0 votes

Hi,

I'm wondering if I can implement a delegate system in Adaxes for approvals?
What I was thinking was using the "seealso" property to set another user as your assigned delegate and when any approval is raised for someone to process, it also goes to that user's delegate (seealso).
This would probably mean processing all approval requests in PowerShell but I can't figure out how to get (say) the email address of the user named in seealso of the manager of the initiator. Bit convoluted for me :)
But, if that could be done, I would really like the delegate adding as an approver from minute one of the approval submission but not send the delegate an email yet, I'd rather use a scheduled task to iterate through pending approvals on a daily basis and find ones that are say 3 days old and THEN send the email more as a reminder.

So, I have the idea but not the skills..........
Is anything like this possible?

by (4.3k points)
0

Hello,

Something like this is possible, but with a couple of limitations. You are right that you'll need a script for this. It is possible to create a script that pulls all possible approvers of an Approval Request, gets the See Also of each possible approver and adds them to the Approval Request. A Scheduled Task that runs the script can be executed, say, every hour or something like that to add new if a request has not been processed yet.

However, there can be an issue with groups. What should the script do if an AD group is an approver? An AD group can hold hundreds of users, and each of them can have several users in See Also. This can cause issues. Is such a scenario possible in your environment?

"I'd rather use a scheduled task to iterate through pending approvals on a daily basis and find ones that are say 3 days old and THEN send the email more as a reminder."

This is also possible with the help of a script.

We'll help you with the scripts, however we'd like you to clarify the aforementioned issue with groups. What should the script do in that case?

0

Thanks, I think it would be best if groups were ignored, just process users.

0

Hello,

We've assigned the task to our script guys. We'll update you as soon as they come up with a script for this.

1 Answer

0 votes
by (215k points)
Best answer

Hello,

The necessary script is ready, find it below.

To create a Scheduled Task that adds approval delegates if an Approval Request hasn't been processed during 3 days:

  1. Create a new Scheduled Task.

  2. On the 3rd step of the Create Scheduled Task wizard, select the Show all object types option.

  3. Select the Domain-DNS object type. Running the Task on a domain allows the script to run only once per Task run.

  4. On the 4th step of the wizard, add the Run a program or PowerShell script action and paste the following script in the Script field.

     $requestExpirationDays = 3 # TODO: modify me
    
     # Adds the See Also delegates of the current approvers to the request's approvers
     function HandleExpiredRequest($request)
     {
         $approversInfo = $request.GetApproversInfo()
         $approvers = $approversInfo.GetApproversEx($request.Requestor, $request.TargetObject)
         $trustee = $approversInfo.ApproverTrustees
         foreach ($approver in $approvers)
         {
             try
             {
                 $newApproverDNs = $approver.Get("seeAlso")
             }
             catch
             {
                 continue # No delegates specified for this approver, check the next one
             }
    
             foreach ($approverDN in $newApproverDNs)
             {
                 $newApprover = $Context.BindToObjectByDN($approverDN)
                 # Skip delegates who can already approve the request
                 if ($approversInfo.IsApproverEx($newApprover, $request.Requestor, $request.TargetObject))
                 {
                     continue
                 }
                 $trustee.Add($newApprover)
             }
         }
         # Save the updated list of approvers
         $request.SetApproversInfo($approversInfo)
         $request.SetInfo()
     }
    
     # Bind to the Approval Requests container
     $containerPath = $Context.GetWellKnownContainerPath("ApprovalRequests")
     $container = $Context.BindToObject($containerPath)
    
     # Get all pending approval requests
     $requests = $container.GetApprovalRequests("ADM_APPROVALSTATE_PENDING")
    
     foreach ($requestID in $requests)
     {
         # Bind to the approval request
         $guid = [Guid]$requestID
         $request = $Context.BindToObject("Adaxes://<GUID=$guid>")
    
         # Check whether the request has expired
         $requestExpDate = $request.CreationDate.AddDays($requestExpirationDays)
    
         if ([System.DateTime]::Now -lt $requestExpDate)
         {
             continue
         }
    
         HandleExpiredRequest $request
    
         # Send additional email to approvers
         $request.NotifyApprovers()
     }
    
  5. In the script, $requestExpirationDays specifies the number of days an Approval Request needs to remain pending to become outdated. Modify it as necessary.

  6. Add a short description for the script and click OK.

  7. On the 5th step, assign the Scheduled Task over any of your AD domains.

  8. Click Finish.

0

Thanks again for the help, think I'm nearly there....

Can you confirm that the script ignores groups in the approvers list?
Also, can we use the count property of GetApproversEx to limit the number of delegates that get added, e.g. only the delegate of the original approver? In reality this is just a test (for the approval being examined) that there is currently only 1 approver and we are just going to add another (the delegate). If there are already more than one approver, then the delegate has already been added at a previous schedule or it has enough approvers anyway!

I've also split out the delegate addition steps and the email reminder steps into 2 separate tasks to give myself more flexibility with email reminders.

thanks again.

0

Hello,

"Can you confirm that the script ignores groups in the approvers list?"

Confirmed.

"If there are already more than one approver, then the delegate has already been added at a previous schedule or it has enough approvers anyway!"

The script should not add more approvers if there are more than 1 approvers to a request. Do we get you right? This can be done.

0

Thanks for the confirmation. :)

You are right, "The script should not add more approvers if there are more than 1 approvers to a request"

Much appreciated.

0

Hello,

Here is an updated version of the script that will do the job. Use it instead of the script that you have.

    $requestExpirationDays = 3 # TODO: modify me

    # Adds the See Also delegates of the single current approver to the request's approvers
    function HandleExpiredRequest($request)
    {
        $approversInfo = $request.GetApproversInfo()
        $approvers = $approversInfo.GetApproversEx($request.Requestor, $request.TargetObject)
        $trustee = $approversInfo.ApproverTrustees

        # Leave the request alone if it already has more than one approver
        if ($approvers.Count -gt 1)
        {
            return
        }

        $approver = $approvers.GetObject(0)
        try
        {
            $newApproverDNs = $approver.Get("seeAlso")
        }
        catch
        {
            return # No new approvers specified
        }

        foreach ($approverDN in $newApproverDNs)
        {
            $newApprover = $Context.BindToObjectByDN($approverDN)
            # Skip delegates who can already approve the request
            if ($approversInfo.IsApproverEx($newApprover, $request.Requestor, $request.TargetObject))
            {
                continue
            }
            $trustee.Add($newApprover)
        }

        # Save the updated list of approvers
        $request.SetApproversInfo($approversInfo)
        $request.SetInfo()
    }

    # Bind to the Approval Requests container
    $containerPath = $Context.GetWellKnownContainerPath("ApprovalRequests")
    $container = $Context.BindToObject($containerPath)

    # Get all pending approval requests
    $requests = $container.GetApprovalRequests("ADM_APPROVALSTATE_PENDING")

    foreach ($requestID in $requests)
    {
        # Bind to the approval request
        $guid = [Guid]$requestID
        $request = $Context.BindToObject("Adaxes://<GUID=$guid>")

        # Check whether the request has expired
        $requestExpDate = $request.CreationDate.AddDays($requestExpirationDays)

        if ([System.DateTime]::Now -lt $requestExpDate)
        {
            continue
        }

        HandleExpiredRequest $request

        # Send additional email to approvers
        $request.NotifyApprovers()
    }
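
A dry run of the delegate selection discussed in this thread, as an added example that is not part of the original answers and is not Adaxes code: it runs on a constructed in-memory directory instead of the Adaxes API and reports which See Also entries would be added and why the others are rejected. `Select-ApprovalDelegate`, the `$directory` table and all DNs are hypothetical, and two of its checks are assumptions the scripts above do not make: delegates that are not users are skipped, and the requestor is never added as an approver of their own request.

```powershell
# Constructed sample directory: DN -> object kind and seeAlso values (not real objects)
$directory = @{
    'CN=Alice,OU=Staff,DC=example,DC=com' = @{ Kind = 'user'; SeeAlso = @(
        'CN=Bob,OU=Staff,DC=example,DC=com',
        'CN=Helpdesk,OU=Groups,DC=example,DC=com',
        'CN=Carol,OU=Staff,DC=example,DC=com') }
    'CN=Bob,OU=Staff,DC=example,DC=com'       = @{ Kind = 'user';  SeeAlso = @() }
    'CN=Carol,OU=Staff,DC=example,DC=com'     = @{ Kind = 'user';  SeeAlso = @() }
    'CN=Helpdesk,OU=Groups,DC=example,DC=com' = @{ Kind = 'group'; SeeAlso = @() }
}

# Hypothetical helper: decides, per See Also entry, whether it may become an approver
function Select-ApprovalDelegate
{
    param(
        [hashtable]$Directory,
        [string]$RequestorDN,
        [string[]]$ApproverDNs,
        [int]$MaxApprovers = 1
    )

    # Same rule as the updated script: requests with more than one approver are left alone
    if ($ApproverDNs.Count -gt $MaxApprovers) { return }

    # DNs compare case-insensitively; start with the approvers the request already has
    $seen = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($dn in $ApproverDNs) { [void]$seen.Add($dn) }

    foreach ($approverDN in $ApproverDNs)
    {
        $approver = $Directory[$approverDN]
        if ($null -eq $approver -or $approver.Kind -ne 'user') { continue } # groups as approvers are ignored
        foreach ($delegateDN in $approver.SeeAlso)
        {
            $delegate = $Directory[$delegateDN]
            $reason = if ($null -eq $delegate) { 'unknown DN' }
                elseif ($delegate.Kind -ne 'user') { 'not a user' }               # assumption
                elseif ($delegateDN -eq $RequestorDN) { 'is the requestor' }      # assumption
                elseif (-not $seen.Add($delegateDN)) { 'already an approver' }
                else { $null }
            [pscustomobject]@{ Approver = $approverDN; Delegate = $delegateDN; Add = ($null -eq $reason); Reason = $reason }
        }
    }
}

# Bob's request is pending with Alice, who lists Bob, a group and Carol in See Also
Select-ApprovalDelegate -Directory $directory -RequestorDN 'CN=Bob,OU=Staff,DC=example,DC=com' `
    -ApproverDNs 'CN=Alice,OU=Staff,DC=example,DC=com' | Format-Table -AutoSize
```

Because the delegate list comes from a directory attribute, who is allowed to write See Also decides who can become an approver; reviewing the rejected rows before enabling the Scheduled Task shows how that attribute is actually being used.
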
0

Great, that works perfectly. Thanks again for all your help.
