Adaxes enables you to track and control critical administrative tasks, such as user and group management, by adding approval steps to the process. Approval workflow can be configured for any operation, including adding and removing members from groups, enabling and disabling user accounts, assigning Office 365 licenses, etc. In this tutorial, you will learn how to request approval for the creation of new user accounts in Active Directory.
To submit requests for approval, you need to create a Business Rule that will be triggered before a user account is created in Active Directory.
Launch Adaxes Administration Console, right-click your Adaxes service, point to New and click Business Rule.
Enter a name for the new Business Rule and click Next.
To trigger the Business Rule before a user account is created:
Click Add an action and select Send this operation for approval.
In the Action Parameters section specify the approvers for the operation.
Click Add to select specific users and groups.
If you need to build the list of approvers based on complex criteria, you can use a PowerShell script to submit the operation for approval.
Click the Edit button.
To submit a request for approval from a script, you need to call the SubmitForApproval method of the predefined PowerShell variable $Context. As the first parameter, the method takes an array of distinguished names (DNs) of users or groups that will be designated as approvers.
The following script submits an approval request to a user and members of a group.
$approvers = @(
    "CN=John Smith,CN=Users,DC=example,DC=com",
    "CN=My Group,OU=Groups,DC=example,DC=com")
$Context.SubmitForApproval($approvers, $False, $False, $False, $False)
Click Copy DN. The DN of the selected object will be copied to the clipboard.
You can use value references in the script (e.g. %department%). Value references will be replaced with corresponding property values of the new user account.
The following example submits an approval request to the members of a group with the name consisting of the name of the user's department plus Managers.
$approvers = @("CN=%department% Managers,CN=Users,DC=example,DC=com")
$Context.SubmitForApproval($approvers, $False, $False, $False, $False)
The following example submits an approval request to the user's secretary and members of group Admins located in the user's Organizational Unit.
$approvers = @(
    "%secretary%",
    "CN=Admins,%adm-InitiatorParentDN%")
$Context.SubmitForApproval($approvers, $False, $False, $False, $False)
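The following script is an added example and is not part of the Adaxes tutorial. It builds the approver list from rules rather than a fixed DN: the secretary is added only when the property is set, the department managers group is resolved by an LDAP search (with the department name escaped, since it is user-supplied data placed in a filter), and a fixed fallback group is used so the request is never submitted with an empty approver list. It assumes the script runs under an account that can search the domain, that Adaxes replaces an empty value reference with an empty string, and that the Account Approvers group DN exists; all DNs and group names are constructed placeholders.

```powershell
# Added example, not from the Adaxes tutorial. Uses the SubmitForApproval call
# shown above; %department% and %secretary% are Adaxes value references that
# are replaced before the script runs.

function ConvertTo-LdapFilterValue([string]$Value) {
    # Escape per RFC 4515 so a department name containing \ * ( ) cannot
    # change the meaning of the LDAP filter. Backslash must be escaped first.
    return $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

$approvers = @()

# Assumption: an unset secretary property is replaced with an empty string.
$secretary = "%secretary%"
if (-not [string]::IsNullOrWhiteSpace($secretary)) {
    $approvers += $secretary
}

# Resolve "<department> Managers" by name instead of hard-coding its DN, so a
# department without such a group does not yield a DN that points at nothing.
$groupName = ConvertTo-LdapFilterValue "%department% Managers"
$searcher = New-Object System.DirectoryServices.DirectorySearcher
try {
    $searcher.Filter = "(&(objectCategory=group)(cn=$groupName))"
    $searcher.PropertiesToLoad.Add("distinguishedName") | Out-Null
    $result = $searcher.FindOne()
    if ($null -ne $result) {
        $approvers += $result.Properties["distinguishedname"][0].ToString()
    }
}
finally {
    $searcher.Dispose()
}

# Constructed fallback DN: keep a fixed approver group so the operation is
# always gated by someone when neither rule above produced an approver.
if ($approvers.Count -eq 0) {
    $approvers += "CN=Account Approvers,OU=Groups,DC=example,DC=com"
}

$Context.SubmitForApproval($approvers, $False, $False, $False, $False)
```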
For information on how to create scripts for Business Rules, see Server-Side Scripting.
Approval workflow can be configured for multiple levels of approval. To request approval from another group of approvers, you need to add another Send operation for approval action to the Business Rule.
To request an approval only if certain conditions are met, right-click the action and select Add Condition.
Example 1 - If the initiator is not a member of a specific group.
Select the If the initiator is a member of <Group> condition.
In the Condition Parameters section, select is not in the drop-down list and specify the group.
Example 2 - If the Job Title property of the new user's account contains the word Manager.
Select the If <property> <relation> <value> condition.
In the Condition Parameters section specify Job Title - contains - Manager.
When done, click Next.
To define the scope of activity for the Business Rule, click Add.
In the Activity Scope dialog, select the following items:
All Objects - select to request approval when a user account is created in any domain managed by Adaxes.
Specific Domain - select to request approval when a user account is created in a specific AD domain.
OU or Container - select to request approval when a user account is created in a specific Organizational Unit or container.
You can exclude specific Organizational Units and domains from the activity scope of the Business Rule. For example, if you've assigned the Business Rule over the whole domain, but do not want it to trigger when a user account is created in a specific Organizational Unit, you can exclude the Organizational Unit from the activity scope. To exclude an object, select the Exclude option in the Assignment Options dialog box.
Click the object you want to exclude.
In the Assignment Options dialog, select the Exclude option.
When an operation is submitted for approval, approved, denied or cancelled, Adaxes sends email notifications to request approvers and the request initiator. To enable Adaxes to send email messages, you need to configure the outgoing mail settings for your Adaxes service.
To configure outgoing mail settings:
In Adaxes Administration Console, right-click your Adaxes service and click Properties in the context menu.
Activate the Mail Settings tab and change the SMTP settings.
If you want email notifications to include a link to view and process the approval request, as well as links to the Active Directory objects related to it, you need to register a Web Interface for your Adaxes service.
To register a Web Interface:
Specify the URL of the Web Interface you want to use for processing requests.
It is possible to customize templates for email notifications sent during the approval workflow process.
To customize email templates:
Right-click Approval Requests and click Properties in the context menu.
Activate the Email Notifications tab.
To approve, deny and cancel approval requests, users can use either the Adaxes Web Interface or the Administration Console.