $scopeItem.Inheritance = "ADS_SCOPE_SUBTREE"
        $scopeItem.Exclude = $False
        $scopeItem.SetInfo()
        $rule.ActivityScopeItems.Add($scopeItem)
      
        # Save the Business Rule
        $rule.SetInfo()
      
        ```
    • In the script, $ruleName specifies the name of the Business Rule that will be created. Also, since the Business Rule will use a script to perform the task, $scriptDescription specifies the description for the script as it will appear in the Business Rule. Modify the script to your requirements.

    • Copy the saved script to the computer where Adaxes service is installed.

    • On the computer where Adaxes service is installed, launch Windows PowerShell.

    • Navigate to the directory where you copied the PS1 file. For example, if you copied the script to the C:\Scripts folder, type:

        ```powershell
        cd C:\Scripts
        ```
    • Run the script using the following command:

        ```powershell
        .\Myscript.ps1
        ```
      
        where **Myscript.ps1** is the name of the **PS1** file created in the **1st** step.
0

Hi,

I am getting the below error when attempting to use the script

```text
New-Object : Cannot find type [Softerra.Adaxes.Adsi.AdmNamespace]: verify that the assembly containing this type is loaded.
At C:\Users\garetha\BusinessRule.ps1:14 char:12
+ $admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
    + CategoryInfo          : InvalidType: (:) [New-Object], PSArgumentException
    + FullyQualifiedErrorId : TypeNotFound,Microsoft.PowerShell.Commands.NewObjectCommand

You cannot call a method on a null-valued expression.
At C:\Users\garetha\BusinessRule.ps1:15 char:3
+ $admService = $admNS.GetServiceDirectly("localhost")
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

You cannot call a method on a null-valued expression.
At C:\Users\garetha\BusinessRule.ps1:18 char:3
+ $businessRulesPath = $admService.Backend.GetConfigurationContainerP ...
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

You cannot call a method on a null-valued expression.
At C:\Users\garetha\BusinessRule.ps1:20 char:3
+ $businessRulesContainer = $admService.OpenObject($businessRulesPath ...
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

You cannot call a method on a null-valued expression.
At C:\Users\garetha\BusinessRule.ps1:24 char:3
+ $rule = $businessRulesContainer.Create("adm-BusinessRule", "CN=$rul ...
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

The property 'ExecutionMoment' cannot be found on this object. Verify that the property exists and can be set.
At C:\Users\garetha\BusinessRule.ps1:27 char:3
+ $rule.ExecutionMoment = "ADM_BUSINESSRULEEXECMOMENT_AFTER"
```

Is there an updated way of creating a business rule for denied approvals?

+1

Hello Gareth,

> I am getting the below error when attempting to use the script

The error occurs because the script is being executed on a computer with no Adaxes components installed. You need to have at least the Adaxes ADSI provider on a computer for a script establishing connection to Adaxes service to work.

> Is there an updated way of creating a business rule for denied approvals?

Yes, you can manually create a business rule like below. There is no need to use scripts for its creation. In the rule script, use the following:

```powershell
$targetObjectOfApproval = $Context.TargetObject.TargetObject
$targetObjectOfApproval.Put("adm-CustomAttributeBoolean1", $NULL)
$targetObjectOfApproval.SetInfo()
```

image.png
