Defining the scope of activity

This article describes how to define the scope of activity for Business Rules, Scheduled Tasks, Property Patterns, and Password Self-Service Policies.

The scope of activity is represented as a collection of items, each of which defines which directory objects are included in the scope. To access the collection, use the ActivityScopeItems property of the object for which you want to define the scope of activity.

To access the activity scope items of a Business Rule or Scheduled Task, use the ActivityScopeItems property of the IAdmBusinessRule interface. The IAdmScheduledTask interface inherits from the IAdmBusinessRule interface, which means that the ActivityScopeItems property is also available for Scheduled Tasks. To access the activity scope items of a Property Pattern or Password Self-Service Policy, use the ActivityScopeItems property of the IAdmPropertyPattern or IAdmPasswordSelfServicePolicy interface, respectively.

The ActivityScopeItems property exposes the IAdmCollection interface. To create a new activity scope item, call the IAdmCollection::Create method. The method will return an instance of the IAdmActivityScopeItem interface.

  • Use the IAdmActivityScopeItem::Type property to specify whether you want the scope to include a specific object, objects located in an Organizational Unit or container, members of a group or Business Unit, all objects in all managed AD domains, etc. The ADM_SCOPEBASEOBJECTTYPE_ENUM enumeration specifies the scope types you can use.

  • Use the IAdmActivityScopeItem::Exclude property to specify whether you want the scope item to be included in or excluded from the activity scope.

  • Use the IAdmActivityScopeItem::BaseObject property to specify the object defining the scope. For example, if you want to include all objects located in a specific Organizational Unit in the activity scope, set that OU as the base object. If you want to include all members of a group in the activity scope, set that group as the base object.

  • The meaning of the IAdmActivityScopeItem::Inheritance property depends on the scope type that is specified in the IAdmActivityScopeItem::Type property. For example, if the Type property is set to ADM_SCOPEBASEOBJECTTYPE_GROUP, meaning that the scope will include members of a group, the Inheritance property defines whether only direct members or all members (including the members of nested groups) are included in the activity scope. If the Type property is set to ADM_SCOPEBASEOBJECTTYPE_CONTAINER, meaning that the scope will include objects located under an Organizational Unit, the Inheritance property defines whether only direct children or all descendants of the Organizational Unit are included in the activity scope. The ADS_SCOPEENUM enumeration specifies the inheritance types you can use.

The following table shows which values must be set for the properties of the IAdmActivityScopeItem interface for different scopes of activity.

| Activity Scope | Type | Inheritance | BaseObject |
|---|---|---|---|
| All objects | ADM_SCOPEBASEOBJECTTYPE_ALL_DIRECTORY | ADS_SCOPE_SUBTREE | NULL |
| All objects in a domain | ADM_SCOPEBASEOBJECTTYPE_CONTAINER | ADS_SCOPE_SUBTREE | An ADSI object representing the domain partition. See: How to bind to the domain partition |
| All descendants of an OU | ADM_SCOPEBASEOBJECTTYPE_CONTAINER | ADS_SCOPE_SUBTREE | An ADSI object representing the OU. |
| Immediate children of an OU | ADM_SCOPEBASEOBJECTTYPE_CONTAINER | ADS_SCOPE_ONELEVEL | An ADSI object representing the OU. |
| All members of a group (including nested members) | ADM_SCOPEBASEOBJECTTYPE_GROUP | ADS_SCOPE_SUBTREE | An ADSI object representing the group. |
| Direct members of a group | ADM_SCOPEBASEOBJECTTYPE_GROUP | ADS_SCOPE_ONELEVEL | An ADSI object representing the group. |
| Members of a Business Unit | ADM_SCOPEBASEOBJECTTYPE_BUSINESSUNIT | ADS_SCOPE_SUBTREE | An ADSI object representing the Business Unit. See: How to bind to Adaxes-specific objects |
| Specific object | ADM_SCOPEBASEOBJECTTYPE_CONTAINER | ADS_SCOPE_BASE | An ADSI object representing the specific object. |
| Adaxes Configuration Objects | ADM_SCOPEBASEOBJECTTYPE_CONFIGURATION | ADS_SCOPE_SUBTREE | NULL |
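
The same table can be read in reverse to review a scope that already exists. The following PowerShell is an added example, not code from the original article or from the Adaxes SDK: it turns each item's Type, Inheritance and Exclude values back into the table's wording and marks items that include the whole directory or use a combination the table does not list. The names Get-ActivityScopeReport, $ScopeDescriptions and NeedsReview are hypothetical, and the code assumes that the ActivityScopeItems collection can be enumerated with foreach and that the base object exposes the standard ADSI ADsPath property. The sample items are constructed stand-ins so the block runs without an Adaxes service.

```powershell
# Added example: Type|Inheritance combinations from the table, mapped to their meaning.
$ScopeDescriptions = @{
    'ADM_SCOPEBASEOBJECTTYPE_ALL_DIRECTORY|ADS_SCOPE_SUBTREE' = 'All objects'
    'ADM_SCOPEBASEOBJECTTYPE_CONTAINER|ADS_SCOPE_SUBTREE'     = 'All objects in a domain / all descendants of an OU'
    'ADM_SCOPEBASEOBJECTTYPE_CONTAINER|ADS_SCOPE_ONELEVEL'    = 'Immediate children of an OU'
    'ADM_SCOPEBASEOBJECTTYPE_CONTAINER|ADS_SCOPE_BASE'        = 'Specific object'
    'ADM_SCOPEBASEOBJECTTYPE_GROUP|ADS_SCOPE_SUBTREE'         = 'All members of a group (including nested members)'
    'ADM_SCOPEBASEOBJECTTYPE_GROUP|ADS_SCOPE_ONELEVEL'        = 'Direct members of a group'
    'ADM_SCOPEBASEOBJECTTYPE_BUSINESSUNIT|ADS_SCOPE_SUBTREE'  = 'Members of a Business Unit'
    'ADM_SCOPEBASEOBJECTTYPE_CONFIGURATION|ADS_SCOPE_SUBTREE' = 'Adaxes Configuration Objects'
}

function Get-ActivityScopeReport {
    param([Parameter(Mandatory)] $ScopeItems)

    foreach ($item in $ScopeItems) {
        # String interpolation yields the enum name for real scope items
        # and the plain string for the constructed samples below.
        $type  = "$($item.Type)"
        $key   = "$type|$($item.Inheritance)"
        $known = $ScopeDescriptions.ContainsKey($key)
        $includesAll = ($type -eq 'ADM_SCOPEBASEOBJECTTYPE_ALL_DIRECTORY') -and (-not $item.Exclude)

        [pscustomobject]@{
            Action      = if ($item.Exclude) { 'Exclude' } else { 'Include' }
            Scope       = if ($known) { $ScopeDescriptions[$key] } else { "Not in table: $key" }
            # Assumption: the base object exposes the ADSI ADsPath property.
            BaseObject  = if ($null -ne $item.BaseObject) { $item.BaseObject.ADsPath } else { $null }
            # Review heuristic of this example: whole-directory includes and unlisted combinations.
            NeedsReview = $includesAll -or (-not $known)
        }
    }
}

# Constructed sample items with the same property names as IAdmActivityScopeItem.
$sample = @(
    [pscustomobject]@{ Type = 'ADM_SCOPEBASEOBJECTTYPE_ALL_DIRECTORY'; Inheritance = 'ADS_SCOPE_SUBTREE'
                       Exclude = $false; BaseObject = $null }
    [pscustomobject]@{ Type = 'ADM_SCOPEBASEOBJECTTYPE_GROUP'; Inheritance = 'ADS_SCOPE_SUBTREE'
                       Exclude = $true
                       BaseObject = [pscustomobject]@{ ADsPath = 'Adaxes://CN=IT Staff,DC=example,DC=com' } }
    [pscustomobject]@{ Type = 'ADM_SCOPEBASEOBJECTTYPE_GROUP'; Inheritance = 'ADS_SCOPE_BASE'
                       Exclude = $false
                       BaseObject = [pscustomobject]@{ ADsPath = 'Adaxes://CN=My Group,DC=example,DC=com' } }
)

Get-ActivityScopeReport -ScopeItems $sample | Format-Table -AutoSize
```

Against a live service, pass $obj.ActivityScopeItems in place of the constructed $sample.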

Example 1: Include All Objects

# The $obj variable refers to a Business Rule, Scheduled Task,
# Property Pattern or Password Self-Service Policy

$scopeItem = $obj.ActivityScopeItems.Create()
$scopeItem.BaseObject = $NULL
$scopeItem.Type = "ADM_SCOPEBASEOBJECTTYPE_ALL_DIRECTORY"
$scopeItem.Inheritance = "ADS_SCOPE_SUBTREE"
$scopeItem.Exclude = $False
$scopeItem.SetInfo()

$obj.ActivityScopeItems.Add($scopeItem)

// The obj variable refers to a Business Rule, Scheduled Task,
// Property Pattern or Password Self-Service Policy

IAdmActivityScopeItem scopeItem =
    (IAdmActivityScopeItem)obj.ActivityScopeItems.Create();
scopeItem.BaseObject = null;
scopeItem.Type =
    ADM_SCOPEBASEOBJECTTYPE_ENUM.ADM_SCOPEBASEOBJECTTYPE_ALL_DIRECTORY;
scopeItem.Inheritance = ADS_SCOPEENUM.ADS_SCOPE_SUBTREE;
scopeItem.Exclude = false;
scopeItem.SetInfo();

obj.ActivityScopeItems.Add(scopeItem);

Example 2: Include all objects that belong to a specific AD domain, and exclude members of a group

# The $obj variable refers to a Business Rule, Scheduled Task,
# Property Pattern or Password Self-Service Policy
# The $admService variable refers to a connection to the Adaxes service

# Include all objects in the domain 'example.com'

# Bind to the domain object
$domain = "example.com"
$domainObj = $admService.OpenObject("Adaxes://$domain", $NULL, $NULL, 0)

$scopeItem = $obj.ActivityScopeItems.Create()
$scopeItem.BaseObject = $domainObj
$scopeItem.Type = "ADM_SCOPEBASEOBJECTTYPE_CONTAINER"
$scopeItem.Inheritance = "ADS_SCOPE_SUBTREE"
$scopeItem.Exclude = $False
$scopeItem.SetInfo()
$obj.ActivityScopeItems.Add($scopeItem)

# Exclude members of the group 'IT Staff'

# Bind to the group object
$groupDN = "CN=IT Staff,DC=example,DC=com"
$groupObj = $admService.OpenObject("Adaxes://$groupDN", $NULL, $NULL, 0)

$scopeItem = $obj.ActivityScopeItems.Create()
$scopeItem.BaseObject = $groupObj
$scopeItem.Type = "ADM_SCOPEBASEOBJECTTYPE_GROUP"
$scopeItem.Inheritance = "ADS_SCOPE_SUBTREE"
$scopeItem.Exclude = $True
$scopeItem.SetInfo()
$obj.ActivityScopeItems.Add($scopeItem)

// The obj variable refers to a Business Rule, Scheduled Task,
// Property Pattern or Password Self-Service Policy
// The admService variable refers to a connection to the Adaxes service

// Include all objects in the domain 'example.com'

// Bind to the domain object
const String domain = "example.com";
IAdmTop domainObj = (IAdmTop)admService.OpenObject("Adaxes://" + domain,
    null, null, 0);

IAdmActivityScopeItem scopeItem =
    (IAdmActivityScopeItem)obj.ActivityScopeItems.Create();
scopeItem.BaseObject = domainObj;
scopeItem.Type =
    ADM_SCOPEBASEOBJECTTYPE_ENUM.ADM_SCOPEBASEOBJECTTYPE_CONTAINER;
scopeItem.Inheritance = ADS_SCOPEENUM.ADS_SCOPE_SUBTREE;
scopeItem.Exclude = false;
scopeItem.SetInfo();
obj.ActivityScopeItems.Add(scopeItem);

// Exclude members of the group 'IT Staff'

// Bind to the group object
const String groupDN = "CN=IT Staff,DC=example,DC=com";
IAdmTop groupObj = (IAdmTop)admService.OpenObject("Adaxes://" + groupDN,
    null, null, 0);
scopeItem = (IAdmActivityScopeItem)obj.ActivityScopeItems.Create();
scopeItem.BaseObject = groupObj;
scopeItem.Type =
    ADM_SCOPEBASEOBJECTTYPE_ENUM.ADM_SCOPEBASEOBJECTTYPE_GROUP;
scopeItem.Inheritance = ADS_SCOPEENUM.ADS_SCOPE_SUBTREE;
scopeItem.Exclude = true;
scopeItem.SetInfo();
obj.ActivityScopeItems.Add(scopeItem);

Example 3: Include objects located under the Organizational Unit named Sales

# The $obj variable refers to a Business Rule, Scheduled Task,
# Property Pattern or Password Self-Service Policy
# The $admService variable refers to a connection to the Adaxes service

# Bind to the Organizational Unit object
$ouDN = "OU=Sales,DC=example,DC=com"
$ouObj = $admService.OpenObject("Adaxes://$ouDN", $NULL, $NULL, 0)

$scopeItem = $obj.ActivityScopeItems.Create()
$scopeItem.BaseObject = $ouObj
$scopeItem.Type = "ADM_SCOPEBASEOBJECTTYPE_CONTAINER"
$scopeItem.Inheritance = "ADS_SCOPE_SUBTREE"
$scopeItem.Exclude = $False
$scopeItem.SetInfo()
$obj.ActivityScopeItems.Add($scopeItem)

// The obj variable refers to a Business Rule, Scheduled Task,
// Property Pattern or Password Self-Service Policy
// The admService variable refers to a connection to the Adaxes service

// Bind to the Organizational Unit object
const String ouDN = "OU=Sales,DC=example,DC=com";
IAdmTop ouObj = (IAdmTop)admService.OpenObject("Adaxes://" + ouDN,
    null, null, 0);

IAdmActivityScopeItem scopeItem =
    (IAdmActivityScopeItem)obj.ActivityScopeItems.Create();
scopeItem.BaseObject = ouObj;
scopeItem.Type =
    ADM_SCOPEBASEOBJECTTYPE_ENUM.ADM_SCOPEBASEOBJECTTYPE_CONTAINER;
scopeItem.Inheritance = ADS_SCOPEENUM.ADS_SCOPE_SUBTREE;
scopeItem.Exclude = false;
scopeItem.SetInfo();
obj.ActivityScopeItems.Add(scopeItem);

Example 4: Include a specific group object (not members of the group)

# The $obj variable refers to a Business Rule, Scheduled Task,
# Property Pattern or Password Self-Service Policy
# The $admService variable refers to a connection to the Adaxes service

# Bind to the group object
$groupDN = "CN=My Group,DC=example,DC=com"
$groupObj = $admService.OpenObject("Adaxes://$groupDN", $NULL, $NULL, 0)

$scopeItem = $obj.ActivityScopeItems.Create()
$scopeItem.BaseObject = $groupObj
$scopeItem.Type = "ADM_SCOPEBASEOBJECTTYPE_CONTAINER"
$scopeItem.Inheritance = "ADS_SCOPE_BASE"
$scopeItem.Exclude = $False
$scopeItem.SetInfo()
$obj.ActivityScopeItems.Add($scopeItem)

// The obj variable refers to a Business Rule, Scheduled Task,
// Property Pattern or Password Self-Service Policy
// The admService variable refers to a connection to the Adaxes service

// Bind to the group object
const String groupDN = "CN=My Group,DC=example,DC=com";
IAdmTop groupObj = (IAdmTop)admService.OpenObject("Adaxes://" + groupDN,
    null, null, 0);

IAdmActivityScopeItem scopeItem =
    (IAdmActivityScopeItem)obj.ActivityScopeItems.Create();
scopeItem.BaseObject = groupObj;
scopeItem.Type =
    ADM_SCOPEBASEOBJECTTYPE_ENUM.ADM_SCOPEBASEOBJECTTYPE_CONTAINER;
scopeItem.Inheritance = ADS_SCOPEENUM.ADS_SCOPE_BASE;
scopeItem.Exclude = false;
scopeItem.SetInfo();
obj.ActivityScopeItems.Add(scopeItem);
