The script creates an LDAP filter that finds all the groups in which the user's subordinates (direct reports) are members and saves the filter to an attribute of the user account. To run the script, create a business rule, custom command or scheduled task configured for the User object type.
For an object to count as a subordinate, the user must be specified in the object's Manager property.
Parameter:
- $propertyForLDAPFilter - Specifies the LDAP name of the property that will be used to store the LDAP filter.
PowerShell

```powershell
$propertyForLDAPFilter = "adm-CustomAttributeText1" # TODO: modify me

try
{
    # Get distinguished names (DNs) of the user's direct reports.
    # GetEx throws if the attribute is not set, which is handled below.
    $directReportDNs = $Context.TargetObject.GetEx("directReports")
}
catch
{
    # No subordinates: save a filter that matches no object
    $Context.TargetObject.Put($propertyForLDAPFilter, "(objectGuid=\00)")
    $Context.TargetObject.SetInfo()
    return
}

# Build filter: groups that have any of the direct reports as a member.
# FilterBuilder escapes special characters in each DN for use in an LDAP filter.
$ldapFilter = New-Object "System.Text.StringBuilder"
[Void]$ldapFilter.Append("(&(objectCategory=group)")
[Void]$ldapFilter.Append("(|")
foreach ($dn in $directReportDNs)
{
    $filterPart = [Softerra.Adaxes.Ldap.FilterBuilder]::Create("member", $dn)
    [Void]$ldapFilter.Append($filterPart)
}
[Void]$ldapFilter.Append("))")

# Save the filter to the user account
$Context.TargetObject.Put($propertyForLDAPFilter, $ldapFilter.ToString())
$Context.TargetObject.SetInfo()
```
For example, you can use the saved filter in a Web interface action to limit the objects that can be selected.
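As an added example that is not part of the original answer or of Adaxes itself, the same filter can be built outside Adaxes with explicit RFC 4515 escaping, which is the job FilterBuilder does in the script above: a DN containing parentheses, an asterisk or a backslash would otherwise change the structure of the filter. The function names and sample DNs are constructed for this illustration.

```powershell
function ConvertTo-LdapFilterValue {
    # Escape a value for use inside an LDAP search filter (RFC 4515).
    param([Parameter(Mandatory)][string]$Value)
    # Backslash first, so the escape sequences added below are not escaped again
    $escaped = $Value.Replace('\', '\5c')
    $escaped = $escaped.Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
    return $escaped.Replace("`0", '\00')
}

function New-GroupMemberFilter {
    # Build (&(objectCategory=group)(|(member=DN1)(member=DN2)...)) for the given DNs.
    param([string[]]$MemberDNs)
    # No subordinates: return a filter that matches nothing, as the script above does
    if (-not $MemberDNs -or $MemberDNs.Count -eq 0) { return '(objectGuid=\00)' }
    $sb = New-Object System.Text.StringBuilder
    [void]$sb.Append('(&(objectCategory=group)(|')
    foreach ($dn in $MemberDNs) {
        [void]$sb.Append("(member=$(ConvertTo-LdapFilterValue $dn))")
    }
    [void]$sb.Append('))')
    return $sb.ToString()
}

# Constructed sample: a plain DN and one whose CN contains an escaped comma and parentheses
$sampleDNs = @(
    'CN=Jane Doe,OU=Users,DC=example,DC=com',
    'CN=Smith\, John (Contractor),OU=Users,DC=example,DC=com'
)
New-GroupMemberFilter -MemberDNs $sampleDNs
New-GroupMemberFilter -MemberDNs @()
```

Compare the second member clause of the output with the raw DN: the backslash and both parentheses appear as \5c, \28 and \29, so the CN stays a single attribute value instead of closing the (member=...) clause early.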
Thanks for the clarification! This works great and is the last piece of my onboarding puzzle. Thanks!
/Kristoffer